The federal agency that enforces HIPAA is the U.S. Department of Health and Human Services Office for Civil Rights (OCR). OCR handles investigations, audits, and civil penalties related to HIPAA compliance. To reduce enforcement risk, many organizations implement online HIPAA training as part of their compliance strategy.
This guide breaks down the full landscape of federal HIPAA oversight, including OCR’s central role, how enforcement escalates to agencies like OIG and DOJ, and what happens when a violation occurs.
Table of Contents
- What Is HIPAA and Why Does It Require Federal Oversight?
- The Primary Federal Agency That Enforces HIPAA: HHS Office for Civil Rights (OCR)
- The HHS Office of Inspector General (OIG): For Escalation and Fraud
- The U.S. Department of Justice (DOJ): Enforcing Criminal HIPAA Violations
- Other Federal Agencies Involved in HIPAA Regulation
- Are HIPAA Federal Agencies The Only Enforcement Mechanism?
- How HIPAA Enforcement Has Evolved Over Time
- What Happens When a HIPAA Violation Occurs?
- How Organizations Can Stay Compliant
- Get HIPAA Training Online to Strengthen Compliance
What Is HIPAA and Why Does It Require Federal Oversight?
HIPAA, which stands for the Health Insurance Portability and Accountability Act, is a U.S. federal law that safeguards patients’ protected health information (PHI).
It does so through the:
- Privacy Rule, which specifies the conditions under which PHI can be used and disclosed;
- Security Rule, which sets the physical, technical, and administrative safeguards required to keep PHI (and electronic PHI or ePHI) secure;
- Breach Notification Rule, which requires security breaches and improper disclosures to be announced promptly to certain parties;
- Enforcement Rule, which sets the penalties for HIPAA violations.
HIPAA is a massive piece of legislation with many moving parts. In addition to protecting PHI, it also sets administrative and billing rules for the healthcare industry. The breadth of the regulations means that the question of which government agency is responsible for HIPAA compliance is a complicated one, because no single agency is perfectly equipped to enforce all the rules in HIPAA.
To ensure that each area of HIPAA compliance is handled with care and expertise, enforcement of HIPAA provisions is spread across multiple agencies, which then have to coordinate with one another.
The Primary Federal Agency That Enforces HIPAA: HHS Office for Civil Rights (OCR)
When people speak of HIPAA federal agencies, the first one they typically think of is the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Not only did it handle the bulk of HIPAA enforcement in the early years, but it’s still responsible for the enforcement of key HIPAA provisions.
OCR’s Authority
HHS’s Office for Civil Rights has enforcement authority over the Privacy, Security, and Breach Notification Rules.
Specifically, OCR’s HIPAA enforcement addresses violations of these rules from a non-criminal standpoint. In other words, OCR handles the civil side of enforcement and passes any potentially criminal matters along to the Office of Inspector General, which we’ll discuss below.
OCR’s Role in HIPAA Enforcement
Under its authority over the Privacy, Security, and Breach Notification Rules, OCR approaches potential violations from many angles.
In most cases, it is OCR that investigates HIPAA violations. Investigations may start with a report or complaint, or a violation might be found through the regular compliance reviews and audits that OCR conducts.
When OCR determines that violations of the Privacy, Security, or Breach Notification Rules have occurred, it can issue civil monetary penalties and bind organizations to resolution agreements and corrective action plans.
They may also refer individuals’ actions to their state licensing board, which can result in the revocation, suspension, or probation of their professional license.
The OCR also acts through prevention. They provide FAQs, guidance, and technical assistance to covered entities and business associates who have questions about how to remain HIPAA compliant.
When OCR Gets Involved
How does OCR get involved in the first place?
There are a few ways OCR’s attention may be drawn to a non-compliant organization, including:
- Breach Reports. The Breach Notification Rule requires breaches to be promptly reported to OCR, which may then launch an investigation.
- Patient Complaints. Patients who believe their HIPAA rights have been violated can open an OCR investigation by filing a complaint. This includes not just breaches and disclosures but denial of access to a patient’s own records.
- Compliance Reviews and Audits. The OCR conducts regular compliance reviews and audits. Violations can be found through this process.
- Patterns of Violations. When an organization has a history of violations that add up to a pattern of non-compliance, the OCR can place them under ongoing scrutiny.
The HHS Office of Inspector General (OIG): For Escalation and Fraud
The Office of the Inspector General (OIG) also falls under the U.S. Department of Health and Human Services (HHS).
You’ll sometimes see the difference between OCR and OIG HIPAA enforcement explained as “OCR handles civil violations while OIG handles criminal ones,” but it’s a bit more complicated than that.
In reality, criminal HIPAA violations can only be prosecuted by the U.S. Department of Justice (DOJ). OIG HIPAA investigations may involve criminal actions since their focus is fraud, but they also serve as an escalation point for HIPAA violations that can’t be resolved by the OCR.
What OIG Handles
The main purview of the OIG is to investigate fraud, waste, and abuse related to HHS programs. Under this umbrella, they handle civil, administrative, and fraud-related kinds of HIPAA violations.
HIPAA violations are handled by OIG when they involve:
- Willful Neglect, meaning conscious, intentional failure or reckless indifference.
- Failed Resolutions, in which HIPAA violators cannot reach a resolution agreement with OCR or act in a way that breaches their agreed-upon corrective action plan.
- Information Blocking, when developers, networks, and exchanges knowingly and unreasonably interfere with the access, exchange, or use of ePHI.
- Whistleblower Reports over fraud and abuse that come directly to the OIG.
As with the OCR, when the OIG encounters HIPAA violations that involve malicious intent or personal gain, they refer these cases to the DOJ. The OIG may cooperate with the DOJ to support criminal investigations, though.
OIG Penalties
As with the OCR, the OIG largely deals in civil penalties, settlement agreements, and corrective action plans.
However, the agency has several additional tricks up its sleeve, including:
- Corporate Integrity Agreements (CIAs), which require hiring a compliance officer to monitor and improve a company’s compliance program for (typically) 5 years.
- Exclusion from Federal Healthcare Programs as a penalty for CIA non-compliance.
- Information Blocking Penalties of up to $1 million per violation.
The U.S. Department of Justice (DOJ): Enforcing Criminal HIPAA Violations
When the OCR or OIG finds that a HIPAA violation involves willful misuse, personal gain, or malicious intent, they refer these matters to the U.S. Department of Justice (DOJ) as a criminal matter.
Criminal Penalty Tiers
The DOJ sorts criminal HIPAA violations into three tiers with increasingly harsh penalties. These tiers are:
- Tier 1: Willful misuse or disclosure of PHI.
- Tier 2: Acting under false pretenses, such as lying, misrepresenting one’s identity, or using unauthorized credentials.
- Tier 3: Acting for commercial advantage, personal gain, or malicious harm.
Examples of Criminal HIPAA Violations
Examples of Tier 1 criminal HIPAA violations include:
- Emailing PHI to a personal email for convenience
- Snooping on someone’s medical records when you don’t “need to know” as part of your professional role
- Downloading patient data to take with you before leaving a job (if it’s for non-malicious personal use)
- Discussing identifiable patient details in public (if there’s no payment or malicious intent)
Examples of Tier 2 criminal HIPAA violations include:
- Using a coworker’s credentials to gain access to patient files
- Disclosing someone’s PHI while falsely claiming you have patient authorization
- Misusing legitimate access just because you’re curious
- Impersonating a family member or doctor to get PHI
Examples of Tier 3 criminal HIPAA violations include:
- Stealing PHI to commit identity theft for yourself
- Selling patient data to marketing or personal injury firms
- Publicly releasing records to cause harm
- Using PHI for blackmail or extortion
Other Federal Agencies Involved in HIPAA Regulation
There are a few other HIPAA federal agencies involved in enforcement.
Centers for Medicare & Medicaid Services (CMS)
From within HHS, the Centers for Medicare & Medicaid Services (CMS) enforces administrative aspects of HIPAA through the Office of eHealth Standards and Services (OESS). This includes enforcing administrative simplification rules, code sets, and NPI requirements.
OESS investigates complaints, conducts audits, and provides guidance to help entities comply with these aspects of HIPAA.
Office of the National Coordinator for Health IT (ONC)
The Office of the National Coordinator for Health Information Technology (ONC) works from within HHS to improve healthcare through the secure, interoperable exchange of health data.
Their responsibilities include certifying Electronic Health Record (EHR) technology, promoting interoperability (clearer data transfer between EHR systems), and supporting the improvement of privacy and security in health IT systems.
Federal Trade Commission (FTC)
The Federal Trade Commission (FTC) is an independent agency of the U.S. government whose mission is to protect consumers from deceptive and unfair practices and data privacy breaches.
The FTC plugs a few gaps that occur because HIPAA only applies to covered entities and their business associates. For example, HIPAA doesn’t apply to companies like personal health record (PHR) vendors, PHR-related entities, health apps, fitness trackers, and similar health technologies. Consumers might think they have data privacy protected by HIPAA on these platforms, but they don’t.
To resolve that discrepancy, the FTC has its own Health Breach Notification Rule (HBNR) that places data breach notification requirements on these data sources.
Additionally, the FTC may penalize companies for sharing sensitive health data with third parties without user consent under its authority over unfair and deceptive practices.
Are HIPAA Federal Agencies The Only Enforcement Mechanism?
While most HIPAA investigations and enforcement actions are handled at the federal level, HIPAA is sometimes also enforced by state attorneys general (state AGs).
State AGs typically step in when a breach or violation involves a large number of state residents, in cases of systemic negligence, and when the HIPAA violations overlap with state consumer protection laws.
Sometimes these lawsuits can turn into multi-state actions, where state AGs from multiple states collaborate on a case.
When state AGs take action, they typically do so in coordination with the OCR.
How HIPAA Enforcement Has Evolved Over Time
The federal government has supervised and enforced HIPAA since its passage in 1996, but how HIPAA is regulated in the U.S. has changed a lot over the course of 30 years.
Here are some of the ways HIPAA has evolved over time.
Expansion of Electronic Health Records (EHRs)
When the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009, its goal was to encourage healthcare providers to switch from paper records to digital ones.
This push for more digital data meant that privacy and security provisions needed to evolve to cover the relevant access and security problems that came with EHRs.
Stronger Breach Notification Requirements
The HITECH Act introduced modern breach notification requirements so that affected individuals would be aware of their vulnerability.
Additionally, it increased the penalties for privacy and security breaches, which encouraged companies to invest more resources into prevention.
More Frequent Audits and Investigations
The HITECH Act also mandated periodic audits of covered entities and their business associates.
In the following decade, OCR steadily expanded the scope of proactive audits designed to catch HIPAA violations. This has led to an increase in enforcement actions and greater vigilance on the part of HIPAA-covered entities.
Increased Interagency Coordination
HIPAA federal agencies work together now, more than ever. In particular, the rise in hacking incidents has called for increased interagency coordination.
The Office for Civil Rights (OCR), Office of the Inspector General (OIG), Department of Justice (DOJ), Centers for Medicare & Medicaid Services (CMS), and Federal Trade Commission (FTC) all exchange information and cooperate in one another’s investigations.
What Happens When a HIPAA Violation Occurs?
Now that you understand who does what, let’s put it all together. When a HIPAA violation occurs, how does the process work?
OCR Investigation Process
When violations come to OCR’s attention, whether through a breach report, patient complaint, or compliance audit, the OCR has to review the situation and triage. Depending on the presence of a violation and the severity, they might close the case, provide technical assistance, or open a formal investigation.
If an investigation is opened, the OCR notifies the covered entity and requests documentation like policies, procedures, risk analyses, and training records. Investigators may also interview staff and perform site visits.
If non-compliance is found, the entity can choose to voluntarily comply with OCR’s recommendations; if it does not, OCR may impose a formal multi-year corrective action plan. Once the entity complies and pays any monetary penalty, the OCR case is closed.
If the covered entity fails to comply or if the case involves fraud, the OCR may refer the case to the OIG. If the investigation reveals commercial advantage, personal gain, or malicious harm, the OCR (or OIG) will refer the case to the DOJ for criminal prosecution.
Civil Penalties
Civil monetary penalties (CMPs) are separated into four tiers based on the degree of negligence involved.
The tiers and their 2024/2025 penalty amounts are:
- Tier 1: An entity or individual unknowingly violates HIPAA. Parties are only eligible for Tier 1 violations if they have exercised reasonable diligence. Tier 1 violations involve fines between $141 and $71,162 per violation.
- Tier 2: An entity or individual failed to take reasonable preventative precautions. Tier 2 violations mean the party had knowledge of the risk, or they should have with the exercise of reasonable diligence. Tier 2 violations involve fines between $1,424 and $71,162 per violation.
- Tier 3: These violations involve willful neglect and a knowing disregard of the rules. Parties are eligible for Tier 3 if they have taken corrective action within 30 days of discovering the violation. Tier 3 violations involve fines of between $14,232 and $71,162 per violation.
- Tier 4: These violations involve both willful neglect and a failure to correct. Tier 4 violations involve fines between $71,162 and $2,134,831 per violation.
There’s an annual cap of $2,134,831 in fines for all tiers.
Criminal Penalties
Criminal penalties, if there are any, are handed out by the DOJ, and we discussed the three tiers earlier.
The penalties for the criminal tiers of violations are:
- Tier 1 (willful misuse): up to $50,000 fine and/or 1 year in prison
- Tier 2 (false pretenses): up to $100,000 fine and/or 5 years in prison
- Tier 3 (for gain or harm): up to $250,000 fine and/or 10 years in prison
Tier 3 violations are prosecuted as felonies, while Tier 1 and Tier 2 violations may be kept as misdemeanors.
How Organizations Can Stay Compliant
Now that you understand how HIPAA is regulated in the U.S., you know the stakes for staying compliant.
To maintain HIPAA compliance, your organization must:
- Maintain HIPAA-compliant policies and procedures
- Follow breach notification requirements
- Audit access logs and PHI handling
- Conduct regular risk assessments
- Provide annual HIPAA training
Get HIPAA Training Online to Strengthen Compliance
HIPAA compliance is complicated enough without having to design and implement your own role-specific training program.
The good news is you don’t have to!
We offer online HIPAA compliance courses targeted for healthcare workers, medical offices, business associates, dental teams, and more! Our courses are self-paced, mobile-friendly, and available 24/7 for maximum flexibility.
These courses help prepare employees for understanding the responsibilities of HIPAA, safe PHI practices, and how HIPAA is enforced.
Visit our website to get started today!