The AMA statement is correct. It is a fact (written in the law) that enforcement of the HIPAA Administrative Simplification rules is complaint-driven only, at least for the foreseeable future. Privacy rule complaints go to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). The OCR handles civil penalties and refers potential criminal complaints to the Department of Justice. All other rules under Administrative Simplification, including the security rule, will be enforced by HHS’ Centers for Medicare and Medicaid Services (CMS) Office of HIPAA Standards. This is true of all “covered entities,” large and small. There is no government agency or other body that officially audits proactively for HIPAA compliance.