New HIPAA Regulations 2026
New HIPAA regulations are published more often than many people realize, and because most of them involve only minor changes, or affect only a small number of covered entities and business associates, they generally go unnoticed. However, in 2024 there were several significant HIPAA changes and updates, as well as HIPAA Notices of Proposed Rulemaking that could well progress to final rules, resulting in further significant changes in 2026.
Notable recent HIPAA changes that will be covered in more detail below are the 2024 update to the HIPAA Privacy Rule to strengthen reproductive health information privacy and an amendment to the HITECH Act in 2021, which required the Department of Health and Human Services (HHS) to consider an entity’s compliance with a recognized security framework when determining the scale of a corrective action plan and/or the amount of a civil monetary penalty for a violation of HIPAA. However, the most important HIPAA change in 2026 could be an update to the HIPAA Privacy Rule. A Notice of Proposed Rulemaking was issued by the HHS in 2021 during President Trump’s first term to update the HIPAA Privacy Rule to improve care coordination and reduce the compliance burden on HIPAA-covered entities. A final rule was not issued by the HHS under the Biden administration, but it is now looking likely that the HHS will at last implement the proposed changes, potentially later this year.
The new HIPAA regulations discussed below will result in material changes to policies and procedures, and that means that covered entities and business associates will need to provide HIPAA training on the updated policies and procedures to members of the workforce, in addition to the annual refresher HIPAA training they should already be providing. It is important for covered entities and business associates to keep up to date with HIPAA changes because a lack of knowledge is not a valid defense for a HIPAA violation in the eyes of regulators. It should also be noted that in a December 2023 Security Rule “Concept Paper,” the HHS stated that it intends to ask Congress for more resources to investigate data breaches and complaints about potential HIPAA violations. The HHS is also petitioning Congress to increase the maximum fines for HIPAA violations.
Rule Changes Related to HIPAA Compliance
Rule changes that affect HIPAA compliance can happen at both the state and federal levels. For example, when the Texas Medical Privacy Act was amended by HB 300, covered entities that collect, receive, use, or transmit PHI relating to Texas citizens had to consider the increased patients’ rights and fewer permissible disclosures under the Texas law, as HB 300 added further requirements to the minimum standards of the HIPAA Rules.
Other non-HIPAA rule changes can affect covered entities nationwide. One example is the changes to the 42 CFR Part 2 (The Confidentiality of Substance Use Disorder Patient Records) regulations in 2017 and 2020. The Part 2 regulations apply only to SUD patient records, so there is a two-tier system for the privacy of some Protected Health Information. In February 2024, the HHS attempted to fix this two-tier system by publishing a Final Rule more closely aligning the Part 2 requirements with the HIPAA Privacy Rule. The Final Rule includes measures allowing re-disclosures of Part 2 records by HIPAA-covered entities, provided the disclosures are permitted under the HIPAA Privacy Rule, aligning SUD Patient Notices with the HIPAA Notices of Privacy Practices, and requiring breach notifications to be issued for breaches of SUD records consistent with the requirements of the HIPAA Breach Notification Rule. The deadline for updating Notices of Privacy Practices to accommodate the Part 2 rule changes is February 16, 2026.
HIPAA Changes Attributable to Advancing Interoperability Initiative
There have also been several rule changes to Chapter IV of the Public Health Code – particularly with regard to the HHS Advancing Interoperability initiative. Some of the changes affect HIPAA-covered entities inasmuch as covered entities will be required to implement a Patient Access API that allows patients to use an app of their choosing to access PHI held by or on behalf of a covered entity.
The requirements of the “CMS Interoperability and Patient Access” Final Rule (85 FR 25510) not only have implications for complying with Privacy Rule standards relating to patients’ rights but also for complying with HIPAA Security Rule standards relating to risk analyses. The HHS’ Office for Civil Rights will consider it a violation of HIPAA to deny a patient access to their PHI via an app unless it can be demonstrated that their systems would be endangered if they were to engage with a specific third-party application through an API.
New HIPAA Regulations 2024-2026
The most significant new HIPAA Rules in 2024 related to an update to the HIPAA Privacy Rule to strengthen reproductive health information privacy, although in June 2025, the final rule was vacated by a federal judge following a legal challenge. The Texas judge ruled that the update was unlawful because it exceeded the HHS’s statutory authority and limited the ability of states to enforce their own laws related to abortion and gender-affirming care. The HHS chose not to appeal the decision, so the final rule was rescinded, although the section requiring Notices of Privacy Practices to be updated (by February 16, 2026) per the Part 2 changes remains.
In 2021, a proposed update to the HIPAA Privacy Rule was issued, and feedback on the proposed rule was collected from HIPAA-regulated entities, healthcare stakeholders, and the public. The HHS has had ample time to review the feedback; however, a final rule was not issued by the HHS under the Biden administration, as there were other priorities, such as strengthening reproductive health information privacy and updating the HIPAA Security Rule to improve healthcare cybersecurity.
The administration change in January 2025 and the return of President Trump made a final rule to implement the HIPAA Privacy Rule changes more likely; however, the HHS had other priorities during the first year, and faced significant disruption and staff cuts. While there were no signs last year that a final rule would be released, in January 2026, OCR Director Paula Stannard announced that a Tribal Consultation on Proposed Modifications to the HIPAA Privacy Rule will take place in February 2026, indicating that OCR intends to publish a final rule. Potentially still to come is a rule relating to code sets and transactions proposed by the Centers for Medicare and Medicaid Services (CMS) – although that too has yet to progress to a final rule. A final rule implementing the changes could well be released in 2026.
What looks less likely to proceed to a final rule in 2026 is the proposed update to the HIPAA Security Rule. A Notice of Proposed Rulemaking was published by OCR in the final days of the Biden Administration, seeking to update the HIPAA Security Rule with a swathe of new cybersecurity requirements, including several measures detailed in the voluntary Health and Public Health Sector Cybersecurity Performance Goals (HPH CPGs), published by OCR in January 2024. In 2025, OCR collected extensive feedback on the proposed rule, a considerable amount of which was negative. Health systems, provider organizations, and industry groups have voiced strong opposition to the proposed changes because of the significant financial and administrative burden the proposed rule would place on covered entities. A coalition of health systems and industry groups, led by CHIME, has petitioned the Secretary of the HHS to rescind the proposed HIPAA Security Rule update.
Final Rule to Implement Proposed Updates to the HIPAA Privacy Rule
OCR has yet to issue a final rule implementing proposed modifications to the HIPAA Privacy Rule that were first announced in December 2020 and published in the Federal Register in early 2021. The comment period has long since passed, but consultations are taking place in early 2026, after which OCR is expected to issue a final rule implementing the proposed changes, possibly altered to a degree based on the feedback collected during the comment period and the subsequent consultations.
The proposed update includes many changes to the HIPAA Privacy Rule to give individuals more rights over their health information while also removing some of the barriers to information sharing, care coordination, and case management. The proposals include:
- Permitting patients to inspect their health records in person and take notes and photographs of their health records, free of charge.
- Changing the fee structure to allow copies of electronic records to be obtained free of charge.
- Requiring covered entities to post on their websites their estimated fee schedules for providing individuals with access to their PHI.
- Shortening the time frame for providing copies of requested health records from 30 days to 15 days, including shortening the maximum permitted extension to 15 days.
- Creating an exception to the Minimum Necessary Standard for disclosures of PHI for individual-level care coordination and case management.
- Permitting disclosures of PHI when needed to help individuals with substance use disorder, serious mental illness, and emergency circumstances.
- Permitting disclosures of PHI for individual-level care coordination and case management (to avoid confusion about whether consent is required).
- Broadening the definition of healthcare operations to cover care coordination and case management.
- Expanding the scope of the armed forces’ authorization to use or disclose PHI.
- Addressing the form of PHI access to include individuals’ personal health applications and transfers of PHI to third parties via a Patient Access API.
- Reducing the requirements for verifying the identity of an individual exercising their access rights so that the individual does not experience an “unreasonable burden”.
The final two proposals will likely send shivers down the spines of compliance officers concerned about unsecured, unencrypted apps with significantly reduced verification requirements remotely accessing PHI. However, in a subsequent proposed interoperability rule (87 FR 76238), HHS commented that covered entities can only warn patients that apps are unsecured – they cannot block access to PHI “absent an unacceptable security risk to the covered entity’s own system”.
While this seems to contradict the objectives of the Security Rule (“to protect individuals’ electronic PHI [and] ensure the confidentiality, integrity, and security of electronic PHI”), HHS has stated the proposed new HIPAA regulations do not increase the risk of a HIPAA security breach because, if PHI is breached in transit or at rest once it has left the covered entity’s servers for a permissible use or disclosure, the vendor of the app to whom PHI is transmitted is liable.
CMS Proposed New HIPAA Regulations in 2024 Regarding Transaction Codes for Healthcare Attachment Transactions
In addition to the proposed modifications to the Privacy Rule and adjustments to the CMS Interoperability and Patient Access Final Rule, CMS has also proposed the addition of three new transaction codes for healthcare attachment transactions. While these new HIPAA regulations will not affect many covered entities or business associates, the Proposed Rule (87 FR 78438) stipulates HIPAA e-signature requirements for when the transaction codes are used.
The significance of stipulating HIPAA e-signature requirements is that electronic signatures are used in a number of healthcare transactions – not only those covered by the transaction and code set rules in HIPAA Part 162, but also for activities such as digitally signing Business Associate Agreements, acknowledging receipt of a Notice of Privacy Practices, remotely authorizing uses and disclosures of PHI not permitted by the HIPAA Privacy Rule, and e-prescribing.
If the HIPAA e-signature requirements are more widely adopted throughout the HIPAA Administrative Simplification Regulations, the new HIPAA regulations could – in theory – be applied to patients connecting to covered entities’ Patient Access APIs via personal health apps. This could potentially resolve the issue of verifying patient ID without an unreasonable burden to – at the least – ensure the person connecting to the Patient Access API is who they claim to be.
HIPAA Privacy Rule Changes Concerning Uses and Disclosures of Reproductive Health Information (Vacated)
The final rule announced by OCR on April 22, 2024, to strengthen reproductive health information privacy has been vacated nationally following a legal challenge. The decision could have been appealed, but OCR chose to take no action. The update is still covered here because it was a significant HIPAA update in 2024, and because it demonstrates that HIPAA changes are not necessarily permanent.
The HIPAA Privacy Rule changes (in 88 FR 23506) concern how reproductive healthcare information can be disclosed for civil, criminal, or administrative proceedings, such as investigations of out-of-state abortions that are legally provided in one state but are prohibited under state law where the patient resides.
Following the decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization that overturned Roe v. Wade and removed the federal right to an abortion, many states introduced laws that prohibit or restrict access to abortion care. As a result, women in those states who seek abortions are required to travel out of state to a more permissive state to receive the care they need, where it can be legally provided.
Authorities in states with abortion bans or restrictions may seek to prosecute individuals who obtain that care legally out of state, as well as the healthcare professionals who facilitate those procedures. While the HIPAA Privacy Rule did not compel healthcare providers to respond to requests for information about procedures performed, such disclosures were permitted. The HHS believes that the risk of disclosure of reproductive health information may discourage patients from sharing important health information with physicians, which could negatively impact the level of care they receive. Because of this risk, the agency has updated the HIPAA Privacy Rule to strengthen reproductive health information privacy.
The reproductive health care final rule creates a new definition for “reproductive health care,” which is defined as “health care [as currently defined under HIPAA] that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” When an individual is seeking, obtaining, providing, or facilitating reproductive health care, and that health care is lawful in the state in which it is provided, a covered entity or business associate must restrict the uses and disclosures of that information. Due to the broad definition of reproductive health care, the new limitations apply to other pregnancy-related events such as contraception, miscarriage, and fertility treatment.
The Final Rule:
- Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
- Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
- Requires regulated health care providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive health care privacy.
The Final Rule took effect on June 25, 2024, and the compliance date was December 23, 2024, for all requirements of the Final Rule, apart from updates to HIPAA Notices of Privacy Practices – the compliance date for which is February 16, 2026. As previously stated, this rule was vacated by a federal judge in June 2025 and is no longer in effect.
The December 2023 Security Rule Concept Paper
In December 2023, HHS published a Concept Paper outlining a cybersecurity framework to improve cyber resiliency and better protect patient data. At the heart of the framework was a plan to develop “voluntary” cybersecurity goals and incentivize healthcare providers to adopt best practices to help them reach Cybersecurity Performance Goals (CPGs), which were published by OCR in January 2024.
The HPH-specific CPGs include high-impact cybersecurity practices that are likely to significantly improve resilience to cyber threats and are split into ‘essential’ and ‘enhanced’ CPGs. The essential CPGs should be adopted by all HIPAA-regulated entities first before they mature their cybersecurity programs by adopting the enhanced CPGs. To ease the burden on low-resourced healthcare providers, OCR has requested funds to provide financial assistance to help those healthcare providers implement the CPGs. While these CPGs are currently voluntary, OCR indicated some will become mandatory through future rulemaking, some of which have been included in the proposed update to the HIPAA Security Rule. The CMS will also be adding new cybersecurity requirements that will be a condition of participating in the Medicare and Medicaid programs, although there is no timescale for when that will happen.
Proposed New HIPAA Regulations Updating the Security Rule
Further to the 2023 Concept Paper and 2024 HPH CPGs, OCR published a Notice of Proposed Rulemaking in January 2025, which substantially updates the existing HIPAA Security Rule, introduces new cybersecurity measures, and includes HIPAA changes that reflect court decisions that have affected OCR’s enforcement of the HIPAA Security Rule. The proposed new HIPAA regulations in 2025 run to 393 pages and include extensive changes to make the HIPAA Security Rule more focused on risk identification and remediation. The proposed new HIPAA regulations in the 2025 update include:
- Technology asset inventory and network map – The requirement to develop a technology asset inventory and network map illustrating the movement of ePHI through electronic information systems. A review of the inventory and network map will be required at least every 12 months.
- Risk analysis – If finalized, the new HIPAA regulations will include more specific requirements for risk analysis, including a review of the technology asset inventory and network map, identification of potential vulnerabilities and predisposing conditions affecting the regulated entity’s electronic information systems, and an assessment of the risk level for each identified threat or vulnerability.
- Contingency planning and security incident response – Time limits are being proposed for how long HIPAA-regulated entities have to restore systems and data following a cybersecurity attack. The proposals would impose a 72-hour limit for restoring critical systems and data, with restoration prioritized according to criticality.
- HIPAA Security Rule compliance audits – The proposed 2025 changes to the HIPAA Security Rule will make it mandatory for HIPAA-covered entities and business associates to conduct and document an internal HIPAA Security Rule compliance audit at least every 12 months.
- Reviews and tests of security measures – Reviews and tests of the security measures must be conducted at least every 12 months, with the exception of vulnerability scans, which must be conducted every six months. It will also be necessary for HIPAA-covered entities to verify business associate security measures annually.
- Other proposed HIPAA rule changes include: Technical safeguards must be applied to mobile phones, tablets, and other portable devices; all electronic PHI must be encrypted at rest and in transit; extraneous software must be removed from electronic information systems maintaining electronic PHI; multifactor authentication must be implemented; networks must be segmented to hamper lateral movement; and anti-malware software must be implemented.
One further change to the HIPAA Security Rule affecting all implementation specifications is that the distinction between “required” and “addressable” implementation specifications will be removed. This change makes it clear that all requirements must be implemented, although there are limited exceptions to certain implementation specifications.
FTC Publishes Final Rule Updating the Health Breach Notification Rule
While OCR, the CMS, and state Attorneys General are the enforcers of compliance with the HIPAA Rules, the Federal Trade Commission (FTC) has rules that apply to healthcare data and the non-HIPAA-covered organizations that collect, store, and process that information. The FTC enforces the FTC Act – which prohibits deceptive and unfair business practices – and the Health Breach Notification Rule. The FTC’s Health Breach Notification Rule applies to non-HIPAA-regulated entities and requires notifications to be issued when healthcare data is breached. The FTC has been actively enforcing the FTC Act and the Health Breach Notification Rule and has taken action against several organizations that collect, process, and share health data.
In April 2024, the FTC published a final rule that updates the Health Breach Notification Rule to better protect consumers’ sensitive health data and make sure that the decade-old rule keeps pace with changes in the health marketplace. The definition of “Personal Health Record (PHR) identifiable health information” has been modified, and new definitions have been added for “covered health care provider” and “health care services or supplies” to ensure that the rule applies to health apps and similar technologies not covered by HIPAA. The change means that the rule applies to data generated from interacting with apps, as well as to standard health information such as diagnoses and medications. The final rule also covers emergent health data, which includes purchase records related to healthcare and location data that can be used to make inferences about a person’s medical history.
The rule has new requirements for what information must be provided to consumers in breach notifications, such as the entities that have impermissibly received the health data. The new requirements permit breach notifications to be made via email and other electronic methods, and the timescale for issuing notifications has been changed. Notifications must be issued without undue delay and within 60 days of the discovery of a breach, and the FTC must be notified at the same time if the breach involves 500 or more individuals. The final rule took effect on July 29, 2024.
New HIPAA Regulations: FAQs
Where is the best place to find the latest changes to HIPAA law?
The best place to find the latest changes to HIPAA law that relate to Parts 160 and 164 of the HIPAA Administrative Simplification Regulations is the HIPAA Newsroom on the HHS website. Alternatively, you can sign up for HHS’ Email Updates or navigate through the items in the CMS Newsroom to find changes to Part 162 of the HIPAA Administrative Simplification Regulations and other proposals that may affect compliance with the HIPAA Privacy and Security Rules.
How long does it take for Proposed Rules to become new HIPAA regulations?
The time it takes for proposed rules to become new HIPAA regulations depends on the number and complexity of the proposals and the processes required by the Administrative Procedure Act. For example, the three new transaction codes and the e-signature requirements proposed in December 2022 are relatively straightforward, yet have still not become new HIPAA regulations in 2026. The modifications to the HIPAA Privacy Rule proposed by OCR in January 2021 have yet to progress to a final rule after 5 years; however, the proposed update to the HIPAA Privacy Rule to strengthen reproductive health information privacy progressed to a final rule rapidly, although the changes were vacated the following year.
Are there further 2026 HIPAA changes in the pipeline?
There are further 2026 HIPAA changes in the pipeline. In April 2022, HHS’ Office for Civil Rights published a Request for Information (RFI) with regards to implementing two requirements of the HITECH Act – the first being what constitutes a recognized security framework for the purposes of complying with the 2021 “Safe Harbor” amendment, and the second relating to a provision of the HITECH Act relating to “settlement sharing” when a civil monetary penalty is imposed.
How soon after publication do new HIPAA rules take effect?
How soon after publication new HIPAA rules take effect varies according to the complexity of the rules. For example, some new HIPAA Rules have an effective date of ninety days after publication. However, CMS has given covered entities required to implement Patient Access APIs three years to acquire the software, ensure it complies with the HIPAA Security Rule, develop policies on the software’s use, and train members of the workforce.
In some cases, part of a HIPAA rule change can have one effective date, while another part of the same HIPAA rule change can have a different effective date. When the HHS’ Office for Civil Rights published the new HIPAA rules in 2024 relating to reproductive health, the effective date was June 25, 2024, except for the requirement to update HIPAA Notices of Privacy Practices. The requirement to update HIPAA Notices of Privacy Practices was delayed until February 16, 2026, in order to align the changes with those required by the 42 CFR Part 2 Final Rule 2024.
How likely is a HIPAA Omnibus Final Rule in 2026 similar to the HIPAA Omnibus Final Rule in 2013?
The likelihood of a HIPAA Final Rule in 2026 similar to the Omnibus Final Rule in 2013 is quite remote due to the volume of new HIPAA regulations in 2024 and the dissimilarities between the proposals in outstanding HIPAA NPRMs. Logically, there are connections between the Advancing Interoperability Initiative, the new transaction codes for e-signatures, and the 2023 Security Rule Concept Paper, but the synchronization of these connections into a 2026 HIPAA Omnibus Final Rule seems unlikely.
When were the last HIPAA Privacy Rule changes?
The last HIPAA Privacy Rule changes were in April 2024 when the HIPAA Final Rule to Support Reproductive Healthcare Privacy was published. However, the changes were vacated by a Texas judge in June 2025 following a legal challenge. The changes to the Part 2 regulations have also impacted HIPAA-covered entities and business associates who create, receive, maintain, process, or transmit Protected Health Information relating to substance use disorders, and those requirements remain in effect.
What are the HIPAA training requirements for the 2024 HIPAA updates?
The HIPAA training requirements for the 2024 HIPAA updates are that training must be provided to any member of the workforce whose functions are affected by a material change in the covered entity’s or business associate’s policies and procedures.
If a covered entity or business associate has revised their policies and procedures “with respect to Protected Health Information” in order to comply with the new attestation requirements of §164.509 or disclosure requirements of the 42 CFR Part 2 Final Rule 2024, it will be necessary to provide training to all affected members of the workforce on the revised policies and procedures.
However, due to the sensitive nature of healthcare information governed by these requirements, it is advisable to make all members of the workforce aware of the changes if PHI created, collected, maintained, processed, or transmitted by the organization includes information relating to reproductive health or substance use disorders.
What new Rules were added to HIPAA in 2024?
No new Rules were added to HIPAA in 2024. The new HIPAA regulations in 2024 relating to the privacy of reproductive health information added a new section to the existing HIPAA Privacy Rule, but were not a new Rule, and besides, they have now been vacated by a Texas judge. It is conceivable that new HIPAA changes and updates for 2026 result in a new Rule being added to HIPAA, depending on how the proposed cybersecurity strategy, “safe harbor”, and penalty-sharing provisions are implemented.
