Emergency Response

OCR Investigation Letter: Your 30-Day Response Playbook

8 min read · Last reviewed May 23, 2026

If you received an OCR investigation letter, you have a defined response window — typically 20 to 30 calendar days from the date on the letter — to produce the requested records. Do three things in the first 48 hours: acknowledge receipt in writing, route all communication through outside healthcare counsel, and issue a litigation hold that freezes audit logs and email from the named time period.

What kind of OCR letter is this

The first move is identifying the letter. The deadline, document list, and stakes differ significantly across the four common types. Read the letter twice with counsel and confirm:

  • Complaint-driven investigation under 45 CFR § 160.306. A patient, former employee, or third party filed a complaint with OCR. The letter usually names the complaint subject area (right of access, breach, minimum necessary).
  • Compliance review initiated by OCR under 45 CFR § 160.308. OCR opened the review on its own, often after a public breach disclosure or pattern observed in other enforcement.
  • Breach-triggered investigation following a Breach Notification Rule report under 45 CFR § 164.408. The 500+ breach portal almost always generates one; smaller breaches sometimes do.
  • HIPAA Audit Program notice. Structured audit covering specific control areas in the HIPAA Audit Protocol. OCR restarted the audit program in 2024.

State Attorney General actions under 42 USC § 1320d-5(d) — the HIPAA state-AG civil action authority added by HITECH — are separate from OCR but use overlapping authority. Treat them with the same posture.

The first 48 hours

In an OCR investigation, the first 48 hours are the most consequential — they determine whether you have a documented response posture or a scramble.

  1. Acknowledge receipt in writing only. Confirm receipt by the channel the letter specifies (email or certified mail), name the docket number, and state that response will follow within the deadline. Do not answer substantive questions yet.
  2. Engage outside healthcare counsel. Counsel becomes the point of contact and works the response under attorney-client privilege. This is not optional for any letter naming a specific incident, complaint, or breach.
  3. Issue a litigation hold. Written notice to IT, billing, and clinical staff: do not delete email, do not purge audit logs, do not modify records from the time period named in the letter. Preservation failures convert a manageable investigation into one with spoliation exposure.
  4. Identify the Privacy Official and Security Official. Under 45 CFR § 164.530(a)) and 45 CFR § 164.308(a)(2)(2)). If the role is unassigned, assign it in writing today and document that assignment as part of the response.
  5. Inventory your binder. What is the date of the current Security Risk Analysis? What policies are on file? What training records exist? What BAAs are current? What incident logs? Counsel needs this before the response strategy can be finalized.

What OCR is actually asking for

OCR's standard data request maps directly to the HIPAA Audit Protocol. Expect requests across:

OCR's published Resolution Agreements show the absence of a current, written Security Risk Analysis is the single most-cited deficiency. If you cannot produce one dated within the last 12 to 18 months, that gap is the first one to remediate while the response is being prepared.

Building the response package

The response is structured, tabbed, and indexed against the OCR document list. Counsel produces the cover letter; the practice produces the evidence. Standard structure:

  • Cover letter from counsel describing the response structure and any privilege assertions
  • Tab-by-tab response, one tab per OCR document request item, with cross-reference to the CFR citation
  • A narrative explanation for any addressable specification where the practice implemented an equivalent control instead
  • A remediation plan with named owners and dates for any gap the response cannot close
  • A signed attestation from the Security Official confirming the documents are true and complete
  • A cumulative index so the investigator can find every item without re-reading the package

Submit by the channel specified in the letter, with proof of delivery, before the deadline.

What not to touch

  • Do not delete or modify any record from the time period named in the letter. Spoliation will dominate every other issue in the case.
  • Do not have practice staff communicate directly with the investigator. Counsel is the channel.
  • Do not produce documents that were not requested. Over-production widens the investigation surface.
  • Do not back-date or reconstruct a Security Risk Analysis. If one does not exist, the truthful response — and an immediate remediation — is the only defensible posture.
  • Do not assume an "addressable" specification means optional. Addressable specifications at 45 CFR § 164.306(d)(3)(3)) require either implementation or a documented equivalent measure.
  • Do not claim attorney-client privilege over the underlying records. Privilege attaches to the legal communications, not the operational documents.

After submission: the next 60 to 90 days

OCR typically responds with follow-up data requests, a request for a phone interview with the Security or Privacy Official, or a settlement negotiation framework. Possible outcomes:

  • Closure with no further action — most common when documentation is complete and no breach occurred
  • Closure with technical assistance — OCR provides written guidance; no penalty
  • Voluntary compliance resolutioncorrective action plan, often two to three years, with periodic evidence submissions
  • Resolution Agreement and Corrective Action Plan — the public settlement structure; published on the OCR enforcement page, typically with a monetary settlement
  • Civil Monetary Penalty under 45 CFR § 160.404 — used when settlement fails; penalty tiers under 45 CFR § 160.406 reach the statutory maximum

The OCR Right of Access Initiative settlements (forty-plus published through 2024 per the OCR press release log) are smaller-dollar but more numerous. Many start with a single patient complaint about records not delivered within the 30-day window at 45 CFR § 164.524(b)(2)(2)).

State-law overlay

Federal rules above; state law may impose stricter timelines or scope. Where state law is in play, both federal and state notification or response obligations run in parallel:

  • California: the Confidentiality of Medical Information Act (Civil Code §§ 56–56.37) imposes its own breach-notification timeline and the state Attorney General has independent enforcement authority.
  • Texas: HB 300 (Tex. Health & Safety Code Chapter 181) carries Texas Attorney General enforcement separate from OCR.
  • New York: the SHIELD Act (General Business Law § 899-bb) imposes its own data-security standard with Attorney General enforcement.
  • Massachusetts: 201 CMR 17 imposes written information security program requirements that overlap with the HIPAA Security Rule.

Counsel should map every OCR document request against any state-level investigative authority that has been engaged on the same incident.

Restraint about claims

No vendor or guide can promise an OCR outcome. OCR closes matters on the totality of evidence and the practice's good-faith remediation. The most predictable variable is the quality and timeliness of the response: a well-organized, source-grounded package produced through counsel materially outperforms a scrambled one.

How d3rx fits

The d3rx compliance binder assembles the underlying source-grounded documentation an OCR response is built from — Security Risk Analysis, policies, training log, BAA inventory, breach log. The d3rx audit defense workflow walks the first 48 hours, the document-hold steps, and the tab-by-tab response structure. d3rx does not represent the practice in any OCR proceeding and does not replace counsel; it is a point-in-time administrative documentation aid that counsel and the practice work from.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversOCR Investigation Letter: Your 30-Day Response Playbook. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

Can an OCR investigator visit our office unannounced?

It is uncommon at the initial-letter stage. OCR investigations almost always begin with a written data request under [45 CFR 160.306](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.306) or a compliance review under [45 CFR 160.308](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.308). On-site inspections under [45 CFR 160.310(c)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.310) do occur but generally follow document review. If an investigator appears, ask for credentials, decline to answer substantive questions, and call counsel immediately.

Should I call OCR back before talking to counsel?

No. Any statement you make becomes part of the investigative record. Acknowledge receipt in writing only, route all substantive communication through outside healthcare counsel, and confirm counsel will appear as the point of contact going forward. Phone calls with investigators should be scheduled, structured, and documented.

Can I ask for an extension on the OCR response deadline?

Yes. Extensions are routinely granted when requested in writing before the deadline and supported by a specific reason (counsel retention, volume of records, breach investigation in progress). Send the request through counsel, identify the new proposed date, and confirm in writing. Do not let the original deadline pass without a granted extension on file.

What is the difference between an audit, an investigation, and a compliance review?

An audit under the HIPAA Audit Program is a planned, structured review of selected control areas. An investigation under [45 CFR 160.306](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.306) is complaint-driven. A compliance review under [45 CFR 160.308](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.308) is OCR-initiated based on enforcement signals. The document requests look similar; the stakes and posture differ.

If we self-identified the issue and reported the breach, will OCR go easier on us?

Self-reporting and timely breach notification under [45 CFR 164.404](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.404) are weighted favorably in the penalty calculus at [45 CFR 160.408](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.408). They do not foreclose enforcement, but they shift the analysis from willful neglect toward reasonable cause, which materially changes Civil Monetary Penalty tiers.

Can I be personally liable as the practice owner?

Civil Monetary Penalties under [45 CFR 160.404](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404) attach to the covered entity. Criminal penalties at 42 USC 1320d-6 can attach to individuals who knowingly obtain or disclose PHI in violation of HIPAA. State medical-licensure boards also receive notice of significant federal enforcement actions, which is the more common indirect exposure for owners.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR § 160.306https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.306
  2. 45 CFR § 160.308https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-C/section-160.308
  3. 45 CFR § 164.408https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D/section-164.408
  4. HIPAA Audit Protocolhttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
  5. 45 CFR § 164.530(a)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(a
  6. 45 CFR § 164.308(a)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
  7. 45 CFR § 164.312(a)(2)(iv)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(a
  8. 45 CFR § 164.312(e)(2)(ii)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312#p-164.312(e
  9. 45 CFR § 164.530(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(b
  10. 45 CFR § 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504#p-164.504(e
  11. 45 CFR § 164.402https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.402
  12. 45 CFR § 164.306(d)(3)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-A/section-164.306#p-164.306(d
  13. OCR enforcement pagehttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
  14. 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
  15. 45 CFR § 160.406https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.406
  16. OCR press release loghttps://www.hhs.gov/hipaa/newsroom/index.html
  17. 45 CFR § 164.524(b)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524#p-164.524(b

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides