HIPAA Changes 2026
Recent HIPAA changes in 2024 have included a new section of the HIPAA Privacy Rule, changes to Part 162 of HIPAA to improve continuity of care, and an increase in the penalties for HIPAA violations. Potential HIPAA changes for 2026 include updates to the HIPAA Privacy Rule to accommodate CMS’ Advancing Interoperability initiative, a final rule implementing changes to the HIPAA Privacy Rule first proposed in 2020, and changes to the HIPAA Security Rule to meet the goals of HHS’ Healthcare Cybersecurity Strategy.
It was a busy year for HIPAA changes in 2024. While the headline update to HIPAA was the changes to the HIPAA Privacy Rule to protect the privacy of reproductive health information, there were also smaller HIPAA updates taking place to improve the continuity of care when a patient changes payers, and an increase in the penalties for HIPAA violations. However, it could be an even more eventful year for HIPAA changes in 2026.
The main HIPAA change in 2024 did not remain in effect for very long. In June 2025, the Biden administration’s update to the HIPAA Privacy Rule to strengthen reproductive health information privacy was vacated by a Texas judge following a legal challenge. The ruling vacated the final rule nationally, including the updates to definitions of a person, the new term ‘reproductive health information’, the banning of disclosures of that information to support investigations into procedures performed legally where the care was provided, and the requirement to obtain an attestation that the disclosed information would not be used for a prohibited purpose. The HHS chose not to appeal the Texas court’s decision.
Proposals to accommodate CMS’ Advancing Interoperability initiative could see further changes to the HIPAA Privacy Rule, and a final rule may be issued for the HIPAA Security Rule update proposed in the final days of the Biden administration. In addition to the above, there are several outstanding HIPAA NPRMs (Notices of Proposed Rulemaking) covering topics such as recognized security practices, settlement sharing, and e-signatures – notwithstanding that healthcare providers and payers in Part 2 programs have until February 2026 to comply with the changes announced in the 42 CFR Part 2 Final Rule.
The recent HIPAA changes – and those which are in the pipeline – not only require changes to HIPAA policies and procedures. Under §164.530(b) of the HIPAA Privacy Rule, members of the workforce must receive refresher HIPAA training when their functions are affected by a material change to policies and procedures – such as the attestation requirements of §164.509.
Future HIPAA Privacy Rule Changes
HIPAA Privacy Rule changes between 2013 and 2023 were infrequent, minor, and most often in response to a new law or an Executive Order that impacted an existing standard. For example, in 2014, a change attributable to the Clinical Laboratory Improvement Amendments removed an exception to patients’ rights of access in §164.524 (Access of Individuals to PHI). Two years later, a new clause was added to §164.512 (Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is Not Required) in response to an Executive Order. The change to the HIPAA Privacy Rule permits covered entities to disclose the identities of certain individuals to the National Instant Criminal Background Check System (NICS).
In 2021, the HHS’ Office for Civil Rights published a comprehensive HIPAA NPRM (OCR-0945-AAOO) that proposed multiple changes to the HIPAA Privacy Rule in order to accommodate CMS’ Advancing Interoperability initiative and the Department’s “Regulatory Sprint to Coordinated Care”. The major provisions in the proposed update include:
- Modifying patients’ rights so they can access copies of PHI within 15 days, take photos of PHI, and send copies to a third-party provider or app.
- Amending the definition of health care operations to permit disclosures of PHI for individual-level care coordination and case management.
- Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures.
- Replacing language referring to “professional judgment” with “good faith belief” (that disclosures are in the best interests of individuals).
- Changing the wording of disclosures to avert a threat to health and safety to “serious and reasonably foreseeable” from the stricter “serious and imminent”.
- Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a treatment provider’s Notice of Privacy Practices.
Due to the complexity of the HIPAA NPRM and attempts to align patients’ rights with HHS’ Advancing Interoperability initiative, the proposed changes have not yet been finalized. Comments were collected from healthcare industry stakeholders; however, the comment period has long since closed. The proposed updates have not been forgotten, although they may have been shelved under the Biden administration. In January 2026, OCR Director Paula Stannard announced a Tribal consultation on the proposed HIPAA Privacy Rule changes would take place in February 2026, showing clear progress toward a final rule, potentially in mid to late 2026. It remains to be seen if these proposed HIPAA changes are combined with other proposed HIPAA changes (discussed below) and finalized in an Omnibus HIPAA Final Rule 2026.
HIPAA Security Rule Changes
Since its publication in 2003, the only change to the HIPAA Security Rule occurred in 2013 when language was added to clarify that business associates were required to comply with all applicable standards and implementation specifications. However, an amendment to the HITECH Act in 2021 instructed HHS’ Office for Civil Rights to consider a breached entity’s “recognized security practices” when considering HIPAA sanctions and other remedies.
The HHS’ Office for Civil Rights has struggled to define “recognized security practices” and, in 2022, published a Request for Information seeking input from the public. The agency also released a video providing more information about what security practices it considers as “recognized” and discussing comments it received in response to the Request for Information. Nonetheless, no new HIPAA rules have been published to provide guidance.
This may be about to change following the publication of HHS’ Healthcare Cybersecurity Strategy and subsequent Cybersecurity Performance Goals (CPGs). When the strategy was originally published, it stated, “HHS Office for Civil Rights will begin an update to the HIPAA Security Rule in spring of 2024 to include new cybersecurity requirements”. In addition, although the CPGs are voluntary, HHS stated they “will inform future rulemaking”.
Proposed Updates to HIPAA Security Rule
The “future rulemaking” materialized in January 2025, when the HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking (NPRM) “to strengthen the cybersecurity of electronic Protected Health Information”. The NPRM proposes updates to the HIPAA Security Rule to incorporate the Cybersecurity Performance Goals, adds measures relating to risk analyses, and introduces timeframes for the frequency of security reviews.
Although this update to HIPAA is in the “proposed” stage, it could take effect by the end of 2026, depending on the goals of the HHS under the Trump administration. OCR requested feedback on the proposed changes, and the comment period closed on March 7, 2025. A considerable amount of negative feedback was submitted in response to the proposed rule. While health systems, providers, and industry groups appreciate the need for improved cybersecurity, the extensive security updates required by the proposed rule will place a considerable administrative burden on regulated entities as well as a financial burden. For these reasons, amongst others, many stakeholders are against the proposed updates. A coalition of industry grloups nad healthcare organizations led by CHIME has petitioned the HHS Secretary to rescind the proposed rule.
It is unclear whether the request will be heard or will fall on deaf ears. Since there is a clear need to improve healthcare cybersecurity, and HIPAA-regulated entities have had two years to adopt the voluntary CPGs, the HHS may proceed with the release of a final rule implementing some or all of the proposed changes. Therefore, it is important for HIPAA-covered entities and business associate to review the current level of their HIPAA compliance and prepare for HIPAA changes such as:
- The proposed requirement to develop a technology asset inventory and map the movement of electronic PHI through assets and information systems.
- The technology asset inventory and network map must be reviewed at least annually, and a risk assessment must be conducted to identify threats and vulnerabilities.
- Contingency plans and security incident responses must be prepared to recover systems and data within seventy-two hours of a cyberattack.
- Covered entities and business associates will be required to conduct annual security audits, and covered entities will be required to verify business associate audits.
- All electronic PHI will have to be encrypted at rest and in transit, including when it is transmitted by mobile devices, which must also comply with the Technical Safeguards before use.
- Vulnerability scans will be required twice a year, with penetration tests and other security tests conducted and documented at least annually.
- Mandatory cybersecurity measures such as multifactor authentication, network segmentation, and anti-malware protection.
- More specific requirements for the risk analysis, including a review of the technology asset inventory and network map, identification of all reasonably anticipated threats and vulnerabilities, and an assessment of the level of risk each poses and the likelihood of exploitation.
- Importantly, it has been proposed that most “addressable” implementation specifications become “required“ – limiting regulated entities’ “flexibility of approach”.
HIPAA Enforcement Rule Changes
In 2009, Section 13410(d) of the HITECH Act amended §1176 of the Social Security Act to introduce a four-tier civil monetary penalty structure for violations of HIPAA according to the level of culpability. The amendment also removed the previous affirmative defense to the imposition of penalties if a covered entity (or, from 2013, a business associate) did not know and, with the exercise of reasonable diligence, would not have known of the violation.
Under the HITECH Act amendment, the maximum penalty per violation type per year was set at $1,500,000; however, following the passage of the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, the minimum and maximum penalties in each penalty tier have been increased annually to account for inflation. As of December 2024, the civil monetary penalties for violations of HIPAA are detailed in the table below. There was no inflation multiplier applied for 2025, even though it was required by the Office of Management and Budget, and the increase to apply the 2026 multiplier is now due. Both increases will likely be applied at the same time at some point in 2026.
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation Type | Maximum Penalty per Violation Type | Annual Penalty Limit |
| Tier 1 | Lack of Knowledge | $141 | $35,581 | $35,581 |
| Tier 2 | Lack of Oversight | $1,424 | $71,162 | $142,355 |
| Tier 3 | Willful Neglect | $14,232 | $71,162 | $355,808 |
| Tier 4 | Willful Neglect not Corrected in 30 days | $71,162 | $2,134,831 | $2,134,831 |
As well as increases to the minimum and maximum penalties, a potential HIPAA change in 2026 could result in settlement sharing with victims of data breaches who have experienced harm. This requirement of the HITECH Act has yet to be enacted. In April 2022, HHS published a Request for Information soliciting comments on the types of harm that should be considered and the methodologies for distributing funds, but there has been no apparent progress toward implementing this requirement since.
Other HIPAA Rule Changes
The CMS has exercised its authority to publish HIPAA rule changes to Part 162 of the HIPAA Administrative Simplification Regulations on several occasions. In 2014, the agency changed the compliance date for previously published ICD-10 transaction standards, and in 2019, a more recent HIPAA change rescinded a previous Rule requiring the adoption of a standard unique health plan identifier following four years of “enforcement discretion”.
However, the most significant CMS HIPAA changes occurred in 2020 when the agency published the “Interoperability and Patient Access” Final Rule (85 FR 25510). Among other provisions, this Rule requires covered entities (and business associates where applicable) to implement and maintain a standards-based Patient Access API that allows patients to use an app of their choosing to access PHI held by or on behalf of a covered entity.
While this Rule does not amend any HIPAA standards other than those in Part 162, it has implications for complying with patient rights mandated by the HIPAA Privacy Rule and the risk assessment standards of the Security Rule. This is because covered entities will not be able to refuse access requests if there is no provable risk to the security of electronic PHI maintained by the covered entity while a third-party app is connected to the Patient Access API.
More recent HIPAA rule changes introduced to improve the continuity of care include measures to streamline prior authorization processes and standards to facilitate payer-to-payer data exchanges, while an earlier NPRM proposes HIPAA e-signature requirements for healthcare attachments that could be extended to other HIPAA processes. The e-signature requirements are likely to be among many HIPAA changes in 2026.
Other Rules and Changes that Impact HIPAA Compliance
HIPAA is not the only federal law that imposes standards for the privacy of health information. In 2017, the Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR Part 2) was updated for the first time in 22 years – creating a two-tier scenario in which some individually identifiable health information had fewer permissible uses and disclosures than other health information.
Now known as the Confidentiality of Substance Use Disorder Patient Records, or Part 2 Regulations for short, this Part of the Public Welfare Code was again updated in 2020 to “align the regulations with advances in the health care delivery system”. Further updates were finalized in February 2024 that align Part 2 regulations with those of the HIPAA Privacy Rule to make it easier for covered entities to use and disclose Part 2 records. It should be noted that the requirement to update HIPAA Notices of Privacy Practices has a deadline of February 16, 2026.
In addition to other regulations in the Public Welfare Code, other federal laws, and Executive Orders, state rules – and changes to them – can also impact HIPAA compliance. The best example of this is the Texas Medical Records Privacy Act, as amended by HB 300, which classifies all entities that assemble, analyze, use, evaluate, store, or transmit the PHI of a Texas citizen as covered entities.
Conversely, other state laws can exempt HIPAA-covered entities from complying with state privacy and/or breach notification regulations. This can result in a scenario in which an Organized Health Care Arrangement or other healthcare group can operate on two sides of a state border and be subject to different privacy, security, and breach notification regulations and procedures.
Other Law Changes Related to Health Information Privacy and Security
The Federal Trade Commission (FTC) has been actively enforcing compliance with the FTC Act, which prohibits deceptive and unfair business practices and has taken action against multiple healthcare companies for failing to notify consumers that the information collected via website tracking technologies is disclosed to third parties for advertising purposes.
The FTC has also started enforcing its Health Breach Notification Rule, and in 2024, issued a final rule updating the Health Breach Notification Rule. The final rule broadens definitions to ensure the rule applies to health apps and similar technologies not covered by HIPAA, and that it covers data security breaches and unauthorized disclosures.
The final rule also expands the use of electronic notices to consumers, clarifies what information must be included in notices, and changes the time frame for issuing notices. Now in effect, the change to the FTC Act affects HIPAA-covered entities and business associates who maintain non-health information (i.e., marketing data) in different data sets from electronic PHI.
How to Keep Up to Date with HIPAA Changes in 2026
Due to the HIPAA update to the HIPAA Enforcement Rule that removed the affirmative (“did not know”) defense to the imposition of penalties for HIPAA violations, it is important that covered entities and business associates keep up to date with HIPAA changes. There are many sources of HIPAA news, but the best place to find the latest changes to HIPAA laws is the HHS website.
The most effective way to keep up to date with HIPAA changes in 2026 is to sign up for HHS’ Email Updates. The best of the update services to subscribe to is the “Weekly News Digest” because these are easier to scan to see if there are any recent HIPAA changes that affect your organization. You can also comment on open rules (i.e., Requests for Information and NPRMs) via the HHS Laws and Regulations Home Page.
If your interest extends beyond proposed HIPAA changes to the Office for Civil Rights’ enforcement actions, guidance, and other press releases, the HHS website hosts a dedicated HIPAA Newsroom web page; while the best place to identify proposals that may lead to future new HIPAA regulations – particularly those relating to Part 162 of HIPAA – is the CMS Newsroom.
HIPAA Changes 2024-2026: FAQs:
What did the Omnibus Final Rule changes to HIPAA in 2013 do?
The Omnibus Final Rule changes to HIPAA in 2013 implemented most of the changes stipulated by the HITECH Act 2009. These included increasing the limitations on uses and disclosures of PHI, making business associates directly liable for HIPAA violations, and expanding patients’ rights. The Omnibus Final Rule also finalized changes to the HIPAA enforcement Rule that, up to that point, had been governed by an Interim Rule.
When was HIPAA last updated?
HIPAA was last updated in August 2024 with the publication of the CMS Final Rule implementing measures to streamline prior authorization processes and standards to facilitate payer-to-payer data exchanges. The Final Rule was amended in October 2024 to correct technical issues, although the technical issues did not relate to the HIPAA update.
Prior to this change to Part 162 of HIPAA, HIPAA was last updated in April 2024 with the publication of the Final Rule relating to the privacy of reproductive health Information. The compliance date for this update to HIPAA was December 23, 2024, except for the requirement to update HIPAA Notices of Privacy Practices (February 16, 2026); however, all but the Notice of Privacy Practices changes were vacated by a Texas judge following a legal challenge.
What were the changes to HIPAA in 2017?
There were no changes to HIPAA in 2017. However, there were changes to the Public Welfare Code (42 CFR Part 2) that impacted HIPAA-covered entities who create, receive, use, store, or transmit patient records that include information about substance abuse disorders. This information is currently subject to stricter uses and disclosures than PHI despite HIPAA changes in 2024 that aligned 42 CFR Part 2 more closely with the HIPAA Privacy Rule.
Where is the best place to find the latest changes to HIPAA law?
The best place to find the latest changes to HIPAA law – or at least changes to the Administrative Simplification Regulations that resulted from the passage of HIPAA – is the HHS’ Office for Civil Rights website. As mentioned in the above article, the opportunity exists to sign up for a “Weekly News Digest” that will deliver the latest changes to HIPAA law to your email inbox.
How will HHS announce HIPAA law changes in 2026?
HHS will announce HIPAA law changes in 2026 via one or more Final Rules published in the Federal Register. Final Rules tend to be long-winded, but they do provide the background to why a standard is being added, amended, or rescinded, and reference the standard in the Code of Federal Regulations so it can be viewed in the context of other standards in the same section.
Where can you find the latest version of HIPAA?
You can find the latest version of HIPAA via the online eCFR system (https://www.ecfr.gov/). The HIPAA Administrative Simplification Rules are in three Parts – 45 CFR 160, 162, and 164. If you only want to find the latest version of the HIPAA Privacy Rule, you can navigate directly to 45 CFR Part 164 Subpart E. (The Security Rule is in Subpart C and the Breach Notification Rule is in Subpart D).
