HIPAA Security Rule Update Delayed Until 2027; Privacy Rule Update Imminent
A final rule updating the HIPAA Security Rule has been delayed until mid-2027, giving regulated entities more time to prepare for and implement the proposed security measures. A final rule implementing 2021’s proposed changes to the HIPAA Privacy Rule is due for release in August 2026, according to the updated HHS regulatory timetable.
HIPAA Security Rule Final Rule Delayed by A Year
The update was first proposed by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in December 2024, with the official Notice of Proposed Rulemaking published in the Federal Register in January 2025 in the final days of the Biden-Harris administration. The update was proposed in response to the significant increase in hacking incidents and rampant ransomware attacks in healthcare, and to bring the two-decade-old rule up to date to reflect changes in technology and operating environments.
The HIPAA Security Rule was enacted in 2003, and while updates were made in 2013, an overhaul of the implementation specifications of the HIPAA Security Rule was long overdue. The original Security Rule was written in a technology-agnostic manner, largely avoided mandating specific technologies, and was flexible, allowing regulated entities to implement safeguards best suited to their size and unique operating environments.
It is clear from the huge number of successful cyberattacks and large data breaches that the required safeguards and the language of the HIPAA Security Rule needed updating. In 2010, the first full year of data breach reporting, as mandated by the HITECH Act, OCR received 199 reports of data breaches affecting 500 or more individuals. By 2019, that figure had more than doubled, and tripled by 2020. For the past five years, more than 700 large healthcare data breaches have been reported each year, with a new record set in 2025 when 772 large data breaches were reported to OCR.
For such a highly regulated sector that stores huge volumes of highly valuable data, access to which is vital to ensure patient safety, it may seem surprising to outsiders to learn that data encryption and multifactor authentication are not mandatory, and annual risk assessments, vulnerability scans, and penetration tests are not currently legal requirements and are only best practices.
The proposed rule introduced a swathe of new mandatory security requirements, coupled with a change in the language of the Security Rule that removed some of its flexibility. The proposed rule removed the distinction between addressable and required implementation specifications. While addressable never meant optional, the update makes that clear. All implementation specifications are required.
There are new requirements for encryption, multifactor authentication, anti-malware software, network segmentation, penetration tests, vulnerability scans, and more prescriptive requirements for risk analyses, which must be conducted at least annually. Regulated entities will also be required to maintain an accurate and up-to-date technology asset inventory, and a network map showing how ePHI flows through the organization.
Implementing the proposed changes will not be cheap. The HHS anticipates an initial industry year one cost of $9 billion, dropping to $6 billion a year for the following five years. The proposed rule change did not go down well, due to the cost of implementation, the initial and ongoing burden of compliance, the short timeline for compliance, and the lack of flexibility of the proposed rule. OCR received more than 4,700 comments in response to the proposed rule, and considerable negative feedback from hospitals, health systems, trade organizations, and stakeholder groups.
The changes to the Security Rule are coming, but regulated entities have more time to implement the required changes, as the final rule is not due until at least July 2027, and may even be delayed further still.
HIPAA Privacy Rule Final Rule Given Priority
In addition to the Security Rule update, OCR has been working on an update to the HIPAA Privacy Rule. The update was proposed by OCR in 2021 in the final days of the Trump administration, but it was not prioritized by OCR during the Biden years. The updated regulatory agenda for 2026 shows that OCR is now prioritising the update to the HIPAA Privacy Rule. The final rule implementing the proposed changes to the Privacy Rule is due for release next month (August 2026).
The Privacy Rule update will expand individuals’ rights over their protected health information, improve care coordination and family and caregiver involvement in the care of individuals, expand permission to use and disclose the PHI of individuals in the Armed Services, and reduce the administrative burden on HIPAA-covered entities.
The HHS is also working on information sharing initiatives and enhancing health IT interoperability, including expanding API capabilities, which are being prioritized over the proposed security requirements. Also, later this year in November, OCR plans to issue a notice of proposed rulemaking regarding the time covered entities are given to respond to requests for patient access to PHI.
