Last week, the U.S. Department of Health and Human Services (HHS) named Paula Stannard as the new director of the Office for Civil Rights (OCR), the agency responsible for HIPAA enforcement. Stannard was a former legal adviser and counsel at HHS previously under the first Trump administration and also during the George W. Bush administration.

Paula Stannard Has a Solid Background in HIPAA

Before this appointment, Stannard served as chief legal counsel at the Montana Department of Public Health and Human Services, where she led the office of legal affairs. In that role, Stannard advised and “represented the state agency and its components on a wide range of significant legal issues pertaining to the laws the agency is responsible for implementing and the programs it operates,” HHS said.

In addition to her work in the public sector, Stannard was in private practice as a lawyer for 16 years: six years as counsel in the healthcare practice group at Alston and Bird, LLP in Washington, D.C., and 10 years as a litigation associate at Skadden, Arps, Slate, Meagher and Flom in Chicago.

HIPAA privacy experts generally agree that Stannard comes to the job with a deep background in health privacy and security and is well-suited to the job. It is not clear, though, what her policy priorities might be.

Adam Greene, regulatory attorney at Davis Wright Tremaine LLP, posted on LinkedIn,

 “I think she brings greater familiarity with HIPAA than we have tended to see in past OCR directors, which will be helpful. Because she has traditionally served in a legal counsel or policy advisor role, it’s hard to predict what her own policy priorities will be.”

HealthcareInfoSecurity.com reported on other reactions to the appointment. For example, attorney Jodi Daniel, a partner at the law firm Wilson Sonsini Goodrich & Rosati, said she worked closely with Stannard when HHS revised the original HIPAA Privacy Rule early in the Bush Administration, commented,

“Paula knows the HIPAA Privacy Rule inside and out. She is a smart lawyer who knows administrative law and HHS policy from many years of experience.”

Daniel also worked at HHS, serving for 15 years, including a decade at the Office of the National Coordinator for Health IT, where she helped lead the development of health information privacy and security policies.

In a statement, Stannard said she is “excited and honored to lead the Office for Civil Rights at HHS under the leadership of President Trump and Secretary Kennedy.”

“I look forward to advancing the significant and highly visible priorities of OCR and protecting the civil rights of Americans who participate in the programs or organizations that HHS operates and funds.”

Challenges Ahead at HHS

Stannard faces staggering challenges. The workload at OCR has grown substantially in recent years, but it remains under-resourced.

• The number of major health data breaches is rising every year, including those caused by hacking. Additionally, the number of HIPAA complaints from individuals increases annually.
• OCR faces pressure from a government watchdog agency (the Office of Inspector General or OIG) to resume its HIPAA audit program.
• OCR is actively engaged in rulemaking, including a proposed major update to the 20-year-old HIPAA Security Rule. The update, drafted by the previous Biden administration, is controversial, with outside critics calling for it to be rewritten.
• OCR may have an expanded role in the enforcement of Part 2 regulations under SAMHSA (Substance Abuse and Mental Health Services Administration). The recent modifications to Part 2, designed to better align with HIPAA, mean that OCR may need to direct resources there.

While OCR has a full roster of responsibilities, its budget has remained flat in recent years, placing additional pressure on leadership. Then, in March, HHS Secretary Kennedy announced a restructuring and budget cuts that will affect OCR. Those cuts are expected to leave HHS with about 62,000 full-time employees, down from 82,000. The restructuring also includes consolidating HHS’ 28 divisions into 15 new units and closing five of HHS’ 10 regional offices.

HHS’ Future Budget Depends on Congress

The federal budget bill is currently before the Senate, and although its future is uncertain, it is expected to be resolved in the coming weeks.

HHS’ recent fiscal year 2026 budget-in-brief document said,

“OCR requests non-trust fund budget authority levels that will maintain its current programmatic activities and continue defending the public’s right to nondiscriminatory access to HHS funded health and human services and enforcing health information privacy and security laws.”

In fiscal 2025, HHS sought an OCR budget of $57 million.

“OCR is experiencing an increase in its case backlog due to the recent sharp decrease in the number of investigators on staff. At the close of FY 2024, the backlog stood at 6,532, whereas in May 2025 it stands at 13,274.”

Stay the Course and Follow HIPAA

Although OCR faces challenges, it is clear that HIPAA enforcement is continuing with the resources available. Prioritize HIPAA risk analysis and workforce training to reduce risks and protect patient data.

Remember too, that lawsuits are becoming more common in health privacy breaches. The best defense against regulatory investigations and private lawsuits is strong HIPAA compliance.