CMA: Handling Complaints

Disclaimer:  CMA/PrivaPlan PrivaGuide: Handling Complaints.

The information provided in this document does not constitute, and is no substitute for, legal or other professional advice.  Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.

  PrivaGuide: Handling Complaints

By Lesley Berkeyheiser and David Ginsberg



HIPAA requires that you provide your patients or their designated personal representatives with an opportunity to complain if they believe that their privacy rights have been violated. Specifically, this means:

  • You must appoint an official whose job it is to receive and investigate privacy complaints.
  • Your notice of privacy practices must describe how the patient may file a complaint.  It must also inform the patient of his or her right to complain to the Secretary of the Department of Health and Human Services if the complaint is not resolved.
  • If you deny a request for access to or amendment of a medical record, the written denial must advise the requestor of your complaint procedures and must inform the patient of his or her right to complain to the Secretary of the Department of Health and Human Services.
  • You must keep a record of complaints you received and how you addressed them.
  • You must train all employees in your complaint procedures, and inform them that they may not retaliate against a patient who exercises his or her right to file a complaint.

How to do this:

In this section we document some practical suggestions for implementing your complaint procedure.  “Implementation” suggestions relate to the initial steps you take to get into HIPAA compliance. “Maintenance” suggestions relate to on-going activities.  Your implementation policy and procedure documentation should be based upon your specific needs and on your understanding of how the HIPAA privacy regulation applies to you.


Implementation Suggestions:

  1. Determine who will be responsible for receiving and processing complaints. More information and instruction on this is available in the PrivaGuide “Choosing a Privacy and Security Official”.
  2. Establish sanctions for violations of your privacy rules. These sanctions might range from a formal reprimand for unintended mistakes to termination for willful misconduct.  In some cases – for example, if an employee sold protected health information (PHI) for personal gain – the sanction might include a referral to the United States Justice Department for criminal prosecution.  If you find that a complaint is justified, part of the resolution will be informing the patient of the sanctions that have been imposed on the responsible individual.
  3. Ensure that your privacy policy prohibits intimidating or retaliatory acts directed against those who exercise their right to complain. Remember that even innocent acts may be perceived as “retaliatory.”  A patient who has filed a complaint is already sensitive to how he or she is being treated.  Difficulty in scheduling a future appointment, while perfectly innocent, may be interpreted as an attempt to persuade a patient to drop a complaint.
  4. Develop your process for receiving and handling complaints. HIPAA requires that you maintain documentation of all complaints. We strongly recommend that your organization require all complaints to be documented in writing; when the patient is not able to do this, the Privacy Official can assist the patient in completing a written complaint. We suggest using the sample complaint form template found under Document Templates.
  5. Use the complaint and response/tracking forms to document complaints, your findings and responses regarding these complaints! Complaints need to be reviewed promptly and the patient must be informed about how you addressed the complaint. While it may be more convenient to keep complaint forms in the patient’s chart, your professional liability carrier may suggest that you maintain a separate file for these forms. If you determine that a complaint is valid your response must include how you will correct your policies and procedures to mitigate future privacy problems.
  6. If the complaint is from the patient’s personal representative, determine whether this individual can legally represent the patient. See the section on handling requests from personal representatives in the “Procedures Manual Template” under the Individual Permission Processing Procedure.

HIPAA enforcement will most likely be “complaint driven.”

The Department of Health and Human Services has indicated that HIPAA investigations will be “complaint driven”.  This means they will not conduct random compliance reviews but rather will investigate only if a subject individual has complained. Therefore, your handling of complaints is very important.  If a patient complains, it probably means that a HIPAA privacy procedure has broken down.  If you can successfully resolve a patient complaint you will have proven that your compliance plan works.

  1. Ensure that your staff-training program contains information about the patient’s right to complain. Consider incorporating this training into an overall “patient/customer” satisfaction program. Contact your professional liability carrier and see if they have materials or programs about effective patient communication and risk management that you can use.
  2. Ensure that your complaint procedure is adequately described in your notice of privacy practices. HIPAA requires that you describe your complaint procedure in your notice of privacy practices and indicate who in your organization is designated to receive complaints. We suggest you indicate the job title of the individual who receives complaints (for example “Our Office Manager/Privacy Official”).
  3. Keep the complaint forms for six years after the date of the complaint.
  4. At your regular staff meetings (please include the physicians) review any recent complaints and the actions taken.


About the Authors:

This PrivaGuide has been greatly improved and customized by the California Medical Association. Specifically, the work of Catherine I. Hanson, Vice President and General Counsel of the CMA and Steven M. Fleisher, Esq. of Fleisher and Associates.

Lesley Berkeyheiser

Ms. Berkeyheiser has over twenty years' experience in the healthcare industry, most of it involving managed care, including direction and management of healthcare operations at various renowned health plans. She is Principal and founder of The Clayton Group, LLC, an independent consulting company specializing in healthcare issues including Health Insurance Portability and Accountability Act of 1996 (HIPAA) preparation work, business development and technology.  She has created and/or maintains ownership in various HIPAA remediation products, including HIPAA training products (PrivaPlanED), Gap Analysis (PrivaPlan), and HIPAA Policies and Procedures (Clayton MacBain HIPAA Templates). She actively participates as Co-Chair for Security and Privacy, and was past Leader of the Vendor Technologies Interdependencies subgroup, of the Workgroup for Electronic Data Interchange Strategic National Implementation Process (WEDI SNIP). This gives her an extensive and current knowledge of HIPAA remediation solutions. Ms. Berkeyheiser can be contacted at The Clayton Group, 53 Bethel Road, Glen Mills, PA 19342.  Telephone: (610)-558-3332.  Email:

David Ginsberg

Mr. Ginsberg is President of PrivaPlan Associates, Inc. and is one of its founders. David Ginsberg is a healthcare consultant with over twenty-five years' experience. Most recently he organized, and is Executive Director of, the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California; during this time he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid. Mr. Ginsberg has expertise in managed care operations, IPA development, physician-hospital strategic planning, practice management consulting, and compliance issues. Mr. Ginsberg can be contacted at David A. Ginsberg Consulting, 3 Monte Alto Way, Santa Fe, NM 87508.  Telephone:  877-218-7707.  Email:
