How does HHS resolve HIPAA complaints?

The HHS Office for Civil Rights evaluates every HIPAA complaint it receives and resolves each one, with outcomes ranging from technical assistance to corrective actions.

The HHS Office for Civil Rights is responsible for enforcing HIPAA rules. A core part of OCR's enforcement responsibilities is evaluating every HIPAA complaint filed with the department and reaching a resolution for each case.

Any individual who believes that their health information privacy rights were violated by a HIPAA-covered entity can file a complaint with OCR. However, OCR will only take action on complaints that involve incidents that occurred in the past six years, are filed against a HIPAA-covered entity or business associate, and are filed within 180 days of when the complainant reasonably knew about the alleged violation.

HHS data shows that OCR has received more than 374,000 HIPAA complaints from April 2003 to October 2024, and has resolved 99% of those cases. Understanding how OCR evaluates and investigates HIPAA complaints can help covered entities understand top compliance challenges and proactively address them.

Understanding the HIPAA complaint resolution process

When OCR receives a HIPAA complaint, it goes through an intake process to determine how to proceed. In some cases -- 15,561 to date -- OCR finds that no violation occurred, and the case is resolved.

In just 2,419 cases in OCR's HIPAA enforcement history, the office has referred cases to the Department of Justice to handle criminal investigations. Such a referral might occur if a covered entity knowingly disclosed or obtained protected health information in violation of HIPAA.

In many other cases, OCR provides technical assistance to covered entities and their business associates, without having to launch a formal investigation.

Alternatively, OCR might reach a settlement agreement that requires the covered entity to commit to corrective actions to rectify security and privacy failures.

To date, in more than 255,000 cases, OCR has determined that the complaint was not eligible for enforcement due to its timing or OCR's jurisdiction.

Consequently, only a handful of cases (152) have resulted in OCR imposing civil money penalties. At an HHS conference held in October 2024, OCR leaders stressed that many of the office's cases end in OCR providing technical assistance -- rather than seeking out financial penalties -- in an effort to help covered entities rather than punish them.

While OCR will continue to enforce HIPAA to its fullest extent, it typically attempts to resolve cases through voluntary compliance, corrective action and resolution agreements, resorting to monetary penalties "if the covered entity does not take action to resolve the matter in a way that is satisfactory."

Considering this, specific enforcement data can help covered entities understand the most common HIPAA violations and the factors that have historically led to OCR enforcement actions and fines.

What HIPAA enforcement results say about compliance challenges

The HIPAA complaints that OCR receives speak to common HIPAA compliance pitfalls. From April 2003 to October 2024, the following compliance issues have been most frequently alleged within HIPAA complaints, according to OCR data:

  • Impermissible uses and disclosures of PHI.
  • Insufficient safeguards for PHI.
  • Lack of patient access to their PHI.
  • Lack of administrative safeguards of PHI.
  • Use or disclosure of more than the minimum necessary PHI.

The covered entities subject to these alleged violations span various organization types, from general hospitals to private practices, pharmacies, and outpatient facilities.

Recent resolution agreements show that OCR is committed to addressing these HIPAA deficiencies and underscoring compliance risks to covered entities.

For example, OCR has issued more than 50 enforcement actions under its HIPAA right of access initiative, which aims to address instances where patients did not receive access or timely access to their PHI.

Other enforcement actions stem from investigations launched after OCR receives a breach report, rather than complaints.

For example, in January 2025, OCR settled two ransomware investigations under its risk analysis initiative, which aimed to shed light on risk analysis gaps within HIPAA-covered entities. The first involved Elgon Information Systems, a Massachusetts-based electronic medical record and billing support vendor, following a March 2023 ransomware attack and data breach.

Elgon and HHS reached an $80,000 settlement and Elgon agreed to a corrective action plan in which it would review its risk analysis processes, update its enterprise-wide risk management plan and provide workforce training.

OCR also reached a $90,000 settlement with Virtual Private Network Solutions in January 2025, imposing a similar corrective action plan to address risk analysis deficiencies.

Major retailers have also been subject to HIPAA scrutiny. In February 2025, OCR announced a $1.5 million fine against eyewear retailer Warby Parker following a 2018 credential stuffing cyberattack. As exemplified by the timing of the fine, it can take OCR multiple years to complete an investigation.

OCR's enforcement priorities are bound to shift under the new administration. However, understanding how OCR typically resolves HIPAA violation cases brought through complaints or breach reports can help covered entities and their business associates prioritize top compliance risks.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.