The OCR enforces both the HIPAA Privacy and Security Rules. However, several conditions must be met before the OCR will take on a complaint.
Firstly, the allegation must be against a covered entity. Covered entities include healthcare providers such as psychologists, doctors, nurses, and dentists. Hospitals are also covered entities. Schools, life insurers, and municipal offices are not included and are not expected to comply with these rules.
Secondly, the alleged violation must have occurred after the implementation of the Security Rule. Compliance with the Security Rule commenced on April 14, 2003. The implementation of the Security Rule took place on April 20, 2005. So, any complaints made before these dates will not be investigated.
Thirdly, the violation should be reported within 180 days. However, the OCR can still entertain a report if there are valid reasons for not reporting the violation sooner.