HIPAA Violations: How the HHS Office for Civil Rights Investigates


HIPAA Violations: How the HHS Office for Civil Rights Investigates

Kevin Henry

HIPAA

October 22, 2024

8 minute read

The HHS Office for Civil Rights (OCR) is the federal agency charged with enforcing HIPAA. When potential HIPAA violations arise, OCR evaluates them under the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, using its enforcement authority to investigate, resolve, and, when necessary, penalize noncompliance.

This guide walks you through how complaints are filed and screened, what prompts an investigation, how Compliance Reviews work, and the range of outcomes—from Voluntary Corrective Action to Civil Monetary Penalties. You’ll see what to expect and how to prepare if OCR contacts you.

Complaint Filing Process

Who can file a complaint

Anyone who believes a covered entity or business associate violated HIPAA may file a complaint with OCR. This includes patients, personal representatives, workforce members, and others who observed or experienced a potential violation involving protected health information (PHI).

When to file

Complaints should be filed promptly after learning of the issue. OCR generally expects complaints within a defined time window and may extend deadlines for good cause. Filing sooner helps preserve evidence and improves OCR’s ability to investigate.

How to file

You can submit a complaint electronically or by mail. Be prepared to identify the organization(s) involved, describe what happened, list key dates, and explain how PHI was used or disclosed. If you represent someone else, indicate your authority to act on their behalf.

What to include

Strong complaints provide clear, factual narratives; relevant documents (for example, letters, screenshots, notices); and your contact information. If a data breach is involved, include any notices you received under the Breach Notification Rule.

After you file

OCR acknowledges receipt, assigns a case number, and begins an intake review. You may be contacted for clarification or additional information. Keep copies of everything you submit and note all related dates.

Complaint Review and Jurisdiction

Jurisdiction check

OCR first confirms whether the complaint alleges conduct governed by HIPAA and involves a covered entity (such as a health plan, clearinghouse, or health care provider) or a business associate. It then maps the facts to the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule.

Reasons OCR may not proceed

OCR may close complaints that fall outside HIPAA (for example, disclosures by entities not subject to HIPAA), are untimely without good cause, or lack sufficient detail. When appropriate, OCR refers matters to another agency better positioned to address them.

Early technical assistance

In some matters, OCR resolves issues during intake by providing technical assistance to the entity or complainant. These resolutions emphasize education and prompt fixes over formal investigation when the risk and facts support that approach.

Investigation Initiation Criteria

When OCR opens an investigation

OCR initiates investigations when facts suggest a potential violation, the risk to individuals is significant, or there is a pattern of noncompliance. Allegations indicating possible willful neglect—conscious or reckless disregard of HIPAA—receive heightened attention.

Factors OCR weighs

Key factors include the sensitivity of PHI involved, number of individuals affected, duration of the conduct, prior history, corrective actions already taken, and whether the entity cooperated and mitigated promptly. Repeated Right of Access complaints often signal systemic issues.

Beyond complaints

OCR can open matters based on breach reports, media reports, or other information. Some of these become Compliance Reviews rather than complaint-driven cases, allowing OCR to assess broader organizational practices.

Investigation Procedures and Compliance Reviews

Notice and information requests

Entities typically receive a written notice describing the allegations and the information OCR needs. Expect requests for policies, risk analyses, training records, access logs, business associate agreements, and documentation of safeguards and mitigation steps.

Analysis and interviews

OCR analyzes whether uses and disclosures were permissible under the HIPAA Privacy Rule, whether administrative, physical, and technical safeguards met Security Rule standards, and whether breach notifications were timely and complete. OCR may interview workforce members and contractors.

On-site and desk reviews

Most matters are handled through desk reviews, but OCR can conduct on-site visits to observe practices, verify controls, and speak with staff. Timely, complete responses are critical; poor cooperation can elevate enforcement risk.

Compliance Reviews

Compliance Reviews evaluate overall compliance, not just a single incident. They often follow large breaches or patterns of complaints and may include targeted audits of specific requirements like risk analysis, access controls, or disclosure tracking.

Documentation and retention

HIPAA requires documentation of policies, procedures, and actions taken to achieve compliance, with retention for a defined period. Maintaining clear, current records streamlines OCR’s review and demonstrates a culture of compliance.


Resolution and Enforcement Actions

Non-punitive outcomes

When violations are not substantiated or risk is low, OCR may close the case or provide technical assistance. Many matters resolve through Voluntary Corrective Action, where the entity documents fixes without a monetary component.

Resolution Agreements and Corrective Action Plans

For more serious issues, OCR may negotiate a Resolution Agreement that includes a multi-year Corrective Action Plan (CAP). CAPs commonly require risk analysis, risk management, policy updates, training, monitoring, and regular reporting to OCR.

Civil Monetary Penalties

When settlement is not appropriate or an entity refuses to cooperate, OCR can impose Civil Monetary Penalties. Penalty tiering considers culpability (from reasonable cause to willful neglect), scope and duration, harm to individuals, prior history, and the entity’s size and resources.

Other consequences

OCR may refer potential criminal conduct to the Department of Justice. Even when monetary penalties are avoided, entities must complete corrective steps and may be subject to ongoing oversight until compliance is verified.

Statistical Overview of Complaints

OCR publishes aggregate statistics on complaints it receives and resolves each year. Reported data typically include total complaint volume, the share resolved through investigation versus early closure, and the most common allegation categories.

  • Frequent issues include impermissible uses or disclosures, inadequate safeguards under the Security Rule, and delays in providing individuals access to their PHI.
  • Right of Access complaints have become a prominent focus, reflecting patients’ statutory entitlement to timely records access.
  • Large breaches often lead to broader Compliance Reviews that examine organizational controls beyond the initial incident.

These trends underscore the value of strong privacy practices, timely access processes, robust security safeguards, and well-rehearsed breach response programs.

Recent HIPAA Settlement Examples

Patterns seen in recent settlements

  • Right of Access: entities delayed or denied patient record requests, resulting in corrective action and monetary settlements.
  • Risk analysis and risk management gaps: ransomware or theft exposed ePHI where comprehensive risk analyses, encryption, or access controls were missing or outdated.
  • Business associate oversight: failures to execute or enforce business associate agreements contributed to impermissible disclosures.
  • Snooping and minimum necessary: workforce members accessed records without a job-related need, reflecting inadequate monitoring and sanctions.
  • Breach Notification Rule: delayed or incomplete notices to individuals and HHS increased enforcement exposure.

Practical lessons for compliance

  • Perform and update an enterprise-wide risk analysis; document risk management and verify that safeguards operate effectively.
  • Maintain streamlined Right of Access workflows with tracked timelines, fee controls, and audit trails.
  • Inventory business associates, execute agreements, and assess their security posture.
  • Log and monitor access, investigate anomalies, and apply consistent workforce sanctions.
  • Practice breach response: contain incidents, investigate root causes, and send accurate, timely notifications.
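The "snooping and minimum necessary" settlement pattern above and the lesson to "log and monitor access, investigate anomalies" both come down to the same control: comparing PHI access events against a documented care relationship. The script below is an added illustration, not code from the original article or from Accountable. It parses a constructed access log, flags each access to a patient the user is not assigned to, and raises a second finding when one user browses several unassigned charts within a short window. All user and patient identifiers, the log format, and the assignment table are hypothetical; in practice the assignment list would come from the EHR's care-team data and the thresholds would be tuned to the organization.

```python
"""Flag PHI record accesses that lack a documented care relationship."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data with hypothetical identifiers. A real deployment
# would load care-team assignments from the EHR rather than hard-code them.
ASSIGNMENTS = {
    ("u_nurse01", "pt_1001"),
    ("u_nurse01", "pt_1002"),
    ("u_dr_smith", "pt_1001"),
}

# Constructed sample access log (CSV: timestamp,user,patient,action).
ACCESS_LOG = """\
2024-10-01T08:02:11,u_nurse01,pt_1001,VIEW_CHART
2024-10-01T08:05:40,u_nurse01,pt_1002,VIEW_CHART
2024-10-01T12:30:05,u_nurse01,pt_2099,VIEW_CHART
2024-10-01T12:31:10,u_nurse01,pt_2100,VIEW_CHART
2024-10-01T12:31:55,u_nurse01,pt_2101,VIEW_CHART
2024-10-01T13:00:00,u_dr_smith,pt_1001,VIEW_LABS
2024-10-01T22:15:00,u_billing02,pt_1001,VIEW_CHART
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    patient: str
    action: str


@dataclass(frozen=True)
class Finding:
    user: str
    patient: str
    ts: datetime
    reason: str


def parse_log(text):
    """Parse CSV access-log lines into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.strip().split(",")
        events.append(Event(datetime.fromisoformat(ts), user, patient, action))
    return sorted(events, key=lambda e: e.ts)


def audit(events, assignments, burst_count=3, burst_window=timedelta(minutes=5)):
    """Return review findings for the two rules below.

    Rule 1: each access to a patient not on the user's assignment list is
            flagged individually (a candidate for review, not proof of snooping).
    Rule 2: when one user reaches `burst_count` distinct unassigned patients
            inside `burst_window`, one extra 'burst' finding is raised once,
            since rapid chart browsing is the classic snooping signature.
    """
    findings = []
    recent = {}          # user -> [(ts, patient)] for unassigned accesses
    burst_raised = set()
    for e in events:
        if (e.user, e.patient) in assignments:
            continue
        findings.append(Finding(e.user, e.patient, e.ts, "no documented care relationship"))
        window = [(t, p) for (t, p) in recent.get(e.user, []) if e.ts - t <= burst_window]
        window.append((e.ts, e.patient))
        recent[e.user] = window
        distinct = {p for _, p in window}
        if len(distinct) >= burst_count and e.user not in burst_raised:
            burst_raised.add(e.user)
            findings.append(Finding(e.user, "*", e.ts,
                                    f"{len(distinct)} unassigned patients within {burst_window}"))
    return findings


def summarize(findings):
    """Count findings per user, the view an investigator triages first."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(parse_log(ACCESS_LOG), ASSIGNMENTS)
    for f in results:
        print(f"{f.ts.isoformat()} {f.user:<12} {f.patient:<8} {f.reason}")
    print(summarize(results))
```

On the constructed log this yields five findings: three individual unassigned accesses plus one burst finding for the nurse who opened three foreign charts in under two minutes, and one after-hours access by a billing user. Each finding is a prompt for the investigation-and-sanctions step the article calls for, and the findings list itself becomes part of the monitoring documentation OCR asks for during a review.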

Conclusion

OCR’s approach is consistent: investigate significant risk, promote prompt remediation, and escalate where willful neglect or systemic failures exist. If you prioritize governance, document your HIPAA program, and respond quickly to issues, you materially reduce enforcement risk and protect individuals’ health information.

FAQs

How does the OCR determine if a HIPAA complaint is valid?

OCR checks whether the complaint alleges conduct covered by HIPAA, involves a covered entity or business associate, and was filed within the applicable timeframe. It then assesses whether the facts, if true, could violate the HIPAA Privacy Rule, Security Rule, or Breach Notification Rule and may request more information before deciding next steps.

What happens during an OCR HIPAA investigation?

OCR notifies the entity, requests documents, and analyzes policies, safeguards, logs, and actions taken. It may interview staff, conduct on-site or desk reviews, and evaluate mitigation and cooperation. Findings drive outcomes that range from technical assistance to a Resolution Agreement with a Corrective Action Plan or Civil Monetary Penalties.

Can entities appeal OCR enforcement actions?

Yes. Entities can challenge proposed Civil Monetary Penalties through the HHS administrative appeals process, which includes review by an Administrative Law Judge and potential further review by the Departmental Appeals Board. Settlements are typically negotiated resolutions, but entities may seek reconsideration of certain determinations.

What are common outcomes after an OCR investigation?

Common outcomes include closure with no violation, technical assistance, Voluntary Corrective Action, a Resolution Agreement with a multi-year Corrective Action Plan, or Civil Monetary Penalties. In rare cases suggesting criminal conduct, OCR may refer the matter to the Department of Justice.
