How to Prepare for an OCR Complaint

A practical guide for small clinic administrators on what to do when OCR receives a HIPAA complaint—covering the investigation process, documentation requests, and how to organize a readiness binder.

Short answer

Receiving an OCR complaint notice is not the moment to start building your compliance documentation. This guide covers what OCR actually requests, how to organize a readiness binder in advance, and what small clinics most commonly lack when an investigation opens.

An OCR complaint notice is one of the more disorienting things a practice administrator can receive. The letter is formal, the deadline is short, and the documentation requests can feel overwhelming if the clinic has not kept records systematically.

The clinics that navigate OCR investigations most effectively built documentation habits before the investigation opened — not in the days after the letter arrived. This guide covers what to expect, what to prepare, and how to avoid the documentation gaps that turn a manageable investigation into a corrective action plan.


How OCR receives and processes complaints

Any person may file a HIPAA complaint with OCR—patients, former employees, business associates, or members of the public. Complaints can be filed online, by mail, or by fax. OCR does not require the complainant to have been directly harmed; a complaint about a clinic’s general practices is sufficient to trigger review.

When OCR receives a complaint, it conducts an intake review to determine:

  • Whether the complaint was filed within 180 days of when the complainant knew or should have known of the violation (with limited exceptions)
  • Whether the complaint involves a covered entity subject to HIPAA
  • Whether the complaint describes conduct that, if true, would constitute a HIPAA violation

If the complaint passes intake review, OCR notifies the covered entity. This notification letter is typically the clinic’s first awareness that a complaint has been filed. The letter requests a written response and may include a list of initial documentation requests.

What not to do upon receiving a notification letter: Do not discard any records, do not alter any documentation, and do not contact the complainant. Preserve everything related to the complaint period and consult legal counsel before drafting the response letter.


What OCR typically requests

OCR’s complaint investigations follow a consistent documentary pattern. The same categories of records appear in every investigation. Organizing these materials in advance means the clinic can respond to any request without scrambling.

Written HIPAA policies and procedures
  • What OCR looks for: Current, dated, signed policies covering Privacy, Security, and Breach Notification
  • Common gaps at small clinics: Outdated policies; policies that exist but have never been reviewed or approved

Workforce training records
  • What OCR looks for: Training completion records and signed attestations for all current and former workforce members during the complaint period
  • Common gaps at small clinics: Missing records for part-time or short-term staff; no attestations on file

Business Associate Agreements
  • What OCR looks for: Signed BAAs with every vendor that creates, receives, maintains, or transmits PHI
  • Common gaps at small clinics: Missing BAAs; BAAs with expired or acquired vendors that were never updated

System access logs
  • What OCR looks for: Audit logs from EHR and other PHI-handling systems showing access patterns during the complaint period
  • Common gaps at small clinics: Logs not retained; no process for reviewing logs

Incident and breach logs
  • What OCR looks for: Records of any incident or potential breach evaluated during the complaint period
  • Common gaps at small clinics: No incident log; incidents handled verbally without documentation

Workforce sanctions log
  • What OCR looks for: Records of any disciplinary action taken for HIPAA violations
  • Common gaps at small clinics: No sanctions log maintained

Risk analysis
  • What OCR looks for: Current written risk analysis
  • Common gaps at small clinics: No written risk analysis; undated analysis that predates current systems

OCR’s audit protocol — available at hhs.gov — describes what documentation the agency looks for in each safeguard category. Reading it before an investigation is worthwhile even if the clinic never faces a complaint.


The 6-year retention rule and documentation gaps

Under 45 CFR § 164.530(j), covered entities must retain documentation required by the Privacy Rule for six years from the date of creation or the date it was last in effect, whichever is later. The Security Rule contains a parallel provision.

An OCR investigation that opens today can legitimately request documentation from six years ago. A clinic that did not maintain records in 2020 faces a current compliance problem in 2026, even if its current records are exemplary.

Practical implications:

  • Training records must be retained for six years. A workforce member who was trained in 2021 and terminated in 2022 should still have training documentation in the clinic’s records today.
  • BAAs must be retained for six years after the relationship ended. An expired vendor relationship from four years ago requires a BAA in the file.
  • The risk analysis must be retained with evidence of when it was performed and who conducted it.
  • Incident logs and breach notification decisions must be retained, including the analysis supporting any determination that an incident did not constitute a reportable breach.

Clinics that have not maintained a consistent, dated evidence archive across the six-year retention window are at heightened risk in any investigation that covers historical conduct.


Building a readiness binder

A readiness binder is a pre-organized collection of the documents OCR most commonly requests. Assembling it before any investigation opens converts a 30-day deadline from a crisis into a retrieval task.

Contents of a basic readiness binder:

  1. Current policies and procedures — Privacy policy, Security policy, Breach Notification policy, Notice of Privacy Practices, workforce sanctions policy, device and media disposal policy, workstation use policy, emergency access procedure. Each document should be dated and show evidence of review.

  2. Workforce training records — Completion records and signed attestations for all current workforce members. Maintain a retention archive for former workforce members covering the six-year window.

  3. BAA register — A list of all current and former business associates with a signed BAA on file for each. Include the effective date and any termination date for inactive relationships.

  4. Risk analysis — The current written risk analysis with the date it was performed, who conducted it, and a list of the systems and PHI flows it covers.

  5. Incident and breach log — A running log of all incidents evaluated during the retention period, with documentation of the analysis and outcome for each.

  6. Access review records — Dated logs showing periodic review of system access permissions.

  7. Sanctions log — A record of any disciplinary actions taken for HIPAA violations, with dates and outcomes.

The binder does not need to be physical. A well-organized, access-controlled digital archive with a clear folder structure and consistent naming works better. What matters is that any document in the binder can be retrieved and printed within hours, not days.


Response timelines and what they mean

OCR’s initial response deadline is 30 days from the date of the notification letter. Missing it without requesting an extension in advance is treated as non-cooperation, which affects how the investigation proceeds and what remedial action OCR considers appropriate.

Response timeline in practice:

  • Day 1–3: Receive notification letter, preserve all relevant records, notify legal counsel
  • Day 5–10: Consult with counsel on response strategy; begin compiling documentation from the readiness binder
  • Day 15–20: Draft initial written response with counsel review
  • Day 25–28: Finalize and submit response with all requested documentation
  • Day 30: Deadline

If the clinic cannot compile the required documentation within 30 days — a real risk when records are scattered — request an extension from OCR in writing before the deadline. OCR generally grants reasonable extension requests when the covered entity is actively cooperating. An extension request made the day before the deadline is not the same as one made in the first week.


Covered entities can respond to OCR without legal representation. Self-representation carries real risk because the written response sets the factual record for everything that follows.

Situations that strongly favor engaging HIPAA counsel:

  • The complaint alleges a breach that the clinic believes it handled correctly, but the investigation could reopen that determination
  • The clinic has documentation gaps that will be apparent from the records produced
  • The investigation involves a current or former workforce member who may make additional claims
  • OCR’s notification letter indicates it is conducting a compliance review beyond the specific complaint (a signal that the investigation scope may expand)
  • Any prior OCR enforcement action is on the clinic’s record

The distinction between general healthcare counsel and HIPAA-specialized counsel matters. An attorney who handles the clinic’s contracts and employment matters is not the same as counsel with experience in OCR investigations and resolution agreement negotiation. If the clinic does not have an established HIPAA counsel relationship, establishing one before an investigation opens, not during one, is the appropriate preparation.


How cooperation affects outcomes

OCR’s published resolution agreements consistently reflect the quality of the covered entity’s cooperation. Clinics that produce documentation promptly, respond accurately, and implement remediation voluntarily tend to reach resolution faster and with less financial exposure than those that delay, produce incomplete records, or contest OCR’s jurisdiction.

Cooperation does not mean agreeing with OCR’s characterization of events. It means responding within deadlines, producing requested documentation without unnecessary withholding, and engaging constructively with the corrective action process when remediation is warranted.

The written response is not the place to argue the merits of the complaint. It is the place to present the clinic’s compliance program — its policies, its training, its BAA inventory, its access controls — accurately and completely. A response that demonstrates an active, maintained compliance program is a materially better starting position than one that reveals a program existing only on paper.


What small clinics most commonly lack

Based on OCR enforcement actions and resolution agreement disclosures, the documentation gaps most frequently cited in small clinic investigations are:

  1. Signed BAAs with current vendors. Many small clinics have BAAs with their EHR vendor but not with billing services, transcription providers, IT support companies, or cloud storage vendors that handle PHI.

  2. Current training records. Training attestations for part-time staff, temporary workers, and staff hired in the past two years are frequently missing or incomplete.

  3. A written risk analysis. Some clinics have never performed a formal written risk analysis. Others have one from 2018 that predates their current EHR and patient portal.

  4. An incident log. Incidents are handled when they occur, but not logged in a way that produces a retrievable record showing what happened, what was investigated, and what was determined.

  5. Evidence of periodic review. Policies exist but have not been reviewed in years. Training happened but there are no completion records. Access reviews were never formalized.

Each of these gaps is correctable before an investigation opens. Fixing them now costs a fraction of the time spent explaining them to OCR with a 30-day deadline running.

FAQ

Questions related to this topic

How does OCR decide whether to investigate a complaint?

OCR reviews the complaint to determine if it falls within HIPAA jurisdiction—meaning the complaint involves a covered entity and a potential violation of the Privacy, Security, or Breach Notification Rules. OCR has discretion over which complaints to investigate and may close some complaints through technical assistance rather than full investigation.

What is the typical timeline for an OCR complaint investigation?

Timelines vary widely. The initial response is typically due within 30 days of OCR's notification letter. After that, investigations can take months to years depending on complexity. Resolution through a corrective action plan or resolution agreement can extend the timeline further.

Do we need a HIPAA attorney to respond to an OCR complaint?

Legal representation is not required, but it is strongly advisable for any investigation that involves a potential penalty or material compliance gaps. HIPAA-specialized counsel can advise on what to disclose, how to frame the response, and how to negotiate corrective action terms.

What is the difference between a corrective action plan and a resolution agreement?

A corrective action plan (CAP) is a remediation plan agreed to with OCR that specifies what changes the covered entity must make and by when. A resolution agreement involves a financial settlement and is typically used in more serious cases. Both require ongoing reporting to OCR during the compliance period.

Can OCR investigate something that happened years ago?

Yes. The 6-year record retention requirement exists in part because OCR may investigate conduct from the retention period. Gaps in documentation from several years back are a current compliance problem if they fall within the retention window.
