How Are Most HIPAA Privacy Complaints Resolved? Typical Outcomes and What to Expect


Kevin Henry

HIPAA

May 31, 2025

7 minute read

Complaint Dismissal Rates

What counts as a “dismissal” in HHS-OCR Complaint Resolution

When you file a HIPAA privacy complaint, the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS-OCR) first checks jurisdiction and basic criteria. A complaint may be dismissed or closed at intake if the entity isn’t a HIPAA covered entity or business associate, the events are too old, the facts don’t allege a HIPAA violation, or the matter is better handled by another agency or court.

Typical closure patterns you can expect

Historically, most HIPAA privacy complaints do not lead to formal penalties. In a typical year, a substantial share—often the majority—are closed at intake or resolved through early outreach and technical assistance rather than a full investigation. Only a small fraction progress to findings that require a corrective action plan, a resolution agreement, or civil monetary penalties.

How to reduce the chance of dismissal

Be specific and complete. Identify the covered entity or business associate, provide dates and facts, and attach documentation (for example, denial letters for right-of-access issues or evidence of impermissible disclosures). Clear, well-supported complaints are more likely to be investigated and to result in corrective steps.

Technical Assistance Outcomes

What “technical assistance” looks like in practice

Technical assistance is HHS-OCR’s most common, non-punitive outcome for HIPAA privacy complaints. OCR may coach you on your rights or guide the organization on how to comply. The agency can point to specific Privacy Rule or Security Rule requirements and suggest practical fixes, such as updating a Notice of Privacy Practices, tightening minimum-necessary workflows, or improving authentication for patient portal access.

Why technical assistance is common

Many issues stem from misunderstandings or incomplete processes rather than willful violations. Technical assistance quickly corrects deficiencies, restores patients’ rights (for example, timely access to records), and improves privacy practices without lengthy enforcement. It is a hallmark of HHS-OCR Complaint Resolution because it achieves compliance with less burden for everyone involved.

What you should expect after technical assistance

You can expect the organization to implement the recommendations promptly. Covered entity obligations typically include updating policies, retraining staff, documenting changes, and monitoring for recurrence. If problems persist, OCR can escalate to a formal investigation or stronger enforcement measures.

Corrective Action Plans

When a Corrective Action Plan is used

A Corrective Action Plan (CAP) is imposed when OCR identifies noncompliance that requires structured, verifiable remediation. CAPs are more formal than technical assistance and frequently accompany resolution agreements following an investigation or a HIPAA compliance review. They aim to prevent recurrence and to prove sustained compliance.

What a CAP usually includes

Expect detailed tasks tied to covered entity obligations: risk analysis and risk management, policy revisions, workforce training, vendor (business associate) oversight, and reporting to OCR. CAPs often set deadlines, require executive attestation, and mandate periodic submissions—such as training rosters, security test results, or proof of access-request turnaround times.

Duration, monitoring, and consequences

CAPs commonly run for one to three years. OCR monitors progress through deliverables and may require independent assessments. Failure to meet CAP milestones can prompt additional enforcement, including civil monetary penalties if violations persist or willful neglect is found.

Civil Monetary Penalties

When civil monetary penalties are applied

Civil Monetary Penalties (CMPs) are reserved for serious or aggravated violations—especially willful neglect, repeated noncompliance, refusal to cooperate, or egregious harm. OCR weighs the nature and extent of the violation, the resulting harm, the entity’s size and resources, and its history of compliance before proposing penalties.

How OCR determines the amount

HIPAA’s penalty framework groups violations into tiers based on culpability, from “did not know” up to “willful neglect not corrected.” Within those tiers, OCR considers mitigating and aggravating factors, the number of violations, and the duration of noncompliance. CMPs can total in the millions in complex cases with extended, repeated violations.

Process and opportunities to respond

Before imposing CMPs, OCR issues a notice and provides an opportunity to submit written arguments or request a hearing before an administrative law judge. Many matters settle before a final penalty, often transitioning to a resolution agreement coupled with a CAP.


Criminal Referral Process

When a complaint becomes a criminal matter

Most HIPAA privacy complaints are civil. However, if OCR uncovers potential criminal conduct—such as knowingly obtaining or disclosing protected health information (PHI) for personal gain, malicious harm, or under false pretenses—it refers the matter to the Department of Justice (DOJ) for investigation.

What a criminal referral involves

After referral, DOJ leads. Potential penalties under 42 U.S.C. 1320d-6 range from fines and up to one year of imprisonment for basic offenses, up to five years for offenses under false pretenses, and up to ten years for offenses involving intent to sell, transfer, or use PHI for personal gain or malicious harm. Criminal referrals are comparatively rare and focus on intentional misconduct.

Resolution Agreements

What a resolution agreement does

A resolution agreement is a negotiated settlement between OCR and the organization. It typically includes a financial payment and a multi-year Corrective Action Plan but usually states there is no admission of liability. Resolution agreements close out investigations or HIPAA compliance reviews while ensuring concrete, monitored improvements.

When organizations choose settlement

Entities often resolve cases through resolution agreements to avoid the uncertainty, cost, and publicity of litigation or a CMP. The agreement memorializes corrective steps, timelines, and reporting obligations, giving OCR assurance that privacy and security risks will be fixed and verified.

Enforcement and Compliance Reviews

How HIPAA Compliance Reviews start

OCR doesn’t need a complaint to act. It can initiate HIPAA compliance reviews based on breach reports, patterns of noncompliance, or other intelligence. Reviews can be broad, covering Privacy, Security, and Breach Notification Rule requirements, or targeted to specific risk areas like access controls or vendor management.

What a compliance review examines

OCR evaluates governance, risk analysis and risk management, safeguards for electronic PHI, minimum-necessary practices, notices and authorizations, right-of-access operations, incident response, and business associate oversight. Documentation is critical—policies, risk assessments, training materials, audit logs, and evidence of ongoing monitoring.

Possible outcomes of a review

Outcomes mirror complaint-based enforcement: technical assistance, a letter of corrective action, a Corrective Action Plan, a resolution agreement with payment, or civil monetary penalties. Repeated or systemic gaps increase the likelihood of a CAP or financial settlement.

Covered Entity Obligations to prioritize

  • Conduct an enterprise-wide risk analysis and update it regularly; implement risk management plans.
  • Maintain current, enforceable policies for privacy, security, breach notification, and business associate management.
  • Train the workforce and document attendance, comprehension, and retraining.
  • Monitor access, use, and disclosures; enforce minimum-necessary standards.
  • Respond promptly to right-of-access requests and track turnaround times.

Key takeaways

Most HIPAA privacy complaints are resolved without fines—often through dismissal at intake or technical assistance that corrects issues quickly. More serious or persistent noncompliance triggers structured corrective action plans, resolution agreements, or, in rare cases, civil monetary penalties or criminal referrals. Strong governance, documentation, and continuous risk management are your best defense.

FAQs

What percentage of HIPAA complaints are dismissed?

The percentage varies by year, but historically a large share, often the majority, are closed at intake because they fall outside HIPAA jurisdiction, are untimely, or don’t allege a violation, or are resolved early through technical assistance. Only a small fraction advance to findings that require a corrective action plan, a resolution agreement, or civil monetary penalties.

How does HHS-OCR provide technical assistance?

OCR contacts the complainant and/or the organization to explain applicable HIPAA requirements and practical steps to fix issues. This may include clarifying right-of-access timelines, tightening minimum-necessary practices, updating notices and authorizations, improving security safeguards, and retraining staff. Technical assistance is a core HHS-OCR Complaint Resolution tool designed to achieve rapid, sustainable compliance.

When are civil monetary penalties applied?

Civil monetary penalties are considered when violations are serious, repeated, or reflect willful neglect—especially if not promptly corrected. OCR applies a tiered penalty framework and weighs factors such as harm, duration, culpability, compliance history, and the entity’s financial condition. Many cases settle through resolution agreements with a Corrective Action Plan instead of a final penalty.

What happens in a criminal referral under HIPAA?

If OCR uncovers potential criminal conduct (for example, knowingly obtaining or disclosing PHI for personal gain or malicious harm), it refers the case to the Department of Justice. DOJ then investigates and may prosecute. Convictions can carry fines and imprisonment, with higher penalties for offenses under false pretenses or for profit-driven misuse of PHI.
