What is the process used by the OCR for the investigation of a HIPAA complaint?

The Office for Civil Rights investigates a HIPAA complaint by receiving and screening the submission for jurisdiction and timeliness, opening an investigation when acceptance criteria are met, notifying the complainant and the respondent, requesting and reviewing documentation and written statements, and pursuing resolution through voluntary compliance that may include corrective actions and a financial settlement.

OCR Authority and Scope

The Office for Civil Rights within the U.S. Department of Health and Human Services enforces the HIPAA Privacy Rule and the HIPAA Security Rule. Enforcement activity includes complaint investigations, compliance reviews, and education and outreach. Certain matters may be referred to the Department of Justice for potential criminal violations.

Complaint Submission

A complaint may be submitted through the Office for Civil Rights complaint portal or by phone, fax, or email. The submission identifies the covered entity or business associate involved and provides a brief description of the alleged conduct. Complaints are expected to be filed within 180 days of the alleged violation; a complaint filed after 180 days may still be accepted when the complainant demonstrates good cause.

Screening and Acceptance Criteria

The Office for Civil Rights reviews complaints and opens investigations that meet jurisdictional and timeliness requirements. The alleged action must have occurred within the prior six years. The respondent must be an entity subject to the HIPAA Privacy Rule and the HIPAA Security Rule. The allegations must describe conduct that could violate HIPAA requirements. The complaint must meet the 180-day filing timeframe, subject to an extension for good cause.

Investigation Initiation and Notice

When the Office for Civil Rights accepts a complaint for investigation, it notifies the complainant and the covered entity. The agency requests information from both parties to establish the facts. The agency may request specific documentation and written responses to evaluate compliance. Covered entities are required to cooperate with complaint investigations and respond to Office for Civil Rights requests for information.

Information Requests and Review Activities

Investigation activity includes review of documentation and representations provided by the parties. Requests may include policies and procedures, HIPAA training documentation that includes proof of staff testing rather than self-attestation, processes used to handle individual rights requests, and other materials relevant to the allegations. The agency may issue follow-up requests for information when initial submissions do not address the agency's questions or when additional facts are required for a compliance determination.

Relationship to Breach-Related Reviews

A complaint investigation is initiated by a submission to the Office for Civil Rights, while breach-related investigations may arise from reporting under the HIPAA Breach Notification Rule. Both processes can require similar documentation and may involve assessment of the same compliance program elements under the HIPAA Privacy Rule and the HIPAA Security Rule.

Resolution and Closure

When the Office for Civil Rights identifies indications of noncompliance, the agency seeks voluntary compliance. Resolution may require corrective actions that address identified deficiencies. A resolution agreement may include a financial settlement and documented corrective action obligations. Some matters close without a formal resolution agreement when the agency accepts demonstrated corrective measures and compliance commitments.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]