OCR Director Stannard: Enforcement Widening To Encompass Risk Management, Parents' Access | Health Care Compliance Association (HCCA) - JDSupra

Report on Patient Privacy 26, no. 1 (January 2026)

Paula Stannard, the newish director of the HHS Office for Civil Rights (OCR), plans to continue two enforcement initiatives with which covered entities (CEs) and business associates (BAs) likely are familiar, but she's expanding both in ways that should cause them to sharpen and refocus their compliance efforts, RPP has learned.

"I really am putting a great emphasis on the importance of taking Security Rule compliance to the next step" as a follow-up to OCR's Security Risk Analysis Initiative, Stannard told RPP during an exclusive interview in mid-December. This initiative is being broadened to include a related determination as to whether CEs and BAs have "also looked at the results of their risk assessment and taken the next step to figure out what security measures are appropriate to address the risks and vulnerabilities that are identified by the risk assessment," she said.

In addition to scrutinizing risk management plans, OCR will expand its Right of Access Initiative (which recently notched its 54th case) with a new focus on whether parents of patients, in particular, are being denied access to their children's records, Stannard said.

Putting Regulated Entities 'On Notice'

During a wide-ranging interview that marked the first extensive public comments she has made since her appointment in June, Stannard said OCR plans to add staff and likely will be part of a new agency when an HHS-wide reorganization goes forward. She also discussed the future of the proposed Security Rule, issued a year ago by the Biden administration. But (spoiler alert) she gave no hint as to its fate.[i]

OCR directors are political appointees who change with administrations. As such, CEs and BAs typically like to get to know the OCR director's goals, priorities and perhaps special interests to align their compliance programs, better safeguard patients' privacy and avoid enforcement actions.

Stannard has twice served in HHS prior to her OCR appointment, and she's now more than six months
into the post, but the health care community has seen less of her imprimatur related to HIPAA thus far. This is due to a combination of factors, including the government shutdown and OCR's involvement in less traditional activities such as investigations into alleged antisemitism.

But they should expect to learn more from her directly, as Stannard also told RPP she intends to up her engagement with the community and stressed her familiarity with HIPAA, which dates back decades.

Stannard agreed to an interview with RPP in the fall, but a scheduled call had to be postponed due to the shutdown. As is its standard practice, RPP submitted questions in advance, all of which Stannard answered. Stannard's comments to RPP about risk management enforcement efforts are meant "to put all of our regulated entities on notice that this is the next step," she said.

CEs and BAs have had more than a year to up their security risk analysis game; then-director Melanie Fontes Rainer launched the initiative in October 2024. OCR has announced nearly a dozen enforcement actions related to faulty risk assessments. Industry experts, however, say both types of organizations are behind in completing risk analyses.[ii]

Risk Management Must Follow Analysis

Stannard called this a "combined" initiative "because you can't do risk management unless you've done a good risk assessment. If you haven't done a risk assessment, you can't do risk management. So the two go hand in hand."

Addressing CEs and BAs, Stannard said it's "great if you're actually doing a risk assessment and you know where your risks and vulnerabilities are. But it's also important what you do with that information, and that's what the risk management security requirement is designed to do. Once you know where your risks and vulnerabilities are, let's address them. Let's make sure that you've looked at it and identified the security measures that will help you address those risks and vulnerabilities."

At the time of the interview, OCR didn't have any particular cases in mind to make
this point, she said.

Stannard: Parents Thwarted in Access Requests

As part of this initiative, OCR is working on a new risk management video, which it announced in a listserv notice Dec. 1. It solicited questions the agency could address, allowing just a week's deadline. Stannard said OCR had hoped to issue the video during October, which is cybersecurity month, but it was delayed due to the shutdown.

OCR planned to launch the risk management initiative with investigations beginning this year.

On Dec. 16, the day after she spoke to RPP, Stannard announced OCR had completed its 54th enforcement action in its Right of Access Initiative, a case that took seven years to settle.[iii] Concentra Inc., a Texas occupational health services provider, agreed to pay $112,500. It took the firm more than a year to provide an attorney representing a patient access to requested records. RPP will explore this settlement in more detail in a future issue.

This initiative was first started by Roger Severino, President Donald Trump's first OCR director, in 2019. Keeping (and expanding) the Right of Access Initiative reflects new concerns as well as longstanding patient challenges, Stannard said.

"From what I've seen, what we continue to see in the area of complaints, that is still the number one or number two HIPAA area of complaints," Stannard said. "We are expanding that. In addition to the general focus on right of access, we are specifically looking at parents' rights to access their minor children's health records."

Colleague Letter Signaled Interest

Stannard explained that OCR has heard that certain large health care facilities or their electronic health record vendors were denying parents the right to access their minor children's medical records; it might be that they could access certain records until the child reached age 13, and then the child had to authorize access. Other mechanisms may also have been in place that served to deny parents access, despite what Stannard termed a "black letter" Privacy Rule requirement granting
it.

While this is a new area of focus, Stannard signaled the approach last month, but CEs and BAs may have missed the announcement and its implications.

On Dec. 3, HHS said it was taking strong actions to protect the rights of parents within the practice of pediatric medicine, including an investigation into a complaint that a Midwestern school illegally vaccinated a child with a federally provided vaccine without the parent's consent by ignoring a religious exemption submitted under a state law.[iv]

At the same time, HHS issued a three-page "Dear Colleague" letter from Stannard reminding health care providers about federal law requiring them to provide parents access to their children's health information. HHS noted that the letter spells out parents' right to access their children's protected health information, specifically that a parent is the personal representative of his or her minor child where the parent has the legal authority to make health care decisions for the child and can exercise their children's rights with respect to protected health information, including the right of access.

The announcement also disclosed that OCR was initiating compliance reviews of a number of large health care providers to ensure that parents receive timely access to their children's health information.

Reorganization Expected to Move Forward

The "Dear Colleague" letter "was a way of drawing regulated entities' attention to this aspect of the Privacy Rule and the very narrow exceptions to that," Stannard told RPP. "But we also then initiated a number of compliance reviews to make sure that, as a result of that 'Dear Colleague' letter and announcement of the compliance reviews, that we'll be getting more complaints."

OCR intends to investigate complaints as they arise. "We'll make sure that people know when the right of access that we've found violated involved parents' rights," she said. OCR is putting "a marker down that this is something that health care entities have to pay attention to, and they fail to do so at their own risk, and that when we get a complaint about right of access, we'll also be looking at the parental rights aspect."

In March, HHS Secretary Robert F. Kennedy Jr. announced the agency would be undergoing a dramatic restructuring; among the changes was creation of an Assistant Secretary for Enforcement, an office to include OCR, Department of Appeals Board, Office of Medicare Hearings and Appeals, Office for Human Research Protections (OHRP) and Office of Research Integrity (ORI).[v]

Stannard said her understanding is that the reorganization will go forward "at some point in probably the relatively near future," and she confirmed that the agencies involved are those Kennedy identified. But less clear is what the new umbrella agency will be called.

Stannard noted there are "various steps that are involved in a reorganization of the department, and part of that includes ultimately informing Congress." She disclosed that there are "departmental staff that, on a day-to-day basis, are implementing the necessary steps on the macro-level for departmental reorganization. On the more focused part, we are in communication with our counterparts in the other offices that would become part of what was at the time called the Assistant Secretary for Enforcement."

Officials "don't know what the title will ultimately be, but we believe that the reorganization is going to be going forward," Stannard said.

Hiring Would Begin After Approval

OCR also expects to be adding staff, though Stannard didn't provide specifics. She noted that some OCR employees voluntarily participated in workforce reduction programs such as the deferred resignation program, voluntary early retirement and voluntary separation incentives. As a result, "we are down some staff."

Along with the reorganization, RPP previously reported that some OCR staff received reduction-in-force (RIF) notices last spring. Fontes Rainer, for example, told RPP that OCR employees in New York, Chicago, Dallas and California received termination notices, although she could not provide
a number. Fontes Rainer said the cuts were troubling for the future, noting that staff in New York and California were heavy contributors to HIPAA compliance efforts. However, HHS reversed some RIFs, including at OCR.

Although the government is still under a hiring freeze, Stannard said agencies government-wide are creating department-level hiring plans. OCR has contributed to HHS' plan, which contains "a forecast for the department where we see our needs."

Once a department's plan is approved by the Office of Personnel Management, "then the department is relieved of the hiring freeze and could proceed in hiring in accordance with its hiring plan," Stannard said. OCR anticipates "being involved in the hiring process as we go forward," Stannard said.

The realities of what 2025 looked like did take a toll on agency activities, and thus OCR may not have as many settlements to announce, she acknowledged.

"While none of my full-time equivalent employees ended up being RIF'd, we did lose a number of investigators, and there was a period of time when some of my employed staff who had been RIF-notified were not working," Stannard said. "They're now back, and then there was the government shutdown. So, realistically, that impacted our ability to investigate."

'We Are Committed to Education'

Going forward, "there may be some slowdown in settlement announcements, but no one should think that that means that we're not enforcing HIPAA and not investigating complaints because of, hopefully, a unique set of circumstances," Stannard warned.

The shutdown had other effects. In recent years, OCR directors have been frequent speakers at industry events, part of the agency's traditional emphasis on education and outreach, but the government shutdown and an early communication ban by HHS officials appointed by Trump meant new administration officials were mostly absent from regulated community circles.

Stannard said she believes education and engagement are "very important," noting she'll be talking about Part 2 topics as well as about
HIPAA.

"I may be the first director who actually has some HIPAA experience in their past, so it's something I'm eager to be speaking on, and on all of the OCR portfolio," Stannard said. "A combination of factors has dictated that I haven't spoken on it; I haven't been speaking up much on it to date, but I definitely anticipate doing so. We continue to be committed to education of regulated entities and providing guidance, whether it's FAQs and otherwise, to help inform regulated entities of how we see the HIPAA rules, how we see Part 2."

Also echoing her predecessors, Stannard said OCR will continue to have less formal interactions with regulated entities, pointing out that they can submit questions and requests for speakers through OCR's website.

"We welcome those indications of areas of interest because it helps us guide our outreach and the education," Stannard said. "We want to be sure that what we do provides the greatest benefit for the resources that we expend in producing that guidance." OCR officials want "to make sure that what we do issue is in areas where it will be most beneficial to the regulated public."

Stannard's Approach Informed by Past Jobs

At RPP's request, Stannard also shared observations gleaned in her first six months leading OCR. Among them is the realization that OCR, with 55 laws to enforce, has a bigger mission than civil rights offices in other departments, she said. And its remit has grown, as OCR now has enforcement authority for Part 2 regulations, which govern privacy and security of substance use disorder providers and patient records.

"We looked at Part 2 authority and said, 'As much as we don't need another job, we're the logical place to put it.' And so we suggested to the secretary that it would be appropriate to delegate that authority to us," Stannard explained. OCR has managed to secure additional funding from the department to address the startup implementation costs out of fiscal year 2025 funds "so that we don't have to find all the resources within OCR" to assume Part 2
oversight duties, she said. To date, OCR has not announced any enforcement actions against Part 2 providers.

In addition to addressing HIPAA and Part 2, OCR officials also are leading implementation of "the president's bold civil rights agenda in health and human services, including antisemitism, race-based discrimination embedded or cloaked in diversity, equity and inclusion programs," she said. "We're reinvigorating enforcement of conscience and religious freedom laws. Our work in these areas is highly visible. Our portfolio is very significant."

Stannard, as she noted, isn't new to HIPAA, something that might provide solace to CEs and BAs. "I was involved in the modifications to the Privacy Rule that were made in President George W. Bush's first term," Stannard recalled, adding that she also "led a team, largely of attorneys in the general counsel's office but also some OCR staff, to do the first enforcement rule, which was essentially a process rule."

Moreover, in the first Trump administration, she was senior counselor and advisor to then-HHS secretaries Tom Price and Alex Azar. Stannard's career also includes 16 years in private practice, where her work included counseling on HIPAA, "both privacy and security, breach notification, and on transactions rules," she told RPP.

Her most recent position before returning to HHS and OCR was chief legal counsel of the Montana Department of Public Health and Human Services, a hybrid CE. "We operated the state's Medicaid program, which obviously is a covered entity," Stannard said. The agency also had "six or seven health care facilities that were responsible for operating the state's mental hospital, a couple of nursing homes, etc."

She said her state-level experience has been useful in understanding the demands on state agencies and other regulated entities that are partners with HHS, while her legal work has "informed how to approach the job here."

Another observation Stannard shared with RPP had to do with the professionalism of OCR staff. "It's been rewarding to work with them again. They're dedicated, well-informed, and they're engaged and committed."

[i] Theresa Defino, "OCR's Stannard Mum on Fate of Security Rule NPRM," Report on Patient Privacy 26, no. 1 (January 2026), 4.

[ii] Jane Anderson, "CEs, BAs Grappling with Risk Analysis As OCR Expands into Risk Management," Report on Patient Privacy 26, no. 1 (January 2026), 8.

[iii] U.S. Department of Health and Human Services, "HHS Office for Civil Rights Settles HIPAA Right of Access Investigation with Concentra Inc.," news release, December 16, 2025, https://bit.ly/44WPkcV.

[iv] U.S. Department of Health and Human Services, "HHS Protects Parents' Rights in Children's Health Decisions," news release, December 3, 2025, https://bit.ly/3N8wSYA.

[v] Theresa Defino, "OCR Loses Staff, Faces Move to New Enforcement Office; Will HIPAA Focus, Independence Suffer?" Report on Patient Privacy 25, no. 4 (April 2025), 1.
Health Care Compliance Association HCCA