Who Investigates HIPAA Violations? OCR, DOJ, and State AGs Explained

Kevin Henry

HIPAA

October 19, 2024

When you ask who investigates HIPAA violations, three players lead the response: the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), the Department of Justice (DOJ), and state attorneys general (AGs). Each has a defined role tied to the HIPAA Privacy Rule, the HIPAA Security Rule, and HITECH Act enforcement, ensuring that protected health information (PHI) is safeguarded.

Role of the Office for Civil Rights

OCR is the primary civil enforcer of HIPAA. It investigates complaints, breach reports, and patterns of noncompliance by covered entities and business associates. Its focus spans impermissible uses and disclosures under the HIPAA Privacy Rule and failures to implement administrative, physical, and technical safeguards under the HIPAA Security Rule.

OCR’s toolbox ranges from technical assistance and voluntary corrective action to resolution agreements, civil money penalties, and multi‑year monitoring. It frequently emphasizes patient access rights, the minimum necessary standard, and appropriate responses to an unauthorized disclosure of protected health information.

If you submit a complaint, OCR first confirms jurisdiction and timeliness (generally within 180 days of learning of the issue). When OCR identifies noncompliance, it may require corrective action plans, policy updates, staff training, risk analysis remediation, and evidence of sustained compliance.

Criminal Enforcement by the Department of Justice

DOJ handles criminal HIPAA prosecutions when conduct crosses from civil noncompliance into crime, such as knowingly obtaining or disclosing PHI without authorization, accessing records under false pretenses, or selling PHI for personal gain. Investigations are often run with the FBI and U.S. Attorney’s Offices, sometimes alongside cybercrime or identity theft charges.

Penalties can include substantial fines and imprisonment (with the most serious offenses carrying up to 10 years when PHI is misused for profit or malicious harm). OCR refers potential criminal matters to DOJ; in parallel, DOJ may pursue broader schemes involving fraud, conspiracy, or computer misuse tied to PHI.

Civil Actions by State Attorneys General

State AGs can bring civil enforcement actions under the HITECH Act enforcement framework when residents are affected by HIPAA violations. They may seek injunctions, restitution, and other civil remedies for HIPAA breaches, often coordinating with OCR to avoid duplication and maximize corrective results.

AGs also leverage state consumer protection and data breach statutes in tandem with HIPAA, producing settlements that require security program overhauls, third‑party assessments, and ongoing reporting. Multistate investigations are common when large breaches impact people across state lines.

HIPAA Compliance Review Process

Beyond complaint investigations, OCR initiates compliance reviews when breach reports, news events, or referrals suggest systemic issues. These compliance review procedures are structured and evidence‑driven, emphasizing real‑world adherence to the HIPAA Privacy Rule and HIPAA Security Rule.

Typical steps you can expect

  • Initiation and scope: OCR defines the issues (e.g., access rights, risk analysis, or improper disclosure) and identifies in‑scope systems and locations.
  • Document requests: Policies, risk analyses, risk management plans, audit logs, training records, Business Associate Agreements, and incident/breach assessments.
  • Interviews and validation: Discussions with leadership, privacy/security officers, IT, and frontline staff; sampling of cases and technical tests.
  • Findings and remediation: A letter outlines violations with required corrective actions and timelines.
  • Enforcement outcomes: Technical assistance, corrective action plans with monitoring, settlement amounts, or civil money penalties if issues persist.

Preparing proactively—through enterprise‑wide risk analysis, timely patching, access management, encryption, workforce training, and tested incident response—positions you well if OCR launches a review.

Collaboration Between Enforcement Agencies

OCR, DOJ, and state AGs coordinate frequently. OCR shares potential criminal referrals with DOJ; DOJ may provide information that informs OCR’s civil remedies. State AGs notify OCR when filing HIPAA cases, and joint or parallel actions are common when conduct violates multiple laws.

This collaboration avoids gaps, ensures appropriate remedies, and aligns corrective measures—particularly after large breaches, ransomware incidents, or widespread improper disclosures. The result is a layered enforcement model that addresses both compliance weaknesses and intentional misconduct.

Types of HIPAA Violations Investigated

Agencies investigate a wide spectrum of violations that jeopardize PHI or undermine patient rights. Common categories include:

  • Impermissible uses/disclosures: Sharing PHI without authorization, marketing without valid authorization, or unnecessary disclosures violating the minimum necessary standard.
  • Right of access failures: Not providing records in a timely manner, overcharging, or supplying formats that ignore patient requests.
  • Security safeguards gaps: Missing risk analysis, weak access controls, inadequate encryption, poor audit logging, or unaddressed vulnerabilities leading to ePHI compromise.
  • Improper disposal and snooping: Discarding paper records improperly, failing to wipe devices, or employee snooping in electronic records.
  • Business associate noncompliance: Lacking Business Associate Agreements or failing to oversee vendors with access to PHI.
  • Breach response errors: Not investigating incidents, skipping risk assessments, or failing to provide timely breach notifications.
  • Criminal misconduct: Theft, sale, or trafficking of PHI, access under false pretenses, or identity‑theft schemes tied to PHI.

Together, these areas reflect where enforcement focuses to deter risk, drive improvements, and protect individuals’ health privacy.

Bottom line: OCR leads civil enforcement and compliance oversight, DOJ addresses criminal conduct, and state AGs add a powerful civil layer, especially for residents impacted by breaches. Understanding who investigates HIPAA violations and how cases move through compliance review procedures helps you prioritize controls that satisfy the HIPAA Privacy Rule and HIPAA Security Rule.

FAQs

Who files complaints with the OCR?

Patients, personal representatives, workforce members, and others can file complaints with OCR. Complaints should identify the covered entity or business associate, describe what happened, and are generally submitted within 180 days of learning of the issue. OCR also accepts referrals from other agencies and initiates reviews after significant breaches.

What types of violations does the DOJ prosecute?

DOJ prosecutes knowing, unauthorized access to or disclosure of PHI, obtaining PHI under false pretenses, and selling or using PHI for personal gain or malicious harm. These criminal HIPAA prosecutions often accompany charges such as identity theft, wire fraud, or computer misuse when schemes target health data.

How can state attorneys general enforce HIPAA?

Under the HITECH Act enforcement framework, state AGs may sue in federal court on behalf of residents for HIPAA violations. They can seek injunctions, consumer restitution, and other civil remedies for HIPAA breaches, and they typically coordinate with OCR while also leveraging state consumer protection and data breach laws.
