HHS Restructures OCR to Better Handle Increased HIPAA Complaint Volume

February 28, 2023 - The HHS Office for Civil Rights (OCR) announced new restructuring efforts, including the formation of three new divisions, in order to better manage its increased volume of HIPAA and HITECH complaints and compliance reviews.

OCR’s new Enforcement Division, Policy Division, and Strategic Planning Division will all play roles in providing “a more integrated operational structure for civil rights, conscience protections and privacy protections and cybersecurity protection,” HHS stated.

“OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022– an increase of 69 percent between 2017 and 2022 – with 27 percent alleged violations of civil rights, 7 percent alleged violations of conscience/religious freedom, and 66 percent alleged violations of health information privacy and security laws,” said OCR Director Melanie Fontes Rainer.

“Today’s reorganization improves OCR’s ability to effectively respond to complaints, puts OCR in line with its peers’ structure and moves OCR into the future.”

OCR’s updated structure will mirror that of the Department of Education’s Office for Civil Rights and other federal civil rights offices.

Specifically, OCR will reorganize the roles and responsibilities within its current Health Information Privacy, Operations and Resources, Civil Rights and the Conscience and Religious Freedom divisions into the Policy, Strategic Planning, and Enforcement divisions.

Within these divisions, staff “will work in their areas of expertise based on skill set to drive greater implementation and enforcement of the law,” HHS noted.

The Strategic Planning Division will facilitate public outreach to further protect civil rights and health information privacy while expanding the Office’s data analytics and data collection efforts.

OCR will also rename the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) in order to better represent the team’s cybersecurity efforts.

“For example, breaches of unsecured protected health information (PHI), including electronic PHI, reported to OCR affecting 500 or more individuals (large breaches) increased from 663 large breaches in 2020 to 714 large breaches in 2021,” the announcement stated.

“This trend is continuing and to date, hacking accounts for 80 percent of the large breaches OCR has received. HIPDC will continue to meet the growing demands to address health information privacy and cyber security concerns.”

“This structure will enable OCR staff to leverage its deep expertise and skills to ensure that we are protecting individuals under the range of federal laws that we are tasked with enforcing,” Fontes Rainer said.