The U.S. Department of Health and Human Services (HHS) has recently announced a significant reorganization that undoes numerous changes made during the Biden administration concerning the Office of the National Coordinator for Health IT (ONC). This marks a substantial policy shift within the department that impacts both internal and external technology initiatives.

Initially, the Biden administration expanded ONC’s name and scope, giving it a broader mandate that involved setting the department-wide technology, data, and AI policies. The reorganization represented an evolution in the ONC’s role from its original focus on certified electronic health records—a focus it has maintained since its establishment in 2009—to a wider range of responsibilities incorporating integrated health IT policy, standards, and certification processes.

As part of the recent restructure, the ONC has reverted to its narrower focus on health IT policy while allowing HHS’s Office of the Chief Information Officer (CIO) to regain control over internal enterprise-wide technology execution. This includes oversight of cybersecurity, cloud operations, artificial intelligence, and data management. Notably, functions previously reporting to the ONC, like the Chief Technology Officer (CTO), Chief Artificial Intelligence Officer, and Chief Data Officer, have been centralized back to the OCIO, effectively reestablishing the former delineation of responsibilities.

HHS articulated that this restructuring reinforces the OCIO’s statutory obligation concerning enterprise IT, cybersecurity, and data operations. At the same time, it allows the ONC to focus more effectively on health IT-related policy, standards, and certification efforts that aim to improve care while reducing costs. This reorganization signals a nuanced approach that prioritizes stability within the IT structure while enhancing operational efficiency—a necessity in the evolving landscape of healthcare technology.

Experts in the field have articulated their support for the HHS reshuffling, suggesting it could indeed assist in improving cybersecurity measures and managing critical IT functions. Lee Kim, an attorney and founder of the consulting firm Keytera, noted that this move positively aligns cybersecurity with data governance, innovation, and enterprise technology—all of which fall under the leadership of the CIO. Kim emphasized that effective coordination and governance are vital components for reducing enterprise-wide risks and fostering innovation while safeguarding sensitive data and organizational assets.

Additionally, Kim remarked that this transition offers an opportunity to adopt a more holistic, enterprise-wide approach to IT governance within HHS. Such an approach could mitigate technical debt, including challenges posed by legacy systems, and ensure that technological systems align with a broader strategic vision for IT, security, and innovation efforts.

The implications of emerging technologies, particularly secure AI and quantum computing, will likely steer the pace of progress and innovation within HHS. Under this new structure, the department is positioned to provide enhanced guidance to the private sector on governance and best practices in security and information sharing.

However, not all experts are convinced that the internal restructuring will address broader challenges in cybersecurity across the health IT domain. Lucia Savage, who served as the Chief Privacy Officer at ONC during the Obama administration, expressed skepticism about the impact of the realignment on external cybersecurity matters. She pointed out that while the separated offices may more effectively tackle internal security issues, there is little expectation of an immediate influence on external cybersecurity concerns across the broader healthcare ecosystem.

Nonetheless, Savage noted that there is potential for HHS’s impending decision regarding the proposed update of the HIPAA Security Rule to have widespread implications. This rule, which was introduced late in the Biden administration, could affect all covered entities and business associates that are not currently in compliance with its standards, such as those related to encryption. The introduction of this rule is anticipated to have a significant impact on divisions within HHS that fall under HIPAA regulations, emphasizing the importance of compliance in the evolving regulatory landscape.

As the restructuring unfolds, HHS is expected to take further action regarding the proposed rulemaking by the summer, suggesting that ongoing developments in the healthcare technology and cybersecurity arenas will remain dynamic and closely monitored.