You have responsibilities to report breaches of unsecured PHI. To learn more about these requirements and HIPAA enforcement, visit Chapter 7 of the Guide [PDF - 323 KB]. CEs and BAs that fail to comply with the HIPAA Rules could face civil and criminal penalties.


Civil Penalties


The Office for Civil Rights (OCR) is able to impose civil penalties for organizations that fail to comply with the HIPAA Rules. The potential civil penalties are substantial. Your good faith effort to be in compliance with the HIPAA Rules is essential. State attorneys general also may bring civil actions and obtain damages on behalf of state residents for violations of the HIPAA Rules.


Learn more about OCR's HIPAA enforcement; the HIPAA Privacy, Security, and Breach Notification Audit Program; and the HIPAA Enforcement Rule.


Criminal Penalties


The U.S. Department of Justice investigates and prosecutes criminal violations of HIPAA. Under HIPAA, the Justice Department can impose criminal penalties for:


• Knowing misuse of unique health identifiers

• Knowing and unpermitted acquisition or disclosure of Protected Health Information (PHI)