Understand What You're Dealing With
When a patient (or anyone else) files a complaint with HHS's Office for Civil Rights, OCR is required to review it and determine whether to investigate. Receiving OCR's notice of the complaint doesn't mean you've been found guilty of anything — it means OCR is asking for your side of the story. How you respond matters enormously.
Step 1: Read the Complaint Notice Carefully
OCR's notice will describe the general nature of the complaint. Common complaint categories include:
- Denial of access to medical records
- Impermissible disclosure of PHI to a third party
- Use of PHI for marketing without authorization
- Failure to provide a Notice of Privacy Practices
- Inadequate safeguards for PHI
- Failure to honor a patient's request for restriction or amendment
Understanding the specific allegation helps you focus your internal investigation and response.
Step 2: Engage Legal Counsel
Contact HIPAA-experienced legal counsel before responding to OCR. Your attorney can:
- Help you draft a legally sound response that addresses OCR's questions without expanding the investigation's scope
- Advise on whether attorney-client privilege applies to communications with OCR
- Represent you in discussions with OCR investigators
- Negotiate if OCR proposes corrective actions or civil monetary penalties
Step 3: Conduct an Internal Investigation
Before responding, get the facts:
- Interview the workforce members involved in the alleged incident
- Pull relevant audit logs, access records, emails, and documentation
- Review your policies and procedures to determine whether they were followed
- Review your training records to confirm relevant employees received HIPAA training
- Reconstruct the timeline of events as accurately as possible
Be honest with yourself. If a violation occurred, acknowledge it internally and plan your corrective actions. OCR responds better to organizations that self-identify problems and fix them than to those who are defensive.
Step 4: Document Your Compliance Efforts
OCR will evaluate not just whether the alleged incident occurred, but whether you have a robust compliance program. Gather evidence of your program:
- Current policies and procedures (with last review date)
- Most recent Security Risk Analysis
- Training records for the workforce
- Business Associate Agreements
- Privacy and security policies relevant to the complaint
- Any previous similar complaints and how they were handled
Step 5: Respond to OCR Within the Required Timeframe
OCR's notice will include a deadline for your response — typically 30 days. Your response should:
- Address each element of the complaint specifically
- Provide documentary evidence supporting your position
- Acknowledge any actual violations honestly and describe corrective actions taken
- Demonstrate your overall compliance program
- Avoid speculation or providing more information than requested
Possible Outcomes
After reviewing your response, OCR may:
- Close the investigation — if OCR determines that no violation occurred or that the complaint lacks merit
- Provide technical assistance — informal guidance on how to achieve compliance, without formal findings
- Negotiate a Corrective Action Plan (CAP) — an agreement under which you implement specific compliance improvements under OCR's oversight
- Enter into a Resolution Agreement — for more serious violations; typically includes a financial settlement and a monitored CAP
- Impose a Civil Monetary Penalty — in the most serious cases, OCR can impose fines
The vast majority of investigated complaints are resolved through technical assistance or corrective action plans — not fines. Your cooperation and demonstrated commitment to compliance are the most important factors in determining the outcome.
Step 6: Corrective Actions
Whether or not OCR requires it, implement corrective actions for any identified deficiencies. This demonstrates good faith and reduces the likelihood of future violations. Document every corrective action with a completion date and evidence of implementation.