HHS restructures Office for Civil Rights

HHS said on May 18 that it is reorganizing the Office for Civil Rights, the unit that enforces federal health privacy and security rules, including the HIPAA Privacy, Security and Breach Notification Rules and confidentiality protections for substance-use-disorder patient records. The department said the overhaul returns OCR to a “program-based structure” and places staff into four components: civil rights, conscience and religious freedom, health information privacy, and operations. The announcement came as HHS continues broader workforce cuts and as industry watchers await a final HIPAA Security Rule update that could land as early as May 2026, according to a timetable cited by HIPAA Journal. ### What exactly did HHS change inside OCR? HHS said the reorganization creates a Deputy Director for Civil Rights, Conscience and Religious Freedom and a Deputy Director for Health Information Privacy, and groups OCR’s work into four offices. The department said the structure is meant to align OCR’s operations with its statutory responsibilities and improve oversight of civil rights, conscience protections and health information privacy and security. (hhs.gov) The May 18 release also restated OCR’s enforcement portfolio. HHS said OCR is the department’s law enforcement agency for civil rights, conscience and religious freedom, and health information privacy and security, including HIPAA and the confidentiality rules for substance-use-disorder records under 42 CFR Part 2. ### Why are health systems and vendors watching the privacy side so closely? (hhs.gov) HIPAA Journal reported on May 18 that a final rule updating the HIPAA Security Rule is due as early as May 2026, based on an OCR timetable published in spring 2025. The publication said the proposal would strengthen requirements to protect electronic protected health information and would have “major implications” for business associates of covered entities, though it also noted the rule could be delayed. (hhs.gov) OCR’s recent enforcement docket shows the office was already active before the restructuring. HHS posted settlements on ransomware-related HIPAA Security Rule investigations on April 23, 2026, and announced a civil enforcement program for substance-use-disorder confidentiality records on Feb. 13, 2026. ### How does this fit into the wider HHS shake-up? HHS had already announced a broader departmental restructuring that would place OCR under a new Assistant Secretary for Enforcement alongside the Departmental Appeals Board and the Office of Medicare Hearings and Appeals. (hipaajournal.com) In that earlier plan, HHS said the new enforcement office would help combat waste, fraud and abuse in federal health programs. Federal News Network reported on May 18 that HHS is sending reduction-in-force notices to 78 additional employees who were not cut in the department’s earlier layoffs. (hhs.gov) The same report said HHS is also preparing to convert hundreds of senior positions into a rebranded version of Schedule F, the employment category associated with easier removal of career federal staff. (hhs.gov) ### What does the near-term picture look like for regulated companies? Business associates, cloud vendors and other contractors that touch protected health data face two moving pieces at once: OCR’s internal reorganization and the pending Security Rule update. HHS has not said that HIPAA enforcement is being paused, and OCR’s public enforcement releases this year indicate investigations and settlements have continued. (federalnewsnetwork.com) The next concrete milestone is the final HIPAA Security Rule update, which HIPAA Journal said could arrive as early as May 2026 if OCR follows the timetable it previously circulated. HHS has not yet published that final rule, and the department’s May 18 OCR restructuring release did not give a separate date for it. (hipaajournal.com) (hhs.gov)