OCR Cuts Affect Audits and Investigations. More Burden on You.

With major staffing cuts and half of HHS’s regional offices shuttered, the Office for Civil Rights (OCR) is struggling to keep up with complaints and breach notifications. Investigations that previously took months are now facing indefinite delays, and some smaller complaints may not receive any follow-up at all (BankInfoSecurity).

At first glance, this might seem like less scrutiny—but in reality, more responsibility now falls on Covered Entities (CEs) and Business Associates (BAs). Here’s why:

🔍 Less Oversight Means Fewer Early Warnings

Routine OCR audits often uncover issues like outdated policies or missing training before they become major violations. Now, with fewer audits, these issues may go unnoticed until after a breach occurs.

⏳ Slower Investigations Prolong Exposure

If an organization waits for OCR to point out a weakness, slower investigations mean that weakness persists longer. And when OCR does eventually investigate, the penalties can be harsher: HIPAA counts a continuing violation as a separate violation for each day it persists, so an extended period of noncompliance and exposure drives the total up.

⚖️ HIPAA Still Applies—Whether or Not OCR Is Watching

The law hasn’t changed—just the watchdog. That means your legal and ethical responsibility to protect PHI is unchanged, even if OCR doesn’t show up tomorrow.


Signs of Enforcement Fatigue

Despite the turmoil, OCR has continued to finalize some enforcement actions, though most were initiated before the cuts. Notable 2025 actions include:

  • A $200,000 civil money penalty against Oregon Health and Science University for failing to provide timely access to patient records (a Right of Access violation).
  • A $1.5 million civil money penalty against Warby Parker following a breach that exposed nearly 200,000 individuals' data (BankInfoSecurity).

However, experts warn that this pace may not continue. The pipeline of new investigations is thinning, and smaller breaches may not receive any attention at all in the near term.


What This Means for Your Organization

Whether you're a covered entity or a business associate, this new enforcement landscape puts more responsibility on you. With fewer government audits and slower investigations, proactive compliance is no longer optional; it's critical.

Here's what we recommend:

  • Conduct regular HIPAA risk assessments. The Security Rule requires an accurate and thorough risk analysis (45 CFR 164.308(a)(1)(ii)(A)), and it is routinely among the first documents OCR requests in an investigation.
  • Update your privacy and security policies at least annually, and whenever your systems, vendors, or workflows change.
  • Maintain and test a breach response plan. The Breach Notification Rule still requires notifying affected individuals without unreasonable delay and no later than 60 calendar days after discovery, regardless of how quickly OCR follows up.
  • Train all staff on PHI handling and security protocols, and keep attendance records.
  • Document everything, from access logs to training records to vendor compliance, and retain the required documentation for the six years HIPAA specifies (45 CFR 164.316(b)(2)). For CEs, this should include an inventory of every third-party company you work with: whether it is considered a BA, whether you have a signed BAA with that vendor, and the date the BAA was last reviewed or updated.

OCR may not be knocking on your door today—but when they do, they’ll expect a full history of documented compliance.


Fortiva IT Can Help

We specialize in helping healthcare and dental organizations navigate HIPAA compliance, even as the regulatory landscape shifts. From staff training to risk assessments and policy development, we offer tailored services to keep your practice protected and audit-ready.

📞 Schedule a HIPAA Readiness Review Today
💬 Contact Us to learn more or book a free consultation.


Sources

  • AP News: HHS to lay off 10,000 workers
  • Axios: HHS enforcement lacking
  • BankInfoSecurity: OCR response delays due to cuts