How to Handle a HIPAA Complaint as a Solo Therapist
Getting a notification that a patient has filed a HIPAA complaint with the Office for Civil Rights is one of the most stressful moments in a solo therapist's career. Your first thought is probably panic. Your second thought is probably "What do I do now?"
The good news: a complaint is not a conviction. Most complaints against solo providers are resolved without fines, penalties, or public action. The outcome depends almost entirely on how you respond — and whether you have your compliance documentation in order.
How HIPAA Complaints Work
A patient (or anyone, technically) can file a complaint with OCR through the online portal at hhs.gov/hipaa/filing-a-complaint. Common triggers include:
- A patient requested their records and didn't receive them within 30 days
- A patient believes their information was shared without authorisation
- A misdirected communication (email, fax, letter sent to the wrong person)
- A patient overheard you discussing another patient's case
- A billing dispute where the patient believes their clinical information was mishandled
OCR receives roughly 30,000-35,000 complaints per year. Not all lead to investigations — OCR triages based on severity, jurisdiction, and available evidence.
What Happens After a Complaint Is Filed
Step 1: OCR reviews the complaint (1-4 weeks)
OCR determines whether the complaint falls within its jurisdiction, whether it was filed in a timely manner (within 180 days of the alleged violation), and whether there is enough substance to warrant further action.
Step 2: You receive a notification letter
If OCR decides to investigate, you'll receive a letter — typically via email or certified mail — describing the complaint (in general terms) and requesting specific documentation.
Step 3: You respond with documentation
OCR will give you a deadline (usually 30 days, sometimes extendable) to provide the requested documents. This is where your preparation pays off or your lack of preparation becomes obvious.
Step 4: OCR evaluates your response
Based on your documentation, OCR determines whether a violation occurred and what action to take.
What OCR Will Ask For
Regardless of what the specific complaint is about, OCR almost always asks for the same core documents:
- Your Security Risk Analysis — completed, dated, covering your entire practice
- Your written policies and procedures — the security policies you follow
- Evidence related to the specific complaint — what happened, when, how you responded
- Your Notice of Privacy Practices — the version your patients received
- Training records — evidence that you (and any staff) completed HIPAA training
- Business Associate Agreements — for relevant vendors
If you have these documents ready, responding to a complaint is a straightforward (if stressful) administrative exercise. If you don't have them, the complaint investigation becomes an investigation into your entire compliance program.
How to Respond
Do:
Respond promptly. Meet every deadline. If you need more time, request an extension in writing before the deadline passes.
Be honest. If a violation occurred, acknowledge it. Describe what happened, what you've done to address it, and what you've changed to prevent recurrence. OCR views honesty and corrective action favourably.
Provide documentation. Send everything they ask for, organised, dated, and complete. If you don't have a document they requested, say so — don't fabricate one.
Document your response. Keep copies of everything you send to OCR, including cover letters and timestamps.
Consult legal counsel if needed. For serious allegations, having a healthcare attorney review your response before submission is worth the cost.
Don't:
Don't ignore the complaint. Non-responsiveness is treated as non-cooperation and escalates the investigation.
Don't retaliate against the patient. HIPAA explicitly prohibits retaliation against anyone who files a complaint. No terminating the therapeutic relationship, no altering their records, no discussing the complaint with other patients.
Don't destroy evidence. Preserve all records, communications, and logs related to the complaint period.
Don't create documents after the fact. If you didn't have a Security Risk Analysis before the complaint, creating one now and backdating it is fraud. Create one now with today's date — that shows you're taking corrective action.
Possible Outcomes
Technical assistance (most common for first-time issues). OCR provides guidance on how to fix the problem. No fine, no public record.
Voluntary resolution. You agree to fix the issue and OCR closes the case. May include a corrective action plan but no monetary penalty.
Resolution agreement. For more serious violations, OCR may require a formal corrective action plan and a monetary settlement. These are posted publicly.
Civil monetary penalty. Reserved for wilful neglect or repeated violations. Uncommon for solo providers responding in good faith.
Prevention: The Best Response
The best way to handle a HIPAA complaint is to have your compliance program in order before one arrives. Take the free assessment to identify your gaps now — not after a complaint arrives.
Your Compliance Pack generates all 7 documents OCR asks for, personalised to your practice. Having them ready turns a potential crisis into a routine documentation request.