
On February 27, 2023, the U.S. Department of Health and Human Services (HHS) announced that its law enforcement agency – the Office for Civil Rights (OCR) – will reorganize, adding new divisions to better address the rapid increase in cases it is charged with handling. Tellingly, the title of HHS’s announcement focuses on the need to better address the “growing need” for enforcement. The OCR will now have three new divisions: the Enforcement Division, Policy Division and Strategic Planning Division. OCR Director Melanie Fontes Rainer indicated these new divisions are needed due to the OCR’s caseload having increased 69 percent between 2017 and 2022.

Before implementation of the new Divisions, the OCR’s organizational chart found on HHS’s website looked like this:

The changes to the organizational structure and nomenclature include:

  • Renaming the Health Information Privacy Division as the Health Information Privacy, Data, and Cybersecurity Division “to be more reflective of their work and role in cybersecurity,” as hacking-related breaches account for 80 percent of all breaches reported to the OCR.
  • Reorganizing the responsibilities of the four current divisions “into new functional crosscutting areas: for Policy, Strategic Planning, and Enforcement where staff will work in their areas of expertise based on skill set to drive greater implementation and enforcement of the law.”
  • Creating the Strategic Planning Division, which will coordinate public outreach related to the various divisions’ focus “as well as expand data analytics and coordinate data collection across HHS leadership.”

Of the 51,000 complaints made to the OCR in 2022, 66 percent were related to alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), 27 percent were related to allegations of civil rights violations, and 7 percent were related to allegations of conscience/religious freedom. The press release noted that in addition to HIPAA and HITECH, the OCR enforces 33 “civil rights, conscience and privacy statutes” and “investigates complaints, conducts compliance reviews, develops policy, promulgates regulations, provides technical assistance, and educates the public about federal civil rights, privacy, and conscience laws.”

HHS appears hopeful that the reorganization will result in an organizational structure that “reflects that of other federal civil rights offices, namely the Department of Education’s Office for Civil Rights.” The press release stated that the OCR believes the restructuring will “provide a more integrated operational structure” across the divisions and will “better use OCR’s limited resources by moving to a skill set model, where teams are organized by skill set and focus on a full set of legal issues.” The ultimate goal is “a more integrated approach to case management and allows for direct engagement between policy, enforcement, and investigations.”

For years, healthcare entities have experienced a wide range of investigation timelines for OCR breach investigations – some remaining open, without OCR contact, for several years. While investigations never will be pleasant, many entities will likely prefer a more predictable cadence of investigations and quicker resolutions.