After the Investigation: How HHS Resolves HIPAA Complaints Informally (45 CFR § 160.312)
Executive Summary
When the Office for Civil Rights (OCR) investigates a HIPAA complaint, enforcement isn’t always the final outcome. In fact, many complaints are resolved informally through voluntary compliance, corrective action plans, or technical assistance without the need for formal penalties. Under 45 CFR § 160.312, the Department of Health and Human Services (HHS) outlines this informal resolution process. For small healthcare practices, understanding how informal resolution works can mean the difference between a manageable compliance correction and a costly enforcement action. This guide explains what happens after a HIPAA investigation and how small practices can navigate informal resolution effectively.
Introduction
Most small practice owners are familiar with HIPAA’s requirements to protect patient privacy and security. However, fewer understand what actually happens when OCR investigates a complaint. The assumption is often that investigations always lead to civil monetary penalties (CMPs) or resolution agreements, but in reality, that’s not always the case.
OCR has the discretion to resolve HIPAA complaints informally under § 160.312, particularly when the violation is minor, unintentional, or corrected promptly. Informal resolution often includes technical assistance, policy adjustments, or staff retraining without the need for public settlements or fines.
This article walks small practice owners through what to expect after an investigation concludes, what informal resolution entails, and how to increase the likelihood of resolving a complaint without escalating to enforcement.
Understanding § 160.312: Informal Resolution Authority
Under 45 CFR § 160.312, OCR is permitted but not required to attempt informal resolution before taking formal enforcement action. The regulation states:
“If the matter is not resolved informally, the Secretary may issue a written notice of proposed determination in accordance with § 160.420.”
This provision allows OCR to:
- Work directly with the covered entity to resolve findings
- Offer technical assistance
- Accept voluntary corrective actions in lieu of formal enforcement
- Avoid issuing a formal notice of violation or penalty
For small practices, this creates an important opportunity to demonstrate good faith, correct deficiencies, and avoid public scrutiny.
What Triggers Informal Resolution
Informal resolution is most likely when:
- The violation is minor or resulted from a misunderstanding
- The covered entity takes immediate corrective action
- There’s no pattern of repeated or willful misconduct
- The incident did not result in significant harm or data misuse
- The entity cooperates fully during the investigation
OCR uses its discretion to assess whether formal enforcement is necessary. If you’re responsive, proactive, and transparent, informal resolution becomes a very real possibility.
What Informal Resolution Looks Like
- Technical Assistance: OCR explains how to come into compliance and provides relevant resources.
- Voluntary Compliance: The entity agrees to make changes without a formal enforcement order.
- Corrective Action Plan (CAP): A written plan is developed to address the specific issues identified.
- No Violation Found: In some cases, OCR closes the investigation without identifying a HIPAA violation.
These outcomes are not publicized on the HHS website, and no civil monetary penalties are assessed.
A Case Study: Avoiding Formal Enforcement Through Cooperation
In 2022, a solo dermatology practice in Florida received a letter from the Office for Civil Rights (OCR) after a patient filed a complaint about not receiving their medical records despite submitting two written requests over a 60-day period. HIPAA requires providers to respond to such requests within 30 days, with one possible 30-day extension if properly documented.
The practice investigated and discovered that a clerical error caused the request to be misfiled and overlooked. Within one week of receiving the OCR letter, the practice fulfilled the patient’s request, issued a formal apology, waived all copying fees, updated its internal record request procedures, and retrained staff on HIPAA’s right-of-access rules.
OCR acknowledged the practice’s prompt corrective action and chose to provide technical assistance rather than pursue formal enforcement. The case was closed without a violation finding or public posting.
This case illustrates how even small practices can face HIPAA complaints due to administrative errors, but also how quick, transparent, and cooperative responses can lead to informal resolutions. By acting in good faith, documenting actions taken, and improving internal processes, the practice avoided penalties and reinforced its commitment to patient rights and regulatory compliance.
What Happens After an OCR Investigation
- Initial Complaint Review — OCR assesses whether the complaint warrants an investigation. If so, it notifies the covered entity in writing.
- Investigation Phase — OCR may request policies, correspondence, logs, or interviews. The entity must respond truthfully and promptly.
- Informal Resolution Attempt — If the issue appears minor or correctable, OCR will work with the entity to resolve the matter cooperatively.
- Corrective Action or Technical Assistance Issued — If successful, OCR closes the case and informs the complainant. No penalty is imposed.
- If Not Resolved Informally — OCR may issue a Notice of Proposed Determination, triggering the formal enforcement process under § 160.420.
Common Pitfalls That Block Informal Resolution
- Ignoring or delaying response to OCR: Delayed communication increases the likelihood of formal enforcement.
- Failing to acknowledge the issue: Denial or deflection may be interpreted as non-cooperation.
- Incomplete corrective action: Making partial changes or failing to retrain staff undermines credibility.
- Repeat complaints or violations: A history of prior noncompliance weighs against informal resolution.
- Lack of documentation: Verbal assurances are not enough; OCR needs written proof of compliance.
Expert Tips for Small Practices Facing an Investigation
- Respond quickly and professionally to all OCR communications.
- Document every step taken to investigate and resolve the issue.
- Correct the problem immediately, even before OCR concludes its investigation.
- Provide OCR with updated policies, training records, and incident logs.
- Avoid defensive or evasive communication; demonstrate a willingness to improve.
Simplified Informal Resolution Readiness Checklist
| Task | Responsible Party | Timeline | Reference |
|---|---|---|---|
| Review OCR complaint notice and identify core issue | Privacy Officer | Within 2 business days | 45 CFR § 160.312 |
| Conduct internal investigation and document findings | Compliance Lead | Within 5 business days | HIPAA best practices |
| Implement corrective actions and staff retraining | Office Manager | Immediately upon confirmation of issue | 45 CFR § 164.530(b)(1) |
| Submit written response and documentation to OCR | Compliance Lead | As requested by OCR | 45 CFR § 160.310 |
| Maintain file with evidence of resolution and changes made | Compliance Lead | Ongoing | HIPAA recordkeeping |
Concluding Recommendations and Next Steps
Not every HIPAA investigation results in a penalty, nor does every mistake lead to enforcement action. The Department of Health and Human Services (HHS), under § 160.312, possesses the authority to resolve complaints informally. This offers small practices a crucial opportunity to correct compliance issues without facing public scrutiny or severe financial penalties.
Should your practice receive an inquiry from the Office for Civil Rights (OCR), immediate and decisive action is paramount. Take responsibility for any identified shortcomings, swiftly correct the underlying issues, and meticulously document every step of your remediation efforts. Full cooperation with the OCR investigation is essential and demonstrates your commitment to HIPAA compliance. Taking the informal resolution pathway seriously can help small practices not only avoid enforcement actions but also strengthen their operational procedures, improve the protection of patient data, and preserve their professional reputation.