The Office for Civil Rights investigates and enforces compliance with the HIPAA Privacy Rule and the HIPAA Security Rule through complaint investigations, compliance reviews, and breach-related inquiries.
OCR Role and Enforcement
The Office for Civil Rights within the U.S. Department of Health and Human Services enforces the HIPAA Privacy Rule and the HIPAA Security Rule. Enforcement activity includes investigating complaints submitted to the agency, conducting compliance reviews, and performing education and outreach activities intended to support compliance. Certain matters may be referred to the Department of Justice for potential criminal violations.
How Complaints Are Filed
A complaint may be submitted through the Office for Civil Rights complaint portal or by mail, fax, or email. The submission identifies the covered entity or business associate involved and briefly describes the alleged conduct. A complaint must be filed within 180 days of when the complainant knew, or should have known, that the alleged violation occurred. The Office for Civil Rights may extend the 180 day period when the complainant shows good cause for the late filing.
Which Complaints OCR Investigates
The Office for Civil Rights screens each complaint it receives and opens an investigation only when jurisdictional and timeliness criteria are met. The complaint must be against a covered entity or business associate subject to the HIPAA Privacy Rule or the HIPAA Security Rule, and the allegations must describe conduct that, if true, could violate those rules. The complaint must meet the 180 day filing timeframe, subject to extension for good cause. The alleged action must also fall within the six year period after which civil money penalties can no longer be imposed for a violation.
What Happens After a Complaint Is Accepted
When the Office for Civil Rights accepts a complaint for investigation, the agency notifies the complainant and the covered entity. The parties are requested to provide information regarding the incident and related practices. The agency may request specific documentation or written responses to establish the facts and assess compliance. Covered entities are required to cooperate with complaint investigations and respond to requests for information.
Complaint Investigations vs Breach Investigations
Complaint investigations and breach investigations follow different initiation paths but can involve similar compliance issues and similar document production expectations. Complaint investigations begin with allegations submitted to the agency. Breach investigations may follow breach reporting obligations under the HIPAA Breach Notification Rule. Both processes can require production of policies, procedures, training records, and other documentation that supports compliance with the HIPAA Privacy Rule and the HIPAA Security Rule.
Breach Reporting Requirements Under the HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals and the Secretary of Health and Human Services of breaches of unsecured protected health information; business associates must notify the covered entity. A breach is treated as discovered on the first day it is known to the entity, or would have been known with reasonable diligence, not on the day it occurred. Breaches affecting fewer than 500 individuals must be logged and reported to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered; covered entities may report these events as they occur or in a consolidated annual submission. Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 calendar days from discovery, with media notice also required when more than 500 residents of a state or jurisdiction are affected. Late reporting is itself a compliance failure and routinely becomes part of the agency's review.
What to Expect When OCR Opens a Breach Investigation
A breach investigation typically begins when the organization receives written notice from the Office for Civil Rights. The notice may identify potential violations under the HIPAA Privacy Rule and the HIPAA Security Rule and may require production of a set of documents for review. The initial request frequently has a short deadline, commonly around 20 days. Additional requests for information may follow. Subsequent deadlines can be shorter than the initial deadline. Investigation duration varies. Some matters resolve in months while others extend longer based on scope, responsiveness, and the agency’s review needs.
How OCR Resolves Cases
When the Office for Civil Rights finds indications of noncompliance, it first seeks to resolve the matter through voluntary compliance. Resolution may require corrective actions to address the identified deficiencies. A resolution agreement may combine a financial settlement with documented corrective action obligations, typically tracked through a corrective action plan with periodic reporting to the agency. Some matters close without a formal resolution agreement when the agency accepts the corrective measures already taken and the entity's compliance commitments. Where voluntary resolution is not reached, the agency may impose civil money penalties.
Lessons Learned Summary
Organizations reduce enforcement exposure by maintaining documented, demonstrable compliance with the HIPAA Privacy Rule and the HIPAA Security Rule. An accurate and thorough risk analysis, as the Security Rule requires, identifies threats and vulnerabilities to electronic PHI and drives the selection of administrative, physical, and technical safeguards; the absence of a documented risk analysis is among the most common findings in enforcement actions. Written policies and procedures support consistent operational behavior. HIPAA training must be provided to all workforce members who handle PHI, and the Privacy Rule requires that the training be documented; investigators request records such as training content, dates, and attendance, so organizations should retain that evidence rather than rely on undocumented attestations. A written process for responding to an individual's request for access to records supports the Privacy Rule's timeliness requirement of 30 days, with one 30 day extension available. Business associate agreements should be executed and maintained. Security controls and regular review of system activity, which the Security Rule requires through audit controls and information system activity review, support the detection and prevention capabilities that breach investigations examine.
