OCR Director Stannard: Enforcement Widening To Encompass Risk Management, Parents’ Access

Health Care Compliance Association (HCCA)

Report on Patient Privacy 26, no. 1 (January, 2026)

Paula Stannard, the newish director of the HHS Office for Civil Rights (OCR), plans to continue two enforcement initiatives with which covered entities (CEs) and business associates (BAs) likely are familiar—but she’s expanding both in ways that should cause them to sharpen and refocus their compliance efforts, RPP has learned.

“I really am putting a great emphasis on the importance of taking Security Rule compliance to the next step,” as a follow-up to OCR’s Security Risk Analysis Initiative, Stannard told RPP during an exclusive interview in mid-December. This initiative is being broadened to include a related determination as to whether CEs and BAs have also “looked at the results of their risk assessment and taken the next step to figure out what security measures are appropriate to address the risks and vulnerabilities that are identified by the risk assessment,” she said.

In addition to scrutinizing risk management plans, OCR will expand its Right of Access Initiative—which recently notched its 54th case—with a new focus on whether parents of patients, in particular, are being denied access to their children’s records, Stannard said.

Putting Regulated Entities ‘On Notice’

During a wide-ranging interview that marked the first extensive public comments she has made since her appointment in June, Stannard said OCR plans to add staff and likely will be part of a new agency when an HHS-wide reorganization goes forward. She also discussed the future of the proposed Security Rule issued a year ago by the Biden administration. But—spoiler alert—she gave no hint as to its fate.[i]

OCR directors are political appointees who change with administrations. As such, CEs and BAs typically like to get to know the OCR director’s goals, priorities and perhaps special interests to align their compliance programs, better safeguard patients’ privacy and avoid enforcement actions.

Stannard has twice served in HHS prior to her OCR appointment—and she’s now more than six months into the post—but the health care community has seen less of her imprimatur related to HIPAA thus far. This is due to a combination of factors, including the government shutdown and OCR’s involvement in less traditional activities, such as investigations into alleged antisemitism.

But they should expect to learn more from her directly, as Stannard also told RPP she intends to up her engagement with the community and stressed her familiarity with HIPAA, which dates back decades.

Stannard agreed to an interview with RPP in the fall, but a scheduled call had to be postponed due to the shutdown. As is its standard practice, RPP submitted questions in advance, all of which Stannard answered. Stannard’s comments to RPP about risk management enforcement efforts are meant to “put all of our regulated entities on notice that this is the next step,” she said.

CEs and BAs have had more than a year to up their security risk analysis game—then-director Melanie Fontes Rainer launched the initiative in October 2024. OCR has announced nearly a dozen enforcement actions related to faulty risk assessments. Industry experts, however, say both types of organizations are behind in completing risk analyses.[ii]

Risk Management Must Follow Analysis

Stannard called this a “combined initiative, because you can’t do risk management unless you’ve done a good risk assessment. If you haven’t done a risk assessment, you can’t do risk management. So, the two…go hand in hand.”

Addressing CEs and BAs, Stannard said, “it’s great if you’re actually doing a risk assessment and you know where your risks and vulnerabilities are. But it’s also important what you do with that information, and that’s what the risk management security…requirement is designed to do. Once you know where your risks and vulnerabilities are, let’s address them. Let’s make sure that you’ve looked at it [and identified] the security measures that will help you address those risks and vulnerabilities.”

At the time of the interview, OCR didn’t have “any particular cases in mind” to make this point, she said.

Stannard: Parents Thwarted in Access Requests

As part of this initiative, OCR is working on a new risk management video, which it announced in a listserv notice Dec. 1. It solicited questions the agency could address, allowing just a week’s deadline. Stannard said OCR had hoped to issue the video during October, which is cybersecurity month, but it was delayed due to the shutdown.

OCR planned to launch the risk management initiative with investigations beginning this year.

On Dec. 16, the day after she spoke to RPP, Stannard announced OCR had completed its 54th enforcement action in its Right of Access Initiative, a case that took seven years to settle.[iii] Concentra Inc., a Texas occupational health services provider, agreed to pay $112,500. It took the firm more than a year to provide an attorney representing a patient access to requested records. RPP will explore this settlement in more detail in a future issue.

This initiative was first started by Roger Severino, President Donald Trump’s first OCR director, in 2019. Keeping—and expanding—the Right of Access Initiative reflects new concerns, as well as long-standing patient challenges, Stannard said.

“From what I’ve seen, what we continue to see in the area of complaints, that is still the number one or number two HIPAA area of complaints,” Stannard said. “We are expanding that. In addition to the general focus on right of access, we are specifically looking at parents’ rights to access their minor children’s health records.”

‘Colleague Letter’ Signaled Interest

Stannard explained that OCR has “heard that certain large health care facilities or their [electronic health record] vendors were denying parents the right to access their minor children’s medical [records]—it might be that they could access certain records until the child…reached age 13, and then the child had to authorize” access. Other “mechanisms” may also have been in place that served to deny parents access, despite what Stannard termed a “black letter Privacy Rule” requirement granting it.

While this is a new area of focus, Stannard signaled the approach last month—but CEs and BAs may have missed the announcement and its implications.

On Dec. 3, HHS said it was taking “strong actions to protect the rights of parents within the practice of pediatric medicine,” including “an investigation into a complaint that a Midwestern school illegally vaccinated a child with a federally provided vaccine without the parents’ consent by ignoring a religious exemption submitted under a state law.”[iv]

At the same time, HHS issued a three-page Dear Colleague letter from Stannard “reminding health care providers about federal law requiring them to provide parents access to their children’s health information.” HHS noted that the letter “spells out parents’ right to access their children’s protected health information,” specifically that “a parent is the personal representative of his or her minor child where the parent has the legal authority to make health care decisions for the child,” and can exercise “their children’s rights with respect to protected health information, including the right of access.”

The announcement also disclosed that OCR was “initiating compliance reviews of a number of large health care providers to ensure that parents receive timely access to their children’s health information.”

Reorganization Expected to Move Forward

The Dear Colleague letter “was a way of drawing regulated entities’ attention to this aspect of the Privacy Rule and the very narrow exceptions to that,” Stannard told RPP. “But we also then initiated a number of compliance reviews to make sure that as a result of that Dear Colleague letter and announcement of the compliance reviews, that we’ll be getting more complaints.”

OCR intends to “investigate complaints as they arise. We’ll make sure that people know when the right of access that we’ve found violated involved parents’ rights,” she said. OCR is “putting a marker down that this is something that health care entities have to pay attention to, and they fail to do so at their own risk, and that when we get a complaint about right of access, we’ll also be looking at” the parental rights aspect.

In March, HHS Secretary Robert F. Kennedy Jr. announced the agency would be undergoing a “dramatic restructuring”; among the changes was creation of an Assistant Secretary for Enforcement, an office to include OCR, Department of Appeals Board, Office of Medicare Hearings and Appeals, Office for Human Research Protections (OHRP) and Office of Research Integrity (ORI).[v]

Stannard said her “understanding” is that the reorganization “will go forward…at some point in probably the relatively near future,” and she confirmed that the agencies involved are those Kennedy identified. But less clear is what the new umbrella agency will be called.

Stannard noted there are “various steps that are involved in a reorganization of the department, and part of that includes, ultimately, informing Congress.” She disclosed that there are “departmental staff that, on a day-to-day basis, are implementing the necessary steps, on the macro-level, for departmental reorganization. On the more focused part, we are in communication with our counterparts in the other offices that would become part of what was at the time called the Assistant Secretary for Enforcement.”

Officials “don’t know what the title will ultimately be, but we believe that the reorganization is going to be going forward,” Stannard said.

Hiring Would Begin After Approval

OCR also expects to be adding staff, though Stannard didn’t provide specifics. She noted that some OCR employees “voluntarily participated in workforce reduction programs, such as the deferred resignation program, voluntary early retirement and voluntary separation incentives.” As a result, “we are down some staff.”

Along with the reorganization, RPP previously reported that some OCR staff received reduction-in-force (RIF) notices last spring. Fontes Rainer, for example, told RPP that OCR employees in New York, Chicago, Dallas and California received termination notices; although she could not provide a number, Fontes Rainer said the cuts were troubling for the future, noting that staff in New York and California were “heavy contributors to HIPAA compliance” efforts. However, HHS reversed some RIFs, including at OCR.

Although the government is still under a hiring freeze, Stannard said agencies governmentwide are creating department-level hiring plans. OCR has contributed to HHS’ plan, which contains a “forecast for the department where we see our needs.”

Once a department’s plan is approved by the Office of Personnel Management, “then the department is relieved of the hiring freeze and could proceed in hiring in accordance with its hiring plan,” Stannard said. OCR “anticipate[s] being involved in the hiring process as we go forward,” Stannard said.

The “realities of what 2025 looked like” did take a toll on agency activities, and thus OCR “may not have as many settlements to announce,” she acknowledged.

“While none of my [full-time equivalent employees] ended up being RIF’d, we did lose a number of investigators and there was a period of time when some of my employed staff who had been RIF-notified were not working,” Stannard said. “They’re now back, and then [there] was the government shutdown. So, realistically, that impacted our ability to investigate.”

‘We Are Committed to Education’

Going forward, “there may be some slowdown in settlement announcements, but no one should think that that means that we’re not enforcing [HIPAA] and not investigating complaints because [of], hopefully, a unique set of circumstances,” Stannard warned.

The shutdown had other effects. In recent years, OCR directors have been frequent speakers at industry events, part of the agency’s traditional emphasis on education and outreach, but the government shutdown and an early communication ban by HHS officials appointed by Trump meant new administration officials were mostly absent from regulated community circles.

Stannard said she believes education and engagement are “very important,” noting she’ll be talking about Part 2 topics, as well as about HIPAA.

“I may be the first director who actually has some HIPAA experience in their past, so it’s something I’m eager to be speaking on [and] on all of the OCR portfolio,” Stannard said. “A combination of factors has dictated that I haven’t spoken on it, I haven’t been speaking up much on it to-date, but I definitely anticipate doing so. We continue to be committed to education of regulated entities and providing guidance, whether it’s FAQs and otherwise, to help inform regulated entities of how we see the HIPAA rules, how we see Part 2.”

Also echoing her predecessors, Stannard said OCR “will continue to have less formal interactions with regulated entities,” pointing out that they can submit questions and requests for speakers through OCR’s website.

“We welcome those indications of areas of interest because it helps us guide our outreach and the education,” Stannard said. “We want to be sure that what we do provides the greatest benefit for the resources that we expend in producing that guidance.” OCR officials “want to make sure that what we do issue is in areas where it will be most beneficial to the regulated public.”

Stannard’s Approach Informed by Past Jobs

At RPP’s request, Stannard also shared observations gleaned in her first six months leading OCR. Among them is the realization that OCR, with 55 laws to enforce, has a bigger mission than civil rights offices in other departments, she said. And its remit has grown, as OCR now has enforcement authority for Part 2 regulations, which govern privacy and security of substance use disorder providers and patient records.

“We looked at [Part 2 authority] and said, ‘As much as we don’t need another job, we’re the logical place to put it.’ And so, we suggested to the secretary that it would be appropriate to delegate that authority to us,” Stannard explained. OCR has “managed to secure additional funding from the department to address the startup implementation costs out of fiscal year 2025 funds, so that we don’t have to find all the resources within OCR” to assume Part 2 oversight duties, she said. To date, OCR has not announced any enforcement actions against Part 2 providers.

In addition to addressing HIPAA and Part 2, OCR officials also are “leading implementation of the president’s bold civil rights agenda in health and human services, including antisemitism, race-based discrimination embedded or cloaked in [diversity, equity and inclusion] programs,” she said. “We’re reinvigorating enforcement of conscience and religious freedom laws. Our work in these areas is highly visible. Our portfolio is very significant.”

Stannard, as she noted, isn’t new to HIPAA—something that might provide solace to CEs and BAs. “I was involved in the modifications to the Privacy Rule that were made in President [George W.] Bush’s first term,” Stannard recalled, adding that she also “led a team largely of attorneys in the general counsel’s office, but also some OCR staff, to do the first enforcement rule, which was essentially a process rule.”

Moreover, in the first Trump administration, she was senior counselor and advisor to then-HHS secretaries Tom Price and Alex Azar. Stannard’s career also includes 16 years in private practice, where her work included “counseling on HIPAA, both privacy and security,” breach notification and on transactions rules, she told RPP.

Her most recent position before returning to HHS and OCR was chief legal counsel of the Montana Department of Public Health and Human Services, a hybrid CE. “We operated the state’s Medicaid program, which obviously is a covered entity,” Stannard said. The agency “also had six or seven health care facilities that were responsible for operating the state’s mental hospital, a couple of nursing homes, etc.”

She said her state-level experience has been “useful in understanding the demands on state agencies and other regulated entities that are partners with HHS,” while her legal work “has informed how to approach the job here.”

Another observation Stannard shared with RPP had to do with the “professionalism” of OCR staff: “It’s been rewarding to work with them again. They’re dedicated, well-informed, and they’re engaged and committed.”


[i] Theresa Defino, “OCR’s Stannard Mum on Fate of Security Rule NPRM,” Report on Patient Privacy 26, no. 1 (January 2026): 4.

[ii] Jane Anderson, “CEs, BAs Grappling with Risk Analysis As OCR Expands into Risk Management,” Report on Patient Privacy 26, no. 1 (January 2026): 8.

[iii] U.S. Department of Health and Human Services, “HHS’ Office for Civil Rights Settles HIPAA Right of Access Investigation with Concentra, Inc.,” news release, December 16, 2025, https://bit.ly/44WPkcV.

[iv] U.S. Department of Health and Human Services, “HHS Protects Parents’ Rights in Children’s Health Decisions,” news release, December 3, 2025, https://bit.ly/3N8wSYA.

[v] Theresa Defino, “OCR Loses Staff, Faces Move to New ‘Enforcement’ Office; Will HIPAA Focus, Independence Suffer?,” Report on Patient Privacy 25, no. 4 (April 2025): 1.
