What Happens If a Therapist Gets Audited by OCR? A Plain-English Guide
The phrase "OCR audit" is enough to make most solo therapists break into a cold sweat. But the fear usually comes from not knowing what an investigation actually looks like — most therapists imagine something between a police raid and an IRS audit, when the reality is more structured and, if you've done your homework, manageable.
This guide walks through what actually happens when the Office for Civil Rights investigates a therapy practice: how investigations start, what OCR asks for, the timeline, potential outcomes, and — most importantly — what you can do right now to make a positive outcome far more likely.
How OCR Investigations Are Triggered
OCR doesn't randomly knock on therapists' doors. Investigations almost always start from one of three sources:
1. Patient complaints
This is the most common trigger. A patient files a complaint with OCR — usually through the online complaint portal at hhs.gov. Common complaint triggers include:
- A therapist discussed their case with someone they shouldn't have
- The patient requested their records and was denied or charged excessively
- The practice experienced a data breach and didn't notify them
- The patient noticed their information was sent to the wrong person
- The therapist sent PHI over an unsecured channel (regular email, text messaging) that the patient had not chosen. A patient may ask for unencrypted email after being told of the risk, but the default has to be a secure method.
OCR receives roughly 30,000-35,000 complaints per year. Not all lead to full investigations, but every complaint is reviewed.
2. Breach reports
HIPAA's Breach Notification Rule requires you to notify affected individuals without unreasonable delay and no later than 60 days after you discover a breach of unsecured PHI. Breaches affecting 500 or more individuals must also be reported to HHS within that same 60-day window (and to prominent media outlets if more than 500 residents of one state are affected). Breaches affecting fewer than 500 are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. OCR reviews every report it receives. For breaches affecting fewer than 500 individuals, OCR investigates selectively. For breaches affecting 500 or more, OCR opens an investigation into every one.
Even small breaches can trigger an investigation if the circumstances suggest systemic problems — for example, if the breach resulted from a complete lack of encryption or access controls.
3. Compliance reviews
OCR has the authority to conduct "compliance reviews" — proactive investigations that aren't triggered by a specific complaint or breach. These are less common for solo practices but do happen, particularly in targeted industry sweeps.
In late 2024 OCR announced a Risk Analysis enforcement initiative, and the settlements it has produced since have mostly involved providers, many of them small, that had never conducted an accurate and thorough Security Risk Analysis.
What OCR Asks for First
When OCR opens an investigation, they send a data request letter. For a therapy practice, here's what they typically ask for:
The first three requests (always)
1. Your Security Risk Analysis. This is request number one in virtually every OCR investigation. They want to see a completed, dated SRA that covers your entire practice — every system, every location, every device that touches ePHI.
If you don't have one, the investigation effectively becomes about why you don't have one. OCR has stated publicly that failure to conduct a risk analysis is "the most common HIPAA violation."
2. Your written policies and procedures. Your HIPAA security policies — the document that says "here's how our practice protects patient data." They want to see that you've thought about administrative, physical, and technical safeguards and written them down.
3. Evidence of workforce training. Did you (and anyone who works with you) receive HIPAA security training? When? Is there a training log?
Additional common requests
- Business Associate Agreements with your vendors
- Your Notice of Privacy Practices
- Incident response and breach notification policies
- Encryption documentation for devices and transmissions
- Access control documentation (who can access what)
- Evidence of the specific issue that triggered the investigation
The Investigation Timeline
OCR investigations are not fast. Here's a typical timeline for a solo practice investigation:
Weeks 1-2. You receive the data request letter via certified mail or email. It specifies exactly what documents OCR wants and gives you a deadline to respond (typically 30 days, sometimes extended upon request).
Weeks 2-6. You gather and submit the requested documentation. If you have everything organised, this is straightforward. If you don't have the documents, this is where the panic sets in.
Months 2-6. OCR reviews your submission. They may come back with follow-up questions. They may request additional documentation. There may be a long period of silence while your case sits in the queue.
Months 6-18. OCR reaches a determination. This is where one of several outcomes happens (see below).
The entire process typically takes 6-18 months, sometimes longer. During this time, your practice continues to operate normally — an OCR investigation does not shut you down or prevent you from seeing patients.
Possible Outcomes
1. No violation found
OCR determines that your practice was in compliance with HIPAA or that the specific allegation in the complaint doesn't constitute a violation. Case closed. This happens more often than you'd think, particularly when the practice can demonstrate good-faith compliance efforts.
2. Technical assistance
OCR determines there's a minor issue but it doesn't warrant a formal finding. They provide "technical assistance" — essentially guidance on how to fix the problem. No fine, no public record. This is the most common outcome for minor first-time issues.
3. Resolution agreement (corrective action plan)
OCR determines there's a violation but reaches a settlement. You agree to a Corrective Action Plan (CAP) that specifies exactly what you need to fix and by when. There may be a monetary settlement involved. The resolution agreement is posted publicly on OCR's website.
4. Civil monetary penalty
For serious or repeated violations, OCR can impose civil monetary penalties without a settlement. The penalty tiers, as inflation-adjusted in 2024, are:
- Tier 1: Did not know and could not have known — $141 to $71,162 per violation
- Tier 2: Reasonable cause, not wilful neglect — $1,424 to $71,162 per violation
- Tier 3: Wilful neglect, corrected within 30 days — $14,232 to $71,162 per violation
- Tier 4: Wilful neglect, not corrected — $71,162 to $2,134,831 per violation
The regulatory annual cap for identical violations is $2,134,831. In practice, under OCR's 2019 Notice of Enforcement Discretion, the first three tiers carry lower annual caps (roughly $25,000, $100,000 and $250,000 before inflation adjustment), so the full cap applies only to uncorrected wilful neglect.
5. Referral to DOJ
In cases involving criminal violations (knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA), OCR refers the case to the Department of Justice for prosecution. This is rare and typically involves intentional wrongdoing, not a therapist who forgot to encrypt their laptop.
Real Examples: Small Practice Settlements
These are real OCR enforcement actions against small practices. They illustrate what goes wrong and what the consequences look like.
Allergy Associates of Hartford — $125,000
A small allergy practice disclosed a patient's PHI when one of its doctors, contacted by a local television reporter about a dispute with that patient, discussed the patient's information with the reporter, even though the practice's privacy officer had advised against responding. OCR's investigation found that the practice took no disciplinary or corrective action afterwards. The $125,000 settlement came with a two-year corrective action plan requiring the practice to revise its policies and procedures and retrain its workforce.
Lesson: The disclosure itself was one conversation. The lack of any follow-through (no sanction, no corrective action, and policies and training that had to be rebuilt under the CAP) turned it into a six-figure settlement.
Steven A. Porter, M.D. — $100,000
OCR opened its investigation after a breach report concerning the practice's electronic medical records vendor, which had blocked the practice's access to its own patients' ePHI during a billing dispute. The investigation found that the practice had never conducted a risk analysis, had no risk management process, and had no business associate agreement with the vendor.
Lesson: A vendor dispute was the trigger. The missing risk analysis and missing BAA were what the $100,000 settlement was about.
David Randolph, M.D. — $25,000 (Right of Access case)
A solo practitioner failed to provide a patient with their medical records within the required timeframe. The patient complained to OCR. The investigation found repeated delays and failure to comply with the HIPAA Right of Access rule.
Lesson: You have 30 days to act on a records request (one 30-day extension is allowed if you give the patient written notice of the reason). Ignoring or delaying requests is one of OCR's stated enforcement priorities.
What Solo Therapists Get Wrong
Based on OCR enforcement patterns, here are the most common mistakes:
1. Thinking "I'm too small to be audited"
OCR has specifically targeted small practices in recent enforcement waves. Their Right of Access Initiative alone has resulted in dozens of settlements against individual providers. Practice size is not a shield.
2. Having no documentation at all
This is the worst possible position. Having imperfect documentation is infinitely better than having none. OCR distinguishes between "tried but had gaps" and "never tried at all."
3. Doing compliance once and forgetting about it
HIPAA requires ongoing compliance: the risk analysis must be reviewed and updated as your systems, vendors and risks change (annually is the commonly accepted floor), policies must be kept current, and training must continue. A risk analysis from 2019 doesn't protect you in 2026.
4. Assuming the EHR handles everything
Your EHR provides tools — encryption, access controls, audit logs. But having the tools is not the same as having documented policies for using them, and it doesn't replace a proper risk analysis.
5. Not having BAAs with all vendors
Many therapists have a BAA with their EHR but not with their email provider, cloud storage, telehealth platform or billing service. Every vendor that creates, receives, stores or transmits ePHI on your behalf needs a BAA. The only exception is a pure conduit such as your internet provider or phone carrier, which merely carries the data and does not keep it.
How to Prepare Right Now
If you're reading this and realising you have gaps, here's your priority list:
Priority 1: Complete a Security Risk Analysis (this week)
This is the single most impactful thing you can do. A completed, dated SRA is the first thing OCR asks for and the first thing they notice is missing. It doesn't need to be perfect — it needs to be thorough, honest, and documented.
Take Yundra's free HIPAA Risk Assessment →
Priority 2: Write your policies (this month)
Get your security policies in writing. Cover administrative, physical, and technical safeguards. Reference your specific EHR, email provider, and telehealth platform.
Priority 3: Get your BAAs in order (this month)
List every vendor that touches patient data. Verify you have a signed BAA with each one. If you don't, either get one signed or switch vendors.
Priority 4: Document your training (ongoing)
Complete HIPAA security training and log it. If you have staff, ensure they're trained too. Keep records of who completed training and when.
Priority 5: Create an incident response plan (this month)
Write down what you'd do if a breach happened. Include contact numbers, notification timelines, and documentation procedures. Having this plan before you need it is the entire point.
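The notification timelines an incident response plan has to carry are easier to get right when they are computed rather than looked up under pressure. The Python below is an added example, not code from the original guide or from Yundra. It applies the outer limits from the HIPAA Breach Notification Rule described earlier on this page: 60 days from discovery for affected individuals, the same window for HHS when 500 or more people are affected, and 60 days after the end of the calendar year for smaller breaches. Its assumptions: every affected person lives in the same state when it decides whether the media-notice rule (more than 500 residents of one state) applies, and it does not model the law-enforcement delay exception. The scenario in the `__main__` block is constructed.

```python
"""Breach notification deadlines for a HIPAA covered entity.

Added example: computes the outer limits from the Breach Notification Rule
(45 CFR 164.404, 164.406, 164.408). "Without unreasonable delay" always
applies; these dates are the latest permitted, not targets.
"""
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # outer limit after discovery
LARGE_BREACH = 500                   # threshold for immediate HHS reporting


@dataclass(frozen=True)
class BreachDeadlines:
    discovered: date
    affected: int
    individuals: date      # 164.404: written notice to each affected person
    hhs: date              # 164.408: report via the HHS breach portal
    hhs_immediate: bool    # True when the 500-or-more rule applies
    media_required: bool   # 164.406: notice to prominent media outlets


def _as_date(value) -> date:
    """Accept a date or an ISO string such as '2025-03-10'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def breach_deadlines(discovered, affected: int) -> BreachDeadlines:
    """Return the latest permitted notification dates for one breach.

    `discovered` is the first day the breach was known, or by exercising
    reasonable diligence would have been known (164.404(a)(2)), not the
    day the notification decision was made.
    """
    if affected < 1:
        raise ValueError("a reportable breach affects at least one individual")
    found = _as_date(discovered)
    individuals = found + NOTICE_WINDOW

    if affected >= LARGE_BREACH:
        # 500 or more: HHS is notified in the same window as individuals.
        hhs, immediate = individuals, True
    else:
        # Fewer than 500: keep a log and submit it to HHS no later than
        # 60 days after the end of the calendar year of discovery.
        hhs, immediate = date(found.year, 12, 31) + NOTICE_WINDOW, False

    # Media notice applies when more than 500 residents of one state or
    # jurisdiction are affected. Assumption in this example: everyone
    # affected lives in the same state, so the total count is used.
    media = affected > LARGE_BREACH

    return BreachDeadlines(found, affected, individuals, hhs, immediate, media)


def notification_plan(discovered, affected: int) -> list[tuple[date, str]]:
    """Order the required notices by deadline, for pasting into an IR plan."""
    d = breach_deadlines(discovered, affected)
    steps = [(d.individuals, "written notice to each affected individual")]
    if d.hhs_immediate:
        steps.append((d.hhs, "report to HHS through the breach portal (500+)"))
    else:
        steps.append((d.hhs, "add to breach log; submit annual log to HHS"))
    if d.media_required:
        steps.append((d.individuals, "notice to prominent media outlets (>500 in one state)"))
    return sorted(steps)


if __name__ == "__main__":
    # Constructed scenario: a misdirected fax discovered on 10 March 2025
    # affecting 12 people.
    for when, action in notification_plan("2025-03-10", 12):
        print(f"{when.isoformat()}  {action}")
```

The year-end branch is the one practitioners most often get wrong: a small breach discovered on 31 December is still reported in the annual log for that year, which is due 60 days later (29 February in a leap year, 1 March otherwise), not rolled into the following year's log.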
The Bottom Line
An OCR investigation is not the end of the world — but walking into one with zero documentation is the worst possible scenario. The difference between a "technical assistance" outcome and a five-figure settlement often comes down to whether you can show you took compliance seriously before the investigation started.
You don't need to be perfect. You need to be prepared.
Get your compliance documents in order →
Start with the free assessment. Twenty-five minutes now could save you thousands in fines and hundreds of hours of stress if OCR ever comes calling.