In February 2023, the Office for Civil Rights settled with a dental practice in New England for $30,000 after the organization failed to provide a patient access to their records within the required timeframe. It was a small practice. A routine complaint. And it resulted in a federal enforcement action. If you've ever asked which governmental entity is responsible for enforcing HIPAA, that case gives you the clearest possible answer: it's the Office for Civil Rights within the U.S. Department of Health and Human Services.
Which Governmental Entity Is Responsible for Enforcing HIPAA — And Why It Matters
The Office for Civil Rights (OCR), a division of HHS, is the primary federal agency charged with enforcing the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. OCR has held this role since the Privacy Rule took effect in April 2003, and its enforcement authority expanded significantly under the HITECH Act of 2009 and the Omnibus Rule of 2013.
Understanding this isn't academic. When your organization receives a complaint, suffers a breach of protected health information (PHI), or faces a compliance review, OCR is the entity that investigates, determines violations, and imposes penalties. Every covered entity and business associate operates under OCR's jurisdiction.
How OCR Enforces HIPAA: Complaints, Audits, and Breach Investigations
OCR enforces HIPAA through three primary mechanisms. Each one can result in corrective action plans, monetary settlements, or civil monetary penalties against your organization.
Patient Complaints
Any individual can file a complaint with OCR if they believe a covered entity or business associate has violated their HIPAA rights. OCR has received over 350,000 complaints since the Privacy Rule's compliance date. Most are resolved through technical assistance or voluntary compliance, but a significant percentage trigger formal investigations.
Breach Reports
Under the Breach Notification Rule (45 CFR §§ 164.400-414), covered entities must report breaches of unsecured PHI. Breaches affecting 500 or more individuals are posted on OCR's public breach portal — commonly known as the "Wall of Shame" — and automatically trigger an OCR investigation. In my work with covered entities, this is the scenario that generates the most anxiety, and rightfully so.
Compliance Reviews and Audits
OCR also initiates its own compliance reviews independent of any complaint. The agency conducted a formal audit program in 2016-2017 focused on risk analysis, breach notification practices, and the Notice of Privacy Practices. While a large-scale audit program hasn't been repeated since, OCR has signaled it may resume audits, and targeted compliance reviews remain an active enforcement tool.
The Penalty Structure That Gives OCR Teeth
OCR's enforcement authority includes a tiered civil monetary penalty structure established under the HITECH Act and codified at 45 CFR § 160.404. The four penalty tiers are based on the level of culpability:
- Tier 1 — Did Not Know: $137 to $68,928 per violation
- Tier 2 — Reasonable Cause: $1,379 to $68,928 per violation
- Tier 3 — Willful Neglect (Corrected): $13,785 to $68,928 per violation
- Tier 4 — Willful Neglect (Not Corrected): $68,928 to $2,067,813 per violation
These amounts are adjusted annually for inflation. A single compliance failure that affects multiple patients can generate penalties in the millions. OCR's $4.75 million settlement with New York-Presbyterian Hospital and Columbia University in 2014 remains one of the most cited enforcement actions in healthcare compliance history.
OCR Isn't the Only Enforcer: State Attorneys General and DOJ
While OCR is the primary answer to which governmental entity is responsible for enforcing HIPAA, it's not the only one. The HITECH Act granted state attorneys general the authority to bring civil actions on behalf of state residents for HIPAA violations. Several states — including Indiana, Massachusetts, and New Jersey — have exercised this authority independently.
Additionally, the Department of Justice (DOJ) handles criminal enforcement of HIPAA. When individuals knowingly obtain or disclose PHI in violation of the law, DOJ can pursue criminal charges carrying penalties up to $250,000 and up to 10 years of imprisonment under 42 U.S.C. § 1320d-6.
Many healthcare organizations operate under the misconception that HIPAA enforcement comes from a single source. In reality, your organization faces potential action from OCR, your state attorney general, and DOJ, each with its own authority and penalty mechanisms.
What OCR Looks for During an Investigation
When OCR opens an investigation into your organization, the agency evaluates several core compliance elements. Based on published resolution agreements and corrective action plans, here's what draws the most scrutiny:
- Risk Analysis: Has your organization conducted a thorough, documented risk analysis as required under 45 CFR § 164.308(a)(1)? This is the single most common deficiency OCR identifies.
- Workforce Training: Can you demonstrate that every workforce member with access to PHI has received HIPAA training appropriate to their role? A robust HIPAA training and certification program is essential evidence of compliance.
- Minimum Necessary Standard: Does your organization limit PHI access and disclosure to the minimum necessary for the intended purpose?
- Business Associate Agreements: Are your business associate agreements current, complete, and compliant with the Omnibus Rule requirements?
- Policies and Procedures: Do you maintain written, regularly updated HIPAA policies — including your Notice of Privacy Practices?
Organizations that cannot produce documentation in these areas face significantly higher penalties and longer corrective action plans.
The Workforce Training Requirement Most Organizations Underestimate
OCR has made clear in multiple enforcement actions that workforce training is not optional and not a one-time event. The Privacy Rule at 45 CFR § 164.530(b) requires training for all workforce members, and the Security Rule at 45 CFR § 164.308(a)(5) mandates security awareness and training programs.
Healthcare organizations that rely on annual slide decks with no assessment, tracking, or role-based content are taking a significant risk. When OCR investigates, it wants to see documented evidence that training occurred, when it occurred, and that it covered the regulatory requirements relevant to each workforce member's function.
Investing in comprehensive workforce HIPAA compliance isn't just a best practice — it's the documentation your organization needs if OCR ever comes knocking.
Practical Steps to Prepare for OCR Enforcement
Knowing which governmental entity is responsible for enforcing HIPAA is the starting point. Preparing for that enforcement is what separates compliant organizations from those that end up on the Wall of Shame.
- Conduct and document a comprehensive risk analysis annually — not just when a breach occurs.
- Implement ongoing, role-based workforce training with documented completion records.
- Review and update business associate agreements at least annually.
- Maintain an incident response plan that meets Breach Notification Rule timelines — 60 days for individual notification, 60 days to HHS for breaches affecting 500+.
- Designate a Privacy Officer and Security Officer with clear authority and accountability.
OCR's enforcement activity has increased steadily, with the agency resolving over 30 enforcement actions in 2022 alone. The question is never whether OCR will enforce — it's whether your organization will be ready when it does.