How long does a HIPAA investigation take?


Though most HIPAA violations are avoidable, that some violations will occur is inevitable. Even the most diligent worker will occasionally make a mistake and, for example, send an email to the incorrect recipient. Incidental violations may also occur despite an individual’s best efforts. Should these violations occur, investigations will need to take place to determine their cause and scope. But how long does a HIPAA investigation take place? 

Unfortunately, there is no clear answer to this question. There are several steps involved in a HIPAA investigation, and how long each step will take will depend on the nature of the violation, how cooperative individuals are, and whether any protected health information (PHI) was breached as a result of the violation. 

So, when considering “how long does a HIPAA investigation take?” we must first consider each step involved in a HIPAA investigation.

In the first instance, if any employee has concerns regarding a potential HIPAA violation in their workplace, they should contact their workplace’s HIPAA Compliance Officer. Under HIPAA, all workplaces are required to appoint such an officer, who will also act as a point of contact for any members of the public who have HIPAA-related concerns.

Once the HIPAA Compliance Officer has received the complaint, they should then launch an internal investigation. This investigation should, in the first instance, ascertain whether a HIPAA violation did indeed occur; if the Compliance Officer determines that there was no violation, then the investigation will cease. 

In cases where there was a HIPAA violation, then the Compliance Officer will need to establish the cause of the violation, whether it was intentional, accidental, or incidental, and the scope. Usually, if the violation is minor, then the Compliance Officer may recommend additional training for the employees involved or, indeed, recommend that no further action is taken. 

However, if the violation is more severe – such as intentional access of PHI for personal gain, or if there was an outright data breach – then the case will be referred to the Office for Civil Rights. Part of the Department for Health and Human Services, the OCR oversees HIPAA compliance. Members of the public who are dissatisfied with the outcome of the organization’s internal investigation may also complain directly to the OCR. 

It is, again, difficult to put a timeline on these activities, but all violations must be reported to the OCR within 180 days of their discovery. There is some flexibility in this timeline, if there are mitigating circumstances. 

Again, once the OCR receives reports of the potential violation, it must determine whether a violation has occurred. Indeed, in the vast majority of cases, the OCR determines that there was no violation, or that too much time has elapsed since the violation occurred. 

If a violation did occur, the OCR has three possible means of resolving it. Which it will choose will depend on the nature of the violation and the outcomes of its investigation. Most commonly, it proposes a voluntary corrective action plan to help resolve the issues that caused the violation in the first place. The OCR may also issue civil penalties, whose value depends on the severity of the violation. 

Finally, if the OCR suspects that there was criminal activity, they will refer the case to the Department of Justice, who will then conduct their own investigation. 

So, how long does a HIPAA investigation take? It is very difficult to say. It is like that, at minimum, it will take a few weeks, but in criminal cases it may take considerably longer.