HHS has delayed final action on its overhaul of the HIPAA Security Rule until at least July 2027, even as it moves ahead with a separate update to the HIPAA Privacy Rule this August, according to an updated federal regulatory agenda.

 

What happened

The Department of Health and Human Services' Office for Civil Rights (OCR) pushed back final action on its proposed HIPAA Security Rule overhaul, which it had previously targeted for May 2026. The rulemaking's status on the federal tracking site also shifted from "final rule stage" to "long-term actions," a sign that a final version remains well over a year away, according to a Davis Wright Tremaine analysis of the agenda. OCR still intends to finalize its separate update to the HIPAA Privacy Rule in August and plans additional rulemaking on health IT interoperability and certification requirements. Agency timetables aren't binding, so OCR could finalize the Security Rule earlier, revise it further, or withdraw it altogether, and the current Security Rule remains in force in the meantime.

Read also: What's changing with HIPAA in 2026

 

The backstory

OCR published the Security Rule proposal in the Federal Register on January 6, 2025, in the final days of the Biden administration, after issuing the underlying notice of proposed rulemaking on December 27, 2024. It would be the first major rewrite of the Security Rule since 2013. The comment period closed March 7, 2025.

The Privacy Rule update now set for August has a longer history. OCR first proposed those changes in January 2021, near the end of President Trump's first term, but the update sat mostly dormant through the Biden years before the current administration moved it back to the front of the queue.

 

Going deeper

If finalized as proposed, the Security Rule update would rework how covered entities and business associates protect electronic protected health information. Elements, drawn from the HIPAA Security Rule fact sheet and a summary from Faegre Drinker, include:

  • Eliminating the distinction between "required" and "addressable" implementation specifications, making safeguards like multifactor authentication, encryption, and network segmentation mandatory except in narrow circumstances
  • Requiring risk analyses to be reviewed and updated at least every 12 months, with eight new specific components
  • Mandating a written technology asset inventory and network map covering all systems that touch ePHI
  • Requiring vulnerability scans every six months and penetration testing every 12 months
  • Setting a 72-hour deadline to restore critical systems after a disruption, following a required criticality analysis
  • Requiring written documentation for all Security Rule policies, procedures, plans, and analyses

The August Privacy Rule update, by contrast, focuses on patient access rather than technical safeguards. Expanding rights to obtain PHI, easing information sharing for care coordination, and broadening family and caregiver involvement during emergencies, according to the 2021 proposal text.

 

What was said

OCR described its own goal for the Security Rule proposal as working to "improve cybersecurity and better protect the U.S." healthcare system.

Rachel Seeger, founder of consulting firm North Country Communications and a former longtime OCR adviser, told BankInfoSecurity that the broader pattern in the updated agenda is that HHS is prioritizing patient data access over new security mandates for now, and predicted the Security Rule could slip again past July 2027.

 

By the numbers

  • OCR received close to 5,000 public comments on the Security Rule proposal, 4,745, by OCR's own count as of a March 2025 update, with many healthcare organizations and industry groups arguing the requirements would be costly and hard to implement, per Becker's original reporting on the comment volume.
  • HHS's own Regulatory Impact Analysis projects roughly $9 billion in industry-wide compliance costs in year one, and about $6 billion annually in years two through five, according to Crowell & Moring's analysis.
  • OCR observed a 102% increase in breaches affecting 500 or more people between 2018 and 2023, per Ropes & Gray's Healthcare Law Insights summary of the rule's justification.
  • More than 100 organizations, led by CHIME, wrote to HHS urging it to reconsider the Security Rule proposal.

In the know

The HIPAA Security Rule and HIPAA Privacy Rule are separate regulations that OCR enforces together. The Security Rule, in place since 2003 and last updated in 2013, governs the technical, physical, and administrative safeguards covered entities and business associates must use to protect electronic PHI from cyber threats. The Privacy Rule instead governs who can access, use, and disclose PHI, and what rights patients have over their own records. That distinction explains why these two updates are moving on separate, unrelated timelines, one is a cybersecurity mandate, the other is a patient-rights and information-sharing update.

 

Why it matters

This delay does not change what regulated entities owe under the current Security Rule, and OCR has said its cybersecurity enforcement initiative already extends beyond risk analysis into risk management, meaning organizations are expected to act on the risks they identify, not just document them. Healthcare organizations that assumed a 2026 compliance deadline now have more time to build the asset inventories, encryption coverage, and MFA rollouts the proposal would require, before a final rule locks in a compliance date. Organizations that handle ePHI, including any vendor that exchanges health data by email, should plan for these requirements.

 

The bottom line

The Security Rule overhaul isn't withdrawn, it's just delayed, and OCR's own security adviser has said the agency is still holding organizations to a functioning risk management program under today's rules while the rulemaking plays out. Healthcare organizations, and the vendors that handle PHI on their behalf, should use the added time to close gaps in encryption, MFA, and asset inventories now rather than wait for a final rule.

Related: HIPAA Compliant Email: The Definitive Guide

 

FAQs

Does the current HIPAA Security Rule still apply while this update is pending?

Yes, the existing Security Rule remains fully in effect and enforceable until any final rule replaces it.

 

Who has to comply with the HIPAA Security Rule?

It applies to covered entities (health plans, healthcare clearinghouses, and providers who transmit health information electronically) and their business associates.

 

What counts as electronic protected health information (ePHI)?

ePHI is any individually identifiable health information that is created, received, maintained, or transmitted electronically.

 

Can HHS finalize only part of a proposed rule instead of all of it?

Yes, HHS can adopt some provisions, revise others, or drop parts of a proposal entirely before issuing a final rule.