ISpectra Technologies · Penalties Guide · Updated Jun 2026 · 9 min read

Who Enforces HIPAA? The Role of OCR

HIPAA is only as meaningful as its enforcement, and a specific federal office carries that responsibility. This guide explains who enforces HIPAA and how enforcement actually works.


Knowing who can investigate you, what triggers their attention, and how the process unfolds takes much of the mystery out of HIPAA enforcement, and it makes clear why a maintained program matters: the same facts that determine whether an investigation opens also determine how it ends.

The Office for Civil Rights

Primary responsibility for enforcing HIPAA rests with the Office for Civil Rights (OCR), an office within the US Department of Health and Human Services (HHS). OCR oversees compliance with the Privacy, Security, and Breach Notification Rules by covered entities and, since the HITECH Act, directly by their business associates; it investigates complaints and breach reports, and it can impose civil monetary penalties.

OCR is the body most organizations interact with on HIPAA matters. Understanding its role — investigator, enforcer, and educator — is central to understanding how the law operates in practice.

What OCR does

OCR’s responsibilities span several functions. It receives and investigates complaints, conducts compliance reviews (often after a breach), runs periodic audit programs, issues guidance to help organizations comply, and pursues enforcement — from corrective action to civil monetary penalties — when violations are found.

This combination of education and enforcement reflects OCR’s dual aim: to help organizations comply and to hold accountable those that do not.

State attorneys general

OCR is not the only enforcer. Since the HITECH Act, state attorneys general have been empowered to bring civil actions in federal district court on behalf of state residents for HIPAA violations, seeking injunctions and statutory damages. This adds a second layer of enforcement and means organizations can face action at both the federal and state levels for the same incident.

State enforcement varies in frequency and emphasis, but its existence broadens the landscape of accountability beyond OCR alone.


The role of HHS more broadly

While OCR leads HIPAA enforcement, it operates within the broader Department of Health and Human Services, which sets health policy and issues the regulations OCR enforces. HHS also coordinates with other agencies on related matters; for example, the FTC's Health Breach Notification Rule and its general authority over unfair or deceptive practices reach health apps and other entities that handle health data but are not covered by HIPAA.

This wider context matters because health-data obligations can extend beyond HIPAA, and different agencies may have overlapping interests in how that data is handled.

How complaints work

Anyone who believes their health-information rights have been violated can file a complaint with OCR. Complaints must be in writing and filed within 180 days of when the complainant knew or should have known of the violation, though OCR can waive that deadline for good cause. OCR reviews each complaint and decides whether to investigate.

Complaints are a major source of OCR activity, and complaints about access to records in particular have driven a dedicated enforcement initiative. Responsive handling of patient rights is therefore one of the best ways to avoid drawing attention: the Privacy Rule gives a covered entity 30 days to respond to a records request, with at most one 30-day extension on written notice to the patient, and organizations that miss that window are the ones that turn up in right-of-access settlements.

How investigations begin

OCR investigations are triggered in several ways: a filed complaint, a breach report, a referral, or a compliance review. Breach reports are the most predictable trigger: a breach affecting 500 or more individuals must be reported to OCR no later than 60 days after discovery, and OCR opens a compliance review for every such report, with the breach itself becoming the starting point for a broader look at the program.

Because many triggers are outside an organization’s control, the reliable defense is a program that can withstand examination whenever it comes.

The investigation process

Once an investigation opens, OCR sends a data request listing the documentation it wants, reviews the organization's compliance, and evaluates whether violations occurred. The organization is expected to cooperate, provide records, and respond within the deadlines stated in the request. The evidence that matters most (risk analyses, policies, training records, access and audit logs, BAAs) should already exist and carry the dates it was produced; material assembled after the request arrives is easy to recognize and carries far less weight.

How an organization responds — promptly, completely, and honestly — significantly shapes the tone and trajectory of the investigation.

Possible outcomes

Investigations can resolve in several ways. OCR may find no violation and close the matter; it may require voluntary compliance and corrective action; it may enter a resolution agreement with a settlement and a corrective action plan; or, in serious cases, it may impose civil monetary penalties.

Many matters resolve through corrective action rather than penalties, particularly where the organization cooperates and demonstrates good faith.

Resolution agreements and corrective action

A common outcome is a resolution agreement: the organization agrees to a settlement payment and a corrective action plan that addresses the deficiencies OCR identified, typically under two or three years of monitoring. These agreements are published on the HHS website and serve as both remedy and deterrent.

Corrective action plans typically require concrete steps — updating policies, completing a risk analysis, training staff — with reporting to OCR over time.

Civil monetary penalties

When OCR imposes penalties, they are tiered by culpability. The four tiers are: the organization did not know of the violation and could not reasonably have known; the violation was due to reasonable cause rather than willful neglect; willful neglect that was corrected within 30 days of discovery; and willful neglect that was not corrected within 30 days. Per-violation amounts rise with each tier and are adjusted for inflation each year, and each tier is subject to an annual cap for identical violations. The most severe penalties are reserved for organizations that ignored clear obligations and did not fix them once discovered, which is why documenting the date a problem was found and the date it was corrected matters.

These penalties can be significant, but they are far from automatic; they generally reflect serious or willful noncompliance rather than honest, promptly corrected mistakes.

Criminal enforcement

While OCR handles civil enforcement, knowingly obtaining or disclosing PHI in violation of HIPAA can also draw criminal liability, which the Department of Justice pursues. The criminal statute is itself tiered: up to one year of imprisonment for a knowing violation, up to five years where the offense is committed under false pretenses, and up to ten years where the intent is to sell the information or to use it for commercial advantage, personal gain, or malicious harm. Criminal cases are less common and target deliberate wrongdoing, such as an employee stealing or selling patient records, rather than compliance lapses.

This criminal dimension underscores that the most egregious mishandling of health data is treated as a serious offense, not merely a regulatory matter.

Enforcement priorities and trends

OCR's enforcement has emphasized recurring themes: the failure to conduct an accurate and thorough risk analysis (and the follow-on risk management it is supposed to drive), weak access controls and unreviewed audit logs, unencrypted laptops and portable media, missing or incomplete Business Associate Agreements, and failures to provide patients timely access to their records. These themes signal where scrutiny concentrates, and nearly every published settlement cites at least one of them.

Aligning your program with these priorities — ensuring you are strong precisely where OCR looks hardest — is a practical way to reduce enforcement risk.

How to stay on the right side of enforcement

The best protection against enforcement is a genuine, maintained program: a current risk analysis, real safeguards, signed BAAs, trained staff, responsive handling of patient rights, and prompt, documented breach response. Cooperation and good faith further improve outcomes if an issue does arise.

Enforcement is not something to fear if the underlying program is sound. Organizations that take their obligations seriously and can demonstrate it are well positioned regardless of who comes knocking.

OCR's educational role

Enforcement is only part of OCR’s mission. It also publishes extensive guidance, FAQs, and tools to help organizations understand and meet their obligations. This educational role reflects a recognition that most organizations want to comply and benefit from clear direction.

Engaging with OCR’s guidance is a practical way to align your program with the regulator’s own interpretation of the rules, reducing the chance of misunderstanding.

How OCR prioritizes cases

OCR receives far more complaints and breach reports than it can pursue in depth, so it prioritizes. Large breaches, patterns of noncompliance, cases involving vulnerable populations, and issues touching its enforcement initiatives tend to receive the most attention.

Understanding these priorities helps organizations focus their own efforts on the areas most likely to draw scrutiny if something goes wrong.

The breach portal

Organizations report breaches to OCR through the HHS breach portal. Breaches affecting 500 or more individuals must be reported no later than 60 days after discovery and are publicly listed, the so-called "wall of shame". Smaller breaches must still be reported, but they can be logged and submitted annually, within 60 days after the end of the calendar year in which they were discovered, and they are not listed publicly. This transparency is itself a form of accountability, exposing significant breaches to public view.

The public nature of large-breach reporting adds reputational pressure on top of regulatory consequences, reinforcing the incentive to prevent breaches in the first place.

Cooperation during enforcement

How an organization engages with OCR during an investigation matters. Cooperation, transparency, and a demonstrated commitment to fixing problems generally lead to better outcomes than defensiveness or delay. OCR has discretion in how it resolves matters, and good-faith engagement weighs in an organization’s favor.

This is another reason to treat compliance seriously before any inquiry: an organization with a genuine program has far more to point to when cooperating with regulators.

Enforcement as a feedback signal

Published enforcement actions are a valuable signal for everyone, not just the organizations involved. They reveal what OCR considers serious, which failures recur, and how the agency expects organizations to respond. Studying them helps others avoid the same mistakes.

Treating enforcement news as ongoing education — rather than just cautionary tales — keeps a program aligned with evolving regulatory expectations.

Why enforcement ultimately protects patients

The purpose of all this enforcement is to protect patients’ sensitive information. By holding organizations accountable, OCR and its partners create real incentives to safeguard health data, benefiting the individuals the law was written to protect.

Viewed this way, enforcement is not an adversary but the mechanism that gives HIPAA’s protections meaning — and a well-run organization has nothing to fear from it.


Who Enforces HIPAA? The Role of OCR — FAQs

Who enforces HIPAA?

The HHS Office for Civil Rights (OCR) is the primary enforcer, investigating complaints and breaches and imposing penalties. State attorneys general can also bring civil actions, and the Department of Justice handles criminal cases.

What is OCR?

OCR is the Office for Civil Rights within the US Department of Health and Human Services. It oversees compliance with the HIPAA Privacy, Security, and Breach Notification Rules and leads enforcement.

How do OCR investigations begin?

Through a filed complaint, a breach report (especially large breaches), a referral, or a compliance review. Large breaches almost always prompt scrutiny that can broaden into a review of the whole program.

What are the possible outcomes of an investigation?

OCR may find no violation, require voluntary corrective action, enter a resolution agreement with a settlement and corrective action plan, or impose civil monetary penalties in serious cases.

Can state attorneys general enforce HIPAA?

Yes. Since the HITECH Act, state attorneys general can bring civil actions on behalf of state residents for HIPAA violations, adding a second layer of enforcement alongside OCR.

How do we stay on the right side of enforcement?

Maintain a genuine program (a current risk analysis, real safeguards, signed BAAs, trained staff, responsive patient-rights handling, and prompt documented breach response) and cooperate in good faith if an issue arises.