HIPAA PRIVACY COMPLAINT FORM
INTERNAL PRIVACY COMPLAINT — COVERED ENTITY USE
Organization Name: [________________________________]
Privacy Officer: [________________________________]
Privacy Officer Phone: [________________________________]
Privacy Officer Email: [________________________________]
Complaint Intake Number: [________________________________] (assigned by Privacy Officer upon receipt)
Date Complaint Received: [__/__/____]
Method of Receipt: ☐ In person ☐ Written/mail ☐ Email ☐ Phone ☐ Patient portal ☐ Anonymous drop box
SECTION 1: REGULATORY FRAMEWORK
1.1 Complaint Process Requirement
Under 45 C.F.R. § 164.530(d), every HIPAA covered entity must:
- Provide a process for individuals to make complaints about the covered entity's policies and procedures required by the Privacy Rule, or about its compliance with those policies and procedures or with the Privacy Rule;
- Document all complaints received and their disposition, if any; and
- Designate a contact person or office responsible for receiving complaints (typically the Privacy Officer designated under 45 C.F.R. § 164.530(a)).
1.2 Anti-Retaliation Protection
45 C.F.R. § 164.530(g) strictly prohibits retaliation. A covered entity may not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against:
- Any individual for exercising any right established under the HIPAA Privacy Rule;
- Any individual for participating in any process provided for by the Privacy Rule, including filing a complaint;
- Any individual for filing a complaint with the U.S. Department of Health and Human Services;
- Any individual for testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing related to HIPAA; or
- Any person for opposing any act or practice made unlawful by the Privacy Rule, provided the person has a good faith belief that the practice opposed is unlawful.
This protection extends to patients, workforce members, and any other individual. The covered entity must refrain from intimidation and retaliation regardless of the outcome of the complaint investigation.
SECTION 2: COMPLAINANT INFORMATION
2.1 Complainant Identity
☐ Named Complaint — Complete Section 2.2 below
☐ Anonymous Complaint — Skip to Section 3 (Note: Anonymous complaints will be investigated to the extent possible, but the covered entity's ability to follow up may be limited.)
☐ Complaint Filed on Behalf of Another Individual — Complete Sections 2.2 and 2.3
2.2 Complainant Contact Information
| Field | Entry |
|---|---|
| Full Name | [________________________________] |
| Address | [________________________________] |
| City, State, ZIP | [________________________________] |
| Phone Number | [________________________________] |
| Email Address | [________________________________] |
| Preferred Contact Method | ☐ Phone ☐ Email ☐ Mail ☐ In person |
| Best Time to Contact | [________________________________] |
2.3 Filing on Behalf of Another Individual
| Field | Entry |
|---|---|
| Name of Individual Whose Privacy Was Allegedly Violated | [________________________________] |
| Date of Birth of Individual | [__/__/____] |
| Relationship to Individual | [________________________________] |
| Authority to Act on Behalf of Individual | ☐ Parent/legal guardian ☐ Personal representative ☐ Attorney ☐ Power of attorney ☐ Other: [________________________________] |
| Documentation of Authority Provided | ☐ Yes — Type: [________________] ☐ No |
SECTION 3: INCIDENT DESCRIPTION
3.1 Incident Details
| Field | Entry |
|---|---|
| Date(s) of Alleged Violation | [__/__/____] to [__/__/____] |
| Time of Incident (if known) | [________________________________] |
| Location/Department Where Incident Occurred | [________________________________] |
| Is this an ongoing issue? | ☐ Yes ☐ No |
| Date Complainant Became Aware of the Incident | [__/__/____] |
3.2 Category of Complaint
Check all that apply:
Unauthorized Use or Disclosure:
☐ PHI disclosed to unauthorized person(s)
☐ PHI used for unauthorized purpose
☐ PHI disclosed without valid authorization where authorization was required
☐ Verbal disclosure of PHI (overheard conversation, discussion in public area)
☐ PHI posted on social media or public platform
☐ PHI disclosed to employer for employment-related purposes
☐ PHI disclosed to family/friends without patient consent
Access Violations:
☐ Workforce member accessed records without legitimate need (snooping)
☐ Unauthorized individual accessed patient portal or EHR
☐ Denial of patient's right to access own records (45 C.F.R. § 164.524)
☐ Excessive fees charged for record access
☐ Failure to provide records within required timeframe (30 days + 30-day extension)
Amendment Issues:
☐ Denial of request to amend records (45 C.F.R. § 164.526)
☐ Failure to act on amendment request within 60 days
☐ Failure to provide written denial with basis for denial
Minimum Necessary Violations:
☐ More PHI disclosed than necessary for the stated purpose (45 C.F.R. § 164.502(b))
☐ Access to PHI not limited based on job role
☐ Entire medical record disclosed when only partial record was needed
Safeguard Failures:
☐ Physical safeguards — records left in unsecured area, unattended computer screens
☐ Technical safeguards — lack of encryption, inadequate access controls
☐ Administrative safeguards — lack of training, no policies in place
Authorization Issues:
☐ Authorization form did not comply with HIPAA requirements (45 C.F.R. § 164.508)
☐ Conditioned treatment on signing an authorization
☐ Used expired or revoked authorization
Confidential Communications:
☐ Failure to accommodate reasonable request for confidential communications (45 C.F.R. § 164.522(b))
☐ Communications sent to wrong address or phone number after request to change
Restriction Requests:
☐ Failure to comply with agreed-upon restriction (45 C.F.R. § 164.522(a))
☐ Failure to restrict disclosure to health plan for self-pay services (45 C.F.R. § 164.522(a)(1)(vi))
Accounting of Disclosures:
☐ Failure to provide accounting of disclosures upon request (45 C.F.R. § 164.528)
☐ Incomplete or inaccurate accounting
Breach Notification:
☐ Failure to provide timely breach notification (45 C.F.R. § 164.404)
☐ Inadequate breach notification content
Other:
☐ Other: [________________________________]
3.3 Detailed Narrative Description
Provide a detailed description of the incident, including what happened, how you became aware of it, who was involved, and any other relevant information:
[________________________________]
[________________________________]
[________________________________]
[________________________________]
[________________________________]
[________________________________]
[________________________________]
3.4 Individuals Involved
List any individuals who were involved in or witnessed the alleged violation:
| Name | Title/Role | Department | Involvement |
|---|---|---|---|
| [________________________________] | [________________] | [________________] | ☐ Alleged violator ☐ Witness ☐ Other |
| [________________________________] | [________________] | [________________] | ☐ Alleged violator ☐ Witness ☐ Other |
| [________________________________] | [________________] | [________________] | ☐ Alleged violator ☐ Witness ☐ Other |
| [________________________________] | [________________] | [________________] | ☐ Alleged violator ☐ Witness ☐ Other |
3.5 PHI Involved
If known, describe the types of PHI that were allegedly affected:
☐ Patient name
☐ Date of birth
☐ Social Security number
☐ Medical record number
☐ Diagnosis/clinical information
☐ Treatment information
☐ Mental health records
☐ Substance use disorder records
☐ HIV/AIDS status
☐ Genetic information
☐ Financial/billing information
☐ Insurance information
☐ Contact information (address, phone, email)
☐ Photographs/images
☐ Other: [________________________________]
Estimated number of individuals whose PHI was affected: [____]
3.6 Supporting Documentation
Please attach or reference any supporting documentation:
☐ Copies of correspondence
☐ Photographs or screenshots
☐ Written statements from witnesses
☐ Authorization forms at issue
☐ Request/denial letters
☐ Other: [________________________________]
SECTION 4: REQUESTED RESOLUTION
Describe the outcome you would like to see as a result of this complaint:
[________________________________]
[________________________________]
[________________________________]
☐ Investigation of the incident
☐ Corrective action by the individuals involved
☐ Policy or procedure changes
☐ Additional staff training
☐ Written apology
☐ Assurance that PHI will be properly secured going forward
☐ Mitigation of harm caused by the violation
☐ Other: [________________________________]
SECTION 5: COMPLAINANT CERTIFICATION
5.1 Certification (Named Complaints)
I certify that the information provided in this complaint is true and accurate to the best of my knowledge. I understand that:
☐ This complaint will be investigated by the Privacy Officer or designee.
☐ I will be informed of the outcome of the investigation to the extent permitted by law and organizational policy.
☐ I will not be subject to retaliation or intimidation for filing this complaint (45 C.F.R. § 164.530(g)).
☐ I may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (see Section 8).
☐ I may also file a complaint with my state attorney general (see Section 9).
☐ Filing this internal complaint does not waive any rights to file external complaints with government agencies.
Complainant Signature: ______________________________
Printed Name: [________________________________]
Date: [__/__/____]
5.2 Anonymous Complaint Acknowledgment
For anonymous complaints, the following is documented by the receiving staff member:
☐ Complaint was received anonymously on [__/__/____].
☐ Complainant was informed that anonymous complaints will be investigated to the extent possible but that follow-up communication may not be feasible.
☐ Complainant was informed of the right to file a complaint with OCR (provided contact information).
Received By (Staff Name): [________________________________]
Title: [________________________________]
Date: [__/__/____]
SECTION 6: INTERNAL INVESTIGATION TRACKING
(This section is completed by the Privacy Officer or designated investigator. Do not provide this section to the complainant.)
6.1 Investigation Assignment
| Field | Entry |
|---|---|
| Investigator Assigned | [________________________________] |
| Date Investigation Opened | [__/__/____] |
| Investigation Number | [________________________________] |
| Priority Level | ☐ Critical (ongoing harm/large-scale) ☐ High ☐ Medium ☐ Low |
| Target Completion Date | [__/__/____] |
6.2 Investigation Steps
| Step | Date | Completed By | Notes |
|---|---|---|---|
| Complaint reviewed and acknowledged | [__/__/____] | [________________] | [________________________________] |
| Complainant contacted for clarification | [__/__/____] | [________________] | [________________________________] |
| Witness interviews conducted | [__/__/____] | [________________] | [________________________________] |
| Records/audit logs reviewed | [__/__/____] | [________________] | [________________________________] |
| Alleged violator(s) interviewed | [__/__/____] | [________________] | [________________________________] |
| Policies/procedures reviewed | [__/__/____] | [________________] | [________________________________] |
| Legal counsel consulted | [__/__/____] | [________________] | [________________________________] |
| Breach risk assessment conducted | [__/__/____] | [________________] | [________________________________] |
| Investigation completed | [__/__/____] | [________________] | [________________________________] |
6.3 Investigation Findings
| Field | Entry |
|---|---|
| Complaint substantiated? | ☐ Substantiated ☐ Partially substantiated ☐ Not substantiated ☐ Inconclusive |
| HIPAA violation identified? | ☐ Yes — Citation(s): [________________________________] ☐ No |
| Privacy Rule provision(s) violated | [________________________________] |
| Does incident constitute a breach under 45 C.F.R. § 164.402? | ☐ Yes — Refer to Breach Log ☐ No |
| Organizational policy violated? | ☐ Yes — Policy: [________________________________] ☐ No |
| Summary of findings | [________________________________] |
SECTION 7: RESOLUTION AND CORRECTIVE ACTION
7.1 Resolution
| Field | Entry |
|---|---|
| Resolution date | [__/__/____] |
| Resolution type | ☐ Corrective action taken ☐ Policy/procedure revised ☐ Training provided ☐ Sanctions applied ☐ No action warranted ☐ Referred to law enforcement ☐ Referred to OCR ☐ Other: [________________] |
| Resolution description | [________________________________] |
7.2 Corrective Actions
| Corrective Action | Responsible Party | Due Date | Completion Date | Status |
|---|---|---|---|---|
| [________________________________] | [________________] | [__/__/____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
| [________________________________] | [________________] | [__/__/____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
| [________________________________] | [________________] | [__/__/____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
| [________________________________] | [________________] | [__/__/____] | [__/__/____] | ☐ Open ☐ In Progress ☐ Complete |
7.3 Sanctions Applied (45 C.F.R. § 164.530(e))
If the investigation confirms a workforce member violated HIPAA policies:
| Workforce Member | Violation | Sanction Applied | Date | Documentation |
|---|---|---|---|---|
| [________________________________] | [________________________________] | ☐ Verbal warning ☐ Written warning ☐ Suspension ☐ Termination ☐ Retraining ☐ Other: [____] | [__/__/____] | [________________________________] |
7.4 Complainant Notification
| Field | Entry |
|---|---|
| Complainant notified of resolution? | ☐ Yes ☐ No (anonymous complaint) ☐ N/A |
| Date complainant notified | [__/__/____] |
| Method of notification | ☐ Phone ☐ Letter ☐ Email ☐ In person |
| Complainant satisfied with resolution? | ☐ Yes ☐ No ☐ Unknown |
| If dissatisfied, complainant informed of OCR complaint rights? | ☐ Yes ☐ N/A |
SECTION 8: ESCALATION — OCR COMPLAINT FILING INFORMATION
8.1 Filing a Complaint with the U.S. Department of Health and Human Services
Individuals have the right to file a complaint directly with the HHS Office for Civil Rights (OCR) if they believe a covered entity or business associate has violated the HIPAA Privacy, Security, or Breach Notification Rules.
Filing Deadline: Complaints must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred. OCR may extend the 180-day period if there is "good cause" for the delay (45 C.F.R. § 160.306(b)(2)).
How to File:
☐ Online: OCR Complaint Portal — https://ocrportal.hhs.gov/ocr/cp/wizard_cp.jsf
☐ Mail: Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F HHH Bldg., Washington, D.C. 20201
☐ Email: [email protected]
☐ Phone: 1-800-368-1019 (voice) / 1-800-537-7697 (TDD)
Required Information for OCR Complaint:
- Name and contact information of the person filing the complaint
- Name and address of the covered entity or business associate against whom the complaint is filed
- Description of the acts or omissions believed to violate HIPAA
- Date(s) the alleged violation occurred (or the date the complainant became aware)
- Signature of the complainant (electronic or written)
Note: OCR generally does not investigate complaints filed without identifying information about the complainant.
8.2 OCR Investigation Process
After OCR receives a complaint:
1. OCR reviews the complaint for jurisdiction and timeliness.
2. If accepted, OCR notifies the complainant and the covered entity.
3. OCR investigates by requesting documentation, conducting interviews, and reviewing records.
4. OCR may resolve through voluntary compliance, corrective action, or a resolution agreement.
5. If a violation is confirmed and not resolved, OCR may impose civil monetary penalties.
6. OCR proceedings do not preclude the complainant from pursuing other remedies available under state law.
8.3 Potential Penalties
Civil Monetary Penalties (42 U.S.C. § 1320d-5):
- Tier 1 (Did Not Know): $137 to $68,928 per violation; $2,067,813 annual maximum
- Tier 2 (Reasonable Cause): $1,379 to $68,928 per violation; $2,067,813 annual maximum
- Tier 3 (Willful Neglect — Corrected): $13,785 to $68,928 per violation; $2,067,813 annual maximum
- Tier 4 (Willful Neglect — Not Corrected): $68,928 per violation; $2,067,813 annual maximum
(Penalty amounts adjusted for inflation annually per 45 C.F.R. § 160.404.)
Criminal Penalties (42 U.S.C. § 1320d-6):
- Tier 1: Up to $50,000 fine and 1 year imprisonment
- Tier 2 (under false pretenses): Up to $100,000 fine and 5 years imprisonment
- Tier 3 (intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm): Up to $250,000 fine and 10 years imprisonment
SECTION 9: STATE ATTORNEY GENERAL AND REGULATORY FILING INFORMATION
Under the HITECH Act (42 U.S.C. § 17939(d)), state attorneys general have the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules.
9.1 State-Specific Filing Information
California:
- California Attorney General — Privacy Section
- Website: https://oag.ca.gov/privacy/filing-complaint
- Additional remedy: Private right of action under CMIA (Cal. Civ. Code § 56.35-56.36) — $1,000 per violation plus actual damages, attorney's fees, and costs
- California Department of Public Health complaint process for licensed facilities
Texas:
- Texas Attorney General — Health and Consumer Protection Division
- Website: https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint
- Civil penalties up to $250,000 per violation under Tex. Health & Safety Code § 181.201
- Texas Medical Board for physician-specific complaints
Florida:
- Florida Attorney General — Consumer Protection Division
- Website: https://www.myfloridalegal.com/
- Florida Department of Health complaint process for licensed practitioners (Fla. Stat. § 456.057)
- Florida Agency for Health Care Administration for facility complaints
New York:
- New York Attorney General — Health Care Bureau
- Website: https://ag.ny.gov/
- New York Department of Health for facility-related complaints
- Additional protections under SHIELD Act (N.Y. Gen. Bus. Law § 899-aa) and Mental Hygiene Law § 33.13
SECTION 10: COMPLAINT LOG INTEGRATION
(For Privacy Officer use — integrate into master complaint log.)
| Field | Entry |
|---|---|
| Complaint Log Entry Number | [________________________________] |
| Date Entered in Log | [__/__/____] |
| Category Code | [________________________________] |
| Status | ☐ Open ☐ Under Investigation ☐ Pending Resolution ☐ Closed |
| Date Closed | [__/__/____] |
| Related Incident Report Number (if applicable) | [________________________________] |
| Related Breach Log Entry Number (if applicable) | [________________________________] |
| Retention Date (6 years from creation per § 164.530(j)) | [__/__/____] |
SECTION 11: RECORD RETENTION AND DOCUMENTATION
11.1 Retention Requirements
Per 45 C.F.R. § 164.530(j), the covered entity must retain documentation of:
☐ All complaints received (this form)
☐ The disposition of each complaint
☐ Investigation records and findings
☐ Corrective actions taken
☐ Sanctions applied
☐ All related correspondence
Minimum retention period: Six (6) years from the date of creation or the date last in effect, whichever is later.
11.2 Confidentiality of Complaint Records
Complaint investigation records should be maintained in a confidential file separate from employee personnel files and patient medical records. Access should be limited to:
☐ Privacy Officer
☐ Security Officer (if security-related)
☐ Legal counsel
☐ Senior management (as needed for sanctions or corrective action)
☐ Human resources (if sanctions involve workforce members)
Sources and References
- U.S. Department of Health and Human Services, "Filing a Health Information Privacy Complaint": https://www.hhs.gov/hipaa/filing-a-complaint/index.html
- HHS OCR, "HIPAA Complaint Process": https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html
- 45 C.F.R. § 164.530 — Administrative Requirements: https://www.law.cornell.edu/cfr/text/45/164.530
- 45 C.F.R. § 164.530(d) — Complaints to Covered Entities: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
- 45 C.F.R. § 164.530(g) — Anti-Retaliation: https://www.brickergraydon.com/insights/resources/key/HIPAA-Regulations-The-Administrative-Requirements-Refraining-from-Intimidating-or-Retaliatory-Acts-164-530-g
- 45 C.F.R. § 160.306 — Complaints to HHS: https://www.law.cornell.edu/cfr/text/45/160.306
- HHS OCR, "How OCR Enforces the HIPAA Privacy & Security Rules": https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html
- HIPAA Journal, "HIPAA Violation Fines — Updated for 2026": https://www.hipaajournal.com/hipaa-violation-fines/
- HIPAA Privacy Rule Administrative Requirements (45 CFR 164.530) Complete Guide: https://www.accountablehq.com/post/hipaa-privacy-rule-administrative-requirements-45-cfr-164-530-complete-guide