Handling Complaints and Mitigation (Updated) - Retired

Editor’s note: This update replaces content presented in the November 2003 practice brief “Handling Complaints and Mitigation.”

Many HIM professionals are experienced at managing various types of complaints that arise in day-to-day health information operations. HIM professionals consult with physicians about chart completion, lost records, and missing dictation. They also work with patients and their families who sometimes have differing expectations of what services should be provided and at what cost.

The HIM professional is uniquely qualified to handle different types of complaints, including privacy and security complaints, because of his or her related knowledge and experience. However, effective conflict and dispute resolution may not always exist in our professional skill set and, therefore, must be learned.1

Legal and Accreditation Requirements

Joint Commission

The Elements of Performance for Standard RI 01.07.01 address the resolution of patients’ complaints. The standards require a complaint resolution process and require that individuals be informed about the process. The standards also require the organization to respond and to inform patients about their right to file complaints with the state authority.2


General Administrative Requirements

HIPAA addresses complaints made to the secretary of the Department of Health and Human Services in §160.306. In addition, the Office for Civil Rights (OCR) Web site gives instructions to individuals who wish to make a complaint. The covered entity is required to cooperate with any investigation OCR makes on receipt of a complaint and must permit OCR access to any of the information it deems necessary. Although OCR states its purpose is to provide assistance and guidance toward resolution, the covered entity should try to resolve patient and individual complaints before they become complaints to the OCR.

Privacy Rule

Section 164.530(d) requires a covered entity to provide a process for individuals to make complaints concerning the covered entity’s privacy policies or its compliance with them. A covered entity must document all complaints, their disposition, and the application of appropriate sanctions to members of the workforce when noncompliance with privacy policies and procedures is indicated.3

Security Rule

In 2010, the OCR was also made responsible for enforcement of and compliance with the HIPAA security rule, which was originally the responsibility of the Centers for Medicare and Medicaid Services. The OCR provides further instructions for filing a security complaint on its Web site.

State Laws

Covered entities should examine applicable state laws, if any, for additional guidance.


What is the philosophy your organization demonstrates regarding complaints? It is realistic to expect that complaints will occur. The organization should be prepared to respond in a constructive manner and consider that the complaint will offer an opportunity for improvement.4

Your organization should be aware that OCR’s complaint process is accessible by Web, mail, fax, and e-mail. OCR also offers assistance to the public via telephone.5 It is important to consider that receiving and responding to complaints should be as convenient for the individual at your facility as it is for him or her through OCR.

If HIM professionals understand that much patient frustration stems from misunderstanding and misinformation rather than the actual denial of rights, we can be more proactive about how we communicate and welcome chances to improve our organizations’ communication.6

Guidelines for Administering and Resolving Patient Complaints

Make it easy for individuals to voice a concern. Your organization must make sure the process is delineated in your notice of privacy practices. It should also state to whom and where a concern or complaint should be addressed.

If an individual arrives in person to complain, consider talking with him or her about his or her complaint rather than asking the individual to fill out a form. If your organization has a form, you might consider filling it out yourself. There are advantages to asking the individual to fill out the form, including getting the complaint in his or her own words, obtaining the individual’s signature, and making sure all the information you would like to have is recorded.

The biggest disadvantage of requesting that individuals fill out a complaint form is that it depersonalizes the process and may appear as though you are asking the individual to “jump through hoops.” Whatever method you choose to capture the complaint, be sure to make the individual feel welcome to express his or her unhappiness.

When you receive a written complaint, call and make an appointment with the individual to discuss the complaint. It would be best to see the individual in person if it is a complaint you cannot manage over the telephone.

The Interview

Begin the interview with an open-ended request such as, “Tell me what happened.” In your notes, capture the words the individual is using. Be open to the possibility that his or her issue is valid and worth complaining about. If you are not welcoming and open, the individual will not believe you are there to assist him or her in the resolution of the complaint, which may lead the individual to report his or her complaint to the OCR or other reporting authority.

During this process, listen for two things: the reason the individual is making the complaint (which may not be the reason initially stated) and what the individual wants out of the process (an apology may be all that is needed). Toward the end of the interview, ask the individual what he or she hopes to gain from the complaint process. You may ask the individual, “What do you think will make this right?” if it seems appropriate.

At the end of your interview, thank the individual for coming in to talk about the issue and promise a response within a reasonable time frame. One week might be reasonable for some issues, but two or three weeks might be more reasonable for others, depending on what needs to be investigated. Whatever you decide, make a commitment to get back to the individual within a certain time frame and keep this promise.

Quickly follow up with a letter thanking the individual and reiterating the complaint he or she made, along with what you have promised to do in follow-up. Be sure to document the commitment to get back to the individual by a certain time or date.

Investigate the complaint after your conference is concluded. Interview the people involved and review the medical record if it is relevant to the complaint. Note the information that supports the complaint and the information that refutes the complaint.

Reporting to Risk Manager, Insurance Representative, and Attorney

You may be required to report the complaint to your organization’s malpractice insurance carrier. Some carriers require all complaints be reported at the time of the complaint, whereas others require notice only if there will be an insurance claim. If you are required to report the complaint, you will need to work closely with your organization’s risk manager and insurance claims representative to make sure the organization’s process is set up correctly.

You may also need to determine if the complaint will require assistance from legal counsel. Some malpractice insurance carriers require notification before attorneys are contacted. If this is the case, you should involve your organization’s risk manager. If the individual with the complaint has already obtained an attorney, then it is best to notify the proper individuals and get legal advice before proceeding.

Resolution and Mitigation

At this point, you may want to determine what the cost to your organization will be, from both a financial and a public relations standpoint, if you do not resolve the conflict in a mutually satisfactory manner. What will it cost to meet the expectations of the individual? Compare that to the cost of a possible OCR or other authority’s investigation. Also compare the costs of possible litigation and attorney fees should the complaint go that far. Your organization will need to determine, perhaps on a case-by-case basis, when it is important to be “right” and when it is important to resolve a matter quickly by negotiating with the individual even if you do not believe you have made an error.

When your organization has made an error and/or a breach, consider the damages to the individual. What has happened to the individual and what is the seriousness of the damage? Review the HIPAA regulations and the regulations under the American Recovery and Reinvestment Act’s (ARRA’s) Health Information Technology for Economic and Clinical Health (HITECH) provisions to ensure all requirements and regulations are met.

What else can be done to help mitigate the outcomes of the errors and/or breach? Some suggestions are below:

  • An apology for the situation
  • Disciplinary action against employees (This requires your organization’s human resources department’s involvement and the involvement of the employee’s supervisory staff; you will not be able to explain this process to the individual filing the complaint because these procedures are generally considered private within an organization.)
  • Repair of whatever system or process caused the complaint or breach (requires policy changes and education of staff)
  • A cash amount based on work loss, expenses incurred, or another actual financial loss

Also consider the following gestures of good will and good public relations for more minor issues:

  • Gift certificates for dinner
  • Movie or theater tickets
  • Flowers

Anything more than this type of mitigation will require the involvement of either the facility insurance company or legal counsel. Again, understanding the boundaries and processes used by both is very important.

Proactive Mitigation

An organization may discover an error or confidentiality breach of which the patient is unaware. The organization must then consider how it will inform the patient and determine the necessary mitigation. If the error is a breach of protected health information, then ARRA’s HITECH breach regulations must be followed and appropriate measures taken for compliance with the investigation and notification requirements. The Joint Commission’s standards require that patients’ family members, when appropriate, be informed about the outcomes of care, including unanticipated outcomes.7 Organizations must determine:

  • In what circumstances notification should occur
  • How they will notify an individual of an error or breach
  • How mitigation will be carried out


Set up your documentation at the beginning of the process. Make detailed notes of every conversation and record any decisions or promises made by any person participating in the process. Record dates of any action taken and any mitigation offered and accepted.

If the complaint is privacy related, your organization must keep this documentation for at least six years, according to the HIPAA privacy rule. You will need to compare that law with your state retention laws, which may be more restrictive.

Organizations should consider using any existing incident reporting system to track and follow individual complaints. There are a number of advantages to using such a system, such as protection in some states from this information being discovered in the legal process. Covered entities should remember that the object of the complaint process is resolution and the avoidance of escalation to an OCR complaint investigation, audit, or litigation, if possible.


1. Odidison, Joyce. How Can We Assist Clients in Becoming More Successful at Conflict Resolution? November 2002. Available online at www.mediate.com/articles/odidisonj.cfm.

2. The Joint Commission. Comprehensive Accreditation Manual for Hospitals Edition. Oakbrook Terrace, IL: Joint Commission, 2010.

3. US Department of Health and Human Services. Administrative Simplification. 45 CFR, Subtitle A, Subchapter C, Parts 160, 162, and 164, §530(d). Available online at http://aspe.hhs.gov/admnsimp/bannerps.htm.

4. McCleave, Spencer H. “How to Respond to a Formal Patient Complaint.” Seminars in Medical Practice 4, no. 2 (2001). Available online at www.turnerwhite.com/pdf/smp_jun01_complaint.pdf.

5. US Department of Health and Human Services, Office for Civil Rights. How to File a Health Information Privacy Complaint with the Office for Civil Rights. Revised August 2008. Available online at www.hhs.gov/ocr/privacyhowtofile.htm.

6. Cerminara, Kathy L. “Deal with Patient Complaints Before Arrival of Subpoenas.” Managed Care Magazine, June 9, 2003. Available online at http://www.managedcaremag.com/archives/0302/0302.conflict.html.

7. Joint Commission. Comprehensive Accreditation Manual for Hospitals.


AHIMA. “Analysis of the Interim Final Rule, August 24, 2009: Breach Notification for Unsecured Protected Health Information.” 

Emery, Steve, Jan McDavid, and Deborah Robb. “Compliance in Practice: Mitigating Risk in Clinics and Physician Practices.” Journal of AHIMA 81, no. 3 (Mar. 2010): 28–31.

Hjort, Beth. “Handling Complaints.” Presentation at the AHIMA “Getting Practical with Privacy and Security” seminars, 2003.

Prepared by

Angela K. Dinh, MHA, RHIA, CHPS

Prepared by (original)

Jill Burrington-Brown, MS, RHIA, FAHIMA

Acknowledgments (original)

Jill Callahan Dennis, JD, RHIA
Beth Hjort, RHIA, CHPS 
Connie Matthews 
Carol Ann Quinsey, RHIA, CHPS
Mary Rauwolf, RHIT 

Article citation:
AHIMA; American Medical Informatics Association (AMIA). "Handling Complaints and Mitigation (Updated) - Retired." Journal of AHIMA (Updated June 2010).