Skip to main content
U.S. flag

An official website of the United States government

Return to Search

Enforcement Process, Index

This is an overview of OCR's enforcement process of the HIPAA Privacy and Security Rules. It is for covered entities and other stakeholders.


Issued by: Office for Civil Rights (OCR)

Issue Date: June 27, 1905

Enforcement Process

OCR enforces the Privacy and Security Rules in several ways: 

  • by investigating complaints filed with it, 
  • conducting compliance reviews to determine if covered entities are in compliance, and 
  • performing education and outreach to foster compliance with the Rules' requirements. 

OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.

Text description of HIPAA Privacy & Security Rules Complaint Process

How OCR Enforces the Privacy & Security Rules

During Intake & Review of a Complaint

The Enforcement Rule

Back to Top

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.