A major restructuring within the U.S. Department of Health and Human Services (HHS) is signaling increased federal scrutiny of healthcare privacy, cybersecurity, and health plan compliance.
According to Ogletree Deakins, on May 18, 2026, HHS announced a reorganization of OCR's enforcement efforts. Under the new structure, the OCR will operate through three divisions: the Conscience and Religious Freedom Division, the Civil Rights Division, and the newly established Health Information Privacy, Data, and Cybersecurity Division. The dedicated privacy and cybersecurity division will focus on enforcing the Health Insurance Portability and Accountability Act (HIPAA) and related health information protections.
The announcement came shortly after OCR reached a resolution agreement with the Star Group L.P. Health Benefits Plan following an investigation into a ransomware attack that affected approximately 9,316 individuals. OCR alleged that the health plan failed to conduct an accurate and thorough risk analysis to identify potential risks and vulnerabilities to electronic protected health information (ePHI), as required under the HIPAA Security Rule. Under the settlement, Star Group agreed to pay $245,000 and adopt a two-year corrective action plan that includes conducting a comprehensive risk analysis, implementing a risk management program, updating HIPAA policies and procedures, and providing workforce training.
As part of the restructuring, OCR will now operate through three specialized divisions, each focused on a core area of the agency's enforcement responsibilities. The Civil Rights Division will oversee the enforcement of federal civil rights laws in healthcare and human services programs, including investigations into discrimination complaints. The Conscience and Religious Freedom Division will be responsible for enforcing federal conscience protections and religious freedom laws within the healthcare sector. Meanwhile, the newly created Health Information Privacy, Data, and Cybersecurity Division will focus on protecting health information through the enforcement of HIPAA's privacy, security, and breach notification requirements.
In announcing the restructuring, HHS Secretary Robert F. Kennedy Jr. said the changes are intended to strengthen the OCR's enforcement capabilities across its key areas of responsibility. He stated that “this reorganization restores the HHS Civil Rights Division and the Conscience and Religious Freedom Division and strengthens the Office for Civil Rights’ ability to defend religious liberty, enforce conscience protections, and combat unlawful discrimination.” Kennedy added that the department would defend these rights with “clarity, accountability, and resolve.”
OCR Director Paula M. Stannard emphasized that the new structure elevates health information privacy and security alongside the OCR's other enforcement priorities, stating, “This reorganization reinstitutes a structure that rightly prioritizes civil rights and conscience and religious freedom alongside health information privacy and security.”
Stannard further noted that “all three areas are deserving of subject-matter expertise and distinct senior executive leadership for OCR to best serve the American people.”
According to HHS, the restructuring returns OCR to a program-based model with dedicated divisions for civil rights, conscience and religious freedom, and health information privacy, data, and cybersecurity, aligning the agency's organizational structure with its primary enforcement responsibilities.
The creation of three specialized divisions could allow OCR to dedicate more resources, expertise, and leadership to each of its core enforcement areas. The reorganization also reflects the growing importance of cybersecurity in healthcare. With ransomware attacks on healthcare organizations up 264% and data breaches continuing to affect the sector, HHS appears to be positioning OCR to respond more effectively to threats that place patient information at risk.
What is the Office for Civil Rights (OCR)?
The Office for Civil Rights (OCR) is the division within HHS responsible for enforcing HIPAA's privacy, security, and breach notification rules, as well as federal civil rights and religious freedom laws in healthcare and human services programs.
Does the restructuring create new HIPAA requirements?
No. The restructuring does not create new HIPAA requirements. However, it may lead to more focused enforcement of existing privacy and security regulations.
What should organizations do in response?
Organizations should review their HIPAA privacy and security programs, ensure risk analyses are current, address identified vulnerabilities, update policies and procedures as needed, and provide workforce training on privacy and cybersecurity requirements.