Patient Protect

OCR investigation

OCR is investigating your practice. Do not panic — but do not ignore it.

This is a practical guide to what OCR asks for, what deadlines apply, and how to respond without making it worse. No fear-mongering. No sales pitch. Just the process, the penalties, and the steps that matter right now.

Updated for 2026 · Penalty amounts current · 45 CFR Part 160

Triggers

What triggers an OCR investigation.

OCR does not investigate randomly in most cases. Something initiated the review. Understanding which trigger applies to your situation changes how you respond.

01. Patient complaint to OCR

A patient filed a complaint alleging a HIPAA violation. OCR is required to investigate every complaint that meets jurisdictional criteria. This is the most common trigger.

02. Breach report follow-up

You reported a breach to HHS as required. OCR follows up to assess whether the breach resulted from systemic non-compliance or an isolated incident.

03. Compliance review

OCR initiated a proactive audit of your practice. These can be random, targeted based on risk indicators, or part of a broader enforcement initiative.

04. Referral from another agency

Another federal or state agency referred your practice to OCR based on findings from their own investigation or audit activity.

Documentation

What OCR asks for.

OCR’s data request will be specific to the allegations, but these eight categories cover what they almost always ask for. If you cannot produce these, you have a problem.

1. Risk assessment documentation

The single most common gap OCR finds. They want evidence of a thorough, organization-wide risk assessment — not a checklist you downloaded.

2. Policies and procedures

Written policies covering the Privacy Rule, Security Rule, and Breach Notification Rule — specific to your practice, not generic templates.

3. Business Associate Agreements

Executed BAAs with every vendor that touches ePHI — EHR systems, cloud storage, billing services, IT support, shredding companies.

4. Workforce training records

Evidence that all workforce members received HIPAA training, when they received it, and what material was covered. Annual training is the minimum.

5. Access control evidence

Documentation showing who has access to ePHI, how access is granted and revoked, and that you enforce minimum necessary standards.

6. Incident response documentation

Your breach response plan and evidence of how you handled past incidents — including the investigation, mitigation steps, and notifications.

7. Audit logs and system access records

Technical evidence showing that you monitor who accesses ePHI, when, and from where. OCR expects audit controls under 45 CFR §164.312(b).

8. Evidence of corrective actions

If you had previous findings, complaints, or breaches — documentation proving you took corrective action and followed through.

Response protocol

How to respond. Step by step.

The first 48 hours after receiving an OCR notice set the tone for the entire investigation. Follow these steps in order.

1. Read the notice carefully

Identify the specific allegations, the regulatory provisions cited, and the response deadline. OCR notices are precise — your response needs to match that precision.

2. Do NOT destroy, alter, or create documents retroactively

Document spoliation is a separate violation. Backdating policies or fabricating training records will turn a correctable issue into a willful neglect finding. OCR investigators know what fresh ink looks like.

3. Engage legal counsel experienced in HIPAA enforcement

Not your general business attorney. You need someone who has handled OCR investigations specifically. The wrong response strategy can escalate a resolution agreement into a civil monetary penalty.

4. Gather existing documentation honestly

Collect everything you actually have — risk assessments, policies, training records, BAAs, audit logs. Organize it around the specific allegations. Do not create new policies to backfill gaps.

5. Respond within the stated deadline

OCR typically gives 30 days to respond to a data request. Missing the deadline signals non-cooperation and can escalate the investigation. If you need more time, request an extension in writing before the deadline.

6. Be cooperative but precise

Answer exactly what OCR asks. Provide the documentation they request. Do not volunteer information beyond the scope of the inquiry — every additional document you submit becomes part of the investigative record.

Enforcement

Penalty tiers under HITECH.

Penalties are assessed per violation, per year, based on the level of culpability. These are the 2024 inflation-adjusted amounts under 45 CFR §160.404.

Tier 1: Unknowing ($137 – $68,928)

The covered entity did not know and, by exercising reasonable diligence, would not have known about the violation.

Tier 2: Reasonable cause ($1,379 – $68,928)

The violation was due to reasonable cause and not willful neglect. The entity should have known about the violation but did not act with deliberate indifference.

Tier 3: Willful neglect, corrected ($13,785 – $68,928)

The violation resulted from willful neglect, but the entity corrected it within 30 days of discovery. Correction reduces but does not eliminate the penalty.

Tier 4: Willful neglect, not corrected ($68,928 – $2,067,813)

The violation resulted from willful neglect and was not corrected within 30 days. This tier carries the highest penalties and can include criminal referral.

Maximum: $2,067,813 per violation category per calendar year. Criminal penalties under 42 USC §1320d-6 can add fines up to $250,000 and imprisonment for knowing violations.

Patient Protect keeps audit-ready evidence from day one.

Automated risk assessments, policy management, training tracking, access controls, and audit logs — the exact documentation OCR asks for, generated continuously and stored securely. When the notice arrives, the evidence is already there.

FAQ

Common questions about OCR investigations.

What happens during an OCR investigation?

OCR sends a data request letter identifying the allegations and the specific documentation they need. You respond in writing with the requested evidence. OCR reviews it, may ask follow-up questions, and determines whether a violation occurred. Outcomes range from no violation found, to technical assistance, to a resolution agreement with corrective action, to civil monetary penalties. Most investigations are resolved through voluntary compliance or resolution agreements — not penalties.

How long does an OCR investigation take?

There is no fixed timeline. Simple complaint investigations can resolve in 3–6 months. Complex investigations involving systemic non-compliance, multiple violations, or large breach reports can take 1–3 years. During this time, you are expected to preserve all relevant documentation and respond to any additional data requests. The investigation remains open until OCR issues a closure letter.

Can I negotiate a settlement with OCR?

Yes. Most enforcement actions that result in financial penalties are resolved through resolution agreements — a negotiated settlement that includes a payment and a corrective action plan. The corrective action plan typically requires 2–3 years of monitored compliance improvements. Resolution agreements are public. OCR uses them as enforcement signals to the industry, which means your practice name, the violation, and the settlement amount will appear on the HHS breach portal.

What if I don’t have the documentation OCR asks for?

Be honest about it. Producing fabricated records is far worse than admitting gaps. If you lack a risk assessment, say so and describe what steps you are taking to complete one. If training records are incomplete, acknowledge it and present your remediation plan. OCR distinguishes between practices that were negligent and practices that are actively working to close gaps. Demonstrating good faith effort matters — it does not eliminate liability, but it significantly influences which penalty tier applies.