OCR announces the formation of a new Enforcement Division

The U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division. Is more HIPAA Enforcement on the way?

The newly established Strategic Planning Division will coordinate the OCR’s authorities to protect civil rights and health information privacy as well as expand data analytics and coordinate data collection across the HHS leadership.

“As a trusted advisor and leader of the newly established division, Luis Perez will direct the standalone Enforcement Division that will provide vital integration between our regional offices and headquarters staff to swiftly investigate and determine appropriate steps for all complaints we receive,” said Director Fontes Rainer. “This structure will enable OCR staff to leverage its deep expertise and skills to ensure that we are protecting individuals under the range of federal laws that we are tasked with enforcing.”

The OCR will rename the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC).

The OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022.

There were approximately 33,660 related to health care. If you calculate this into 246 workdays (including vacation time), this equals to about 137 per day and 20 per hour! Of these, 717 were investigated, equating to nearly 3 per business day.

By the time you finish reading this blog you could be next!

Would the Office for Civil Rights open an investigation for:

  • Missing your Notice of Privacy Practices on your website, or missing a patient signature for it, probably not.
  • For an incorrect patient sign-in sheet, probably not.
  • Lack of no-surprise billing notice on your website, probably not.

Would the Office for Civil Rights open an investigation for:

  • Privacy complaint from a patient, YES.
  • Information blocking complaint from a patient, YES.
  • Report from a disgruntled employee, YES.

HOWEVER, one patient or disgruntled employee’s complaint opens the door for the OCR. Then, they will review ALL your HIPAA compliance efforts. Including the items listed above that they would not start an investigation with. With this new enforcement division, this has crossed a new threshold.

Is your practice at risk of being one of the three to be investigated tomorrow? The best way to avoid a HIPAA desk audit is through proper HIPAA documentation.

Most investigations can be avoided by supplying the OCR with proper documentation! How well do you trust yours?

If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Cyber Security – how to prepare!

 

By Aris Medical Solutions

 

Cyber attacks are on the rise in healthcare, and are one of the leading cause of data breaches. Disgruntled employees are another and patients that believe their information has been compromised round out the top three. Although nothing is 100% secure, there are a few simple things you can do to prevent nearly all of these attacks.

First and foremost prepare and plan for a breach. Implement a Breach Notification plan. Understand the difference between an internal and external breach. Make sure you have your security team in place!

Too many practices think they can ignore the possible threat because they use a cloud based EHR. Most hacks and unauthorized access are caused internally due to an employee that is uneducated in security. Employees that use their work computers to access personal email or use their work email for personal use expose the practice to this uncertainty. This could potentially allow viruses and malware into your network. It only takes one person to surf the web and pick up keylogging malware or click on an email attachment or link and bring your entire organization to a halt. Best practices to share security information with your staff at least monthly. Continual education of the possible threats are necessary. You can never be TOO diligent in the area of security!

Make sure you use a Termination Checklist to remind you of all of the access points that must be removed should an employee leave. This is a huge oversight that we see a lot of when we are conducting network security audits. Employees leave and some of their login credentials are removed but not all of them.

Last but certainly not least; if you have a patient that complains about their privacy being violated, take it seriously and resolve the issue as quickly as possible. Make sure you document the process.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC