#hhs-ocr

#hhs-ocr

As Theresa Defino recently reported, HHS OCR will prioritize risk assessments and expand its investigations into risk management in 2026. Alisa Chestler and Layna Cook Rush of Baker Donelson have summarized some recent recommendations from HHS OCR's January 2026 Cybersecurity Newsletter that regulated entities may want to pay increased attention to at this point: Patching Is a Required Risk Management Activity Legacy Systems and Unpatchable Vulnerabilities Are Not Excuses Unnecessary Software and Default Accounts Create Hidden Risk

OCR continues to execute its enforcement mission under its statutory and regulatory authorities regarding civil rights, exercise of conscience, and health information privacy and security, and breach notification. OCR continues to investigate complaints filed, to conduct compliance reviews, and to review breaches of unsecured protected health information. OCR will be responsive to the HIPAA trends and compliance issues within OCR's jurisdiction that are affecting the public and the regulated industry.

In June, in an escalation of the Trump administration's pressure on Harvard University to bow to its demands, a federal Office for Civil Rights announced that the institution was violating federal law. The office released a nearly 60-page report accusing Harvard of "deliberate indifference" to ongoing discrimination against Jewish and Israeli students, which is illegal under Title VI of the Civil Rights Act of 1964.