Office for Civil Rights Restructuring – More HIPAA Enforcement on the Horizon?
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced a restructuring of its office. The agency is tasked with enforcing federal laws protecting civil rights including the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The restructuring will create three subject matter divisions, including the Health Information Privacy, Data, and Cybersecurity Division. OCR Director Paula Stannard stated that each OCR division will have a team with “subject matter expertise and distinct senior executive leadership.”
According to OCR, the restructuring will not result in a reduction in OCR’s workforce, and HIPAA complaints and breaches of unsecured protected health information (PHI) will continue to be handled through a centralized intake process and field office review/investigation. Health care organizations continue to face sophisticated cyber threats that have resulted in large data breaches over the past decade. However, the pace at which OCR has investigated and closed its review of large data breaches has considerably slowed.
In addition, OCR has continued to delay finalizing the proposed updates to the HIPAA Privacy Rule first introduced in January 2021 and HIPAA Security Rule updates introduced in January 2025. OCR has not publicly stated a timeline for these regulatory changes to be finalized.
Whether the restructuring results in stricter and/or more expedient review and enforcement of the HIPAA Privacy, Security, and Breach Notification Rules is yet to be seen. For covered entities and business associates, ongoing risk assessments, review of HIPAA policies and procedures, implementation of updated safeguards, and organization-wide training and awareness efforts continue to be proactive steps as part of a robust information privacy and security program.

