Which Government Agency Enforces HIPAA Rules?

The U.S. Department of Health and Human Services Office for Civil Rights enforces the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule for HIPAA Covered Entities and Business Associates, while the U.S. Department of Justice prosecutes criminal violations of HIPAA and the Centers for Medicare and Medicaid Services enforces HIPAA Administrative Simplification standards for certain electronic transactions.

The Office for Civil Rights administers the federal civil enforcement program for most HIPAA compliance obligations that apply to protected health information, including investigating complaints, reviewing breach reports, conducting compliance reviews, and resolving cases through corrective action and, when warranted, civil monetary penalties. Office for Civil Rights jurisdiction covers HIPAA Covered Entities and Business Associates and focuses on compliance with requirements for uses and disclosures of protected health information, safeguards for electronic protected health information, individual rights, administrative requirements, and breach notification obligations.

The U.S. Department of Justice has criminal enforcement authority for knowing misconduct involving protected health information, including prohibited obtaining or disclosure in circumstances addressed by the criminal provision of HIPAA. The Office for Civil Rights refers matters to the U.S. Department of Justice when facts indicate potential criminal conduct, and the U.S. Department of Justice determines whether to pursue investigation and prosecution under applicable federal criminal statutes.

The Centers for Medicare and Medicaid Services enforces HIPAA Administrative Simplification standards related to certain electronic transactions, code sets, unique identifiers, and operating rules that support standardized administrative health care transactions. State Attorneys General also have authority to bring civil actions in federal court on behalf of state residents for violations of the HIPAA Privacy Rule and HIPAA Security Rule, including seeking injunctive relief and monetary remedies within the limits set by federal law.

About James Keogh
James Keogh has been writing about the healthcare sector in the United States for several years. With several years of experience covering healthcare topics, he has developed expertise in HIPAA-related issues, including compliance, patient privacy, and data breaches. His work is known for its thorough research and accuracy, making complex legal and medical information accessible. James's articles are valuable resources for healthcare professionals and have been featured in reputable publications. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681.