
What triggers a HIPAA investigation?

A HIPAA (Health Insurance Portability and Accountability Act) investigation can be triggered by several events or circumstances that suggest a covered entity or business associate may have violated HIPAA regulations.


What is a HIPAA investigation?

A HIPAA investigation is a formal inquiry conducted by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services to determine whether a covered entity or a business associate has violated HIPAA regulations related to the privacy, security, or breach notification of protected health information (PHI).


What it entails

  • Initiation: Investigations are usually triggered by a patient complaint, data breach report, audit, or whistleblower allegation.
  • Evidence gathering: OCR requests relevant documents such as privacy policies, risk assessments, training records, and breach reports.
  • Interviews and site visits: Staff may be interviewed and site inspections conducted to verify compliance.
  • Findings and outcomes:



HIPAA investigation triggers

Patient complaints

One of the most common ways HIPAA investigations are triggered is through patient complaints. According to the HHS, “If you [patient] believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities (health plans, health care clearinghouses, or health care providers that conduct certain transactions electronically) and their business associates.”

Examples of patient-initiated triggers:

  • A patient is denied access to their medical records.
  • Medical staff discuss a patient’s condition in public areas where they can be overheard.
  • A healthcare worker shares patient information with unauthorized individuals.
  • A patient receives marketing materials without giving prior authorization.

OCR is required to investigate all complaints that meet the following criteria:

  • The complaint is filed within 180 days of the suspected violation.
  • The entity named is subject to HIPAA.
  • The complaint is made via mail, fax, e-mail, or the OCR Complaint Portal.

OCR may resolve minor complaints through voluntary compliance or technical assistance, but more serious issues could trigger a full investigation or compliance review.

Example

An example of a HIPAA investigation triggered by a patient complaint involves a private practice physician who denied a patient access to her medical records due to an outstanding balance. The Office for Civil Rights (OCR) investigated and clarified that, under the HIPAA Privacy Rule, patients have the right to access their medical records regardless of payment status. Following the investigation, the physician provided the requested records and revised their access procedures to comply with HIPAA regulations.

Go deeper: All Case Examples


Data breaches

Another major trigger for HIPAA investigations is the occurrence of a data breach. Under the HIPAA Breach Notification Rule, covered entities and their business associates are required to notify affected individuals, the media (in some cases), and OCR when a breach involving unsecured PHI occurs.

Breaches involving 500 or more individuals are particularly scrutinized. In fact, OCR automatically investigates all such breaches. These larger breaches are posted publicly on OCR’s Breach Portal.

Common causes of HIPAA-reportable breaches include:

  • Lost or stolen laptops or mobile devices containing unencrypted PHI
  • Ransomware or other cyberattacks that compromise patient data
  • Misaddressed emails or faxes that expose PHI to unintended recipients
  • Improper disposal of paper records containing sensitive information

Even breaches involving fewer than 500 individuals can trigger an investigation, especially if the entity has a history of noncompliance or the breach involves particularly sensitive or egregious violations.

Example

In January 2025, Marlboro-Chesterfield Pathology, P.C. discovered unauthorized access to its IT systems, later attributed to the SAFEPAY ransomware group. The breach, reported to HHS OCR on May 9, affected 235,911 individuals and exposed sensitive data, including medical and insurance information. A forensic investigation confirmed data exfiltration, and legal and regulatory investigations are ongoing.

Go deeper: Marlboro-Chesterfield Pathology breach impacts 236k


OCR audits

While complaints and breaches are reactive triggers, HIPAA audits can be proactive. OCR periodically conducts audits of covered entities and business associates to assess compliance with HIPAA requirements. These audits are part of the HIPAA Audit Program, which was first implemented as a pilot in 2011.

Entities may be selected randomly or based on risk factors such as “size, affiliations, location, and whether an entity was public or private.”

These audits assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Key areas of focus include:

  • Privacy Rule: Policies and procedures for safeguarding protected health information (PHI), ensuring individuals' rights, and handling complaints.
  • Security Rule: Administrative, physical, and technical safeguards to protect electronic PHI (ePHI), including risk analysis and management.
  • Breach Notification Rule: Processes for identifying, reporting, and responding to breaches of unsecured PHI.

If significant issues are found during an audit, OCR may launch a full investigation and require corrective action.

Example

An example of a HIPAA investigation triggered by an OCR audit involves Health Fitness Corporation, a wellness services provider. In March 2025, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced a settlement with Health Fitness Corporation for potential violations of the HIPAA Security Rule. The investigation, initiated as part of OCR's Risk Analysis Initiative, revealed that the company failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). This oversight led to a settlement agreement, emphasizing the critical importance of regular risk analyses to safeguard patient data.

Read more: HHS’ Office for Civil Rights Settles HIPAA Security Rule Investigation with Health Fitness Corporation


Whistleblower reports

Employees, contractors, or other insiders often serve as important watchdogs when it comes to HIPAA violations. A whistleblower may contact OCR if they observe unethical or unlawful behavior related to the handling of PHI.

Whistleblowers might report:

  • Lack of basic privacy or security safeguards
  • Pressure to access or disclose PHI without proper authorization
  • Retaliation against staff who raise HIPAA concerns
  • Inadequate training on privacy procedures

HIPAA includes protections for whistleblowers who report violations in good faith. OCR may choose to initiate an investigation based on credible allegations even if no formal complaint is submitted.

Example

An example of a HIPAA investigation triggered by a whistleblower report is the Winkler County nurse whistleblower case. In 2009, two nurses at Winkler County Memorial Hospital in Texas anonymously reported concerns about a physician's practices to the Texas Medical Board. Their identities were disclosed, leading to their termination and criminal charges.

Read more: Nurse Whistle-Blower Not Guilty for Reporting Doctor


Media coverage and public incidents

Not all HIPAA investigations begin with formal complaints or breach reports. Sometimes, widespread media coverage or public exposure of privacy violations can prompt OCR to take action.

High-profile cases may involve:

  • Celebrities’ medical information being accessed or leaked
  • PHI being found in dumpsters or posted online
  • Security lapses reported by investigative journalists

Example

In 2009, media reports alleged that CVS employees were improperly disposing of physical records containing protected health information (PHI) in unsecured dumpsters accessible to the public. These reports prompted the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) to initiate an investigation. As a result, CVS agreed to pay a $2.25 million settlement and implement a Corrective Action Plan to strengthen its disposal policies and procedures.


State attorney general enforcement

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, state attorneys general are authorized to bring civil actions for HIPAA violations on behalf of residents. If a state-led investigation uncovers significant concerns, OCR may become involved as well.

These state-level investigations often focus on local healthcare providers, insurance companies, or business associates and may lead to monetary penalties, consent decrees, or operational changes.

Example

In January 2023, the Attorney General's office found that the NewYork-Presbyterian Hospital's website used advertising tools that collected and shared visitors' private and personal information with third-party tech companies. This practice violated HIPAA regulations, and as a result, NewYork-Presbyterian Hospital agreed to a $300,000 settlement and committed to implementing enhanced privacy safeguards and controls.

Go deeper: New York medical center faces hefty fine for privacy violations


FAQs

How long does a HIPAA investigation take?

It varies by case complexity, but investigations can take several months to over a year to complete.


Are organizations notified before an investigation begins?

Yes. OCR typically sends a formal notification of investigation outlining the issue, what documentation is required, and timelines for response.


How can organizations reduce the risk of HIPAA investigations?

  • Train staff regularly
  • Conduct routine risk assessments
  • Implement strong data security policies
  • Respond promptly to patient requests and breach incidents