Who Investigates Covered Entities and Business Associates for HIPAA Breaches?
When a potential HIPAA breach occurs, more than one authority may investigate the covered entity and any business associate involved. This guide explains who leads investigations of covered entities, how business associate risk assessments fit in, and what to expect from a protected health information (PHI) investigation from start to finish.
You will see how Privacy Rule and Security Rule enforcement plays out in practice, who coordinates Breach Notification Rule procedures, and the legal consequences that can follow.
HHS Office for Civil Rights Enforcement
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is the primary federal agency enforcing the HIPAA Privacy, Security, and Breach Notification Rules. OCR investigates complaints from patients and workforce members, breach reports submitted by covered entities and business associates, and patterns of noncompliance uncovered through compliance reviews and audits.
When OCR opens a case
- Complaints alleging impermissible uses/disclosures, lack of patient access, or inadequate safeguards.
- Breach reports, especially those involving 500 or more individuals or recurring incidents.
- Indicators of systemic noncompliance, such as missing policies, deficient training, or absent risk analyses.
How an OCR investigation proceeds
- OCR issues written data requests and interviews key personnel to evaluate compliance with the Privacy and Security Rules; expect to be asked for the risk analysis, policies, training records, audit logs, and BAAs relevant to the incident.
- Technical assistance may resolve minor gaps; significant issues can lead to resolution agreements, corrective action plans, and civil monetary penalties.
- OCR may coordinate with the HHS Office of Inspector General and refer egregious conduct for criminal review by the Department of Justice.
Business associates under OCR scrutiny
Business associates are directly liable for their own HIPAA violations, not just through their contracts with covered entities. OCR examines business associate risk assessments, security controls, subcontractor oversight, and business associate agreements (BAAs) to confirm that protected health information (PHI) receives appropriate administrative, physical, and technical safeguards.
State Attorneys General Authority
State Attorneys General (AGs) have had authority since the HITECH Act to bring civil actions in federal district court on behalf of residents affected by HIPAA violations, and they often work in parallel with OCR. Their goals include stopping unlawful practices, securing restitution, and deterring future misconduct through penalties and injunctive relief.
How state AGs act
- Pursue HIPAA and complementary state privacy or consumer protection claims arising from the same incident.
- Issue subpoenas, take testimony, and negotiate settlements that require stronger privacy and security controls.
- Coordinate with OCR to avoid duplicative demands and to align remedial measures for covered entities and business associates.
CMS Oversight of EHR Incentive Programs
The Centers for Medicare & Medicaid Services (CMS) oversees EHR Incentive Programs (now generally referred to as Promoting Interoperability initiatives). CMS audits attestations and may recoup incentive payments or adjust reimbursements when requirements are not met.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Where CMS intersects with HIPAA
- Security risk analysis: Program requirements expect you to complete and act on a risk analysis aligned to the HIPAA Security Rule.
- Program integrity: If attestations are inaccurate—such as claiming a completed risk analysis when it was incomplete—CMS can impose financial consequences independent of OCR actions.
- Coordination: CMS oversight complements, but does not replace, OCR’s enforcement of HIPAA Privacy and Security standards.
HIPAA Privacy and Security Rule Compliance
Effective compliance reduces breach risk and demonstrates due diligence during investigations. You should maintain documented policies, workforce training, and BAAs; apply minimum necessary standards; and honor individuals’ rights to access and receive an accounting of disclosures.
Security essentials for ePHI
- Risk analysis and risk management addressing threats, vulnerabilities, and likelihood/impact.
- Access controls, authentication, and audit logging; encryption for data in transit and at rest where feasible.
- Incident response plans that define roles, decision criteria, and evidence preservation steps.
- Vendor oversight through Business Associate Risk Assessments and continuous monitoring.
Proving compliance during investigations
- Produce timely documentation: policies, risk analyses, training records, system inventories, and BAA files.
- Show recent corrective actions, technology updates, and monitoring results that demonstrate ongoing HIPAA Security Rule Compliance.
Breach Notification and Investigation Procedures
When you suspect a breach, your PHI investigation should begin immediately. Activate incident response, contain the event, and preserve logs and forensic evidence while you assess whether PHI was compromised. Note that a breach is treated as discovered on the first day it is known, or reasonably should have been known, to any workforce member or agent of the organization; the notification clocks below run from that date, not from the date the investigation concludes.
Conducting the breach risk assessment
Under the Breach Notification Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised. That demonstration must consider at least these four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom it was disclosed (for example, another HIPAA-regulated entity versus an unknown third party).
- Whether the PHI was actually acquired or viewed, or only exposed to the opportunity for access.
- The extent to which the risk has been mitigated (e.g., a credible, documented attestation that the recipient destroyed the data and did not further use it).
Check the encryption safe harbor first: if the PHI was encrypted in accordance with HHS guidance and the key was not compromised, the data is not "unsecured PHI" and the notification obligations below do not apply. Document that determination as carefully as you would a four-factor assessment.
Breach Notification Rule Procedures
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
- If 500 or more individuals are affected, notify HHS at the same time you notify individuals (no later than 60 days after discovery); if 500 or more residents of a single state or jurisdiction are affected, also notify prominent media outlets serving that area. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
- Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery, and must provide the identities of affected individuals and any other details the covered entity needs to notify them.
- Document decisions, evidence, and mitigation steps to support any OCR or state AG review.
Legal Consequences of HIPAA Violations
Outcomes range from technical assistance to settlement agreements with corrective action plans and civil monetary penalties. State AGs can seek injunctive relief and monetary remedies, and the Department of Justice may criminally prosecute individuals who knowingly obtain or disclose PHI in violation of HIPAA, with penalties increasing where the conduct involves false pretenses or intent to sell or misuse the data.
Factors that influence penalties
- Timeliness and completeness of breach notification and cooperation with investigators.
- Quality of your risk analysis and risk management program, plus evidence of ongoing improvements.
- Scope and duration of noncompliance, patient impact, and prior history.
- Documented adoption of recognized security practices (such as NIST standards or the HHS 405(d) practices) that have been in place for at least the preceding 12 months; since a 2021 amendment to HITECH, HHS must take these into account when determining penalties and the scope of audits.
Conclusion
OCR leads federal HIPAA enforcement, state AGs add powerful consumer protection tools, and CMS safeguards the integrity of EHR Incentive Programs that reinforce HIPAA Security expectations. By sustaining strong governance, thorough risk analyses, and disciplined Breach Notification Rule Procedures, you position your organization to prevent incidents—and to respond decisively if one occurs.
FAQs
Who is responsible for enforcing HIPAA breaches?
HHS’s Office for Civil Rights is the primary federal enforcer of the HIPAA Privacy, Security, and Breach Notification Rules. OCR investigates complaints and breach reports, conducts compliance reviews, and can impose corrective action plans and civil penalties. It may coordinate with state AGs and refer criminal matters to the Department of Justice.
What role do state attorneys general play in HIPAA investigations?
State attorneys general can bring civil actions on behalf of residents, seek injunctions and monetary relief, and enforce related state privacy and consumer protection laws. They often coordinate with OCR, and their cases can run in parallel with federal investigations following a HIPAA breach.
How does CMS contribute to HIPAA compliance oversight?
CMS audits EHR Incentive Program (Promoting Interoperability) attestations, including completion of a security risk analysis aligned with the HIPAA Security Rule. While CMS does not replace OCR’s enforcement role, it can recoup incentives or adjust reimbursements when program requirements tied to security and interoperability are not met.