Quick Hits

  • OCR will be divided into three divisions: the Conscience and Religious Freedom Division, the Civil Rights Division, and the Health Information Privacy, Data, and Cybersecurity Division.
  • HHS and plan sponsor Star Group (SG) reached an agreement to resolve alleged HIPAA violations related to Star Group’s health plan, imposing $245,000 in fines and an extensive corrective action plan.
  • The two-year corrective action plan will require the health plan to conduct a comprehensive HIPAA data security risk analysis, update training materials, and make annual reports to HHS.
  • This enforcement action emphasizes the need for employers to prioritize security measures for health plan protected health information (PHI) and electronic protected health information (ePHI), as ransomware incidents can trigger government scrutiny and potential penalties under HIPAA.

OCR Restructuring

In announcing the restructuring, HHS stated that the new structure would prioritize and reorganize enforcement efforts related to health information privacy and security by establishing a separate, dedicated division within OCR as one of its three divisions: (1) the Conscience and Religious Freedom Division; (2) the Civil Rights Division; and (3) the Health Information Privacy, Data, and Cybersecurity Division.

According to a statement from OCR Director Paula M. Stannard, each new OCR division will have a team with “subject-matter expertise and distinct senior executive leadership” dedicated to enforcing HIPAA. Director Stannard further stated that the new structure “rightly prioritizes civil rights and conscience and religious freedom alongside health information privacy and security.”

In particular, this change will enable OCR to address its civil rights protections, specifically “to advance the protection of conscience rights, address race-based discrimination in a color-blind manner, eradicate antisemitism and anti-Christian bias, and restore biological truth,” HHS stated. Such a focus aligns with the Trump administration’s broader civil rights enforcement priorities.

SG Health Plan Enforcement Action and Corrective Action Plan

The OCR restructuring comes just weeks after the agency, on April 23, 2026, released a resolution agreement with the Star Group L.P. Health Benefits Plan (SG Health Plan), to resolve alleged HIPAA violations. Notably, the resolution agreement imposed a “Corrective Action Plan” (CAP) that highlights the agency’s focus on HIPAA enforcement and health plans’ duties to prevent and mitigate privacy breaches.

The alleged HIPAA violations stemmed from a reported October 22, 2021, ransomware attack that affected the PHI of approximately 9,316 individuals. After an investigation, HHS found that SG Health Plan “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”

While stipulating that SG Health Plan made no admission of liability, Star Group agreed to pay $245,000 in penalties and to enter a two-year CAP with extensive compliance obligations that go beyond mere payment of the fine.

Specifically, the CAP requires the SG Health Plan to:

  • Conduct a comprehensive risk analysis. SG Health Plan must “conduct a comprehensive and thorough Risk Analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of” ePHI. SG Health Plan must analyze all its electronic equipment, data systems, and applications that contain, store, transmit, or receive plan ePHI; develop a “Risk Management Plan to address and mitigate any security risks and vulnerabilities”; and provide that risk management plan to HHS for approval.
  • Revise policies and procedures to protect the privacy of PHI. SG Health Plan must review and revise its written policies and procedures as necessary to comply with federal standards for protecting ePHI. The review must address whether local devices have up-to-date external firewalls. SG Health Plan must distribute these policies and procedures to all members of its workforce who handle plan ePHI.
  • Review and update HIPAA training materials. SG Health Plan must submit its HIPAA training materials to HHS for approval and make any recommended revisions. SG Health Plan must also review its training materials “at least annually.”
  • Provide training to employees with access to PHI. After receiving final approval of the training materials, SG Health Plan must “provide training for each workforce member who has access to PHI” and do so at least every twelve months thereafter.
  • Report future breaches. SG Health Plan must report incidents in which a member of its workforce may have failed to comply with its policies and procedures with a “complete description of the event,” including facts and the persons involved, a “description of actions taken,” and intended actions to address the matter and mitigate harm.
  • Make Annual Reports to HHS. SG Health Plan must submit reports to HHS annually over the term of the CAP that include a training schedule and materials, an attestation that required employees attended the trainings, an attestation that required revisions to policies and procedures were made, and a summary of any reportable events.

Key Takeaways for Employers

The restructured OCR, with its dedicated commitment to HIPAA enforcement, and the recent enforcement action and resolution agreement targeting employer-sponsored health plan compliance, highlight the importance for employers of maintaining a robust compliance program to address HIPAA and protect plan PHI and ePHI.

As such, employers may want to evaluate their most recent comprehensive risk analysis and update it as needed to reflect current processes. Other steps include providing training on privacy protection standards to key personnel who handle PHI and ePHI and reviewing and revising privacy and security policies regarding ePHI.

Ogletree Deakins’ Employee Benefits and Executive Compensation Practice Group and Cybersecurity and Privacy Practice Group will continue to monitor developments and will provide updates on the Cybersecurity and Privacy, Employee Benefits and Executive Compensation, and Healthcare blogs as additional information becomes available.
