Who Enforces HIPAA After the Omnibus Rule? OCR and State AGs
After the HIPAA Omnibus Rule, enforcement is led by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and supported by State Attorneys General (State AGs). If you create, receive, maintain, or transmit protected health information (PHI), you face oversight from both—often at the same time.
This article explains Omnibus Rule Enforcement Authority, the HITECH Act Enforcement Provisions that empower federal and state regulators, and what recent trends mean for your HIPAA Privacy Rule Compliance and breach response posture.
HIPAA Enforcement Authorities
OCR as the primary federal enforcer
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules. Following the HIPAA Omnibus Rule, business associates—and their subcontractors—became directly liable for compliance, placing vendors squarely within OCR’s reach. OCR can investigate complaints, conduct compliance reviews, and levy Civil Monetary Penalties when appropriate.
State AGs as co-enforcers
Under the HITECH Act Enforcement Provisions, State AGs may bring State AG Civil Actions on behalf of residents for HIPAA violations. They can seek injunctive relief, monetary remedies authorized by statute, and attorneys’ fees. State AGs often target widespread violations affecting consumers in their states, including failures tied to data breaches and access to records.
Criminal and other considerations
Willful wrongful disclosures may also trigger criminal enforcement by federal prosecutors. While criminal cases are distinct from OCR’s civil oversight, entities frequently address parallel risks by strengthening safeguards, auditing access, and documenting decision-making.
OCR Enforcement Actions
OCR Investigative Procedures
OCR opens cases from complaints, breach reports, and proactive compliance reviews. You can expect a document request, interviews, technical inquiries, and verification of corrective steps. Many matters close with technical assistance or voluntary compliance; more serious cases resolve through Resolution Agreements and Corrective Action Plans (CAPs), or, in egregious situations, Civil Monetary Penalties.
Core compliance focus areas
- Risk analysis and risk management aligned to your environment and threats.
- Role-based access, minimum necessary, and audit controls for HIPAA Privacy Rule Compliance.
- Business associate due diligence and written agreements that reflect Omnibus requirements.
- Workforce training, sanctions, contingency planning, and device/media protections.
- Timely, affordable patient access to records and clear fee practices.
HIPAA Breach Notification Requirements
When a breach of unsecured PHI occurs, you must perform a risk assessment and notify affected individuals without unreasonable delay, notify HHS, and, for large incidents, notify prominent media. OCR regularly enforces failures to conduct a proper assessment, to send complete and timely notices, or to address root causes that led to the incident.
State Attorneys General Enforcement
Where State AGs focus
State AGs commonly pursue cases involving delayed breach notifications, inadequate safeguards, improper disclosures, and barriers to patient record access. They may seek injunctions requiring security upgrades, vendor oversight, and consumer remediation, alongside civil penalties authorized by law.
How State AG Civil Actions unfold
Investigations typically begin with consumer complaints, multistate coordination, or referrals. Expect requests for policies, risk analyses, incident logs, tracking-technology assessments, and vendor contracts. Early transparency, clear remediation plans, and documented governance often reduce exposure.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Practical takeaways for entities
- Map data flows and vendors to meet Omnibus-era business associate duties.
- Center security on current threats (ransomware, phishing, lost devices, and web tracking).
- Use metrics and audits to prove sustained compliance, not one-time fixes.
Recent Enforcement Trends
Patient right of access remains a priority
OCR continues targeted enforcement to ensure patients receive timely, affordable access to their records. Expect scrutiny of request workflows, identity verification, turnaround times, and fees.
Security failures driving settlements
Large breaches tied to unpatched systems, weak authentication, missing encryption, poor logging, or inadequate vendor oversight remain common. Entities that cannot show a current, documented risk analysis and risk management plan often face stronger remedies.
Online tracking and data flows
Use of tracking technologies on patient-facing sites and apps is under the microscope. Regulators evaluate whether identifiers and page-view data could reveal PHI and whether safeguards and disclosures match that risk.
Evolving privacy sensitivities
Heightened attention surrounds sensitive services and location data. Clear consent practices, strict access controls, and data minimization help demonstrate accountability in this climate.
Penalty posture and remediation
Civil Monetary Penalties tend to target willful neglect or repeated noncompliance, while many cases resolve with robust Corrective Action Plans. Demonstrating prompt containment, thorough investigation, and verifiable remediation materially influences outcomes.
Coordination Between OCR and State AGs
Information sharing and referrals
State AGs notify OCR when they file HIPAA-related actions, and OCR may share relevant information or provide technical assistance. This coordination helps align remedies and avoid conflicting obligations for covered entities and business associates.
Parallel investigations and settlements
You may face simultaneous oversight. Agencies commonly synchronize timetables, reporting, and CAP milestones. Keep a single master register of all commitments so your team can prove consistent, enterprise-wide implementation.
Building a coherent response strategy
- Designate one executive sponsor and a cross-functional HIPAA response team.
- Harmonize remediation plans so they satisfy both OCR and State AG expectations.
- Document risk decisions, vendor corrections, and verification testing from day one.
Conclusion
In short, who enforces HIPAA after the Omnibus Rule? OCR and State AGs share the job. OCR leads federal oversight, while State AGs bring civil actions to protect residents. If you align to the HITECH Act Enforcement Provisions, follow the HIPAA Breach Notification Requirements, and prepare for coordinated reviews, you can reduce legal risk and strengthen patient trust.
FAQs
What is the role of OCR in HIPAA enforcement?
OCR investigates complaints and breach reports, conducts compliance reviews, and resolves cases through technical assistance, corrective action, or Civil Monetary Penalties. Its scope covers the Privacy, Security, and Breach Notification Rules, including direct oversight of business associates after the Omnibus Rule.
How do State Attorneys General enforce HIPAA?
State AGs bring State AG Civil Actions on behalf of residents under the HITECH Act Enforcement Provisions. They typically seek injunctive relief and monetary remedies authorized by statute, especially where breaches, access delays, or systemic security gaps have harmed consumers.
What changes did the Omnibus Rule introduce to enforcement authority?
The Omnibus Rule made business associates and their subcontractors directly liable for HIPAA compliance, clarified standards for breach risk assessments, and strengthened accountability across the supply chain. These changes expanded practical enforcement reach for both OCR and State AGs.
How do OCR and State AGs coordinate enforcement actions?
State AGs notify OCR of filed actions, and the agencies share information and align remedies where possible. For entities, this often means integrated corrective action plans with synchronized timelines, reporting, and verification to satisfy both regulators efficiently.