In a recent interview with Rachel Klugman Seeger of North Country Communications, she raised the question of how the current administration’s closures of six HHS regional offices would affect HHS OCR’s investigations into HIPAA breaches. It was a great question, so DataBreaches put the following questions to HHS OCR: (1) How many breach investigators have been furloughed or terminated by the government in recent months? (2) What are the administration’s current priorities in terms of investigating breaches of the HIPAA Security and Breach Notification rules? (3) Will the government investigate fewer data breaches this coming year due to layoffs?
They responded:
- OCR continues to execute its enforcement mission under its statutory and regulatory authorities regarding civil rights, exercise of conscience, and health information privacy and security, and breach notification. OCR continues to investigate complaints filed, to conduct compliance reviews, and to review breaches of unsecured protected health information.
- OCR will be responsive to the HIPAA trends and compliance issues within OCR’s jurisdiction that are affecting the public and the regulated industry. That said, there are four areas worth highlighting as priorities in OCR’s health information privacy and security portfolio, in no particular order.
- Continuing of the HIPAA Privacy Rule Right of Access Enforcement Initiative, with several new compliance reviews on parental access to minor children’s records.
- Building upon the HIPAA Security Rule Risk Analysis Initiative with an expansion to risk management.
- Emphasizing hacking and ransomware enforcement actions, as it is the main type of large breach reported to OCR.
- Preparing to begin receiving breach reports and complaints in February 2026 for a new enforcement program for the confidentiality of substance use disorder treatment records under 42 C.F.R. Part 2.
- In terms of investigations for breaches of unsecured protected health information, the following website lists all breaches of unsecured protected health information that affect 500 or more individuals reported within the last 24 months that are currently under investigation by the Office for Civil Rights. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
So they didn’t directly answer the first and third questions, but have responded by outlining some priorities for this year.
It does not sound like they are specifically making timely breach disclosure and notification a priority, but those issues may be part of hacking and ransomware enforcement actions, especially when a ransomware incident is not disclosed to HHS or to affected patients for many months.
It also sounds like they will be diving into entities’ risk analysis and risk management more in 2026 than in previous years. Hopefully, their investigations of risk analysis and risk management will include provisions and auditing of business associates, because as this site has previously reported, business associate breaches account for the greatest percentage of breached records (although not the greatest percentage of reports to HHS OCR).
Update: Following publication, Theresa Defino informed me that she had published a December interview with Paula Stannard, Director of HHS OCR. Stannard’s statements about risk analysis and management are consistent with what I expected based on HHS OCR’s email to me about their priorities. You can read Defino’s interview report from Report on Patient Privacy at JDSupra.