Violations —
Who Enforces HIPAA and How to Stay Compliant
HIPAA is enforced by the HHS OCR. Stay compliant with risk assessments, training, breach response, and BAAs.
Share this article
Who Enforces HIPAA and How to Stay Compliant
HIPAA enforcement is handled by the Department of Health and Human Services' Office for Civil Rights (OCR) — but "OCR investigates complaints" undersells what actually happens procedurally, and most organizations' mental model of enforcement risk is calibrated wrong as a result. The real picture, drawn from OCR's own published enforcement data, is more specific and, in most cases, less immediately punitive than the vague "OCR will fine you" framing suggests.
What Actually Triggers an OCR Case
OCR opens cases from three sources: complaints filed by individuals, breach reports required under the Breach Notification Rule, and compliance reviews OCR initiates on its own — often triggered by media coverage, referrals from other agencies, or patterns across multiple complaints.
What happens next isn't automatically an investigation. Per OCR's own enforcement data, the majority of resolved cases never reach a settlement or penalty at all: OCR has provided technical assistance — direct guidance to fix the issue, without a formal investigation — in tens of thousands of cases, far outnumbering the 152 cases that have resulted in a settlement or civil money penalty since HIPAA's enforcement began. Most complaints that don't qualify for enforcement are closed for jurisdictional reasons (the entity isn't actually covered by HIPAA) or because the alleged conduct didn't violate the rules in the first place.
This matters for how organizations should actually think about enforcement risk: OCR's default posture is corrective, not punitive. The cases that escalate to a financial settlement are disproportionately ones involving repeated risk, ignored prior guidance, or willful neglect — not first-time, good-faith mistakes that get fixed promptly.
The Four Penalty Tiers
When OCR does pursue a financial penalty, the amount is set by culpability, not just the violation itself. As of the most recent 2026 inflation adjustment, the four tiers are:
Tier 1 — Did Not Know: $145 to $73,011 per violation, with a $2,190,294 annual cap for repeated violations of the same provision
Tier 2 — Reasonable Cause: up to $73,011 per violation, with a $146,053 annual cap
Tier 3 — Willful Neglect, Corrected: higher per-violation penalties, with correction within the required timeframe reducing the ultimate penalty
Tier 4 — Willful Neglect, Not Corrected: the highest tier, reserved for violations that were both willful and left unaddressed
The practical implication: how quickly and thoroughly an organization corrects a problem after discovering it has a direct, codified effect on the penalty tier it falls into. A Tier 3 violation, corrected promptly, can land in a meaningfully different financial position than the same underlying violation left unresolved into Tier 4.
What OCR Is Actually Prioritizing Right Now
OCR's enforcement focus shifts over time, and the current priority is concrete: in late 2024, OCR launched a Risk Analysis Initiative specifically targeting Security Rule risk analysis failures — a deliberate choice based on data showing inadequate risk analysis is the most frequently cited violation across OCR's investigations. Resolution agreements from 2025 reflect this directly: of ten settlements announced in the first five months of 2025 alone, nearly all cited a missing or inadequate risk analysis as a central finding, with penalties ranging from $25,000 to $3 million depending on severity and aggravating factors. Conducting a HIPAA Risk Assessment covers the specific requirement OCR is currently scrutinizing most closely.
This pattern has precedent: OCR's prior major enforcement initiative, the 2019 Right of Access Initiative, drove roughly 50 enforcement actions over five years and measurably improved compliance with patients' record-access rights in that time. A targeted OCR initiative isn't a temporary spotlight — it tends to run for years and produce a steady drumbeat of settlements in that specific area.
Staying Compliant in Practice
Given what actually drives OCR's enforcement decisions, the practical priorities are:
A current, genuinely thorough risk analysis — not a template filled out once and never revisited, given this is OCR's stated top enforcement focus right now
Policies and procedures that match operational reality, reviewed on a real cadence rather than left static after initial compliance
Documented, ongoing employee training — not a single onboarding session, since training gaps repeatedly surface as contributing factors in OCR's resolution agreements
A functioning breach detection and response process, given the Breach Notification Rule's 60-day reporting requirement and OCR's explicit position that late reporting can itself constitute willful neglect
Business Associate Agreements that are actually current and enforced, not signed once and forgotten — since OCR holds business associates directly liable, not just the covered entities that hired them
Aligning Enforcement Readiness Across Frameworks
Since OCR's current enforcement focus centers on risk analysis quality, organizations already maintaining a rigorous risk assessment process for ISO 27001 or SOC 2 have a real head start — the underlying discipline of identifying, documenting, and treating risk transfers substantially across frameworks, even though HIPAA's specific risk analysis requirement under the Security Rule has its own documentation expectations. Aligning SOC 2 and HIPAA Compliance covers where that overlap is real and where HIPAA's requirements diverge.
In the Spotlight

Start your HIPAA compliance journey with DSALTA's complete checklist.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive health information. Any organization handling protected health information (PHI)— from hospitals to SaaS vendors serving healthcare—must comply.
HIPAA compliance may feel overwhelming, but with DSALTA®’s automation, you can reduce manual work, continuously monitor safeguards, and stay prepared for audits. This checklist outlines the essential steps to meet HIPAA requirements.
Read more about HIPAA compliance with DSALTA.
Stop losing deals to compliance.
Get compliant. Keep building.
Join 100s of startups who got audit-ready in days, not months.




