
What triggers an OCR HIPAA audit or investigation

OCR investigates covered entities through three channels: patient complaints, breach reports, and proactive enforcement initiatives. Here is how each channel works, what OCR does next, and how to reduce your practice's risk profile.

By CoreFolio


An investigation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is not random. It follows from specific triggers. Understanding those triggers — and what each one sets in motion — is more useful than a general instruction to “be HIPAA compliant.”

OCR investigates covered entities through three primary channels: patient and workforce complaints, breach notification reports, and proactive compliance reviews. Each has its own mechanics, and each can result in the same outcome: a formal investigation with document requests, potential corrective action, and financial settlement.

Channel 1: patient and workforce complaints

Under 45 CFR § 160.306, any person who believes a covered entity has violated a HIPAA rule may file a complaint with OCR. Complaints are submitted through the OCR complaint portal at hhs.gov/ocr or by mail. OCR receives more than 20,000 complaints per year.

What OCR does with a complaint:

OCR screens complaints for jurisdictional requirements — the complaint must involve a covered entity or business associate, must be filed within 180 days of the alleged violation (unless OCR waives this for good cause), and must describe a potential HIPAA violation.

Complaints that pass screening may be resolved through:

  • Technical assistance — informal guidance without a finding of violation, for first-time minor issues
  • Early dispute resolution — the covered entity agrees to take corrective action voluntarily
  • Formal investigation — OCR opens a compliance review with document requests and findings

Common complaint categories in small-practice investigations:

  • Impermissible disclosures of PHI without patient authorization (disclosures to family members, employers, or unauthorized parties)
  • Denial or delay of patient right of access to records (OCR has brought more than 54 enforcement actions under its Right of Access Initiative, with settlements ranging from $3,500 to $300,000)
  • Insufficient safeguards resulting in an unauthorized person viewing ePHI (workstation positioning, shared login credentials)
  • Retaliation against a patient or workforce member for filing a HIPAA complaint (a separate violation under 45 CFR § 164.530(g))

Channel 2: breach notification reports

Under the Breach Notification Rule (45 CFR § 164.408), covered entities must report breaches to HHS:

  • Breaches affecting 500 or more individuals: within 60 days of discovery
  • Breaches affecting fewer than 500 individuals: in an annual log submitted within 60 days after the end of the calendar year

Both categories of breach reports are reviewed by OCR. Larger breaches appear immediately on the HHS “Wall of Shame” — the public breach portal at ocrportal.hhs.gov — and frequently prompt OCR to open an investigation.

What makes a breach report more likely to trigger investigation:

  • Large number of affected individuals
  • Nature of the incident (ransomware attacks, hacking, theft of unencrypted devices receive heightened scrutiny)
  • Evidence of systemic failure (such as multiple similar breaches from the same covered entity over time)
  • The covered entity’s response and documentation quality

Small breaches and the annual log: A covered entity reporting a handful of small incidents in its annual log may not trigger immediate investigation. But a pattern of repeated small breaches — particularly of the same type — can indicate systemic compliance failures that draw OCR attention.

The April 2026 four-practice ransomware settlement (combined $1,165,000 across four entities) illustrates how breach notifications can lead directly to enforcement: all four practices had reported ransomware incidents; OCR investigated and found missing or inadequate risk analyses in each case.


Channel 3: proactive enforcement initiatives

OCR has authority under 45 CFR § 160.308 to conduct compliance reviews on its own initiative, without a complaint or breach report. OCR has used this authority to target specific compliance categories with dedicated enforcement programs.

The Risk Analysis Initiative (launched October 2024)

OCR’s most active proactive program as of 2026 is the Risk Analysis Initiative, which selects covered entities for compliance reviews specifically around 45 CFR § 164.308(a)(1) — the requirement to conduct an accurate and thorough risk analysis.

As of May 2026, the initiative has produced 16 enforcement actions with combined settlements exceeding $2.5 million. Covered entities selected for the initiative have included small practices across multiple specialties, including neurology, substance use disorder treatment, and behavioral health.

OCR’s 2016–2017 audit found that only 14 percent of covered entities were substantially meeting their risk analysis obligations. The Risk Analysis Initiative is OCR’s response to that finding.

The Right of Access Initiative (launched 2019, ongoing)

OCR launched a dedicated enforcement initiative targeting covered entities that deny or delay patients’ right to access their records under 45 CFR § 164.524. As of late 2025, OCR had brought more than 54 enforcement actions under this initiative. Settlements have ranged from $3,500 (a small practice that provided records after OCR intervention) to $300,000. Concentra, Inc. settled in December 2025 for $112,500, marking the initiative’s 54th enforcement action.

The HIPAA Audit Program (periodic)

Under 45 CFR § 160.308, HHS may conduct audits to assess compliance across covered entities and business associates. The most recent formal audit program concluded in 2017; OCR announced in 2024 that current audit activity is targeting covered entity compliance with Security Rule provisions related to hacking and ransomware for 50 selected entities.


What happens after OCR opens an investigation

An OCR investigation begins with a written notification to the covered entity. The entity typically has 30 days to respond with documentation — the risk analysis, risk management plan, workforce training records, business associate agreements, policies and procedures, and incident logs are standard requests.

OCR reviews the documentation and may request additional materials or schedule a site visit. Investigations typically close in one of four ways:

  1. No violation found — the covered entity’s documentation demonstrates compliance; the case is closed
  2. Technical assistance — OCR identifies gaps but resolves through informal guidance without a penalty
  3. Resolution agreement — a formal settlement document with a financial penalty and a corrective action plan (CAP). The CAP typically requires completing a risk analysis, developing a risk management plan, implementing workforce training, and submitting compliance reports to OCR for a monitoring period (often two years)
  4. Civil money penalties — for serious or willful violations, OCR may impose penalties without a settlement agreement; the maximum annual penalty per violation category is $2,190,294 (effective January 28, 2026, indexed for inflation)

How to reduce investigation risk

The practices that fare best in OCR investigations are not necessarily the ones with the most sophisticated security. They are the ones with documentation that demonstrates they have assessed their risks and taken reasonable and appropriate action.

The minimum risk-reduction set:

  • A current risk analysis — the primary finding in every enforcement action; it must be dated within the past 12 months or updated after material environmental changes
  • A written risk management plan — with action items, timelines, and responsible parties
  • Prompt patient records access — respond to records requests within 30 days (or 60 days with a documented 30-day extension)
  • A written security incident response plan — so your practice has a procedure ready before an incident occurs
  • A breach log — maintained for all incidents, including those that did not rise to the level of reportable breach
  • Workforce training records — documentation that every staff member has been trained, when, and on what

A covered entity that can produce these documents is in a materially better position than one that cannot — regardless of the investigation channel that initiated the inquiry.


Sources: 45 CFR § 160.306 (complaints to the Secretary); 45 CFR § 160.308 (compliance reviews); 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.408 (HHS notification of breaches); 45 CFR § 164.524 (right of access to PHI); OCR Risk Analysis Initiative enforcement actions, hhs.gov/press-room; OCR Right of Access Initiative, hhs.gov/hipaa/for-professionals/compliance-enforcement; HHS HIPAA Audit Program, hhs.gov/hipaa/for-professionals/compliance-enforcement/audit; Civil monetary penalty adjustments effective January 28, 2026. Last verified May 20, 2026.