A Covered Entity Must Have An Established Complaint Process: Complete Guide


What Happens When a Covered Entity Doesn't Have a Complaint Process? Here's Why It Matters

Imagine you just found out your personal health information was shared with the wrong people. Maybe a billing error exposed your diagnosis to your employer. Maybe your therapist's office accidentally sent your records to your ex-spouse. You're angry, you're scared, and you want to do something about it. So you call the healthcare provider, the hospital, the insurance company, whoever handled your data, and ask: "How do I file a complaint?"

They hem. They haw. They transfer you around. No one can tell you where to send a written complaint, what form to use, or even who handles these issues. Days turn into weeks. Nothing happens.

That's not just bad customer service. In the world of HIPAA compliance, it's a serious problem. A covered entity must have an established complaint process, and if it doesn't, it is already breaking the rules before anyone files the first complaint.

What Is a Covered Entity (and Why the Complaint Rule Exists)

Let's back up for a second. A covered entity under HIPAA is one of three types of organization that handle protected health information (PHI): healthcare providers that transmit health information electronically in connection with standard transactions (doctors, hospitals, clinics, pharmacies), health plans (insurance companies, HMOs, Medicare and Medicaid programs), and healthcare clearinghouses (companies that translate and process health data between organizations).

If you interact with the healthcare system in almost any capacity, your data is being handled by a covered entity. And because HIPAA is fundamentally about protecting your health information, it comes with obligations — one of which is giving people a way to complain when things go wrong.

Here's the specific requirement: covered entities must provide a process for individuals to make complaints about the entity's privacy policies and procedures and its compliance with them, and must document every complaint received and its disposition. This isn't optional. It's written into the HIPAA Privacy Rule at 45 CFR 164.530(d), and it's something the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) looks for during investigations.

What "Established Complaint Process" Actually Means

It's not enough to simply accept complaints when they show up. A covered entity needs to have a defined, documented process. This typically means:

  • Clear information about how and where to file a complaint (in writing, via email, through a dedicated contact)
  • A designated person or office responsible for receiving and handling complaints
  • A timeline for acknowledging and responding to complaints
  • Documentation that complaints were received and reviewed
  • Procedures for investigating and resolving issues, or for escalating them if necessary

In practice, this usually shows up on a covered entity's website as a "Privacy Complaint" or "HIPAA Complaint" form, along with a mailing address and sometimes an email. Larger organizations often have a privacy officer whose job specifically includes handling these matters.


Why This Matters More Than Most People Realize

Here's the thing: most people don't even know they can file a HIPAA complaint. They assume their only recourse is to call customer service or, in extreme cases, hire a lawyer. And a lot of covered entities have done a poor job of making the complaint process visible or accessible.

That creates a double problem. First, individuals don't get a clear path to report violations, which means problems may never get flagged or corrected. Second, covered entities that don't actively maintain a complaint process are non-compliant, even if they've never received a single complaint.


The complaint process serves a few critical functions:

It gives individuals recourse. If your PHI was mishandled, you deserve a way to report it directly to the organization responsible. Without a formal process, you're left guessing.

It helps covered entities catch problems early. A well-run complaint system acts as an early warning system. If three patients complain about the same billing vendor or the same front desk staff member in one month, that's a pattern worth investigating — before it becomes a bigger breach.

It demonstrates good faith compliance. When a covered entity has a clear, accessible complaint process and handles complaints seriously, it looks far better in the eyes of OCR if a complaint ever escalates to a formal investigation. Investigators notice whether an organization had reasonable procedures in place.

It fulfills a legal requirement. This one is straightforward. The HIPAA Privacy Rule specifically requires it. Covered entities that lack a documented complaint process are in violation, period.

What Happens If There's No Process in Place?

Let's say OCR receives a complaint from an individual who alleges their health information was improperly disclosed. OCR investigates. Part of that investigation involves asking the covered entity: "What are your complaint procedures? How did you handle this individual's concern?"

If the covered entity can't produce a clear, documented process, or worse, admits it doesn't have one, that becomes its own compliance issue. It doesn't matter whether the original complaint was valid or not. The failure to maintain a complaint process is a separate violation.

In practice, OCR typically works with covered entities to come into compliance rather than issuing immediate penalties for procedural gaps. But the risk escalates if there's a pattern of complaints, if the organization is unresponsive, or if the underlying violation is serious. We've seen cases where lack of a complaint process contributed to larger fines, especially when combined with other HIPAA failures.

How a Covered Entity Should Actually Set This Up

Here's where it gets practical. What does a compliant complaint process actually look like? It's not complicated, but it does require some intentionality.

Step 1: Designate Responsibility

Someone needs to own this. For most organizations, that's the Privacy Officer, a role HIPAA already requires every covered entity to designate, regardless of size. That person should be clearly identified as the point of contact for privacy complaints, and their contact information should be publicly available.

Step 2: Make It Accessible

The complaint process should be easy to find. That means:

  • Posting it on the organization's website, typically in a privacy or legal section
  • Including it in patient handbooks, intake forms, and notice of privacy practices documents
  • Having staff able to direct patients to the right place if they ask in person or by phone

Step 3: Define the Process in Writing

Have a documented procedure that covers:

  • What information the complainant should provide (their name, contact info, description of the issue, date of the incident)
  • How they'll receive acknowledgment that their complaint was received
  • How long the investigation typically takes
  • How they'll be informed of the outcome or any corrective action

Step 4: Keep Records

Every complaint should be logged. That includes the initial complaint, any investigation notes, the resolution, and communication with the complainant. The Privacy Rule requires this documentation to be retained for six years. Good records serve two purposes: they help the organization track patterns, and they demonstrate compliance if OCR ever comes asking.

Step 5: Respond in a Timely Manner

There's no single required timeline in the regulation, but dragging your feet is a bad look. A reasonable goal is to acknowledge complaints within 5-10 business days and complete an initial review within 30 days. More complex investigations may take longer, but the complainant should be kept informed.

Common Mistakes Covered Entities Make

After years of reading about HIPAA enforcement and talking to compliance professionals, I've noticed a few patterns. These are the mistakes that come up most often:

Making the process invisible. Some organizations technically have a complaint process, but it's buried so deep on their website that no one would ever find it. Or they mention it only in fine print that requires a law degree to interpret. That's not good enough.

Treating complaints as a PR problem. A complaint isn't a bad review on Yelp. It's a potential compliance issue that deserves a genuine investigation. Some organizations spend more energy trying to make complaints go away than figuring out what actually happened. Keep in mind that the Privacy Rule also prohibits intimidating or retaliating against anyone for filing a complaint.

No documentation. If no one wrote anything down, it didn't happen, at least as far as OCR is concerned. Verbal policies don't count. You need documentation.

Confusing the internal complaint process with the OCR complaint process. Here's something worth knowing: individuals can file complaints directly with OCR, not just with the covered entity. Some covered entities don't clarify this and make patients think the only option is going through them. That's misleading and can delay legitimate concerns from being addressed.

Assuming it only applies to big organizations. Even small healthcare providers, a solo practice with two employees, a local clinic, are covered entities. The complaint process requirement applies to them too. I know a surprising number of small practices that didn't realize this.

Practical Tips for Covered Entities (and What to Do If You're a Patient)

If you're running a covered entity and want to get this right, here's my honest advice:

Start simple. You don't need a fancy system. A dedicated email address, a printed form, and a spreadsheet to track complaints will work for most small to mid-size organizations. What matters is that it exists, that it's documented, and that someone actually uses it.

Review your Notice of Privacy Practices and make sure it explains how to file a complaint, both with your organization and with the Secretary of HHS. That's the document you're already required to give patients. If it doesn't include this, update it.

Test it. Pick a random Tuesday and ask yourself: if someone called right now wanting to file a HIPAA complaint, could your front desk direct them to the right person in under two minutes? If the answer is no, that's a gap to fix.

And if you're a patient who's experienced a potential HIPAA violation and you're hitting a wall: you can file a complaint directly with the Office for Civil Rights. You don't need the covered entity's permission. You don't need a lawyer. The OCR complaint form is available on their website, and it's free to submit. That option exists precisely because not all covered entities do a good job with their own internal processes.

FAQ

Can a covered entity be fined just for not having a complaint process, even if no one ever complained?

Yes. The requirement exists independently of whether complaints have been filed. In practice, OCR typically focuses on the underlying violation when complaints do come in, but a missing or inadequate complaint process can add to the list of compliance failures.

Does the complaint process have to be formal?

It should be documented, but it doesn't need to be overly bureaucratic. A simple written procedure that identifies who receives complaints, how they're tracked, and how complainants are responded to is sufficient for most organizations.

What if a complaint involves a third-party business associate?

The covered entity is still responsible. If a complaint involves a vendor (like a billing service or IT company) that handles PHI on the covered entity's behalf, the covered entity's complaint process should still capture it, investigate it, and work with the business associate to resolve it.

How long does a covered entity have to respond to a complaint?

HIPAA doesn't specify an exact deadline, but reasonableness applies. Prompt acknowledgment (within a week or two) and a substantive response after a thorough investigation (typically within 30-60 days for straightforward matters) is the standard most compliance advisors recommend.

Can patients file complaints with OCR even if they didn't first complain to the covered entity?

Absolutely. You're not required to go through the covered entity first. If you're uncomfortable doing that, or if you already did and weren't satisfied, you can file directly with the Office for Civil Rights at www.hhs.gov/ocr/privacy/hipaa/complaints. One caveat: OCR generally expects complaints within 180 days of when you knew, or should have known, about the violation, though it can extend that window for good cause.

The Bottom Line

Here's what it comes down to: if you're a covered entity, having an established complaint process isn't a nice-to-have or a bureaucratic checkbox. It's a clear requirement under HIPAA, and it's one of the easier ones to get right. You don't need a massive compliance department. You need a documented process, a designated person, and a commitment to take complaints seriously.

And if you're a patient who's ever been told "we don't have a process for that," now you know that's not okay. You have the right to file a complaint, and you have the right to expect the organization to handle it properly. The fact that many don't is a problem worth talking about.
