A Single Complaint to the Wrong Agency Can Cost You Months

I got a call last year from a clinic administrator who had filed a HIPAA complaint with the FTC. She waited four months before someone told her she'd contacted the wrong agency entirely. If you've ever wondered who regulates HIPAA, you're not alone — and the answer matters more than you think.

The confusion is understandable. Multiple federal agencies touch healthcare privacy in some way. But HIPAA enforcement has a very specific chain of command, and understanding it can mean the difference between a swift resolution and a bureaucratic dead end. More importantly, if you're a covered entity or business associate, knowing who's watching keeps you from becoming the next cautionary tale on the HHS breach portal.

Who Regulates HIPAA? The Short Answer

The U.S. Department of Health and Human Services (HHS) is the primary federal agency that regulates HIPAA. Within HHS, the Office for Civil Rights (OCR) handles enforcement of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. OCR investigates complaints, conducts compliance reviews, and issues penalties.

That's the direct answer. But the full picture has more layers — and those layers are where most organizations get tripped up.

OCR: The Agency That Actually Knocks on Your Door

When people ask who regulates HIPAA, they're almost always asking about OCR. This is the office that receives breach reports, investigates patient complaints, and negotiates resolution agreements that come with six- and seven-figure penalties.

OCR has teeth. In 2023, Lafourche Medical Group paid $480,000 to settle potential HIPAA violations after a phishing attack compromised the ePHI of nearly 35,000 individuals. OCR's investigation found the practice had never conducted a risk analysis — a basic Security Rule requirement.

I've seen this pattern play out dozens of times. OCR doesn't just investigate the breach itself. They pull the thread and look at your entire compliance posture. Missing workforce training, absent policies, no risk analysis — these are the findings that turn a manageable incident into a crushing settlement.

You can review OCR's actual enforcement results on the HHS Resolution Agreements page.

HHS Sets the Rules — OCR Enforces Them

Think of it this way: HHS is the rulemaking body. OCR is the enforcement arm. HHS publishes the regulations under 45 CFR Parts 160, 162, and 164. OCR operationalizes those rules through investigations, audits, and corrective action plans.

HHS also houses the Centers for Medicare & Medicaid Services (CMS), which enforces HIPAA's administrative simplification provisions — the transaction and code set standards that govern electronic healthcare claims. Most people never think about CMS in a HIPAA context, but if your organization submits electronic claims, CMS has authority over how you format and transmit that data.

The division of labor looks like this:

  • OCR: Privacy Rule, Security Rule, Breach Notification Rule
  • CMS: Transaction and Code Set Rule, Unique Identifier Rules

Both sit under HHS. Both have regulatory authority. But OCR is the one issuing the fines that make headlines.

State Attorneys General: The Second Layer of Enforcement

Here's what catches many organizations off guard: state attorneys general can also enforce HIPAA. The HITECH Act of 2009 gave state AGs the power to bring civil actions on behalf of state residents for HIPAA violations.

This isn't theoretical. Indiana Attorney General Todd Rokita secured a $350,000 settlement from CarePointe ENT in 2024 after the practice failed to implement adequate security safeguards. State-level enforcement is growing, and it creates a second front that your compliance program needs to account for.

In my experience, state AGs tend to act when OCR is slow or when a breach disproportionately affects residents of a particular state. You can't assume that an OCR investigation is the only investigation you'll face.

The DOJ Steps In for Criminal Violations

OCR handles civil enforcement. But when HIPAA violations cross into criminal territory — think employees snooping on celebrity medical records or selling PHI — the Department of Justice (DOJ) takes over.

Criminal penalties under HIPAA can reach up to $250,000 in fines and 10 years in prison for offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. The DOJ prosecutes these cases, not OCR.

I've consulted with hospitals where a single employee's curiosity led to a DOJ referral. These aren't massive data breaches. They're individual acts — a registration clerk looking up an ex-spouse's records, a nurse accessing a neighbor's chart. Your workforce training needs to make this risk visceral and real. Our HIPAA Introduction Training 2026 course covers exactly these scenarios in practical detail.

The FTC's Role: Adjacent but Separate

The Federal Trade Commission does not regulate HIPAA. Full stop. But the FTC does regulate health data privacy for entities that fall outside HIPAA's scope — health apps, wearable device companies, and other non-covered entities.

This is the source of the confusion in my opening story. If a consumer's health data is compromised by a fitness app, the FTC has jurisdiction under the Health Breach Notification Rule. If a covered entity or business associate compromises PHI, that's OCR's territory.

Knowing which agency has authority over your specific situation saves you time, money, and frustration. The HHS HIPAA FAQ page breaks down these jurisdictional questions clearly.

What Does This Mean for Your Organization?

You're Accountable to More Than One Agency

If you're a covered entity or business associate, your compliance program needs to satisfy OCR's expectations at a minimum. But you're also potentially answerable to your state attorney general and, in criminal cases, the DOJ. A patchwork approach won't hold up under scrutiny from any of them.

Risk Analysis Isn't Optional — It's the First Thing They Check

Across nearly every major OCR settlement I've reviewed, the absence of a thorough risk analysis is a finding. Banner Health paid $1.25 million in 2023 after a breach affecting nearly 3 million individuals. Among OCR's findings: insufficient risk analysis and inadequate security measures. This is the baseline. You can read the full details of OCR's penalty structure at 45 CFR Part 160, Subpart D.

Training Is Where Most Programs Fail First

Every enforcement action I've studied shares a common thread: the organization either didn't train its workforce or couldn't prove it did. OCR expects documented, regular training on HIPAA policies and procedures. Not a one-time onboarding slideshow from 2019. Annual, role-specific, and documented.

If your organization needs to build or refresh its training program, our full course catalog gives you practical, up-to-date options that satisfy OCR's workforce training expectations.

The $1.9 Million Lesson Most Organizations Still Haven't Learned

In 2020, OCR settled with CHSPSC LLC for $2.3 million following breaches that affected over 6 million individuals. The corrective action plan required a complete overhaul of their risk analysis process, security policies, and workforce training. Every element that OCR regulates was found deficient.

That's the real takeaway when you ask who regulates HIPAA. It's not just knowing the agency names. It's understanding that OCR's enforcement priorities — risk analysis, access controls, workforce training, breach response — are the exact areas where your compliance program needs to be airtight.

Stop Guessing and Start Documenting

The organizations that survive OCR investigations aren't the ones with perfect security. They're the ones who can show a good-faith, documented effort to comply. They can produce training records, risk analysis reports, policy acknowledgments, and incident response logs.

If someone at your organization can't answer the question "who regulates HIPAA" within five seconds, that's a training gap. And training gaps are exactly what OCR looks for when they open an investigation.

Build the documentation. Train the workforce. Know who's watching. Because in 2026, the agencies that regulate HIPAA are more active than ever — and they're not slowing down.