News
OCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement · Rule UpdateOCR Director: The Cost of Doing Nothing Is Very High · Rule UpdateHIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means · Rule UpdateOCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule UpdateReproductive Health Privacy Rule Partially Vacated: What Your Notice of Privacy Practices Must Say Now · Rule UpdateWarby Parker Fined $1.5 Million by OCR: What Retailers With Health Plans Must Know · OCR EnforcementHow to Respond to a HIPAA Breach — A Step-by-Step Guide · Data BreachHIPAA Breach Notification Rule — Complete Guide to What Triggers Notification and When · Data BreachHIPAA Breach Notification Overview · Data BreachHIPAA Compliance Checklist for Covered Entities — 2026 Edition · AnalysisOCR Passes 50 Enforcement Actions in 2026 — and Adds Parental Access to Its Target List · OCR EnforcementOCR Audit Preparation — Checklist and Evidence Map for HIPAA Investigations · OCR EnforcementPatient Rights Under HIPAA — A Practical Guide for Healthcare Providers · Rule UpdateThe HIPAA Security Rule Final Rule: $9 Billion Price Tag, 100+ Hospital Coalition Opposition, and What Actually Happens Next · Rule UpdateHIPAA Staff Training Requirements — What's Required, Who Needs It, and How to Document It · AnalysisHIPAA Security Rule Overhaul — Final Rule Expected May 2026. Is Your Organization Ready? · Rule Update2026 HIPAA Penalty Amounts — Updated Figures Every Compliance Officer Needs · OCR EnforcementOCR Fines Employer-Sponsored Health Plan $245,000: What Every HR Department Must Know · OCR EnforcementAssured Imaging Fined for Never Conducting a Risk Analysis: 244,813 Patients Affected · OCR EnforcementOCR Begins Enforcing Part 2: What Behavioral Health Providers Must Know · Rule UpdateOCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement · Rule UpdateOCR Director: The Cost of Doing Nothing Is Very High · Rule UpdateHIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means · Rule UpdateOCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule UpdateReproductive Health Privacy Rule Partially Vacated: What Your Notice of Privacy Practices Must Say Now · Rule UpdateWarby Parker Fined $1.5 Million by OCR: What Retailers With Health Plans Must Know · OCR EnforcementHow to Respond to a HIPAA Breach — A Step-by-Step Guide · Data BreachHIPAA Breach Notification Rule — Complete Guide to What Triggers Notification and When · Data BreachHIPAA Breach Notification Overview · Data BreachHIPAA Compliance Checklist for Covered Entities — 2026 Edition · AnalysisOCR Passes 50 Enforcement Actions in 2026 — and Adds Parental Access to Its Target List · OCR EnforcementOCR Audit Preparation — Checklist and Evidence Map for HIPAA Investigations · OCR EnforcementPatient Rights Under HIPAA — A Practical Guide for Healthcare Providers · Rule UpdateThe HIPAA Security Rule Final Rule: $9 Billion Price Tag, 100+ Hospital Coalition Opposition, and What Actually Happens Next · Rule UpdateHIPAA Staff Training Requirements — What's Required, Who Needs It, and How to Document It · AnalysisHIPAA Security Rule Overhaul — Final Rule Expected May 2026. Is Your Organization Ready? · Rule Update2026 HIPAA Penalty Amounts — Updated Figures Every Compliance Officer Needs · OCR EnforcementOCR Fines Employer-Sponsored Health Plan $245,000: What Every HR Department Must Know · OCR EnforcementAssured Imaging Fined for Never Conducting a Risk Analysis: 244,813 Patients Affected · OCR EnforcementOCR Begins Enforcing Part 2: What Behavioral Health Providers Must Know · Rule Update

Rule Update

OCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement

TL;DR

On May 19, 2026, OCR announced it will create new offices dedicated to religious discrimination cases, including a unit focused on anti-Christian bias and anti-Semitism. The announcement comes after HHS cut 20,000 jobs and closed many regional offices, significantly reducing OCR's HIPAA enforcement capacity. Healthcare compliance observers are concerned that HIPAA breach enforcement will be deprioritized as OCR shifts resources toward Trump administration priorities — though OCR stated it will continue enforcing HIPAA privacy and security regulations.

On May 19, 2026, OCR announced it will create new offices dedicated to religious discrimination cases, including a unit focused on anti-Christian bias and anti-Semitism. The announcement comes after HHS cut 20,000 jobs and closed many regional offices, significantly reducing OCR's HIPAA enforcement capacity. Healthcare compliance observers are concerned that HIPAA breach enforcement will be deprioritized as OCR shifts resources toward Trump administration priorities — though OCR stated it will continue enforcing HIPAA privacy and security regulations.

OCR announced new offices focused on religious discrimination and anti-Christian bias on May 19, 2026 — raising serious questions about whether HIPAA breach enforcement will receive less attention as resources shift to administration priorities.

medcomply.ai editorial teamPublished May 22, 2026Updated May 22, 20266 min read

The most significant development in HIPAA enforcement this week did not involve a settlement, a penalty, or a new guidance document. It involved a reorganization that raises fundamental questions about whether the agency charged with enforcing healthcare privacy law will have the resources and focus to do so effectively.

What OCR announced

On May 19, 2026, the HHS Office for Civil Rights announced that it will create new organizational units focused on religious discrimination in healthcare. OCR announced it will stand up a new office dedicated to pursuing cases of religious discrimination alleged by healthcare workers and patients, as well as a new unit focused on matters such as anti-Christian bias and anti-Semitism.

The announcement was notable not just for what it added but for the context surrounding it. The latest shuffling of resources comes during a period of persistent cyberattacks and other breaches in the healthcare sector, as well as during a time when critical regulatory updates are in the works for both the HIPAA security and privacy rules. The number of civil servants available to enforce HIPAA shrank considerably during restructuring of the administration's first year in which HHS cut 20,000 jobs and closed many regional offices.

The enforcement capacity question

OCR's formal position is that the department will continue to enforce HIPAA privacy and security regulations. That commitment should be taken at face value — OCR has not announced any change to its enforcement initiatives, and the Risk Analysis Initiative and Right of Access Initiative remain formally active.

But enforcement is a resource-dependent activity. Every investigation requires investigators. Every complaint requires intake staff. Every settlement requires attorneys and compliance monitors. When an agency loses significant staff and closes regional offices — while simultaneously being asked to stand up new organizational units with different priorities — the practical capacity to enforce existing programs is affected regardless of formal commitments.

Close observers are worried that OCR will focus less on an epidemic of breaches and more on ideologically-charged Trump administration priorities, with data breach-related work already diminished.

This concern is not unreasonable. In 2024, OCR handled over 51,000 complaints with a staff that has since been significantly reduced. The math of fewer investigators processing more complaints — while also building new units for religious discrimination cases — creates pressure on HIPAA enforcement capacity that is structural, not cosmetic.

What has already changed

The regional office closures are the most concrete development with measurable enforcement implications. OCR's ten regional offices have historically been the primary points of contact for:

  • Complaint intake from individuals who believe their HIPAA rights were violated
  • Initial investigation of complaints before escalation to headquarters
  • Geographic coverage for on-site investigations when needed
  • Local relationships with covered entities in their regions

Closing regional offices does not eliminate OCR's enforcement authority. But it does concentrate enforcement capacity in fewer locations, extend the geographic reach each remaining office must cover, and lengthen the investigation timelines that have already been a source of frustration for complainants.

45 CFR §160.306

What this means for covered entities

The practical implications cut in two directions — and organizations should be careful not to draw the wrong conclusion from either.

What it does not mean: Reduced enforcement capacity is not an invitation to reduce compliance investment. Organizations that assume a smaller, distracted OCR means reduced enforcement risk are making a strategic miscalculation. A more constrained OCR is likely to be more selective — focusing its limited investigative resources on the largest breaches, the most egregious violations, and the cases most likely to produce significant financial penalties and corrective action plans. Being on the wrong end of that selection is potentially worse than being investigated by a well-staffed agency with broader enforcement bandwidth.

What it may mean: Investigation timelines for complaints and smaller breaches may lengthen. The Right of Access Initiative, which has historically pursued even modest violations following individual complaints, may see reduced activity if complaint volume exceeds investigative capacity. Organizations that have been counting on OCR to pursue right of access violations on their behalf may find the agency less responsive.

Note

The Security Rule final rule — which OCR listed as a May 2026 target — has not been published. The combination of staff reductions, new organizational priorities, and significant industry opposition makes the regulatory picture for 2026 more uncertain than it was six months ago. medcomply.ai will publish updates as developments occur.

The broader political context

This restructuring reflects a deliberate set of priorities by the Trump administration. Civil rights enforcement focused on religious discrimination and anti-Christian bias represents a clear ideological direction for OCR that is distinct from its historical focus on healthcare privacy and non-discrimination in healthcare access.

Privacy attorney Adam Greene of law firm Davis Wright Tremaine described the May 2026 date listed in the HHS regulatory agenda for the Security Rule final rule as "more aspirational than a deadline." That assessment, made before the latest restructuring announcement, looks even more accurate in light of the new organizational priorities OCR has now formalized.

The Federal Trade Commission's trajectory is also relevant context. The FTC, which during the Biden administration stepped up enforcement of consumer health data privacy and security issues, is expected to pull back on privacy efforts from the last administration in 2026. If both OCR and the FTC reduce their health privacy enforcement activity simultaneously, the regulatory environment for healthcare data security shifts materially.

What covered entities should do

The appropriate response to this uncertainty is not to reduce compliance investment — it is to strengthen the documentation that makes an organization defensible if and when OCR does investigate.

OCR investigations are triggered by two primary sources: individual complaints and mandatory breach reports. Neither of those triggers is affected by OCR's internal restructuring. When a patient files a complaint or a breach is reported to HHS, an investigation opens. Whether that investigation proceeds quickly or slowly, and whether it results in a settlement or technical assistance, depends heavily on what the organization can produce.

Organizations with current risk analyses, documented risk management plans, complete training records, executed BAAs, and evidence of prompt response to compliance issues consistently receive better outcomes than those that cannot produce documentation — regardless of the enforcement environment.

Warning

The organizations most likely to be harmed by a more selective, less resourced OCR are those that have relied on enforcement being slow or unlikely to avoid taking compliance seriously. If OCR does investigate your organization, a smaller agency with fewer cases may actually be more thorough, not less.

OCR's May 19 announcement of new religious discrimination units — combined with 20,000 HHS job cuts and regional office closures — raises legitimate questions about HIPAA enforcement capacity in 2026. The appropriate response is not reduced compliance investment but stronger documentation. A more selective OCR that investigates fewer cases may be more consequential when it does investigate, not less.

Sources & citations

  • BankInfoSecurity — HHS Revamps HIPAA Enforcement AgencyOpen
  • 45 CFR §160.306 — Complaints to the SecretaryOpen

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

Will OCR stop enforcing HIPAA under the new structure?
No. OCR has stated it will continue to enforce HIPAA privacy and security regulations. However, with significantly fewer staff following HHS's 20,000-job reduction and regional office closures, observers are concerned that the practical capacity to investigate breaches and process complaints will be reduced — even if the formal commitment to enforcement continues.
What new offices is OCR creating?
OCR announced it will create a new office dedicated to pursuing cases of religious discrimination alleged by healthcare workers and patients, and a new unit focused specifically on anti-Christian bias and anti-Semitism cases. These are in addition to OCR's existing civil rights enforcement functions.
How many HHS jobs were cut and how does that affect HIPAA enforcement?
HHS cut approximately 20,000 jobs during the restructuring of its first year under the Trump administration. OCR also closed many of its regional offices, which are the primary points of contact for HIPAA complaint intake and initial investigation. Fewer investigators means longer investigation timelines and potentially reduced enforcement activity.
What happened to OCR's regional offices?
The broader HHS restructuring closed many of OCR's regional offices. OCR previously operated ten regional offices covering the United States. The closures reduce OCR's geographic presence and local capacity to handle complaint intake and investigation.
Does this mean organizations face less HIPAA enforcement risk?
The honest answer is uncertain. Reduced staffing and a shift in organizational priorities could slow investigation timelines and reduce the volume of enforcement actions. However, OCR's Risk Analysis Initiative and Right of Access Initiative both remain formally active. Organizations that assume reduced enforcement capacity means reduced risk are making a strategic mistake — a smaller, more focused OCR may prioritize the most significant violations.

Related intelligence

Rule Update

OCR Director: The Cost of Doing Nothing Is Very High

4 min read

Rule Update

HIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means

7 min read

Rule Update

OCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement

4 min read

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.