HIPAA enforcement: How it works, who enforces it, and what’s at stake

The Health Insurance Portability and Accountability Act (HIPAA) is enforced by a range of federal and state agencies, each with unique responsibilities. The U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) is the primary enforcer, leading investigations, audits, and penalty actions when organizations fail to safeguard protected health information. Yet enforcement doesn’t stop there.
State attorneys general, the Department of Justice, and even the Federal Trade Commission play critical roles when violations overlap with criminal conduct, state-level consumer protections, or health tech outside HIPAA’s traditional boundaries.
In this blog, you’ll explore which agencies enforce HIPAA, the mechanisms they use, and what their roles mean for your organization’s compliance strategy.
Who enforces HIPAA?
HIPAA enforcement is not limited to one body. Several federal and state agencies share responsibility, each focused on a different piece of the compliance puzzle:
1. U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR)
OCR is the main enforcement arm for HIPAA. As part of HHS, its mission is to protect individuals’ health information rights. OCR investigates complaints filed by patients, reviews reports of large data breaches, conducts compliance audits, and ensures corrective actions are taken. It has the authority to levy civil monetary penalties and oversee long-term corrective action plans.
2. Centers for Medicare & Medicaid Services (CMS)
CMS is best known for running Medicare and Medicaid, but it also enforces HIPAA’s Administrative Simplification standards. These rules cover standardized electronic transactions, national provider identifiers, and code sets that ensure interoperability across the healthcare system. By enforcing these, CMS promotes efficiency and consistency in the way health data flows between providers, insurers, and clearinghouses.
3. U.S. Department of Justice (DOJ)
The DOJ enforces HIPAA’s criminal provisions. Its involvement typically arises in cases of willful misconduct, such as selling PHI on the black market or using it for personal or financial gain. Depending on the violation, penalties can include substantial fines and prison sentences of up to 10 years.
4. State attorneys general
Since the HITECH Act of 2009, state attorneys general have had the authority to bring HIPAA cases in federal court. They can act on behalf of residents whose HIPAA rights were violated, seeking financial damages or injunctions against organizations. This role gives patients another path to accountability at the state level.
5. Federal Trade Commission (FTC) (Indirect enforcer)
The FTC is not a direct HIPAA enforcer but plays a special role in the broader health data landscape. It regulates entities that fall outside HIPAA, such as mobile health apps, fitness trackers, and direct-to-consumer health platforms. Through the Health Breach Notification Rule and its authority under the FTC Act to act against unfair or deceptive practices, the FTC ensures that sensitive health data beyond HIPAA’s scope is still protected.
How HIPAA enforcement is enacted by HHS

HIPAA enforcement by the OCR within HHS follows a structured process. The goal is not just to punish violations but also to bring organizations into compliance and ensure future protection of health information. Enforcement actions typically move through three main channels: complaint investigations, compliance audits, and resolution agreements or corrective action plans.
1. Complaint investigation process
The most common way HIPAA violations come under scrutiny is through complaints filed by patients, employees, or other individuals. Complaints are submitted directly to OCR, which first determines whether HIPAA rules apply. If the complaint is accepted, OCR notifies the covered entity or business associate and requests information about the incident.
From there, several outcomes are possible:
- No violation found – OCR closes the case without further action.
- Voluntary compliance – the entity acknowledges the issue and corrects it promptly.
- Resolution agreement – OCR and the entity enter a formal settlement requiring specific actions.
- Civil money penalties (CMPs) – if compliance is not achieved, OCR can impose fines.
In cases where OCR suspects criminal intent, such as knowingly selling or misusing protected health information (PHI), the matter is referred to the Department of Justice. Entities also have the right to request a hearing before an HHS administrative law judge if they wish to contest OCR’s findings.
2. Compliance audits and reviews
Beyond responding to complaints, OCR also initiates compliance reviews and audits. A compliance review is triggered when OCR believes a systemic issue may exist within an organization.
OCR also runs the HIPAA Audit Program, established under the HITECH Act, to proactively examine how organizations implement Privacy, Security, and Breach Notification Rules. Audits are not random; they are designed to assess a cross-section of covered entities and business associates to identify common compliance gaps. OCR evaluates policies, risk assessments, staff training, and breach response procedures to see whether rules are being followed in practice.
These audits are meant as both an enforcement tool and a learning opportunity, helping OCR refine guidance and highlight best practices across the industry.
3. Resolution agreements and corrective action plans
When noncompliance is confirmed, OCR may negotiate a resolution agreement with the entity. This is a formal settlement that often includes a financial settlement and a multi-year monitoring requirement.
Corrective action plans (CAPs) are typically part of these agreements. They outline the exact steps an organization must take, such as:
- Conducting or updating a security risk analysis
- Revising policies and procedures
- Training workforce members
- Implementing stronger access controls
- Providing regular progress reports to OCR
In many cases, entities are able to resolve violations through voluntary compliance and corrective action without financial penalties. However, when organizations fail to take corrective steps or the violation is severe, OCR does not hesitate to issue civil money penalties.
What are the consequences for HIPAA violations?
Enforcement under HIPAA isn’t limited to guidance or warnings. When organizations fall short, they face financial, civil, and even criminal consequences. The severity of penalties depends on whether the violation was accidental, negligent, or intentional.
Civil Monetary Penalty (CMP) Tiers 2025
The HHS OCR uses a tiered penalty structure that scales based on culpability:
OCR may also apply caps from its “Notice of Enforcement Discretion,” which establishes lower annual limits for Tiers 1–3 ($35,581; $142,355; $355,808, respectively), though these are not binding and subject to OCR's interpretation.
Criminal penalties (2025)
According to the American Medical Association (AMA), which tracks official DOJ guidance:
- Up to $50,000 in fines and up to 1 year in prison for knowingly obtaining or disclosing PHI in violation of HIPAA.
- If the offense is committed under false pretenses, penalties increase to up to $100,000 in fines and up to 5 years in prison.
- If the violation involves intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious purposes, the maximum penalties rise to $250,000 in fines and up to 10 years in prison.
State-level penalties and cases
- Authority: Since the HITECH Act, state attorneys general (AGs) can bring HIPAA cases in federal court on behalf of residents.
- Scope: AGs often combine HIPAA claims with state data security or consumer protection laws, making cases broader than federal enforcement alone.
- Penalty cap: Up to $25,000 per violation category, per year, though multistate cases and combined violations can drive settlements into the millions.
- Recent actions: State AGs have pursued cases tied to ransomware attacks, unauthorized disclosures, and inadequate data safeguards, often resulting in multi-million-dollar penalties.
- Unique value: Adds a local layer of accountability, ensuring patients have a direct path to redress beyond federal enforcement.
Case examples in HIPAA enforcement
- Anthem (2018): Anthem agreed to pay $16 million, the largest HIPAA settlement on record, following a cyberattack that exposed the protected health information of nearly 79 million people.
- Premera Blue Cross (2020): Premera settled for $6.85 million, the second-largest OCR penalty on record, after a breach impacted 10.4 million individuals.
- Cignet Health (2011): Issued a $4.3 million civil money penalty for repeatedly denying patients access to their medical records and failing to cooperate with OCR's investigation.
- Children’s Hospital Colorado (2024): Paid $548,265 for violations of the HIPAA Privacy and Security Rules.
- Warby Parker (2025): Fined $1.5 million for deficiencies in conducting security risk analysis and failing to monitor system activity adequately.
- Lifespan Health System Affiliated Covered Entity (2020): Paid $1,040,000 following an investigation into the theft of an unencrypted laptop that contained electronic PHI for over 20,000 individuals.
Which entities and business associates are covered under HIPAA?
HIPAA doesn’t apply to every organization in healthcare—it specifically targets those that create, receive, maintain, or transmit PHI. These groups, known as covered entities and business associates, carry the legal responsibility to protect PHI and ensure it is used and shared appropriately. Understanding whether your organization falls into one of these categories is the first step toward compliance.
Covered entities
HIPAA applies to these three main types of organizations or individuals:
- Healthcare providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies, but only if they transmit any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
- Health plans, including health insurers, HMOs, employer-sponsored plans (with the exception of group health plans with fewer than 50 participants that are administered solely by the employer, which are not considered covered entities), and government programs like Medicare and Medicaid.
- Healthcare clearinghouses, which process or translate nonstandard health data into standardized formats (and vice versa).
What they must do:
- Follow the Privacy Rule (limits PHI sharing, ensures patient rights).
- Apply the Security Rule (secure electronic PHI).
- Follow the Breach Notification Rule (report data breaches promptly).
Business associates
These are third-party individuals or organizations that perform services or functions involving PHI on behalf of covered entities. Examples include billing companies, legal counsel, IT consultants, or transcription services.
What they must do:
- Sign a Business Associate Agreement (BAA) with the covered entity. This contract outlines permitted PHI uses, security obligations, breach reporting, and limits on further disclosure.
- Ensure they safeguard PHI with appropriate administrative, physical, and technical controls.
For a deeper look, check out this internal resource: Do you need to be HIPAA-compliant? A quick checklist
If I am unsure whether my business falls under HIPAA rules, how should I proceed?
If you’re not sure whether HIPAA applies to your organization, start by asking:
- Do you create, receive, store, or transmit PHI?
- Do you provide services to an organization that handles PHI, where you might access that information?
If the answer to either is yes, you likely qualify as a covered entity or a business associate, and HIPAA requirements will apply.
The safest approach is to:
- Conduct a compliance assessment to determine your classification.
- Review whether you need Business Associate Agreements (BAAs) in place.
- Seek legal or compliance guidance to confirm your obligations.
When in doubt, assume HIPAA applies and build safeguards accordingly. Being proactive is far less costly than facing an enforcement action for noncompliance.
How to maintain HIPAA compliance

HIPAA compliance is not a “once and done” exercise. It’s an ongoing commitment to securing PHI across people, processes, and technology. To stay compliant, organizations need to build safeguards into their daily operations and continuously monitor for gaps.
Here are the essential practices every covered entity and business associate should follow:
1. Start with a risk assessment
Map out where PHI lives in your systems, how it flows, and where vulnerabilities exist. This gives you a baseline for what needs to be secured.
2. Implement layered safeguards
HIPAA requires protections in three areas:
- Administrative - written policies, clear accountability, and staff training.
- Physical - facility access controls, device security, and disposal procedures.
- Technical - encryption, role-based access, audit logging, and regular monitoring.
3. Assign a compliance lead
Designate a HIPAA compliance officer (or team) to oversee policies, handle incidents, and ensure documentation is up to date. Leadership accountability is key to avoiding oversights.
4. Train your workforce regularly
Employees are often the weakest link in data protection. Training should be simple, practical, and repeated, covering everything from phishing risks to proper handling of patient records.
5. Manage business associate relationships
Anyone outside your organization who touches PHI, such as billing vendors, IT contractors, or cloud providers, must sign a BAA. This legally binds them to the same level of protection you are responsible for.
6. Prepare for breaches
Even with strong controls, incidents can occur. Have a playbook that covers how to investigate, contain, and report breaches. HIPAA requires notifying affected individuals and OCR within set timelines.
7. Document everything
Keep thorough records of risk assessments, policies, training logs, BAAs, audits, and breach responses. Documentation is your proof of compliance when OCR comes knocking.
8. Audit yourself often
Don’t wait for an OCR review. Conduct periodic internal audits to spot weaknesses, track remediation, and improve your security posture.
9. Adapt as risks evolve
HIPAA is consistent, but threats change. Cyberattacks, ransomware, and new technologies all introduce risks. Continuous monitoring and timely policy updates ensure you stay ahead.
Leadership takeaway: HIPAA compliance is less about a checklist and more about building trust. CEOs and CISOs should view it as an investment in resiliency, protecting both patients and the business.
Stay ahead of HIPAA enforcement with Scrut
HIPAA compliance is more than just avoiding fines; it’s about protecting patient trust and proving your commitment to data security. With Scrut, you can:
- Automate evidence collection across 100+ integrations.
- Monitor HIPAA controls continuously instead of relying on annual check-ins.
- Manage Business Associate Agreements and vendor risks in one place.
- Get audit-ready with built-in policy templates and guided workflows.

FAQs
Who enforces HIPAA at the federal level?
The HHS Office for Civil Rights (OCR) is the primary enforcer. The DOJ handles criminal cases, CMS enforces administrative simplification standards, and the FTC oversees health data not covered by HIPAA.
Can State Attorneys General take enforcement actions?
Yes. Since the HITECH Act, state AGs can file civil actions in federal court for HIPAA violations, often combining them with state consumer or data protection laws.
What steps should I take if I believe HIPAA was violated?
You can file a complaint with the HHS Office for Civil Rights (OCR) online, by mail, or by email. Complaints must be submitted within 180 days of when you knew of the violation. OCR will review the case and may investigate, resolve through corrective action, or impose penalties if a violation is confirmed.
What’s the difference between civil and criminal HIPAA enforcement?
Civil enforcement is handled by HHS OCR and involves monetary penalties or corrective action plans for violations. Criminal enforcement, led by the DOJ, applies when PHI is knowingly misused; penalties can include fines up to $250,000 and prison terms of up to 10 years.
How does OCR handle complaints?
OCR reviews each complaint to confirm it falls under HIPAA. If accepted, OCR notifies the organization, requests information, and investigates. Cases may end in voluntary compliance, a resolution agreement with corrective actions, or civil monetary penalties if violations are confirmed.
How is HIPAA monitored and regulated throughout the United States?
HIPAA is monitored federally by HHS OCR through complaint investigations, compliance reviews, and audits. The DOJ handles criminal cases, CMS oversees transaction standards, and state attorneys general can enforce violations locally. Together, this creates nationwide oversight of HIPAA compliance.
In what year did HIPAA become enforceable?
- 1996 — HIPAA was signed into law.
- 2003 — The Privacy Rule became enforceable, setting standards for how PHI is used and disclosed.
- 2005 — The Security Rule became enforceable, requiring safeguards for electronic PHI (ePHI).
Does the Food and Drug Administration (FDA) have any role in enforcing HIPAA?
No. The FDA regulates medical devices, drugs, and certain health technologies but does not enforce HIPAA. HIPAA enforcement rests with HHS OCR, DOJ, CMS, and state attorneys general.
How often does HHS conduct HIPAA audits?
HIPAA audits are not conducted on a fixed schedule. HHS OCR runs audit programs periodically, often in phases, to assess compliance across covered entities and business associates. Most enforcement still comes from complaints, breach reports, or compliance reviews rather than routine audits.
Do all HIPAA violations result in a fine?
No. Many cases are resolved through voluntary compliance, technical assistance, or corrective action plans. Fines are typically imposed only when violations are severe, involve willful neglect, or remain uncorrected.
Who regulates HIPAA?
HIPAA is regulated by the U.S. Department of Health and Human Services (HHS). Within HHS, the Office for Civil Rights (OCR) is the primary enforcer, supported by the Department of Justice (DOJ), the Centers for Medicare & Medicaid Services (CMS), and state attorneys general for specific areas of enforcement.