Privacy Guidance: Filing a Complaint With a HIPAA-Covered Entity

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction


This article discusses the HIPAA Privacy Rule and Security Rule complaint rights - the right of individuals to make complaints concerning a covered entity's or business associate's HIPAA compliance.

What is the Right to Make a Complaint Requirement?

Under the HIPAA Privacy Rule, individuals have the right to make complaints concerning a covered entity's compliance with the HIPAA Privacy Rule, its Notice of Privacy Practices, and its HIPAA privacy policies and procedures. Individuals also have the right to make complaints concerning the covered entity's breach notification process, and compliance with the Breach Notification Rule.

The Privacy Rule also requires a covered entity to refrain from intimidating, threatening, coercing, discriminating against, or retaliating against any individual who has exercised one of the above rights.

Individuals have the right to make complaints concerning a covered entity's or business associate's compliance with the HIPAA Security Rule and its Security Rule policies and procedures. The Security Rule requires HIPAA-covered entities to refrain from intimidating, threatening, coercing, discriminating against, or retaliating against any individual who has exercised the right to complain.

The HIPAA Privacy Rule requires covered entities and business associates to maintain documentation of all complaints, and the disposition of each, for a period of at least six years. The HIPAA Security Rule likewise requires that documentation of all complaints received, and the disposition of each, be maintained for a period of at least six years.


This article was last updated on August 12, 2025