HIPAA Enforcement Explained: Who Ensures the Safety of Health Data?

The Office for Civil Rights (OCR), a critical arm of the U.S. Department of Health and Human Services (HHS), is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA).


The Health Insurance Portability and Accountability Act (HIPAA), established in 1996, is pivotal legislation in the United States that safeguards patient health information and privacy. In an era where healthcare increasingly intersects with digital technology, comprehending the mechanisms of HIPAA enforcement is essential for healthcare providers and related entities. This blog post delves into the various agencies tasked with enforcing HIPAA regulations. It will elucidate their specific roles, the nature of their responsibilities, and the impact they have on upholding the confidentiality and security of healthcare data. Understanding who enforces HIPAA compliance is not just a regulatory requirement; it's a fundamental aspect of maintaining trust and integrity in the healthcare system, ensuring that patient information is protected in an ever-evolving digital landscape.

Who Enforces HIPAA

The Role of the Office for Civil Rights (OCR)

The Office for Civil Rights (OCR), a critical arm of the U.S. Department of Health and Human Services (HHS), is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA). Charged with the pivotal task of upholding the Privacy and Security Rules of HIPAA, the OCR's role is multifaceted and indispensable in the realm of patient privacy protection. It shoulders the responsibility of investigating complaints lodged by individuals who believe their health information has been handled in a way that violates HIPAA rules.

The OCR also conducts routine audits to ensure healthcare providers, insurers, and business associates comply with HIPAA mandates, thus safeguarding sensitive patient data. These audits are instrumental in identifying non-compliance issues and guiding entities towards corrective measures. In addition to responding to violations and breaches, the OCR plays a proactive role in educating healthcare providers and the public about the rights and obligations under HIPAA. This dual approach of enforcement and education helps to foster a culture of compliance and awareness, crucial in the ever-evolving healthcare sector.

So who is responsible for enforcing the HIPAA security rule? Who enforces HIPAA’s privacy provisions? Largely HHS’s Office for Civil Rights - but read on to learn more.

The Centers for Medicare and Medicaid Services (CMS)

The Centers for Medicare & Medicaid Services (CMS) have a specific role in HIPAA enforcement, primarily overseeing compliance with the Administrative Simplification provisions. This includes the enforcement of regulations related to Transactions and Code Sets, the National Employer Identifier Number, the National Provider Identifier, and the Operating Rules. CMS operates distinctively from the Office for Civil Rights (OCR) which enforces the Security Rule and Privacy Rules of HIPAA. The CMS's focused approach plays a vital part in streamlining healthcare processes, ensuring secure and efficient healthcare transactions, and maintaining the integrity of healthcare data exchanges.

For detailed information, you can view the HIPAA Enforcement Statistics on the CMS website.

The Role of State Attorneys General

The empowerment of State Attorneys General in HIPAA enforcement marks a significant evolution in the regulatory landscape. This shift, catalyzed by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, enabled state-level authorities to take a more active role in upholding HIPAA regulations. This development introduced a crucial layer of oversight, complementing federal enforcement efforts.

State Attorneys General are now authorized to file civil suits in instances where HIPAA violations impact residents of their states. This local level of enforcement allows for a more nuanced and immediate response to infractions, tailored to the specific needs and circumstances of the state's population. Their involvement has proven instrumental in several high-profile cases, demonstrating the effectiveness of state-level intervention in safeguarding patient privacy.

In addition to legal enforcement, State Attorneys General often engage in public awareness campaigns and educational initiatives around HIPAA compliance. These efforts are vital in fostering a culture of data privacy and security within the healthcare sector at the grassroots level.

The integration of State Attorneys General into the HIPAA enforcement framework underscores the importance of a collaborative approach between federal and state entities. This partnership ensures a comprehensive, robust, and responsive enforcement mechanism, crucial for protecting the privacy and security of health information in an increasingly digital healthcare environment.

See below for several notable examples of state AG enforcement of HIPAA.  

New York Attorney General's Settlement with University of Rochester Medical Center (URMC): In 2015, the New York Attorney General’s office reached a significant settlement with the University of Rochester Medical Center (URMC) following a HIPAA violation. The issue arose when a nurse practitioner, who was departing from URMC to another medical practice, shared patient information without obtaining proper authorization. This led to a breach of sensitive health information. The New York Attorney General's intervention resulted in URMC agreeing to pay a $15,000 penalty and undertake substantial corrective action, including conducting thorough risk assessments and implementing robust training programs for its staff.

California Attorney General's Case Against Cottage Health System: In 2018, the California Attorney General’s Office settled a case with Cottage Health System over alleged violations of both HIPAA and California’s Confidentiality of Medical Information Act. The case stemmed from multiple instances between 2011 and 2013 where patients’ electronic Protected Health Information (ePHI) was accessible on the internet without proper security measures. This breach exposed thousands of patients' records. The settlement included a $2 million penalty and required Cottage Health to upgrade its security practices.

Other Federal Agencies Involved

Apart from the Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS), various other federal agencies play a role in enforcing HIPAA regulations. Among these, the Department of Justice (DOJ) stands out, particularly in cases involving criminal violations of HIPAA. The DOJ prosecutes individuals and entities that knowingly and willfully misuse patient health information for harm or personal gain. These criminal violations can include identity theft, fraud, or unauthorized access and disclosure of protected health information (PHI).

Another key agency involved in HIPAA enforcement is the Federal Trade Commission (FTC). While the FTC does not directly enforce HIPAA, it protects consumer data, including health information, under the FTC Act. In cases where the privacy and security of health data intersect with consumer protection, the FTC's role becomes crucial.

These agencies often collaborate in their enforcement efforts, ensuring a comprehensive and multifaceted approach to safeguarding patient health information. This inter-agency cooperation is vital in addressing the complex challenges of health data protection in the digital age. By working together, these federal entities ensure that the standards set by HIPAA are rigorously enforced, and any breaches or misuses of PHI are appropriately addressed, thereby maintaining the integrity and security of sensitive health information in the United States.

Time to Investigate

The process of reporting and investigating HIPAA violations is a critical component of ensuring compliance and protecting patient privacy. Both healthcare providers and individuals have the ability to report suspected violations of HIPAA rules. These reports are typically directed to the Office for Civil Rights (OCR), the primary body responsible for handling such complaints.

When a complaint is filed, the OCR initiates an investigation to determine whether a violation has occurred. This process involves a thorough review of the circumstances surrounding the alleged breach, including an examination of the healthcare entity's compliance history, the nature and extent of the potential violation, and the potential harm to affected individuals.

Healthcare organizations are also encouraged to conduct internal investigations and report any breaches in compliance to the OCR. This proactive approach is not only a regulatory requirement in cases of significant breaches but also a best practice for maintaining trust and transparency with patients. Learn about the Worst HIPAA Violation Cases in History.

The Importance of Compliance and Training

The best defense is a good offense, and so healthcare organizations who want to avoid a HIPAA breach must recognize the importance of regular HIPAA training for their staff (all of whom are typically required to be trained). This training should not only cover the basic tenets of HIPAA but also delve into the practical aspects of implementing these rules in daily operations. By ensuring that all employees, from front-line staff to senior management, are well-versed in HIPAA requirements, organizations can significantly reduce the risk of violations and enhance overall data security.

Furthermore, compliance training should be an ongoing process, adapting to changes in regulations and technology. Periodic refreshers and updates are essential to keep pace with evolving standards and practices in healthcare data management. Training programs should also be tailored to address the specific needs of various roles within the organization, ensuring that each employee understands their responsibilities in maintaining HIPAA compliance.

Offerings like TeachMeHIPAA can help prevent costly HIPAA breaches, and help easily satisfy the HIPAA training requirement.


Who enforces HIPAA is not as simple of a question as it seems! The enforcement of HIPAA is a multifaceted effort involving various federal and state agencies, each playing a pivotal role in safeguarding patient health information. Understanding the roles of the Office for Civil Rights, Centers for Medicare and Medicaid Services, State Attorneys General, and other federal agencies helps in appreciating the comprehensive nature of HIPAA enforcement. The processes of reporting and investigating violations, coupled with the emphasis on ongoing compliance and training, are critical in ensuring that healthcare organizations adhere to these vital privacy and security standards.

You've successfully subscribed to TeachMeHIPAA compliance blog
Great! Next, complete checkout to get full access to all premium content.
Error! Could not sign up. invalid link.
Welcome back! You've successfully signed in.
Error! Could not sign in. Please try again.
Success! Your account is fully activated, you now have access to all content.
Error! Stripe checkout failed.
Success! Your billing info is updated.
Error! Billing info update failed.