What is the OCR and what does it do?

What is the Office for Civil Rights?

The Office for Civil Rights (OCR) is a department within the United States Department of Health and Human Services (HHS). It enforces federal civil rights laws that prohibit discrimination based on race, color, national origin, disability, age and sex in programs and activities that receive federal financial help from HHS.

This includes enforcing the Health Insurance Portability and Accountability Act (HIPAA), which sets standards for protecting certain health information. The OCR also provides technical guidance to help covered entities comply with these laws and regulations.

How does the OCR enforce HIPAA?

The OCR enforces HIPAA by investigating complaints and conducting compliance reviews to ensure that covered entities, such as healthcare providers and insurance companies, comply with HIPAA regulations. If the OCR finds that a covered entity has violated HIPAA, it can take a number of enforcement actions, including:

  • Issuing a warning letter to the covered entity
  • Imposing a monetary fine on the covered entity
  • Requiring the covered entity to implement a corrective action plan to address the violation
  • Terminating the covered entity’s ability to receive federal funding
  • Referring the case to the Department of Justice for criminal prosecution

The specific enforcement action that the OCR takes will depend on the severity of the violation and the covered entity’s history of compliance with HIPAA.

What are the different fines for violating HIPAA?

There are two categories of HIPAA violations: civil and criminal.

Civil HIPAA violations can result in fines ranging from $100 to $50,000 per violation, with a maximum fine of $1.5 million per year for multiple violations of the same requirement.

Criminal HIPAA violations can result in much more severe fines and prison sentences. For example, obtaining or disclosing individually identifiable health information with the intent to sell, transfer or use it for personal gain is a criminal HIPAA violation. It can result in a fine of up to $50,000 and up to one year in prison.

Other criminal HIPAA violations, such as obtaining or disclosing individually identifiable health information under false pretenses, can result in fines of up to $100,000 and up to five years in prison.

It’s important to note that these are maximum fines and prison sentences and that the actual penalties imposed by the courts may be lower. The specific penalty will depend on the circumstances of the case.

How do you report a HIPAA breach to the OCR?

If you suspect a HIPAA breach, you can report it to the OCR by:

  • Filing a complaint online: You can file a complaint through the OCR’s website. You will need to provide your name and contact information, as well as the name of the covered entity that you believe has violated HIPAA.
  • Contacting the OCR by phone: You can call the OCR’s toll-free hotline at 1-800-368-1019 to report a HIPAA breach.
  • Sending a written complaint: You can also send a written complaint to the OCR by mail or fax. The mailing address and fax number can be found on the OCR’s website.

It’s important to note that the OCR only has jurisdiction to investigate HIPAA violations by covered entities, such as healthcare providers, health plans and healthcare clearinghouses. If you want to report a HIPAA violation by a business associate of a covered entity, it’s best to contact the covered entity directly.

About the author

Rick Kuwahara

Rick Kuwahara is COO and Chief Compliancy Officer for Paubox.
