Home Products Most Popular Contact
No items in your cart.
The page below is a sample from the LabCE course HIPAA Privacy and Security Rules. Access the complete course and earn ASCLS P.A.C.E.-approved continuing education credits by subscribing online.

Learn more about HIPAA Privacy and Security Rules (online CE course) »


The Secretary of HHS will investigate any HIPAA non-compliance complaint filed when a preliminary review of the facts indicates a possible violation due to willful neglect and may investigate any other non-compliance complaint that is filed.

An investigation may include a review of the pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation.

When the initial written communication is received, the Secretary will communicate the acts and/or omissions that are the basis of the complaint with the covered entity or business associate.

If an investigation of a complaint indicates noncompliance, the Secretary may attempt to reach a resolution of the matter by informal means. Informal means may include demonstrated compliance or a completed corrective action plan or other agreement. If the matter is resolved by informal means, both the covered entity/business associate and the complainant will be informed of this in writing.

However, if the matter is not resolved by informal means, the Secretary will inform the covered entity/business associate and provide the covered entity/business associate with an opportunity to submit written evidence of any mitigating factors or affirmative defenses for consideration. The covered entity/business associate must submit this to the Secretary within 30 days of receipt of the notification.

If the Secretary finds that a civil money penalty should be imposed, the covered entity/business associate will be informed of this in a written notice of intent to impose a penalty.

When no violation is found after an investigation and it is determined that further action is not warranted, the Secretary will inform the covered entity or business associate and, if the matter arose from a complaint, the complainant, in writing.