Who Investigates HIPAA Complaints? HHS Office for Civil Rights (OCR) Explained

Kevin Henry

HIPAA

March 23, 2026

OCR Jurisdiction and Complaint Eligibility

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the federal agency that investigates HIPAA complaints and leads compliance enforcement for health information privacy and security. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules.

OCR’s jurisdiction covers each HIPAA-covered entity—health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses—and any business associate that creates, receives, maintains, or transmits protected health information (PHI) for them. PHI includes identifiable health information in any form or medium.

OCR performs a jurisdiction determination at intake. It verifies that the respondent is a HIPAA-covered entity or business associate, that the alleged conduct involves PHI, and that HIPAA—not another law—governs the records. For example, educational records covered by FERPA or an employer’s non-PHI personnel files typically fall outside HIPAA.

To be eligible, a complaint must be in writing, name the entity (or business associate), describe the suspected violation, and generally be filed within 180 days of when you knew or should have known of the issue. OCR may extend this deadline for good cause. There is no filing fee, and you may file on your own behalf or (with proper authorization) for someone else.

Investigation Process and Methods

OCR follows a consistent, evidence-driven process designed to be fair, efficient, and focused on remediation where appropriate. If a complaint passes jurisdiction determination and screening, OCR opens a case and notifies the entity.

  • Intake and triage: OCR reviews the submission, may request clarifications, and decides whether to investigate, provide technical assistance, or close for lack of jurisdiction or insufficient information.
  • Document requests: OCR seeks policies, risk analyses, training records, business associate agreements, access logs, incident reports, and other artifacts relevant to the allegations.
  • Interviews and data analysis: OCR interviews workforce members or vendors, assesses system configurations and safeguards, and analyzes how PHI was created, accessed, transmitted, or disclosed.
  • On-site visits (as needed): For complex cases, OCR may conduct on-site assessments to verify safeguards and practices.
  • Findings and resolution: OCR evaluates compliance with the HIPAA Rules and determines appropriate corrective steps or enforcement actions.

Throughout the investigation, OCR considers the entity’s size, complexity, risk environment, and good-faith efforts to comply. Prompt, complete cooperation and swift remediation often influence outcomes.

Enforcement Actions and Penalties

When OCR identifies noncompliance, it selects an enforcement path proportionate to the issues and risks to health information privacy. Options range from technical assistance and voluntary compliance to formal agreements and penalties.

  • Technical assistance or voluntary corrective action for limited or low-risk issues, often with follow-up verification.
  • Resolution Agreement with a Corrective Action Plan (CAP) that binds the entity to specific steps, deliverables, and timelines under OCR oversight.
  • Civil money penalty (CMP) for serious, uncorrected, or willful neglect violations. CMPs are tiered by culpability and subject to statutory maximums, with amounts adjusted periodically for inflation.
  • Referral to the U.S. Department of Justice for potential criminal investigation when misconduct appears intentional or egregious.

Where willful neglect is found and not timely corrected, HIPAA requires formal enforcement. OCR also conducts compliance reviews independent of individual complaints when patterns or breach reports suggest systemic risk.

Corrective Action Plans

A corrective action plan is a negotiated, enforceable roadmap for returning to and sustaining compliance. It translates investigation findings into measurable obligations and timelines.

  • Core elements: governance improvements, designation of responsible leaders, comprehensive risk analysis, risk management and remediation, policy and procedure updates, and workforce training.
  • Verification: periodic progress reports to OCR, production of documentation (e.g., training rosters, revised policies), and sometimes independent assessments or audits.
  • Accountability: CAPs typically run for multiple reporting periods. Failure to meet milestones can lead to extensions, additional requirements, or civil money penalty exposure.

Done well, a corrective action plan not only fixes the problem that triggered the complaint but also reduces enterprise risk and strengthens day-to-day privacy and security operations.

Privacy Practices Improvement

Even when no formal penalties are imposed, OCR expects sustainable improvements that protect PHI. Embedding these practices helps you prevent violations and demonstrate ongoing good-faith compliance.

  • Governance and risk: maintain an enterprise-wide risk analysis, manage risks to reasonable and appropriate levels, and review controls after technology or workflow changes.
  • Safeguards: apply administrative, physical, and technical safeguards such as role-based access, encryption, audit logging, and secure disposal for all PHI.
  • Vendor management: execute and monitor business associate agreements; ensure subcontractors meet HIPAA obligations; document due diligence and remediation.
  • Workforce readiness: provide role-specific training, manage user access promptly, enforce sanctions for violations, and reinforce “minimum necessary” use and disclosure.
  • Incident readiness: sustain an incident response plan, test breach assessment and notification procedures, and record lessons learned to refine controls.

Rights of Complainants

HIPAA protects individuals who raise concerns in good faith. Covered entities and business associates may not retaliate against you for filing a complaint or participating in an OCR investigation. You may ask OCR to keep your identity confidential from the entity; OCR generally honors such requests but may disclose information if necessary for the investigation or required by law.

You can submit additional information while the case is open and expect communications on key steps, such as case opening, requests for information, and closure. OCR’s role is compliance enforcement; it does not award personal damages. However, OCR’s actions can drive systemic fixes that protect you and others going forward.

OCR provides language access and disability accommodations. There is no fee to file, and you do not need a lawyer to start the process.

In short, if you wonder who investigates HIPAA complaints, the HHS Office for Civil Rights is your federal partner. Its mission-centered approach—fact-finding, corrective action plans, and, when necessary, civil money penalty authority—protects health information privacy while promoting practical, lasting compliance.

FAQs

Who can file a HIPAA complaint?

Anyone who believes a HIPAA-covered entity or its business associate violated the HIPAA Privacy, Security, or Breach Notification Rules can file. You may file for yourself, for someone else with written authorization, or as a whistleblower. Complaints should be in writing and generally submitted within 180 days of learning about the issue.

What happens after a HIPAA complaint is filed?

OCR screens the complaint for jurisdiction and timeliness. If accepted, OCR notifies the entity, requests documents, and may conduct interviews or site visits. Outcomes range from technical assistance and voluntary compliance to a resolution agreement with a corrective action plan or, for serious violations, a civil money penalty. OCR keeps you informed of key milestones and closure.

How does OCR determine if a violation occurred?

OCR confirms whether the respondent is a HIPAA-covered entity or business associate, whether PHI was involved, and which HIPAA provisions apply. It reviews policies, risk analyses, training, access controls, logs, and incident handling to assess whether safeguards were reasonable and appropriate and whether any noncompliance was corrected promptly.

What enforcement actions can OCR take?

Depending on the facts, OCR may provide technical assistance, obtain voluntary corrective action, enter a resolution agreement with a corrective action plan, or impose a civil money penalty. When intentional or criminal conduct is suspected, OCR can refer the matter to the Department of Justice.
