Enforcement Process

OCR enforces the Privacy Rule in several ways:

by investigating complaints filed with it,
conducting compliance reviews to determine if covered entities are in compliance, and
performing education and outreach to foster compliance with the Privacy Rule’s requirements.

Additional enforcement information

How OCR Enforces the Privacy Rule

During Intake & Review of a Complaint

The Enforcement Rule

OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA and with the Centers for Medicare & Medicaid Services (CMS) in investigating possible violations of the HIPAA Security Rule.

HIPAA Privacy Rule Complaint Process Chart shows that a Complaint goes into Intake and Review - from there it could go to Resolution. From Intake and Review it could go to three possible channels. It could be a Possible Criminal Violation and go to DOJ. It could be a Possible Privacy Rule Violation and go to OCR Investigation. It could be a Possible Security Rule Violation and go to CMS.

Text description of HIPAA Privacy Rule Complaint Process