OCR announces the formation of a new Enforcement Division

The U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division. Is more HIPAA Enforcement on the way?

The newly established Strategic Planning Division will coordinate the OCR’s authorities to protect civil rights and health information privacy as well as expand data analytics and coordinate data collection across the HHS leadership.

“As a trusted advisor and leader of the newly established division, Luis Perez will direct the standalone Enforcement Division that will provide vital integration between our regional offices and headquarters staff to swiftly investigate and determine appropriate steps for all complaints we receive,” said Director Fontes Rainer. “This structure will enable OCR staff to leverage its deep expertise and skills to ensure that we are protecting individuals under the range of federal laws that we are tasked with enforcing.”

The OCR will rename the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC).

The OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022.

There were approximately 33,660 related to health care. If you calculate this into 246 workdays (including vacation time), this equals to about 137 per day and 20 per hour! Of these, 717 were investigated, equating to nearly 3 per business day.

By the time you finish reading this blog you could be next!

Would the Office for Civil Rights open an investigation for:

  • Missing your Notice of Privacy Practices on your website, or missing a patient signature for it, probably not.
  • For an incorrect patient sign-in sheet, probably not.
  • Lack of no-surprise billing notice on your website, probably not.

Would the Office for Civil Rights open an investigation for:

  • Privacy complaint from a patient, YES.
  • Information blocking complaint from a patient, YES.
  • Report from a disgruntled employee, YES.

HOWEVER, one patient or disgruntled employee’s complaint opens the door for the OCR. Then, they will review ALL your HIPAA compliance efforts. Including the items listed above that they would not start an investigation with. With this new enforcement division, this has crossed a new threshold.

Is your practice at risk of being one of the three to be investigated tomorrow? The best way to avoid a HIPAA desk audit is through proper HIPAA documentation.

Most investigations can be avoided by supplying the OCR with proper documentation! How well do you trust yours?

If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC