Close up of doctor working on computer in doctor's office. Physician doing paperwork and administration.
Listen to this post

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

On March 27, 2025, the U.S. Department of Health and Human Services (HHS) announced a sweeping reorganization under the Department of Government Efficiency Workforce Optimization Initiative. The plan consolidates 28 divisions into 15, reduces the number of regional offices from 10 to 5, and introduces a new entity: the Administration for a Healthy America (AHA). This transformation aims to modernize HHS’s structure and operations, improve efficiency, and strengthen oversight across federal health programs.

Workforce and Operational Changes: What to Expect

HHS anticipates reducing its workforce from approximately 82,000 to 62,000 full-time employees, generating an estimated $1.8 billion in annual savings. Core administrative functions—including Human Resources, IT, Procurement, External Affairs, and Policy—will be centralized under the Office of the Secretary. A smaller HHS workforce may lead to slower response times to Office for Civil Rights (OCR) inquiries or breach investigations, longer appeals cycles for matters before the Departmental Appeals Board (DAB) or Office of Medicare Hearings and Appeals (OMHA), and reduced day-to-day oversight, with less frequent outreach, fewer audits, or delays in policy interpretation. These changes introduce new uncertainties for healthcare organizations that rely on predictable enforcement timelines and engagement from agency staff.

The Creation of the Administration for a Healthy America (AHA)

The centerpiece of this reorganization is the formation of AHA, which will integrate programs previously housed in the Office of the Assistant Secretary for Health (OASH), Health Resources and Services Administration (HRSA), Substance Abuse and Mental Health Services Administration (SAMHSA), Agency for Toxic Substances and Disease Registry (ATSDR), and National Institute for Occupational Safety and Health (NIOSH). This consolidation aims to break down program silos and unify prevention, behavioral health, environmental health, and workforce development. For privacy and security professionals, this shift will likely mean broader data integration and sharing across formerly separate agencies, and an increased volume and variety of sensitive data flowing through unified AHA systems.

Budget and Strategic Priorities: New Focus Areas

For Fiscal Year 2026, AHA’s Congressional Justification requests $20.6 billion in funding, which prioritizes:

  • telehealth modernization,
  • behavioral health initiatives (including suicide prevention and opioid overdose reduction),
  • environmental health research,
  • and rural health workforce programs.

Consolidating these programs could streamline data sharing and reporting. It also heightens the need for robust privacy and security safeguards—especially for sensitive behavioral health and rural population data.

Enforcement Realignment: OCR’s New Reporting Structure

A significant change for privacy and security practitioners is the creation of a new Assistant Secretary for Enforcement, who will oversee all enforcement and appeals functions across HHS, including OCR, DAB, and OMHA. OCR, responsible for enforcing HIPAA Privacy and Security Rules, will now report directly to centralized enforcement leadership. This may increase coordination across civil monetary penalties, appeals, and administrative decisions. It may also lead to more uniform and potentially targeted enforcement, especially in high-profile areas like behavioral health. However, operational delays or variability may arise if workforce reductions impact OCR’s capacity.

Key Implications for Privacy, Security, and Oversight

This restructuring will have broad implications for privacy, security, and compliance in the healthcare sector:

  • Centralized oversight may shift HIPAA enforcement patterns, with a more unified and strategic approach across agencies.
  • Unified public health data will require stronger data governance, privacy protocols, and cross-system access controls.
  • Workforce reductions may lead to slower investigation and audit cycles, delayed issuance of guidance or policy updates, and potential inconsistencies as remaining staff are tasked with broader responsibilities. For healthcare organizations and their compliance teams, this may mean longer wait times for regulatory clarification and delays in the resolution of ongoing matters, creating a period of uncertainty that requires proactive risk management.
  • Centralized budget and procurement functions will likely result in updated contract and grant terms, and the adoption of standardized compliance frameworks. These updates are likely to emphasize strengthened privacy and security controls as well as more rigorous reporting and audit requirements.

What Healthcare Organizations Should Do Now

Given these significant changes, healthcare organizations should take proactive steps to manage their compliance posture and mitigate risk. Consider the following recommended actions:

1. Monitor Regulatory Developments:
Stay alert for new OCR guidance, AHA data-sharing frameworks, and revisions to contract and grant requirements as HHS standardizes procurement and policy functions.

2. Review and Strengthen Data Governance:
Update privacy and security protocols for multi-party data use, cross-system authentication, and sensitive data categories—especially those related to behavioral health, rural health, and telehealth.

3. Prepare for Delays and Increased Scrutiny:
Anticipate longer timelines for investigations, appeals, and regulatory responses. Maintain thorough documentation and be ready for increased scrutiny of compliance practices.

4. Audit HIPAA and Related Compliance Programs:
Conduct a proactive review of your HIPAA compliance posture and enforcement readiness, with a focus on areas likely to receive targeted attention under the new structure.

5. Engage Early with AHA Initiatives:
Early participation in AHA pilot programs, particularly in telehealth and rural health, may offer opportunities to help shape privacy-preserving technology standards.

Contact us 

HHS’s restructuring and the formation of AHA represent a pivotal shift in federal health governance. Husch Blackwell will continue to provide timely updates and strategic guidance as these changes unfold. For assistance navigating HIPAA compliance or assessing how these developments may affect your organization, please reach out to Noreen Vergara or a member of our Healthcare Privacy & Regulatory team.