The proposed overhaul of the HIPAA Security Rule, the biggest change to the rule in more than two decades, just got a longer runway. In July 2026, the Department of Health and Human Services (HHS) moved the target date for finalizing it from May 2026 to July 2027, giving healthcare organizations about a year of extra preparation, as reported by the HIPAA Journal.
It is still a proposal, not a final rule. The requirements it lays out, though, are clearly where the rule is heading, and the practical move is to build for them now rather than wait for the deadline to firm up.
What the update would require
The proposed rule, published by HHS as a Notice of Proposed Rulemaking, would turn many of the Security Rule's "addressable" recommendations into firm requirements. Per the HHS fact sheet, the notable proposals include:
- Removing the distinction between "required" and "addressable" implementation specifications, so controls that were once optional become mandatory.
- Encryption of electronic protected health information (ePHI) at rest and in transit.
- Multi-factor authentication (MFA) across systems.
- Network segmentation.
- A technology asset inventory and a network map.
- More specific risk analysis requirements.
- Vulnerability scanning every six months and penetration testing annually.
- Annual audits of compliance, and annual verification by business associates that their technical safeguards are in place.
Read the whole list before you plan around it, because the change from "addressable" to "required" reaches nearly every control a healthcare team already knows.
Watch: we walked through these proposed changes and what they mean for healthcare teams in a recent session. See the on-demand webinar on the HIPAA Security Rule changes.
Why the delay is not a reprieve
The extension happened partly because industry groups viewed the original implementation timeframe as unworkable, and partly because agencies are not strictly bound to their own target dates. Neither of those reasons is a signal that the requirements are going away.
Encryption, MFA, and segmentation are already baseline expectations in every other regulated industry and in most healthcare security frameworks. The proposed rule is catching HIPAA up to where the rest of security has been for years. A team that treats the delay as permission to wait will be doing the same scramble in 2027 that it could have avoided starting now.
What to do with the extra time
Treat the proposed controls as design requirements for anything you build this year, not as future homework.
- Encrypt ePHI at rest and in transit by default, so no configuration step stands between a message and its protection.
- Require MFA on every system that touches ePHI.
- Build the asset inventory and network map now. You cannot segment or protect what you have not catalogued, and the inventory is useful long before any rule makes it mandatory.
- Put vulnerability scanning and annual testing on the calendar as recurring work, not one-time projects.
The organizations that come out of this ahead are the ones already operating this way when the final rule lands.
If you are building AI on PHI
New AI infrastructure is the easiest place to build to the proposed rule, because you are standing it up from scratch. Every model, tool, and channel you add this year is a chance to bake in encryption, access control, and inventory rather than retrofit them.
Choosing vendors that encrypt by default and sign a business associate agreement (BAA) does double duty: it keeps you compliant with the Security Rule as it stands today, and it lines you up for the version that is coming. The Paubox Email API, for example, signs a BAA on every plan and enforces TLS 1.2+ encryption by default, so the outbound layer of an AI workflow already meets the encryption bar the rule is moving toward. For the full picture of building AI on PHI the right way, see our guide to building with AI in healthcare.
Start here
The deadline moved, but the direction did not. The proposed HIPAA Security Rule update tells you which controls are about to stop being optional, and the extra year is a chance to make them routine before they are required.
Build to encryption, MFA, segmentation, and inventory now, and choose vendors that already meet those bars, and the 2027 final rule becomes a box you have already checked.
