What Happens When OCR Gets a Complaint About Your Clinic

A complaint to the HHS Office for Civil Rights (OCR) is one of the most common ways a small clinic first encounters HIPAA enforcement. The trigger can be mundane: a patient thinks staff talked too loudly at the front desk, a portal message was sent to the wrong person, a record request took too long, or a bill went to the wrong address. It can also be serious: an impermissible disclosure, a breach, or a pattern of access control failures. Either way, the moment OCR contacts your clinic, you are no longer dealing with a customer service problem. You are dealing with a federal investigation process that has defined intake rules, defined enforcement powers, and a paper trail that can outlive the original incident.

The good news is that most OCR matters do not end in headline-making penalties. OCR’s own enforcement description emphasizes that many cases are resolved through voluntary compliance, corrective action, and resolution agreements rather than civil money penalties. The bad news is that “most cases are resolved informally” is not the same thing as “most cases are painless.” If your documentation is thin, your policies are out of date, or your response is disorganized, the process can expand from the original allegation into a broader review of how your clinic runs privacy and security.

This article explains, in operational terms, what OCR looks at during complaint intake, what typically happens after OCR accepts a complaint for investigation, what kinds of information OCR can request, and how a clinic should respond when the first letter arrives. It focuses on the actual rules and OCR’s published process descriptions, not folklore.

Informational note: This report is for informational purposes only and does not constitute legal advice.

OCR’s role and what a complaint actually starts

OCR is the federal agency within HHS responsible for enforcing the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. One mechanism OCR uses is investigating complaints, and it also has authority to conduct compliance reviews. OCR’s published enforcement overview explains that if it accepts a complaint for investigation, it notifies both the complainant and the covered entity, collects information from both sides, and evaluates evidence to determine whether the covered entity complied with HIPAA. If noncompliance is indicated, OCR typically tries to resolve the matter through voluntary compliance, corrective action, and/or a resolution agreement. If the matter is not resolved to OCR’s satisfaction, OCR may impose civil money penalties, and those penalties are subject to an administrative hearing process.

Two practical implications fall out of that description. First, “OCR got a complaint” does not automatically mean “OCR has decided you violated HIPAA.” It means OCR has a claim to screen and, if accepted, an incident to investigate. Second, once OCR accepts a complaint for investigation, you should expect formal requests for information rather than informal back-and-forth. OCR is building a record.

OCR also notes that if a complaint describes conduct that could implicate HIPAA’s criminal provision, OCR may refer the matter to the Department of Justice for investigation. That is not the typical clinic scenario, but it is part of the system, and it is one reason accuracy and completeness matter when responding to OCR. 

What OCR screens for before it can take action

OCR does not take enforcement action on every complaint it receives. OCR’s intake criteria are straightforward and worth knowing because they explain why some complaints result in an investigation letter and others never progress past screening.

OCR states that, as a threshold matter, it may take action only on complaints that meet several conditions. The complaint must concern an entity required by law to comply with HIPAA, meaning a covered entity or business associate. The complaint must allege conduct that, if proven true, would violate the HIPAA Rules. The complaint must generally be filed within 180 days of when the complainant knew or should have known about the alleged violation, although OCR may waive this time limit for good cause. 

OCR also states a separate intake limitation that frequently gets misunderstood: OCR may take action only if the alleged action occurred in the past six years. That six-year window is not a promise that a complainant “has six years to file.” It is a limit on OCR’s ability to take action on older conduct, layered on top of the 180-day filing expectation. In other words, the complaint is supposed to be timely from the complainant’s perspective, and the underlying conduct must also fall within OCR’s enforcement window. 

For clinics, this is more than trivia. Intake rules drive OCR’s first questions. If a complaint is vague, OCR may look for enough detail to determine whether the allegation, if true, would violate HIPAA. If a complaint involves an entity that is not a covered entity or business associate, OCR may close it quickly. If the complaint appears untimely, OCR may evaluate whether good cause exists for waiver. The strongest early posture is being able to explain, in plain terms, what happened and how your HIPAA controls functioned at the time.

What the first OCR letter usually means

If OCR accepts a complaint for investigation, OCR’s enforcement description states that it will notify the covered entity and ask both the complainant and the covered entity to present information about the incident or problem. OCR may request specific information to understand the facts, and covered entities are required by law to cooperate with investigations. 

Separate from OCR’s narrative description, the HIPAA Enforcement Rule sets expectations about content and process. The regulation governing HIPAA complaints states that at the time of the initial written communication with the covered entity about the complaint, the Secretary will describe the acts and/or omissions that are the basis of the complaint. That is a useful anchor point: the first communication should tell you the general subject matter and the alleged conduct, even if it does not include every detail you might want.

Clinics often panic because the letter feels broad, and sometimes it is. A complaint about a single disclosure can create reasonable questions about your policies, your staff training, your minimum necessary controls, your access logging, or your breach assessment process. OCR’s authority is not limited to the exact sentence in the complaint. The investigation can include a review of pertinent policies, procedures, or practices and the circumstances regarding the alleged violation. 

There is another point worth stating plainly. A clinic should treat the first OCR letter as a formal regulatory intake, not as a negotiation. It is not the moment to guess, improvise, or submit a half-formed narrative. It is the moment to slow down, organize the response, preserve records, and make sure the clinic can prove what it says.

The clinic’s duty to cooperate and what OCR can require

HIPAA’s enforcement regulations require cooperation. The regulation on responsibilities of covered entities and business associates states that a covered entity or business associate must cooperate with the Secretary if the Secretary undertakes an investigation or compliance review of the entity’s policies, procedures, or practices. That same regulation provides that the entity must keep records and submit compliance reports in the time and manner and containing such information as the Secretary determines necessary to ascertain compliance, and it must permit access to information. 

OCR also has subpoena authority. The investigational subpoena regulation states that the Secretary may issue subpoenas to require the attendance and testimony of witnesses and the production of evidence during an investigation or compliance review. In practice, most clinic investigations do not start with subpoenas, but the existence of subpoena authority changes the dynamic. Ignoring OCR requests, providing incomplete information, or treating deadlines casually can escalate the matter in ways that do not help the clinic. 

The phases of an OCR complaint, from intake to closure

OCR’s “what to expect” guidance for complainants gives a concise description of the lifecycle. OCR reviews complaints and generally may take action only if the complaint is filed within 180 days and concerns a regulated entity. After investigation, OCR issues a letter describing the resolution. If OCR determines the entity may not have complied, OCR expects voluntary compliance, corrective action, or a settlement, and if the entity does not take satisfactory action, OCR may impose civil money penalties, subject to administrative hearing. 

From a clinic operations standpoint, it is useful to translate this into phases:

First, there is screening and acceptance. This is where jurisdiction, timeliness, and the nature of the allegation are evaluated against the intake criteria OCR publishes.

Second, there is fact development. OCR contacts the clinic, requests documents and narratives, and may seek clarification. The enforcement rule explicitly allows OCR investigations to include review of policies, procedures, or practices, not just the incident itself. 

Third, there is compliance analysis and resolution. If OCR finds no violation, the matter can be closed with a closure letter describing the resolution. If OCR sees noncompliance, the usual path is informal resolution through voluntary compliance or corrective action, sometimes formalized through a resolution agreement and corrective action plan. The enforcement regulations explicitly state that if an investigation or compliance review indicates noncompliance, the Secretary may attempt to reach a satisfactory resolution by informal means, including demonstrated compliance, a completed corrective action plan, or other agreement. 

Finally, there is escalation. If informal resolution is not satisfactory, OCR can move toward civil money penalties, with an administrative adjudication process. OCR’s enforcement overview notes that complainants do not receive a portion of civil money penalties collected, which matters because some complainants assume OCR is a damages vehicle. It is not. 

What OCR tends to ask for, and why “six years” matters twice

When OCR investigates a complaint, the clinic should expect requests that test whether the clinic had required HIPAA documentation and whether it was implemented in practice. HIPAA itself gives strong clues about what must exist and therefore what OCR will ask to see.

For Privacy Rule administration, the regulation requires covered entities to maintain certain documentation and retain it for six years from the date of creation or the date it last was in effect, whichever is later. That retention requirement matters because OCR investigations frequently ask for the policies and procedures that were in effect at the time of the alleged incident, not the policy version you rewrote last week after the letter arrived. If you cannot produce the “then” version, it becomes harder to demonstrate compliance. 

For Security Rule documentation, the regulation similarly requires retaining required documentation for six years from the date of creation or last effective date, whichever is later. If the complaint involves security of electronic PHI, access controls, audit logs, user provisioning, ransomware response, or similar issues, you should expect OCR to ask for security policies and procedures, risk management artifacts, and evidence that safeguards were actually implemented. 

That is the first “six years.” It is the clinic’s retention obligation for HIPAA documentation.

The second “six years” is OCR’s intake limitation that it may take action only where the alleged action occurred in the past six years. That is not a documentation rule; it is a boundary on OCR’s enforcement window. The two are related operationally: if OCR can act on events up to six years back, your ability to produce the relevant policies, procedures, logs, and records over that same timeframe becomes important.

In addition to retention, HIPAA also requires process. A covered entity must provide a process for individuals to make complaints to the covered entity concerning its HIPAA policies and procedures or compliance with them. That internal complaint process is separate from the right to complain to OCR, but it often becomes relevant because OCR may ask how your clinic handles complaints, whether it documents them, and whether it prevents retaliation. 

Finally, OCR’s HIPAA Audit Protocol, which OCR uses in its audit program, provides a window into the kinds of documents and evidence OCR expects entities to produce when reviewed. OCR explicitly instructs entities to provide specified documents rather than dumping a full policy library, and it describes collection and submission mechanics through OCR’s secure portal in typical audit settings. While an audit is not identical to a complaint investigation, the protocol demonstrates how OCR operationalizes “show me your documentation” across Privacy, Security, and Breach domains. 

Common outcomes, and what they mean in practice

OCR describes several resolution pathways, and the language can be misleading if it is read casually. “No violation” can mean OCR concluded the facts do not establish a HIPAA violation, or that the evidence does not support the allegation, or that the conduct is permitted under the Privacy Rule. It is still common for OCR to provide technical assistance even when it closes a matter without enforcement, especially if it sees risk in how the clinic operates. That technical assistance can be a quiet signal to improve controls before the next complaint arrives.

“Voluntary compliance” and “corrective action” often mean the clinic agrees to fix something and can show it fixed it, sometimes quickly, sometimes over a defined period. “Resolution agreement” is a formal settlement instrument with obligations, often paired with a corrective action plan, and it is typically published when OCR chooses to publicize a case. OCR’s enforcement overview groups these as typical resolutions and states that most investigations conclude through these kinds of outcomes. 

Civil money penalties are the escalated path, and OCR notes that if penalties are imposed, the entity may request a hearing before an HHS administrative law judge. That implies a much more adversarial posture and usually a much heavier time and cost burden for the entity. 

What to do when the OCR letter arrives

A clinic that responds well to OCR is rarely the clinic that “has never had a problem.” It is the clinic that treats the letter as an engineering problem: define scope, preserve data, assign owners, build a clean evidence package, and remediate any ongoing exposure. The response quality matters because OCR’s process asks the covered entity to present information about the incident, and OCR evaluates evidence. Sloppy evidence invites follow-up requests and sometimes expands scope. 

Start by verifying authenticity in a disciplined way. OCR communications are usually written, and they should reference OCR as the sender, provide contact information, and identify the subject matter at least generally. If anything feels off, confirm through official channels rather than replying to a suspicious email thread. This is not paranoia. Scams exist, and a clinic that discloses PHI to an impersonator has just manufactured a new problem.

Next, designate a single point of contact and a small response team. OCR investigations involve deadlines, document production, and consistent narratives. When five people independently email OCR, the clinic creates contradictions. When one owner collects facts from stakeholders and submits a unified response, the clinic reduces noise and keeps control over the record.

Immediately implement preservation, even if the complaint seems small. This means pausing routine deletion of relevant emails, call logs, access logs, ticketing records, and EHR audit logs that could relate to the allegation. HIPAA’s enforcement rules require cooperation and access to records that the Secretary deems necessary to ascertain compliance. If your systems auto-delete logs after 30 days and you do nothing, you may later be unable to produce evidence that would have helped you. 

Then do a factual reconstruction. Identify the involved patient or record set, the date and time of the event, who touched the data, what systems were used, and what safeguards were in place. Treat this like an incident response root cause analysis, not like a blame exercise. OCR’s investigation framework focuses on facts and on policies, procedures, or practices, and a clean reconstruction will map facts to controls in a way OCR can assess. 

Finally, remediate any ongoing issue quickly and document the fix. If the complaint alleges misdirected faxes, update the fax workflow and add verification steps. If it alleges improper patient access delays, fix the access request workflow and tracking. If it alleges staff snooping, confirm role-based access, audit review, and sanctions. OCR’s own enforcement description emphasizes voluntary compliance and corrective action as a primary resolution pathway, and you want to be able to show both. 

Building a strong response packet

OCR’s first request often asks for a written narrative and supporting documentation. A strong packet reads like a controlled technical report: clear timeline, clear facts, clearly identified policy basis, evidence attachments labeled and referenced, and a remediation summary with dates and responsible roles. The objective is not to “win an argument.” The objective is to make it easy for OCR to verify what happened and what the clinic did about it.

The narrative should avoid speculation. If you do not know something, say so and describe how you are investigating. If you made an error, acknowledge it, fix it, and show the fix. OCR’s enforcement approach is built around evidence review and informal resolution when noncompliance is indicated, and credible transparency tends to produce smoother outcomes than defensive ambiguity. 

Documentation selection should be deliberate. HIPAA’s audit protocol guidance explicitly warns entities not to submit giant compendiums and expects entities to provide specified documents rather than forcing the reviewer to hunt. That logic applies here too. Provide the policies and procedures directly relevant to the allegation, in the versions that were in effect at the time, plus supporting evidence that they were implemented (training records, access logs, ticket closures, sanction actions where applicable). 

Retention details matter. HIPAA requires retaining Privacy Rule documentation for six years from creation or last effective date, and Security Rule documentation for six years on the same basis. When OCR asks for the policy that was in effect when the incident occurred, “we updated it last month” is not responsive. The packet should clearly identify the effective date of each document and, where policies were revised, include both the prior and current version with a short explanation of what changed and why. 
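The “whichever is later” wording is where clinics get caught: a superseded policy created more than six years ago is often still inside its retention window because the clock also runs from the date it was last in effect. The following is an added example, not code from the article or from OCR, showing a small policy-version registry that answers the two questions a response packet needs answered: which version was in effect on the incident date, and until when must each version be retained. The sample policy, dates, and the treatment of the superseding date as the “last in effect” date are constructed assumptions.

```python
"""Policy version lookup and retention deadline for an OCR response packet.

Hypothetical example. Applies the HIPAA retention rule quoted in the article
(six years from creation or from the date the document was last in effect,
whichever is later) to a constructed set of policy versions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 6  # 45 C.F.R. 164.530(j) and 164.316(b)


@dataclass(frozen=True)
class PolicyVersion:
    name: str
    version: str
    created: date
    effective: date
    superseded: Optional[date] = None  # None means the version is still in effect


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def version_in_effect(versions: list[PolicyVersion], on: date) -> Optional[PolicyVersion]:
    """Return the version whose effective window contains the given date."""
    for v in versions:
        if v.effective <= on and (v.superseded is None or on < v.superseded):
            return v
    return None


def retention_ends(v: PolicyVersion, today: date) -> date:
    """Later of creation + 6 years and last-in-effect + 6 years.

    Assumption: the superseding date is the date the version was last in
    effect. A version still in effect is treated as last in effect today,
    so its retention clock has not really started yet.
    """
    last_in_effect = v.superseded or today
    return max(add_years(v.created, RETENTION_YEARS),
               add_years(last_in_effect, RETENTION_YEARS))


def packet_versions(versions: list[PolicyVersion], incident: date, today: date) -> list[PolicyVersion]:
    """Versions to include in the packet: the one in effect at the incident
    and, if it has since been revised, the current one."""
    out: list[PolicyVersion] = []
    for v in (version_in_effect(versions, incident), version_in_effect(versions, today)):
        if v is not None and v not in out:
            out.append(v)
    return out


# Constructed sample: an outbound-fax procedure revised once (not a real clinic's policy).
FAX_POLICY = [
    PolicyVersion("Outbound fax verification", "1.0",
                  created=date(2017, 5, 1), effective=date(2017, 5, 1), superseded=date(2023, 1, 15)),
    PolicyVersion("Outbound fax verification", "2.0",
                  created=date(2022, 12, 20), effective=date(2023, 1, 15)),
]

if __name__ == "__main__":
    incident, today = date(2022, 11, 3), date(2024, 6, 1)
    for v in packet_versions(FAX_POLICY, incident, today):
        print(f"{v.name} v{v.version}: effective {v.effective}, "
              f"superseded {v.superseded or 'n/a'}, retain until {retention_ends(v, today)}")
```

For the constructed policy, version 1.0 was created in 2017, so a creation-only reading would have let the clinic discard it in May 2023; because it stayed in effect until January 2023, it must actually be kept until January 2029, and it is the version the packet must contain for a November 2022 incident.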

Mistakes that make OCR matters worse

The most common self-inflicted wound is over-disclosure. In response to a complaint, clinics sometimes send OCR more PHI than OCR requested, or they attach screenshots that include unrelated patients, or they forward entire EHR exports “just to be safe.” That is not being safe. It is multiplying the scope of sensitive material in the investigation file and increasing breach risk. Minimum necessary discipline still applies to disclosures, and a clinic can often explain the facts without sending unnecessary PHI.

The next common mistake is inconsistent stories. Staff may describe events from memory, timelines drift, and the response becomes internally contradictory. OCR asks for information to understand facts, and contradictions invite more questions. Build the timeline from system records, not from recollection alone, and treat written statements as controlled artifacts.
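Both the factual-reconstruction step above and the point about building the timeline from system records come down to the same exercise: pull every record that touched the data out of the systems that logged it, merge them into one ordered timeline, and mark the events the narrative must explain. The following is an added example, not code from the article, that does this for constructed EHR audit-log and patient-portal log lines. The log formats, field names, role expectations, and the assumption that both systems log in UTC are hypothetical; a real clinic would adapt the parsers to its own vendor formats.

```python
"""Merge constructed system records into one timeline for a single record.

Hypothetical example. Two sources with different formats are parsed, merged,
sorted, and annotated with the events that need an explanation in the OCR
response: an action by a role outside the expected set, or a portal message
about one record delivered to a different recipient.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data (not real patients, users, or vendor formats).
EHR_AUDIT_LOG = """\
2024-03-04T09:12:05Z user=jdoe role=front_desk action=VIEW record=REC-1042 system=ehr
2024-03-04T09:15:40Z user=asmith role=nurse action=VIEW record=REC-1042 system=ehr
2024-03-04T09:16:02Z user=asmith role=nurse action=UPDATE record=REC-1042 system=ehr
2024-03-04T11:02:17Z user=bjones role=billing action=VIEW record=REC-1042 system=ehr
2024-03-04T11:30:00Z user=jdoe role=front_desk action=VIEW record=REC-2210 system=ehr
2024-03-05T08:01:11Z user=tlee role=nurse action=EXPORT record=REC-1042 system=ehr
"""
PORTAL_LOG = """\
2024-03-04 11:05:33 sender=bjones about=REC-1042 recipient=REC-1042 msgtype=statement
2024-03-04 11:06:10 sender=bjones about=REC-1042 recipient=REC-2210 msgtype=statement
"""

# Assumed role expectations per EHR action (hypothetical; take from the real RBAC policy).
EXPECTED_ROLES = {
    "VIEW": {"front_desk", "nurse", "physician", "billing"},
    "UPDATE": {"nurse", "physician"},
    "EXPORT": {"physician", "him"},  # him = health information management
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str               # system that produced the record
    actor: str
    action: str
    records: frozenset         # record identifiers the event touches
    detail: str
    flag: Optional[str] = None  # why the event needs explanation, if it does


def _kv(fields: list[str]) -> dict[str, str]:
    """Turn ['k=v', ...] into a dict."""
    return dict(f.split("=", 1) for f in fields)


def parse_ehr_line(line: str) -> Event:
    ts_text, *rest = line.split()
    f = _kv(rest)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    flag = None
    if f["role"] not in EXPECTED_ROLES.get(f["action"], set()):
        flag = f"{f['action']} by role {f['role']} outside expected roles"
    return Event(ts, f["system"], f["user"], f["action"],
                 frozenset({f["record"]}), f"record={f['record']}", flag)


def parse_portal_line(line: str) -> Event:
    day, clock, *rest = line.split()
    f = _kv(rest)
    # Assumption: the portal logs in UTC even though it writes no zone marker.
    ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    flag = None
    if f["recipient"] != f["about"]:
        flag = f"message about {f['about']} delivered to {f['recipient']}"
    return Event(ts, "portal", f["sender"], f"SEND_{f['msgtype'].upper()}",
                 frozenset({f["about"], f["recipient"]}),
                 f"about={f['about']} recipient={f['recipient']}", flag)


def build_timeline(record_id: str, ehr_text: str, portal_text: str) -> list[Event]:
    """All events from both sources that touch record_id, in time order."""
    events = [parse_ehr_line(l) for l in ehr_text.splitlines() if l.strip()]
    events += [parse_portal_line(l) for l in portal_text.splitlines() if l.strip()]
    return sorted((e for e in events if record_id in e.records), key=lambda e: e.ts)


def flagged(timeline: list[Event]) -> list[Event]:
    return [e for e in timeline if e.flag]


def render(timeline: list[Event]) -> str:
    """Plain-text timeline using record identifiers only, no other PHI."""
    rows = []
    for e in timeline:
        mark = f"  <-- {e.flag}" if e.flag else ""
        rows.append(f"{e.ts.isoformat()} {e.source:<6} {e.actor:<8} {e.action:<14} {e.detail}{mark}")
    return "\n".join(rows)


if __name__ == "__main__":
    tl = build_timeline("REC-1042", EHR_AUDIT_LOG, PORTAL_LOG)
    print(render(tl))
    print(f"{len(flagged(tl))} event(s) need explanation in the narrative")
```

On the constructed data the timeline for REC-1042 has seven events, two of which are flagged: a statement about REC-1042 delivered to the REC-2210 portal account, and an export by a nurse account. The output identifies records and user accounts only, which is the minimum-necessary shape a narrative attachment should have; the flagged rows are the ones the packet must either justify from policy or acknowledge and remediate.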

Another failure mode is treating the letter as a paperwork exercise rather than a control exercise. OCR is not only looking at the alleged incident. The enforcement rule allows review of policies, procedures, and practices. When a clinic responds with “we have a policy” but cannot show training or implementation, the policy becomes a liability rather than an asset.

Finally, ignoring internal complaint and non-retaliation requirements can turn a single complaint into multiple. HIPAA requires a process for individuals to complain to the covered entity, and OCR’s complaint process materials state that retaliation for filing a complaint is prohibited. If a clinic’s response includes adverse action against the complainant, even unintentionally, the clinic may have created a new, separate allegation. 

How to reduce the odds of getting an OCR letter in the first place

You cannot fully prevent complaints. You can, however, reduce both their likelihood and their impact. The highest leverage controls are not exotic. They are operational discipline around patient access, disclosure workflows, workforce training that matches real clinic tasks, role-based access and audit review, and a documented process for receiving and resolving privacy complaints internally. HIPAA requires you to offer a complaint process to individuals, and clinics that take internal complaints seriously often resolve issues before patients feel compelled to escalate externally. 

Documentation hygiene is also a real control, not bureaucracy. HIPAA’s six-year retention requirements for Privacy and Security documentation exist because regulated entities must be able to show what policies existed and what safeguards were implemented. In an investigation, documentation that is complete, versioned, and tied to implementation evidence reduces uncertainty and reduces follow-up. 

Finally, treat every complaint as a signal to test your system. OCR’s own enforcement model leans heavily on corrective action and voluntary compliance. If a complaint exposes a weakness, fix it, document it, and ensure the fix survives staffing turnover. That is how small clinics avoid repeat problems.

Sources

  1. HHS OCR, “How OCR Enforces the HIPAA Privacy and Security Rules.” 

  2. HHS OCR, “What OCR Considers During Intake and Review of a Complaint.” 

  3. HHS OCR, “What to Expect” (HIPAA complaint investigations and outcomes). 

  4. HHS OCR, “How to File a Health Information Privacy or Security Complaint” (requirements, 180-day filing and good cause waiver, retaliation statement). 

  5. 45 C.F.R. § 160.306, “Complaints to the Secretary” (complaint requirements and investigation authority, including willful neglect investigations and initial written communication describing acts or omissions). 

  6. 45 C.F.R. § 160.310, “Responsibilities of covered entities and business associates” (cooperation, records, and access). 

  7. 45 C.F.R. § 160.312, “Secretarial action regarding complaints and compliance reviews” (informal resolution, corrective action plans, other agreements). 

  8. 45 C.F.R. § 160.314, “Investigational subpoenas and inquiries.” 

  9. 45 C.F.R. § 164.530, “Administrative requirements” (complaints to the covered entity; retention period for required documentation). 

  10. 45 C.F.R. § 164.316, “Policies and procedures and documentation requirements” (Security Rule documentation retention for six years). 

  11. HHS OCR, “OCR’s HIPAA Audit Program” and “Audit Protocol” (how OCR operationalizes document review and evidence expectations in oversight contexts). 

  12. HHS OCR, “Resolution Agreements” (examples of formal settlements and corrective action plans used in enforcement). 
