A HIPAA (Health Insurance Portability and Accountability Act) investigation can be triggered by several events or circumstances that suggest a covered entity or business associate may have violated HIPAA regulations.
A HIPAA investigation is a formal inquiry conducted by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to determine whether a covered entity or business associate has violated the HIPAA Privacy, Security, or Breach Notification Rules in its handling of protected health information (PHI).
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
One of the most common ways HIPAA investigations are triggered is through patient complaints. According to the HHS, “If you [patient] believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR). OCR can investigate complaints against covered entities (health plans, health care clearinghouses, or health care providers that conduct certain transactions electronically) and their business associates.”
Examples of patient-initiated triggers:
OCR is required to investigate all complaints that meet the following criteria:
OCR may resolve minor complaints through voluntary compliance or technical assistance, but more serious issues could trigger a full investigation or compliance review.
Example
An example of a HIPAA investigation triggered by a patient complaint involves a private practice physician who denied a patient access to her medical records because of an outstanding balance. OCR investigated and clarified that, under the HIPAA Privacy Rule, patients have a right of access to their records regardless of payment status. Following the investigation, the physician provided the requested records and revised the practice's access procedures to comply with the Privacy Rule.
Go deeper: All Case Examples
Another major trigger for HIPAA investigations is a data breach. Under the HIPAA Breach Notification Rule, covered entities and their business associates must notify affected individuals, OCR, and, when a breach affects more than 500 residents of a state or jurisdiction, prominent media outlets whenever a breach of unsecured PHI occurs.
Breaches affecting 500 or more individuals must be reported to OCR without unreasonable delay and no later than 60 days after discovery, and they receive particular scrutiny: OCR investigates every breach of this size. These larger breaches are also posted publicly on OCR's Breach Portal.
Common causes of HIPAA-reportable breaches include:
Breaches affecting fewer than 500 individuals are reported to OCR annually (within 60 days after the end of the calendar year in which they were discovered), but they can still trigger an investigation, especially if the entity has a history of noncompliance or the breach involves particularly sensitive data or an egregious violation.
Example
In January 2025, Marlboro-Chesterfield Pathology, P.C. discovered unauthorized access to its IT systems, later attributed to the SAFEPAY ransomware group. The breach, reported to OCR on May 9, 2025, affected 235,911 individuals and exposed sensitive data, including medical and insurance information. A forensic investigation confirmed that data had been exfiltrated, and legal and regulatory investigations are ongoing.
Go deeper: Marlboro-Chesterfield Pathology breach impacts 236k
While complaints and breach reports are reactive triggers, HIPAA audits are proactive. OCR periodically audits covered entities and business associates to assess compliance with HIPAA requirements. These audits are conducted under the HIPAA Audit Program, which began as a pilot in 2011.
Entities may be selected randomly or based on risk factors such as “size, affiliations, location, and whether an entity was public or private.”
These audits assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Key areas of focus include:
If significant issues are found during an audit, OCR may launch a full investigation and require corrective action.
Example
An example of an investigation driven by OCR's own proactive scrutiny involves Health Fitness Corporation, a wellness services provider. In March 2025, OCR announced a settlement with Health Fitness Corporation for potential violations of the HIPAA Security Rule. The investigation was conducted under OCR's Risk Analysis Initiative, an enforcement initiative focused on the Security Rule's risk analysis requirement (distinct from the formal HIPAA Audit Program). It found that the company had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information (ePHI). The resulting settlement underscores that a current, documented risk analysis is a baseline requirement, not an optional exercise.
Employees, contractors, and other insiders often serve as important watchdogs for HIPAA violations. A whistleblower may contact OCR if they observe unethical or unlawful handling of PHI.
Whistleblowers might report:
HIPAA includes protections for workforce members who disclose PHI in good faith to report violations. OCR may also open a compliance review based on credible allegations even when no formal complaint has been filed.
Example
An example frequently cited in discussions of HIPAA whistleblowing is the Winkler County nurse case. In 2009, two nurses at Winkler County Memorial Hospital in Texas anonymously reported concerns about a physician's practices to the Texas Medical Board. Their identities were disclosed, and they were fired and criminally charged; the nurse who went to trial was acquitted. The case is usually cited for the retaliation risk whistleblowers face when reporting in good faith rather than as an OCR enforcement action.
Read more: Nurse Whistle-Blower Not Guilty for Reporting Doctor
Not all HIPAA investigations begin with a formal complaint or breach report. Widespread media coverage or other public exposure of a privacy violation can also prompt OCR to act.
High-profile cases may involve:
Example
In 2006, media reports alleged that CVS pharmacies were disposing of physical records containing PHI, such as prescription labels and pharmacy records, in unsecured dumpsters accessible to the public. These reports prompted OCR to open an investigation. In February 2009, CVS agreed to pay a $2.25 million settlement and implement a Corrective Action Plan to strengthen its disposal policies and procedures.
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, state attorneys general are authorized to bring civil actions for HIPAA violations on behalf of their residents. If a state-led investigation uncovers significant concerns, OCR may become involved as well.
These state-level investigations often focus on local healthcare providers, insurance companies, or business associates and may lead to monetary penalties, consent decrees, or operational changes.
Example
In January 2023, the New York Attorney General's office announced a settlement with NewYork-Presbyterian Hospital after finding that the hospital's website used third-party advertising tools that collected visitors' personal and health-related information and shared it with technology companies. The Attorney General alleged that this practice violated HIPAA; NewYork-Presbyterian agreed to pay $300,000 and to implement enhanced privacy safeguards and controls.
Go deeper: New York medical center faces hefty fine for privacy violations
The length of an investigation varies with the complexity of the case, but investigations commonly take several months to more than a year to complete.
Entities under investigation are notified. OCR typically sends a formal notification of investigation that outlines the issue under review, the documentation it requires, and the deadlines for responding.