Patient HIPAA Complaint Handling: Internal Process + OCR Referral (45 CFR § 164.530(d))
9 min read · Last reviewed May 23, 2026
Every HIPAA-covered entity must provide a process for individuals to make complaints about its compliance with the Privacy Rule and document each complaint and its disposition. The requirement lives at 45 CFR § 164.530(d), and the absence of a documented complaint log is one of the most frequently cited deficiencies in OCR Resolution Agreements. A patient with a workable internal process is a patient who often does not need to file with OCR.
What HIPAA requires for complaint handling
Three core obligations under 45 CFR § 164.530(d):
- A process to receive complaints. The covered entity must implement a process by which individuals can make complaints regarding policies, procedures, or compliance with the Privacy Rule. The process must be available and meaningful — not a single named contact who has been gone for two years.
- Documentation of all complaints and dispositions. The complaint and its disposition must be retained for six years under 45 CFR § 164.530(j). The log is a discrete artifact OCR will request.
- No retaliation. Under 45 CFR § 164.530(g), the covered entity cannot intimidate, threaten, coerce, discriminate against, or take retaliatory action against any individual for filing a complaint, participating in an investigation, or opposing an act they believed in good faith to be unlawful.
The Notice of Privacy Practices under 45 CFR § 164.520(b)(1)(vi) must inform every patient that they may file a complaint with the covered entity and with the Secretary of HHS, and must provide a contact for the internal complaint path.
Patient complaints that should have been resolved internally end up at OCR because the practice never had a written intake process, the named contact had left the organization, or the patient was told the complaint "didn't qualify." All three are common findings in OCR enforcement letters.
Internal complaint procedure
A defensible complaint workflow has six steps. Each step generates a discrete document that lives in the complaint log.
- Intake. Accept the complaint in any channel — in person, by phone, by mail, by patient portal, by email, by voicemail. Record the date received, the channel, the complainant's name and contact (or note "anonymous" if applicable), and a verbatim summary. Do not paraphrase. Do not editorialize.
- Acknowledgment. Send a written acknowledgment within five business days. Confirm receipt, identify the Privacy Officer (or designee) as the investigator, state the anticipated timeline (typically 30 days), and provide the no-retaliation statement. Use a HIPAA-safe channel; do not respond via the same insecure channel the complaint arrived through unless the patient confirms it is acceptable.
- Investigation. Identify the alleged violation, map it to the relevant Privacy Rule section, interview workforce members involved, review the underlying records and logs, and document findings. The investigation should be proportionate to the allegation — a misdirected mail piece is a different investigation than an allegation of unauthorized access to a database.
- Disposition. Reach a finding: substantiated, partially substantiated, unsubstantiated, or unable to determine. Document the basis. If substantiated, identify corrective action — mitigation under 45 CFR § 164.530(f), workforce sanctions under 45 CFR § 164.530(e), policy revisions, additional training.
- Response to complainant. Send a written response to the patient describing the investigation, the finding, and the corrective action taken. Do not disclose workforce member identities or internal disciplinary detail beyond what is necessary. Include the patient's right to file with OCR.
- Log the closure. Complete the complaint log entry with all six fields (intake date, acknowledgment date, investigator, finding, corrective action, response date) and file every supporting document. The log is the artifact OCR will request.
The Privacy Officer designated under 45 CFR § 164.530(a) owns the workflow. If the role is vacant, the workflow does not run — and an OCR investigation will identify that gap immediately.
When OCR gets involved
A patient (or any individual, including a former workforce member) may file a complaint with the Secretary of HHS under 45 CFR § 160.306. The complaint must:
- Be filed in writing, electronically or on paper, through the OCR complaint portal at hhs.gov/hipaa/filing-a-complaint
- Name the covered entity or business associate alleged to have committed the violation
- Describe the acts or omissions believed to have violated the Privacy or Security Rule
- Be filed within 180 days of when the complainant knew or should have known of the alleged violation, per 45 CFR § 160.306(b)(3); OCR may extend on a showing of good cause
OCR reviews each complaint to determine whether it states a possible violation. If so, OCR may open an investigation under 45 CFR § 160.306(c) or a compliance review under 45 CFR § 160.308. The covered entity receives a data request letter; the response posture is the subject of the OCR investigation letter response guide.
OCR is not the only agency a patient may approach. State Attorneys General have civil enforcement authority under 42 USC § 1320d-5(d), added by HITECH § 13410(e). The U.S. Department of Justice handles criminal HIPAA matters under 42 USC § 1320d-6. State medical-licensure boards also receive informal patient privacy complaints and run their own investigations.
Documentation requirements
Retain for six years under 45 CFR § 164.530(j):
- The complaint log (master register of every complaint received)
- Each complaint intake record (date, channel, complainant, allegation)
- Each acknowledgment letter
- The investigation file (witness statements, records reviewed, access logs pulled)
- The finding memo with regulatory citation to the Privacy Rule sections at issue
- The corrective action evidence — sanction memo, training completion, policy revision, mitigation documentation
- The response letter to the complainant
- Any subsequent OCR or state correspondence on the matter
The complaint log is a regulatory document, not an internal courtesy. Practices commonly maintain it inside the compliance binder so an OCR data request can be answered with one document, not a reconstruction.
A separate sanctions log under 45 CFR § 164.530(e) tracks workforce discipline. The complaint log and the sanctions log cross-reference each other when a complaint leads to workforce action.
How to investigate
A defensible investigation has three properties: it is proportionate, it is documented, and it is privileged where appropriate.
- Proportionality. A misdirected billing statement complaint involves the billing workflow, the mailing log, and the addressee verification. An alleged unauthorized chart access involves the EHR audit log, workforce interviews, the user provisioning record, and the role-based access policy. Spend the investigative effort where the allegation lives.
- Documentation. Every interview, every log pull, every record review is documented contemporaneously. A finding memo written six months later from memory is not a credible defense if OCR opens an investigation.
- Privilege. When the complaint alleges conduct that could lead to enforcement (substantial breach, willful conduct, pattern complaints), counsel should run the investigation under attorney-client privilege. The internal log entry references the privileged investigation; the privileged file lives separately. Privilege does not attach to the underlying operational records, only to the legal communications.
Patterns in the complaint log matter. Three complaints in 18 months about the same workforce member, the same workflow, or the same access pattern are themselves a finding under the risk-management requirement at 45 CFR § 164.308(a)(1)(ii)(B). OCR explicitly reviews complaint patterns when investigating.
State-law overlay
State law layers additional obligations:
- California (CMIA, Civil Code §§ 56–56.37). Patient access requests and disclosure complaints have a separate state-law track; the California AG and the CDPH both accept privacy complaints from patients.
- Texas (HB 300, Tex. Health & Safety Code Chapter 181). Patients may file privacy complaints with the Texas Attorney General independent of OCR.
- New York (SHIELD Act + Public Health Law § 18). State enforcement authority parallels OCR; patient access disputes have their own complaint path.
- Massachusetts (G.L. c. 93H + 201 CMR 17.00). The Office of the Attorney General accepts privacy and data-security complaints.
- Florida (FIPA, F.S. § 501.171 + F.S. § 456.057). The Florida Department of Legal Affairs handles consumer privacy complaints; state licensure boards handle record-access complaints.
Patient complaints often arrive at multiple agencies simultaneously. The internal investigation should account for parallel filings.
What not to touch
- Do not retaliate against a complaining patient or workforce member. 45 CFR § 164.530(g) is enforced strictly. Adverse actions following a complaint require contemporaneous documentation of an independent basis and counsel review.
- Do not require a complainant to waive their right to file with OCR. Conditioning resolution on a waiver is itself a violation under 45 CFR § 160.316.
- Do not delete the complainant's chart entries, access logs, or related email. Litigation hold runs from intake.
- Do not respond on social media to a complaint posted publicly. Acknowledge through a private, HIPAA-safe channel; never acknowledge the patient-provider relationship publicly without authorization under 45 CFR § 164.508.
- Do not pay a complainant to "drop" a complaint. It does not extinguish the OCR filing right and creates obstruction exposure.
- Do not investigate without involving the Privacy Officer. Front-desk resolution of complaints without log entries is the most common reason OCR finds a 164.530(d) deficiency.
How d3rx fits
The d3rx compliance binder maintains the patient-complaint workflow: NPP language disclosing the internal complaint contact and the right to file with OCR, the complaint log template, the intake form, the acknowledgment letter template, the investigation worksheet keyed to Privacy Rule sections, the finding memo template, the response-letter template, and the six-year retention index. The Privacy Officer dashboard in the binder tracks active complaints, days-to-disposition, and pattern detection across the rolling log. The d3rx audit defense workflow walks the OCR data-request response if a complaint escalates. d3rx is a source-grounded administrative documentation aid that the Privacy Officer and counsel work from; it does not represent the practice in OCR proceedings and does not replace counsel.
D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Patient HIPAA Complaint Handling: Internal Process + OCR Referral (45 CFR § 164.530(d)). We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
What if a patient sends their complaint by Instagram DM — does that count?
Yes, if a workforce member sees it and it expresses a privacy concern, the intake clock starts under [45 CFR § 164.530(d)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530). The regulation does not specify a channel. Patient concerns expressed in social media DMs, online reviews, voicemails, text messages, or front-desk conversations all qualify. Document the complaint as received (screenshot, transcript, or memo), acknowledge through a HIPAA-safe channel (mail, phone, secure portal — not the DM), and run the standard intake. The complaint cannot be dismissed because of how it arrived.
A former employee filed a complaint with OCR alleging retaliation. Does no-retaliation cover them?
Yes. [45 CFR § 164.530(g)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530) prohibits intimidation, threats, coercion, discrimination, or retaliation against any individual for filing a complaint, participating in an investigation, or opposing an act they believed in good faith to be unlawful under the Privacy Rule. The protection extends to former workforce members, current workforce members, and patients alike. Workforce terminations following a complaint are heavily scrutinized — even when the termination is for an unrelated, documented reason. Document the basis contemporaneously and route through counsel and HR before any adverse action.
A patient demands $5,000 to 'drop' the complaint. What's the right move?
Refuse, document, and route to counsel immediately. Paying to suppress a complaint is its own exposure — it can be characterized as obstruction in any subsequent OCR investigation, it does not extinguish the patient's right to file with OCR, and it does not stop OCR from investigating once the complaint is on file. The right path is to investigate the underlying issue on its merits, document the finding, take corrective action if warranted, and respond to the patient through counsel.
We resolved the complaint internally to the patient's satisfaction. Do we still document?
Yes, and the documentation is exactly the point. Internal resolution is the goal — but the [45 CFR § 164.530(d)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530) record (complaint received, investigated, resolved) must be retained for six years under [45 CFR § 164.530(j)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530). The complaint log is the most-requested document in any OCR Right of Access or compliance review. A practice that resolves complaints but cannot show the log looks identical to a practice that ignored them.
The patient threatened to file with OCR. Can we ask them to sign a release before resolving the complaint?
No. Conditioning resolution on the patient waiving their right to file with OCR is a separate violation under [45 CFR § 160.316](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.316), which prohibits waiver of the right to file a HIPAA complaint as a condition of treatment, enrollment, payment, or eligibility. Resolve the underlying issue; do not request a waiver. If the patient still chooses to file with OCR, that is their right and not within the practice's control.
How long does a patient have to file an OCR complaint, and where do they go?
180 days from when the patient knew or should have known of the alleged violation, per [45 CFR § 160.306(b)(3)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.306). OCR can grant a good-cause extension. Patients file through the OCR complaint portal at [hhs.gov/hipaa/filing-a-complaint](https://www.hhs.gov/hipaa/filing-a-complaint/index.html). The Notice of Privacy Practices the practice gave the patient on first encounter is required under [45 CFR § 164.520](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520) to disclose this right and to provide the practice's own internal complaint contact.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR § 164.530(d)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
- 45 CFR § 164.520(b)(1)(vi)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.520
- 45 CFR § 160.306https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.306
- hhs.gov/hipaa/filing-a-complainthttps://www.hhs.gov/hipaa/filing-a-complaint/index.html
- 45 CFR § 160.308https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.308
- 45 CFR § 164.308(a)(1)(ii)(B)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
- 45 CFR § 160.316https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.316
- 45 CFR § 164.508https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- ComplianceAccounting of Disclosures (45 CFR § 164.528): Tracker + ProcedureA 2026 HIPAA Accounting of Disclosures procedure citing 45 CFR § 164.528 — the six-year lookback, what to log, exclusions, and a copy-ready tracker template.
- ComplianceHIPAA Workforce Sanction Policy — Template (45 CFR 164.308(a)(1)(ii)(C))A 2026 HIPAA workforce sanction policy template — required by 45 CFR 164.308(a)(1)(ii)(C), with a four-tier discipline matrix and documented application examples.
- ComplianceNotice of Privacy Practices (NPP) Template — 2026A 2026 Notice of Privacy Practices template aligned to 45 CFR 164.520, with every required header, the post-Dobbs reproductive-health content, and CMIA/HB 300 carveouts.
- ComplianceOCR Investigation Letter: Your 30-Day Response PlaybookReceived an OCR HIPAA investigation letter? The first 30 days set the trajectory. Confirm the docket, freeze logs, route through counsel, and produce a tabbed response.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
- SRACMS Promoting Interoperability and the Security Risk Analysis AttestationHow the CMS Promoting Interoperability program (formerly Meaningful Use) requires a HIPAA Security Risk Analysis for each EHR reporting period, what the attestation actually claims, and how CMS audits it after the fact.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- Glossary60-Day Overpayment RuleACA requirement that Medicare and Medicaid overpayments be reported and returned within 60 days of identification.