An envelope from the Office for Civil Rights arrived at your practice. You read it twice. You are not sure if it is a notice, an investigation, or a fine. Your stomach drops. You search the internet and find a hundred articles telling you to “stay calm” without telling you what to actually do.

This guide is what to actually do. Step by step. In the order the next three days should unfold.

What Kind of Letter Did You Actually Receive?

OCR sends several different types of letters and the right response depends on which one you received. Before you do anything else, identify which category applies to your situation.

Complaint Inquiry. Someone, usually a patient or former employee, filed a complaint with OCR alleging your practice violated HIPAA. OCR is reviewing the allegation and asking for your side. These letters typically request your Notice of Privacy Practices, the relevant patient’s records access history, and any related policies. Most complaint inquiries close after your initial response when you can demonstrate compliance.

Breach Notification Review. You or a business associate filed a breach report through the HHS portal and OCR is following up. The letter will reference the breach report number and request your Risk Analysis, breach assessment, and notification timeline. Breaches affecting fewer than 500 patients receive lighter review. Breaches affecting 500 or more trigger a broader investigation, including a potential on-site visit.

Compliance Review. OCR is conducting a proactive review under its Risk Analysis Initiative or another enforcement program. These reviews are not triggered by a specific complaint or breach. They are part of OCR’s ongoing audit work. Compliance reviews still focus heavily on whether you have a written Risk Analysis and Risk Management Plan that meet 45 CFR 164.308(a)(1)(ii)(A) and (B).

Formal Investigation. OCR has determined that a complaint or breach warrants enforcement review under 45 CFR Part 160 Subpart C. This is the most serious category. The letter will reference specific regulatory citations and may discuss potential civil monetary penalties. If you receive this type of letter, retain healthcare regulatory counsel before responding.

The letter itself will tell you which category applies through the subject line, the specific regulations cited, and the documents requested. If you are not sure, the safest assumption is to treat it as a formal investigation until proven otherwise.

Hour 1: What to Do Before You Do Anything Else

Before you draft a response, before you call your IT vendor, before you tell anyone what is happening, do these three things.

Scan or photograph the letter. Keep a digital copy in a secure folder you can access from anywhere. The original goes in a file you will not move for the duration of the investigation.

Note the exact response deadline. Most OCR data requests give you 14 to 30 days. Write the deadline on a calendar and on a sticky note on your desk. The single most common mistake in the first week is misreading the deadline by one week.

Identify the issue OCR is asking about. Read the letter three times. Highlight the specific regulation cited, the specific patient or incident referenced, and the specific documents requested. Most letters cite one of five common provisions: 45 CFR 164.308 (Administrative Safeguards), 164.524 (Right of Access), 164.502 (Uses and Disclosures), 164.400 series (Breach Notification), or 164.530 (Privacy Rule Administrative Requirements).

Do not respond to the letter yet. Do not call OCR. Do not start composing emails to your team. Spend the first hour orienting yourself to what was actually requested.

Day 1 and 2: Preserve Everything

From the moment you read the letter, every related record becomes a litigation document. That means three things.

Do not modify any policy, training record, BAA, or Risk Analysis document. If you find a policy with a typo, you do not fix the typo. If you discover your Risk Analysis is dated incorrectly, you do not correct the date. If a training log has a missing signature, you do not add the signature.

Do not delete anything. That includes emails, internal chat messages, vendor communications, software audit logs, and file deletion logs. Place a hold on automatic deletion policies for related systems. If your EHR has an auto-purge for old documents, suspend it for the duration of the investigation.

Document the date and time you became aware of the OCR letter. This becomes the start of your litigation hold. Every action you take after that point should be documented in a timeline.

The reason these steps matter goes beyond ethics. OCR can verify document creation dates through file metadata, prior responses to other inquiries, and forensic analysis if necessary. Backfilling documents, even with good intentions, transforms a compliance gap into a finding of willful neglect. Willful neglect penalties start at $68,928 per violation and rise to $2,067,813 per violation per year in 2026 dollars under 45 CFR 102.3. You can model your potential exposure with our HIPAA penalty calculator. The mistake is not the gap. The mistake is hiding the gap.

Day 2: Do You Need an Attorney?

Not every OCR letter requires outside counsel. Spending $15,000 on healthcare regulatory representation for a basic Right of Access inquiry is overkill. Spending nothing on a formal investigation involving a 5,000-record breach is malpractice.

Retain healthcare regulatory counsel before responding if any of these signals appear in your letter:

  • The letter references 45 CFR 160 Subpart C enforcement procedures
  • The letter mentions potential civil monetary penalties
  • The letter references a breach affecting 500 or more individuals
  • OCR has requested an on-site visit
  • The complaint alleges willful neglect or pattern of violations
  • You discover during preservation that you have a significant gap such as no written Risk Analysis at all

You can typically respond directly without counsel for routine complaint inquiries, single-patient Right of Access reviews, and breach notification follow-up where you already have compliant documentation. A CIPP/US certified privacy advisor can help prepare the response in those cases at substantially lower cost than retained counsel.

If you do retain counsel, your privacy advisor and your attorney should coordinate. The attorney handles the legal strategy and the response language. The privacy advisor handles the compliance documentation and the operational changes the response will commit your practice to making.

Day 3: Build Your Response Timeline

By the third day, you should have a working document that captures three things.

First, the specific documents OCR has requested. List each one. Note whether you have it, where it lives, and who is responsible for producing it. Common requests include your written Risk Analysis, Risk Management Plan, current BAAs with vendors handling ePHI, workforce HIPAA training records, Notice of Privacy Practices, breach notification logs, and any policies related to the specific issue cited.

Second, the compliance actions your practice has taken in the past 24 months. OCR weighs prior good-faith compliance efforts. If you completed a Risk Analysis in 2024, conducted training in 2025, and updated your BAAs in 2026, those facts go in your timeline. They are not separate cover letters. They are factual entries that OCR can verify against the documents you submit.

Third, the actions you have already taken since receiving the letter. Document the preservation hold. Document the gap analysis. Document any corrective action you have begun. OCR’s enforcement approach favors practices that recognize gaps and address them. The opposite approach, denying any issue exists, signals non-cooperation and escalates exposure.

What OCR Is Actually Looking For

OCR enforcement against small healthcare practices clusters around a small number of documentation gaps. Knowing what OCR will check helps you prioritize what to produce.

The single most-cited finding is the missing or inadequate Risk Analysis. 45 CFR 164.308(a)(1)(ii)(A) requires every covered entity and business associate to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. OCR’s Audit Protocol evaluates Risk Analyses against five criteria: scope, data collection, identification of threats and vulnerabilities, assessment of current security measures, and likelihood and impact determination. A Risk Analysis that consists of a vendor questionnaire is not a Risk Analysis under this standard.

The second most common gap is missing or stale Business Associate Agreements. If a vendor touches your patient data, including IT support, EHR providers, billing companies, document destruction services, and certain marketing tools, you need a current BAA. OCR will request a list of all your business associates and ask you to produce the corresponding BAAs.

The third gap is workforce training. HIPAA Privacy Rule training is required for all members of the workforce under 45 CFR 164.530(b)(1). Training records should show dates, content covered, and individual completion. A folder of generic certificates without training content does not satisfy this requirement.

The fourth gap is the Notice of Privacy Practices itself. The NPP must comply with 45 CFR 164.520, be posted in your office, be available on your website, and be provided to patients with documented acknowledgment of receipt.

The fifth gap, in breach-related cases, is your breach notification timeline and risk assessment. 45 CFR 164.402 requires a documented assessment of whether a use or disclosure constituted a breach. Skipping this step and treating an incident as a non-breach without documentation creates exposure if OCR disagrees.

The Most Expensive Mistakes Small Practices Make

Across the OCR settlements published in 2024 and 2025, four mistakes account for the majority of substantial penalties against small healthcare practices.

Backdating documents. Producing a Risk Analysis dated 2023 that you actually drafted last week. OCR has multiple ways to verify creation dates. Backdating transforms a compliance gap, which OCR often resolves through corrective action, into a finding of willful neglect, which carries substantially higher penalties.

Ignoring the letter. The deadline passes. OCR sends a follow-up. The follow-up is ignored. By the third notice, OCR has moved the case from inquiry to investigation and the response posture is now defensive. Even if you intend to respond, send acknowledgment of receipt and a request for extension before the original deadline.

Lying or shading the truth. Telling OCR you have a Risk Analysis when you do not. Saying you have BAAs with all vendors when you have BAAs with some. False statements to a federal regulator extend liability and can support criminal referral under 18 USC 1001. The honest path, acknowledging gaps and showing what you have done since the letter, produces better outcomes.

Treating the letter as a one-time event rather than a compliance program reset. The practices with the smallest OCR settlements are the ones that use the investigation as the trigger to build the program they should have had, often starting with a proper written Risk Analysis. The practices with the largest settlements treat the response as the entire engagement and have nothing in place six months later when OCR conducts a follow-up review. Buying a HIPAA compliance seal will not save you here either.

What Happens After You Respond

Most complaint inquiries close after your initial response. You receive a closure letter from OCR within 90 to 180 days confirming the case is resolved. No penalty. No corrective action. No public listing.

Some cases lead to a Voluntary Corrective Action plan. OCR identifies specific compliance gaps. You agree to address them within a defined timeline. You provide periodic evidence of completion. The case closes when the corrective actions are documented as complete. No civil monetary penalty.

Cases involving willful neglect, repeated violations, or substantial patient harm can lead to a Resolution Agreement with a monetary settlement. Public listing on the HHS enforcement page. A multi-year Corrective Action Plan with regular reporting requirements. The smallest published settlements against individual healthcare practices in 2024 and 2025 ranged from $30,000 to $170,000. Larger entities have settled for substantially more.

The path between these outcomes is not luck. It is the quality of your documentation, the speed and honesty of your response, and the corrective action you take while the investigation is open.

One Last Thing

The hardest part of receiving an OCR letter is that it feels personal. Someone reported you, or a system you trusted failed, or a routine inquiry suddenly threatens the practice you spent years building. The instinct is to push back, to explain, to make it go away quickly.

The OCR investigators reading your response are not trying to destroy your practice. They are checking whether you took HIPAA seriously, whether you can document what you did, and whether you are willing to address what you missed. Practices that engage with that process honestly usually come out the other side with a stronger program and no penalty. Practices that resist usually do not.

If you are reading this because a letter is sitting on your desk right now, take the next hour to scan it, note the deadline, and identify what was actually requested. The next two days are for preservation and gap assessment. The next ten days are for the response itself. Three days of careful work at the start determines most of the outcome.