OCR

What is OCR?

OCR, or the Office for Civil Rights, is the arm of the US Department of Health and Human Services (HHS) tasked with enforcing federal civil rights laws, conscience and religious freedom laws, and the HIPAA Privacy, Security, and Breach Notification Rules. The Office protects Americans’ fundamental rights and freedoms and, in the context of HIPAA, investigates data breaches, fields complaints from the public, and ensures that covered entities and their business associates uphold the rights individuals have under HIPAA.

How Does OCR Enforce HIPAA Compliance?

OCR has the authority to:

  • Investigate reported breaches of PHI
  • Conduct random or targeted audits of healthcare organizations
  • Impose civil monetary penalties for noncompliance
  • Negotiate resolution agreements with violators, including Corrective Action Plans (CAPs), and publish them
  • Offer compliance resources and educational materials, including guidance on HIPAA compliance training requirements

OCR is also responsible for providing individuals with a pathway to file complaints if they believe their health information privacy rights have been violated.

What Should Organizations Know About OCR?

Healthcare organizations and their vendors should view OCR not only as a regulator but also as a resource for education and compliance. Following OCR’s published guidance on administrative safeguards, breach prevention, and HIPAA-compliant email systems can significantly reduce risk and demonstrate a “good faith effort” during any potential enforcement proceedings.

Regularly reviewing and updating HIPAA policies, and conducting the kind of security risk analysis OCR expects under the HIPAA Security Rule, are best practices for staying compliant and prepared in case of an audit or investigation.

Related Terms

Two Factor Authentication

End-to-End Encryption

Privacy Policy