On June 4, 2025, the U.S. Department of Health and Human Services (HHS) announced the appointment of Paula M. Stannard as the Director of the Office for Civil Rights (OCR). As Director, Stannard will lead the enforcement of the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as federal civil rights laws.
Director Stannard has an extensive background in healthcare regulation and public service at the state and federal levels. She served in HHS as Senior Counselor and Advisor to former HHS Secretaries Tom Price and Alex Azar during the Trump Administration, and as the Department’s Acting General Counsel and Deputy General Counsel during the Bush Administration. Notably, during the Bush Administration, Director Stannard played a key role in revising the original HIPAA Privacy Rule.
Given Director Stannard’s background in HHS policy, she is likely to support enforcing HHS policies that she helped bring to life. As Director Stannard begins her new role, she will likely address four key issues: i) the future of the proposed HIPAA Security Rule, ii) the use of artificial intelligence (AI) by HIPAA-covered entities and business associates, iii) the use of patient care decision support tools, and iv) the use of advertising technologies by digital health companies.
Proposed HIPAA Security Rule Modifications
The agency is considering significant proposed modifications to the HIPAA Security Rule, which were released under the Biden Administration. As discussed in a prior Wilson Sonsini alert, OCR published a proposed rule in January 2025 that would strengthen the security of electronic protected health information (ePHI) in response to emerging threats and technologies. The public comment period on the proposed rule closed in March 2025. Eight industry associations co-signed a letter to President Trump calling for the proposed update to be rescinded. Representatives of the Administration have noted that HHS is reviewing comments carefully and will consider next steps. Director Stannard is likely to play a key role in this process.
Artificial Intelligence
With respect to the use of AI, OCR indicated in its proposed amendments to the HIPAA Security Rule that ePHI in AI training data, prediction models, and algorithm data that is maintained by a regulated entity for covered functions is protected by the HIPAA rules, and advised regulated entities to incorporate the use of AI tools in their risk analyses.
Patient Care Decision Support Tools
In May 2025, OCR published a final rule to implement Section 1557 of the Affordable Care Act, which, among other things, prohibits discrimination in the use of automated or non-automated patient care decision support tools. OCR indicated in the final rule that these tools include AI used to support clinical decision-making. Under the final rule, covered entities must make reasonable efforts to identify uses of patient care decision support tools that consider race, color, national origin, sex, age, or disability, and to mitigate the risk of discrimination resulting from the tools’ use of such information.
Advertising Technologies
Finally, companies should watch for whether OCR, under Director Stannard, will take a position on the use of third-party online tracking technologies by HIPAA-covered entities on unauthenticated websites. As analyzed in a prior Wilson Sonsini alert, in December 2022, OCR issued guidance that would have restricted HIPAA-covered entities’ and business associates’ use of online tracking technologies not only on authenticated websites like patient portals, but also on unauthenticated websites (e.g., consumer-facing websites). However, the U.S. District Court for the Northern District of Texas partially vacated the guidance in June 2024, reasoning that the agency overreached its authority by redefining “protected health information” under HIPAA. The guidance document indicates that HHS is evaluating its next steps in light of the district court’s order.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. If you have any questions or need assistance with HIPAA compliance, please do not hesitate to contact Maneesha Mithal, Jodi Daniel, Tracy Shapiro, Haley Bavasi, Hale Melnick, or any other member of our Data, Privacy, and Cybersecurity practice.
Taylor Stenberg Erb contributed to the preparation of this post.