HHS’ Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. Since 2003, OCR’s enforcement activities have obtained significant results that have improved the privacy practices of covered entities. The corrective actions obtained by OCR from covered entities have resulted in systemic change that has improved the privacy protection of health information for all individuals they serve.
HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005. OCR became responsible for enforcing the Security Rule on July 27, 2009.
OCR enforces the Privacy and Security Rules in several ways:
- By investigating complaints filed with it,
- Conducting compliance reviews to determine if covered entities are in compliance, and
- Performing education and outreach to foster compliance with the Rules’ requirements.
OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA