
Rule Update

OCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement

TL;DR

HHS restructured its Office for Civil Rights by creating three new divisions: an Enforcement Division dedicated to investigating complaints, a Policy Division focused on regulatory guidance, and a Strategic Planning Division for data analytics and coordination. The restructuring was prompted by a 69% increase in complaints between 2017 and 2022 and has contributed to the increase in settlements and civil money penalties seen in 2025 and 2026.


HHS restructured its Office for Civil Rights, creating three new divisions to handle a 69% increase in complaints. Here is how the new structure works and what it means for HIPAA investigations.

medcomply.ai editorial team · Published May 15, 2026 · Updated May 15, 2026 · 4 min read

Understanding how OCR is organized helps covered entities and business associates understand how HIPAA investigations are conducted, why investigation timelines vary, and what has driven the increase in enforcement activity in 2025 and 2026.

Why OCR restructured

The driving force behind OCR's internal restructuring was simple: complaints were rising faster than resources.

OCR's caseload increased to over 51,000 complaints in 2022 — a 69% increase between 2017 and 2022. Reported data breaches increased 58% between 2017 and 2021. With a flat budget and a rapidly growing caseload, OCR needed to do more with the same resources. The restructuring was designed to improve efficiency through specialization.

The three new divisions

HHS created three new divisions within OCR: an Enforcement Division, a Policy Division, and a Strategic Planning Division.

The Enforcement Division

The Enforcement Division is a standalone division providing dedicated integration between OCR's regional offices and headquarters to ensure complaints are swiftly investigated. It has a particular focus on cybersecurity breaches, which represent approximately 80% of large breach reports.

45 CFR §160.306

This is the division that handles HIPAA enforcement investigations — the team that reviews your documentation when OCR opens an investigation. The integration between regional offices and headquarters creates a more coordinated national enforcement posture, reducing the variability that previously existed between regional offices.

The Policy Division

The Policy Division focuses on regulatory guidance — developing the FAQs, guidance documents, and official interpretations that help covered entities understand their HIPAA obligations. When OCR publishes guidance on HIPAA and AI, clarifies right of access requirements, or releases updated model Notices of Privacy Practices, that work flows through this division.

For compliance professionals, Policy Division output often matters as much as formal rulemaking. OCR guidance documents, while not legally binding, carry significant practical weight in determining what OCR expects during investigations.

The Strategic Planning Division

The Strategic Planning Division coordinates public outreach, expands data analytics capabilities, and coordinates data collection across HHS leadership. The data analytics function has direct enforcement implications — by analyzing complaint and breach data systematically, OCR can identify which sectors have the highest complaint rates, which violation types are most common, and target enforcement resources accordingly. This data-driven approach underlies targeted initiatives like the Risk Analysis Initiative and Right of Access Initiative.

The 2025 broader HHS restructuring

The internal OCR reorganization is distinct from the broader HHS restructuring announced in March 2025 under the Trump administration, which:

  • Created a new Assistant Secretary for Enforcement to oversee OCR, the Departmental Appeals Board, and Medicare hearing appeals
  • Consolidated HHS from 28 divisions to 15
  • Reduced OCR regional offices from ten to five

The reduction in regional offices from ten to five has practical implications for how complaints are routed and investigated geographically. Whether OCR's policymaking and regulatory roles remain distinct under the new Assistant Secretary for Enforcement structure remains an open question that compliance professionals should monitor.

What this means for HIPAA investigations

Faster cybersecurity breach investigations. The Enforcement Division's dedicated focus means large breach reports are more likely to trigger investigations and move through the process more efficiently.

More consistent outcomes. Improved headquarters-regional integration reduces the variability in investigation quality and outcomes that previously existed between regional offices.

More analytical enforcement targeting. OCR's improved data analytics capacity means enforcement initiatives are increasingly data-driven — targeting sectors and violation types where the data shows the greatest compliance gaps.

More regulatory guidance. A dedicated Policy Division is likely to produce more interpretive guidance, which benefits compliance officers navigating ambiguous HIPAA questions.

The funding constraint remains

Despite efficiency gains from restructuring, OCR's fundamental resource constraint is unresolved. OCR has been pushing Congress to increase HIPAA penalty maximums — not primarily to impose larger fines, but to generate enforcement revenue that funds additional capacity.

The broader HHS restructuring adds further uncertainty. How OCR's enforcement priorities interact with the Trump administration's deregulatory agenda — and whether the new Assistant Secretary for Enforcement structure affects HIPAA-specific enforcement — remains one of the more consequential open questions in the current HIPAA landscape.

Note

The most practical implication of OCR's restructuring: investigation timelines may be shorter and outcomes more consistent. If your organization receives an OCR document request, respond promptly, completely, and accurately. The Enforcement Division's dedicated focus means investigations are likely to proceed with more efficiency than the pre-restructuring backlog suggested.

OCR restructured to handle a 69% increase in complaints with the same budget, creating a more specialized and coordinated enforcement operation. The increase in settlements and penalties in 2025 and 2026 is partly a product of this restructuring. Covered entities should assume that breach reports and complaints will be investigated more quickly and consistently going forward.

Sources & citations

  • HHS OCR Restructuring Announcement
  • HIPAA Journal — HHS Restructuring Effort
  • 45 CFR §160.306 — Complaints to the Secretary

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

What are OCR's three new divisions?
OCR created three new divisions: (1) the Enforcement Division, dedicated to investigating HIPAA complaints with a focus on cybersecurity breaches; (2) the Policy Division, focused on developing regulatory guidance; and (3) the Strategic Planning Division, which handles public outreach, data analytics, and cross-division coordination.
Why did OCR need to restructure?
OCR's caseload increased dramatically while its budget remained flat. Complaints increased 69% between 2017 and 2022, reaching over 51,000 in 2022. Reported data breaches increased 58% between 2017 and 2021. The restructuring allows OCR to make better use of existing staff through specialization.
How does the Enforcement Division change HIPAA investigations?
The Enforcement Division provides dedicated integration between OCR's regional offices and headquarters, enabling faster and more consistent investigation of complaints. It has a particular focus on cybersecurity breaches, which represent approximately 80% of reported large breaches.
Does OCR have enough funding to enforce HIPAA effectively?
OCR has consistently reported it is underfunded relative to its caseload. The restructuring improves efficiency with existing resources but does not resolve the underlying funding gap. OCR has been pushing Congress to increase HIPAA penalty amounts to generate more enforcement revenue.
How does the dramatic 2025 HHS restructuring affect OCR?
In March 2025, HHS announced a broader restructuring creating a new Assistant Secretary for Enforcement to oversee OCR, the Departmental Appeals Board, and Medicare hearing appeals. This is separate from the earlier internal OCR reorganization. It also reduces OCR's regional offices from ten to five, which may affect complaint routing and investigation timelines.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.