Report on Patient Privacy 25, no. 4 (April, 2025)
Today, the HHS Office for Civil Rights (OCR) stands shoulder-to-shoulder with the likes of the Office of Inspector General and Office of General Counsel, one of just a dozen or so agencies reporting directly to the secretary. But in the coming months, it is expected to move to a new umbrella agency—the Office of the Assistant Secretary for Enforcement.
With the barest of details, HHS Secretary Robert F. Kennedy Jr. announced the change on March 27, and HHS did not respond to RPP’s request for specifics. OCR’s transfer merited a single line in Kennedy’s announcement, which unveiled what he called a “dramatic restructuring” aligned with an executive order on “workforce optimization.” This same news release heralded HHS’ plan to cut its workforce from 82,000 to 62,000 full-time employees and preceded by five days the start of mass terminations, which are effective June 1.[1]
With a workforce of perhaps fewer than 250, OCR’s leaders have long pleaded for additional funding to correct chronic understaffing and fuel more enforcement efforts. Yet it wasn’t immune to the firings, losing staff in several of its most active enforcement offices, Melanie Fontes Rainer, the most recent OCR director, told RPP.
Even prior to the restructuring announcement and terminations, OCR’s Acting Director Anthony Archeval, appointed by the Trump administration, had imposed what appears to be a significant expansion of the agency’s priorities. It has announced that it is conducting investigations into medical schools’ admissions practices and commencement ceremonies, with a focus on alleged antisemitism and discriminatory admissions, and into Maine’s purportedly illegal allowance of men in women’s sports, to name just a few recent examples.
In a wide-ranging interview with RPP, Fontes Rainer called the terminations worrisome and said the restructuring raises questions about OCR’s future independence. She also voiced concerns that these developments could prompt OCR to take its eye off cybersecurity at a time when the health care industry is increasingly facing ransomware attacks and still struggling to recover from last year’s massive Change Healthcare breach—an event that affected 190 million individuals and which Congress and others have said should be met with increased enforcement and new regulatory requirements on health care organizations.
“Do I think that these are things that are more or less important than cybersecurity? No. I think probably cybersecurity affects more people and [breaches are] more detrimental to the health care system,” Fontes Rainer said, referring to the new OCR investigations. “I understand the politics of why the administration is taking these actions. I don't necessarily agree with them, but I do hope that as they decide to take such steps, they aren’t leaving the health care system out, cut and dry, on cybersecurity and privacy, which I think are really the bread and butter of OCR.”
Fontes Rainer also discussed enforcement actions that occurred during her tenure, the future of the proposed Security Rule revision and which initiatives she hopes will continue under the next OCR director, who has not yet been appointed. RPP will feature these comments in a future issue.
New OCR Efforts Don’t Concern HIPAA
In recent weeks, Archeval released three HIPAA enforcement actions, all finalized under Fontes Rainer, including a $228,000 settlement with a business associate that failed to conduct a risk analysis.[2] Otherwise, Archeval hasn’t mentioned privacy and security, although two agency officials recently gave addresses at a national HIPAA conference—an apparent thawing of HHS’ earlier communication freeze on its staff.
In February, Archeval announced that OCR had launched compliance reviews of four medical schools following complaints of “antisemitism incidents during their commencement ceremonies in 2024” and of the Maine Department of Education, including the University of Maine, “based on information that Maine intends to defy” an executive order it said prohibits “biological males to compete in women’s sports.”[3]
On the same day the restructuring was announced, Archeval said that OCR had begun its fifth investigation into “certain medical schools and hospitals that receive HHS funding” that “may operate medical education, training, or scholarship programs for current or prospective workforce members that discriminate on the basis of race, color, national origin, or sex.” He added that “national policy under Executive Order 14173 directs federal agencies to enforce long-standing civil rights laws and ‘to combat illegal private sector [diversity, equity and inclusion] DEI preferences, mandates, policies, programs, and activities.’”[4]
Joining OCR in the new enforcement office will be the Departmental Appeals Board and the Office of Medicare Hearings and Appeals, HHS said, “to combat waste, fraud, and abuse in federal health programs.” As the hundreds of thousands of HIPAA covered entities and business associates know, OCR’s authority extends far beyond federal health programs and, until now, has never been associated with “waste, fraud and abuse” reduction efforts.
The restructuring calls for HHS to merge its 28 divisions into 15 and reduce the number of regional offices from 10 to five. OCR’s locations don’t correspond directly to HHS’ and, as noted, no details about specific changes have been announced. As of December, OCR had offices in Boston, New York, Philadelphia, Atlanta, Chicago, Kansas City, Dallas, Denver and San Francisco.
Fontes Rainer told RPP her biggest concern is ensuring that OCR remains independent and doesn’t lose its ability to conduct independent investigations, adding that the planned reorganization must not “interfere with OCR’s ability to quickly respond to things that are occurring in our health care system and potentially hindering how people get care.”
Regarding OCR’s recently announced probes, “I would say it’s important in those investigations to make sure that they’re not arbitrarily and preemptively making a covered entity be guilty and inferring that they’re guilty, whether in the media or through their actions,” Fontes Rainer said.
Some workers throughout HHS began receiving emailed termination notices on March 28, but many weren’t told until 5 a.m. on April 1; others found out when they could not enter their buildings or when they signed on to their work computers. Based on RPP’s interviews with affected workers, the apparently standard procedure at HHS was to put employees on immediate administrative leave, cut off their access to their work email and make terminations effective 60 days later.
According to Fontes Rainer, OCR employees in New York, Chicago, Dallas and California received termination notices; she could not provide a total number. But the cuts are particularly troubling for the future, Fontes Rainer said, especially because staff in New York and California are “heavy contributors to HIPAA compliance” efforts.
For example, New York staff negotiated the Feb. 6, 2024, $4.75 million settlement with Montefiore Medical Center that resulted from 11 breaches the hospital experienced from 2010-2022. They also closed the investigation into Warby Parker, which ended with a $1.5 million fine that OCR announced Feb. 20 of this year. The California staff brokered the $1.3 million settlement with L.A. Care that OCR announced in September 2023.
‘People Should Be Asking Questions’
“I am worried that this could have a severe impact on the agency’s ability to be responsive to cybersecurity and to do its job on cyber compliance,” Fontes Rainer said, noting that OCR investigators “don’t just investigate civil rights. They do civil rights, they do religion, they do cybersecurity and HIPAA, which [requires] a pretty dense skill set. And so having a seasoned cybersecurity investigator is really important to the work.”
In light of the terminations and restructuring, “people should be asking questions: How will this impact that work? What steps are you taking to mitigate that? How can we make sure these cuts don’t impact cybersecurity?” Fontes Rainer said. “We’re seeing more and more ransomware and other attacks to our health care system. It’s critical for the HHS secretary, for the industry, for Congress to understand how these changes are going to impact the agency’s ability to be responsive to those moments.”
Among its responses to the Change Healthcare breach, for example, OCR issued a Dear Colleague Letter, created an FAQ webpage it has consistently updated and began its own investigation into the organization.
Enforcing just the three primary HIPAA regulations—privacy, security and breach notification—with its limited staff is already a “very tall order, which is why it’s really important to do so much front-end work,” such as talking to providers and associations and making sure OCR is “driving compliance voluntarily,” she said. Fontes Rainer said she did not know whether being placed under an “enforcement” department would change that approach.
She noted that OCR itself has “already been consolidating. When you run a small organization with a really important mission that’s underfunded, no matter who is there, you have to figure out how to more efficiently do that, because otherwise you’re not going to get all the things done” that are needed, Fontes Rainer told RPP.
OCR handles some 40,000 complaints per year despite being “small,” she added. “There just isn’t much fat at all because it’s a shoe-string budget. It’s been flat-funded for over two decades. It has a growing number of mandates. It’s in charge of 55 different statutes, including the big ones, all the civil rights [laws], as well as HIPAA,” she said.
Congress Historically Rejects OCR Funding Increases
Fontes Rainer said that during her tenure, OCR had a staff of between 120 and 150 employees who are supported by some 90 contracted investigators. According to its fiscal year (FY) 2025 budget request, OCR sought an increase of $17 million, which would have brought its total discretionary budget of $39.798 million to $56.798 million. The largest portion of the increase—$13 million—would have been used to hire “71 regional investigators to address complaints, breaches, compliance reviews” to add to its 115 full-time equivalent (FTE) employees. At the time, it cited a backlog of 8,000 cases.
OCR also estimated it would have $10 million in civil monetary penalties—a drop of $9 million collected in FY 2023. It was hoping to bring its total FTEs to 234 from 163 in both FY 2023 and 2024. For comparison, its 2016 funding was $38.798 million. Congress did not approve the FY 2025 budget request, and like the rest of the federal government, the agency is now funded under a series of continuing resolutions that reflect no increases from 2024.
The Trump administration has not yet released its FY 2026 budget request, but given all the cuts occurring governmentwide, it is unlikely to call for an increase.
Fontes Rainer also noted that the two other agencies joining OCR under the new enforcement office “may all have different statutory language around their creation and their delegations.” There should be assurances that the individual agencies remain “compliant” with them, Fontes Rainer said, “and that instructions from Congress are being followed appropriately.”
Senators Schedule Hearing With Kennedy
Some members of Congress also expressed concerns.
On April 1, more than three dozen Senate Democrats wrote to Kennedy “demanding answers about the tens of thousands of federal health workers that have been fired this week and the unquestionable impact on Americans’ health and well-being.” They requested replies to a series of questions, including about the scope and rationale for the firings, by April 4. “The American people deserve the ‘radical transparency’ you have repeatedly promised them, yet failed to deliver at every opportunity,” the letter said.[5]
They specifically called out the changes to OCR, saying its “consolidation…into an agency to fight ‘waste fraud and abuse’ leaves patients and providers without critical protections. OCR enforces our nation’s federal civil rights laws as well as health privacy and patient safety laws. Those protections of American’s fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy cannot be diluted. Any consolidation or de-prioritization of the vital work of OCR will harm patients’ access to health and human services,” they wrote.
Also, on April 1, Sens. Bill Cassidy, R-La., and Bernie Sanders, I-Vt., requested that Kennedy appear before the Health, Education, Labor and Pensions Committee on April 10 to address the restructuring and layoffs. As of RPP’s deadline, Kennedy had not publicly responded.
On April 4, HHS announced that Kennedy was launching a “Make America Healthy Again” tour, with stops in Utah, Arizona and Nevada. He plans to visit two community health centers, “discuss the role of tribal self-governance in advancing patient care, innovation, and community wealth,” and talk with Navajo tribal leadership about “food sovereignty initiatives, wellness programs, and the first-ever junk food tax implemented by a tribe.”
HHS also said Kennedy will “visit a Pre-K to 11th grade charter school that integrates healthy eating and physical fitness into its daily student life.” The tour will run from April 7 to 9.
1 U.S. Department of Health and Human Services, “HHS Announces Transformation to Make America Healthy Again,” news release, March 27, 2025, https://bit.ly/3E73aiE.
2 Theresa Defino, “Fifth Risk Analysis Settlement Includes $227K Payment; Priciest of Cases So Far,” Report on Patient Privacy 25, no. 4 (April 2025).
3 Theresa Defino, “$1.5M Warby Parker Fine a Holdover; OCR Focuses On Men in Sports, Antisemitism, ‘Biological Truth,’” Report on Patient Privacy 25, no. 3 (March 2025), https://bit.ly/4clCVSj.
4 U.S. Department of Health and Human Services, “HHS’ Civil Rights Office Investigates California Medical School for Discriminatory Race-Based Admissions,” news release, March 27, 2025, https://bit.ly/3YiNoIe.
5 U.S. Senator Mark Warner et al., letter to Health and Human Services Secretary Robert F. Kennedy Jr., April 1, 2025, https://bit.ly/4cF5EBP.