The Office for Civil Rights (OCR) has statutory authority to enforce the HIPAA Privacy and Security Rules. And now, pursuant to HITECH, state attorneys general also have enforcement authority.
An investigation can start with a letter or a civil investigative demand (CID). A CID is similar to a subpoena but broader. Investigators will likely want to examine your documents and interview members of your organization about what happened.
Upon receipt of a notice of an impending audit or complaint investigation from OCR, immediately confirm receipt. Then, provide OCR officials with the information they request in the notice. If you have questions, ask them. But most important is a timely response and documentation of that response. We recommend that you use e-mail or write a letter so that you have documented proof of your communication.