A $4.75 Million Wake-Up Call from an Agency You've Probably Underestimated
In 2024, the Office for Civil Rights slapped a $4.75 million penalty on Montefiore Medical Center after a workforce member stole the protected health information of 12,517 patients. The breach had gone undetected for months. The hospital's internal controls failed. And the agency that caught them? Not the FBI. Not local police. It was HHS's Office for Civil Rights — the same small federal office that most healthcare workers couldn't name if you asked them on the spot.
If you've ever searched for who enforces HIPAA, you're asking the right question. Because knowing the answer changes how seriously your organization treats compliance. It's not an abstract regulation floating in the ether. Real agencies investigate real complaints, audit real organizations, and impose real penalties — penalties that have collectively exceeded $142 million since 2003.
Let me walk you through exactly who has the authority to come knocking on your door, what triggers their attention, and how you stay off their radar.
Who Enforces HIPAA? The Primary Agency You Need to Know
The short answer: the U.S. Department of Health and Human Services (HHS), specifically through its Office for Civil Rights (OCR). OCR is the primary federal agency responsible for enforcing the HIPAA Privacy Rule, the Security Rule, and the Breach Notification Rule.
OCR investigates complaints filed by individuals who believe their health information has been mishandled. They also conduct compliance reviews and audits on their own initiative. When they find violations, they can impose corrective action plans, resolution agreements, and civil monetary penalties that range from $141 per violation up to nearly $2.13 million per violation category per year (adjusted for inflation).
I've seen organizations treat OCR like a paper tiger. That's a mistake. Between 2008 and 2024, OCR resolved more than 30,000 cases and collected penalties from organizations as small as solo dental practices and as large as major hospital systems. You can review their full enforcement record on the HHS Resolution Agreements page.
How OCR Investigations Actually Start
Most OCR investigations begin with a complaint. Any person — a patient, a former employee, a concerned family member — can file a complaint with OCR within 180 days of discovering a potential HIPAA violation. OCR then reviews the complaint, determines jurisdiction, and decides whether to investigate.
But complaints aren't the only trigger. Large breaches affecting 500 or more individuals automatically land on OCR's desk because covered entities must report them through the HHS Breach Portal. That portal is public, by the way. Your breach will be listed there for anyone to see. In my experience, that public exposure often causes more organizational damage than the penalty itself.
The Department of Justice: When HIPAA Violations Turn Criminal
OCR handles civil enforcement. But when a HIPAA violation crosses into criminal territory — think intentional theft of PHI, selling patient data, or obtaining records under false pretenses — the Department of Justice (DOJ) steps in.
Under 42 U.S.C. § 1320d-6, criminal penalties for HIPAA violations can reach up to $250,000 in fines and ten years in prison. The DOJ typically prosecutes individuals, not organizations. These are cases where a hospital employee snoops through celebrity medical records for personal gain, or a nurse sells patient information to an identity theft ring.
The DOJ doesn't handle the high-volume complaint work that OCR does. But when they get involved, the consequences are career-ending and life-altering. I've watched workforce members lose their licenses, their freedom, and their futures because they assumed no one was watching.
State Attorneys General: The Enforcement Layer Most People Forget
Here's what catches many covered entities off guard: state attorneys general have independent authority to enforce HIPAA. The HITECH Act of 2009 gave every state AG the power to bring civil actions on behalf of state residents for HIPAA violations.
This matters because state AGs often move faster and more aggressively than OCR. They have local political incentives to protect constituents. And they can seek damages as well as injunctive relief.
Indiana's Attorney General filed one of the earliest state-level HIPAA enforcement actions against WellPoint (now Elevance Health) in 2011, resulting in a $100,000 state penalty on top of the federal resolution. Since then, states like New York, New Jersey, Massachusetts, and Connecticut have become particularly active.
If your organization operates across multiple states, you're not just answering to OCR. You could face simultaneous investigations from several state AGs. Your compliance program needs to account for that reality.
Can Patients Sue Directly for HIPAA Violations?
No. HIPAA does not create a private right of action. Individual patients cannot sue a covered entity in court solely for a HIPAA violation. However — and this is a critical distinction — patients routinely use HIPAA violations as evidence in state-law negligence, breach of contract, or state privacy lawsuits. So while HIPAA itself doesn't give patients standing to sue, the underlying facts of a HIPAA violation absolutely fuel civil litigation.
The Centers for Medicare & Medicaid Services Had a Role Too
Before OCR consolidated most HIPAA enforcement, CMS handled enforcement of certain HIPAA administrative simplification provisions — specifically the transaction and code set standards. CMS still maintains a complaint process for these provisions, though most healthcare professionals today associate HIPAA enforcement almost exclusively with OCR.
If your organization submits electronic healthcare transactions, CMS retains some oversight authority. You can review these requirements on the CMS Transactions and Code Sets page.
What Triggers the Biggest Penalties
After years in this field, I can tell you that the enforcement actions grabbing headlines share common threads. Here's what gets organizations into the most trouble:
- Failure to conduct a risk analysis. OCR cites this in nearly every major settlement. Anthem's $16 million resolution in 2018 — the largest HIPAA settlement in history — centered on this exact failure.
- No workforce training. Your staff handles PHI every day. If you can't prove they've been trained on HIPAA requirements, OCR views that as willful neglect.
- Delayed breach notification. The Breach Notification Rule gives you 60 days to notify affected individuals after discovering a breach. Miss that window, and you've handed OCR an easy violation to document.
- Lack of access controls for ePHI. Shared passwords, unencrypted laptops, and missing audit logs show up repeatedly in enforcement actions.
The pattern is clear. Organizations don't get hit with massive fines for one-off mistakes. They get hit because they never built the compliance infrastructure in the first place.
How Your Organization Stays Ahead of Enforcement
Knowing who enforces HIPAA is step one. Step two is making sure your organization never gives those agencies a reason to investigate.
Start with training. Every workforce member who touches PHI — from front-desk staff to C-suite executives — needs documented HIPAA training. Not a one-time onboarding video from five years ago. Annual, updated training that covers current threats and regulatory changes. Our HIPAA Introduction Training 2026 course covers exactly what your team needs to stay current.
If you operate a home health agency, your compliance challenges are even more complex. PHI travels in cars, into patient homes, and across mobile devices. The HIPAA Training for Home Health Care Agencies course addresses these field-specific risks head-on.
Build a Culture, Not Just a Checklist
I've audited organizations that had beautiful policy binders gathering dust on a shelf. Policies mean nothing if your workforce doesn't live them. Conduct your risk analysis annually. Document everything. Encrypt your ePHI. Train your people. And when something goes wrong — because eventually something will — report it promptly and cooperate fully.
OCR has explicitly stated that organizations demonstrating good-faith compliance efforts receive more favorable treatment during investigations. That's not a guarantee, but it's a significant factor in how penalties are calculated.
The Enforcement Landscape Is Getting More Aggressive, Not Less
OCR's budget and enforcement activity have expanded in recent years. The agency launched a HIPAA Right of Access Initiative that has already produced more than 45 enforcement actions against providers who failed to give patients timely access to their own records. Penalties in those cases ranged from $3,500 to $240,000.
State AGs are filing more actions. The DOJ continues to prosecute criminal cases. And with healthcare data breaches hitting record numbers — over 167 million individuals affected by reported breaches in 2023 alone, according to HHS data — the agencies that enforce HIPAA have more work than ever.
Your organization's best defense isn't hoping you stay invisible. It's building a compliance program strong enough to withstand scrutiny. Explore our full HIPAA training catalog to find the right course for every role in your organization.
The agencies that enforce HIPAA aren't going away. The question is whether you'll meet them as a compliant organization — or as a cautionary tale on the breach portal.