HIPAA Security Rule Update

For over a year, the healthcare industry has been bracing for significant HIPAA Security Rule updates.

In December 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) proposed the first significant update to the HIPAA Security Rule since 2013, in the form of a Notice of Proposed Rulemaking (NPRM). But the process for changing federal regulations takes time. Over the past fifteen months, the updates have been through internal review at OCR and a public comment period.

The rule is scheduled to be finalized in May 2026. Historically, this would suggest that major new HIPAA security requirements could take effect by the end of 2026. However, since December 2024, the situation has shifted. The “imminent” updates may now be indefinitely postponed.

While the need for stronger cybersecurity has never been more urgent, a mix of industry resistance, policy shifts, and economic worries has slowed the regulatory process. For healthcare stakeholders, this creates a confusing gray area. Should you wait for the new rules to come out before upgrading, or proceed with the current ones?

Although the updates may be stalled, waiting to take action is a dangerous strategy because current cyber threats present costly risks. Covered entities and business associates can reduce those risks by strengthening cyber defenses voluntarily.

Why HIPAA Security Rule Updates Were Proposed

The drive for HIPAA Security Rule updates began before 2024 and is based on a simple reality: the landscape has drastically changed. The threats of 2026 look nothing like the threats of 2003. When the original rule was written, ransomware-as-a-service didn’t exist, and the “cloud” was something you looked at through a window.

The staggering increase in ransomware and other cyberattacks targeting healthcare in recent years has prompted HHS to push the industry to modernize and update its cybersecurity practices. In 2023, HHS began with revised voluntary guidelines.

One year before the NPRM, HHS published a Healthcare Sector Cybersecurity Strategy, and a few months later, HHS and the National Institute of Standards and Technology (NIST) released a revised guide on complying with the HIPAA Security Rule, known as Special Publication (SP) 800-66 Revision 2.

Both of these signaled changes to be included in the HIPAA Security Rule updates. The voluntary standards became “best practices,” and the Security Rule updates were going to make them mandatory. For example, multi-factor authentication and stronger encryption standards are becoming more common as the industry responds to real-world threats.

Some of the key changes listed in the HHS Fact Sheet include:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required, with specific, limited exceptions.
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Add specific compliance time periods for many existing requirements.
  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of electronic Protected Health Information (ePHI) throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis.
  • Strengthen requirements for contingency planning and responding to security incidents.
  • Require business associates and their subcontractors to: provide annual written confirmation of required technical safeguards; and notify covered entities within 24 hours when activating a contingency plan for a security incident, or if workforce access to ePHI changes or ends.

OCR Director Paula Stannard has been a vocal proponent of these updates. In recent public comments, Stannard emphasized that strengthening the Security Rule is not about adding red tape, but about developing a more secure healthcare infrastructure. Her position is that the current standards, while “flexible and scalable,” commonly lack the specificity needed to defend against highly skilled state-backed actors and aggressive ransomware cartels that now target hospitals with clinical exactness.

The Friction: Will the Update Be Delayed?

If delayed, the reasons may be one or more of the following.

Industry Pushback

Healthcare organizations, particularly rural hospitals and smaller provider groups, have strongly opposed the proposed changes. The primary complaints are twofold: financial burden and implementation timelines.

The “financial burden” argument has validity. Many healthcare providers are operating on slim margins due to rising labor costs and inflation. Investing in enterprise-grade cybersecurity tools, hiring staff, and conducting the detailed audits required by the new regulations is costly. Additionally, industry groups argue that the proposed implementation timelines are “unreasonable,” emphasizing that overhauling legacy IT systems in a 24/7 clinical setting cannot be done quickly without compromising patient care.

The Anti-Regulatory Stance of the Administration

The political climate in Washington has contributed to the slowdown. The Trump administration promotes a “deregulatory” agenda, often demanding that agencies remove existing regulations before implementing new ones.

Experts and policy analysts expect the Security Rule updates to stay in regulatory limbo for now. If a mandate is seen as a “job-killer” or an unfair burden on the private sector, it faces strong opposition before it can be approved. In this environment, OCR might struggle to advance any proposal that imposes high compliance costs on businesses.

Supply Chain Complexity

The recent rise in third-party breaches, especially those targeting clearinghouses and billing platforms, has made it harder to create new rules. The largest of those occurred at the healthcare clearinghouse Change Healthcare in February 2024. That cyberattack ultimately affected over half the population of the United States and disrupted hundreds of thousands of healthcare providers for months, causing widespread financial strain, particularly for small to medium-sized providers.

Regulators are struggling to find a balance: how do you hold a smaller provider responsible for the security failures of a large global software vendor? This “downstream” risk management is difficult to regulate without creating a complex set of legal requirements that might actually make responsibility less clear, not more.

The Danger of the “Wait and See” Approach

It is tempting to see the regulatory delay as a break—a chance to save money and keep things as they are. However, hackers don’t wait for the Federal Register to update. In fact, the absence of current regulations might encourage threat actors who know exactly where the “standard” HIPAA defenses fall short.

OCR Enforcement Continues

Even if the Security Rule isn’t updated this year, OCR’s enforcement of existing rules is continuing, especially regarding the “Right of Access” and “Risk Analysis” requirements.

Its investigations in 2025 resulted in fines totaling more than $8.3 million, primarily for inadequate risk analyses. Ransomware incidents, weak technical safeguards, and right of access failures are also on the list. Enforcement priorities in 2026 are much the same.

The Blueprint to Improve Cybersecurity Now

Although the official mandates may be delayed, the “Reasonable and Appropriate” standard in the current Security Rule still applies. This means your organization is legally required to stay up to date with the current threat environment, even if a new rule doesn’t explicitly demand it.

Here’s how healthcare organizations should prioritize their efforts while the updates are pending.

Update Your HIPAA Risk Analysis

The most common cause of HIPAA settlements isn’t a lack of a firewall; it’s a failure to conduct a comprehensive, enterprise-wide Risk Analysis. Don’t view Risk Analysis as a once-a-year task. With the growth of AI tools and telehealth, your risk profile shifts every month. Make sure your Risk Analysis encompasses every device, cloud service, and vendor that interacts with your data.

Evaluate Whether You Meet NIST Standards

Incorporate defenses from the National Institute of Standards and Technology Cybersecurity Framework. Even without a new HIPAA requirement, aligning your defenses with NIST is considered best practice. If an audit occurs and shows that you voluntarily adopted a stricter framework, it demonstrates good faith and compliance.

Prioritize Multi-Factor Authentication (MFA) Everywhere

If there is one “best practice” that was almost certainly going to be mandated in the updates, it is MFA. You shouldn’t wait for a law to require it. MFA is the single strongest barrier against credential harvesting and unauthorized access. Focus on implementing it across all remote access, email accounts, and any administrative access to electronic protected health information (ePHI).

Focus on “Human Firewall” Training

Technology is rarely the weakest link; people are. Use this transition period to move past boring, annual “compliance videos.” Conduct monthly phishing simulations and reward staff for spotting and reporting suspicious emails. Cybersecurity must become a part of the clinical culture, not just an IT concern.

Review and Test Your Contingency Plans

The current Security Rule already requires a contingency plan, but many organizations have plans that look good on paper yet fail in practice. If your servers were encrypted by ransomware tomorrow, do you know—for sure—how long it would take to restore from backups? Have those backups been air-gapped or made immutable? Testing your recovery process is a cost-effective way to significantly improve your security posture without waiting for new regulations.

Tighten Business Associate Agreements (BAAs)

Since third-party risk is at an all-time high, review your contracts. Make sure your BAAs include clear language about breach notification timelines and the right to audit the vendor’s security measures. While you may not control how a vendor operates, you can manage your legal and financial risk with a solid BAA.

Act Today to Protect Yourself and Your Patients’ Data

The Security Rule updates may be delayed, but the need for them still exists. Director Paula Stannard’s warnings about the healthcare sector’s vulnerability are founded on the very real risk of dangerous and costly breaches.

Make a conscious decision: begin strengthening your cyber defenses now. Don’t wait for new regulations to compel action. Implement MFA, perform comprehensive risk assessments, and prioritize staff training today. By acting proactively, your organization will not only meet compliance standards but also protect itself and stay ahead of threats when new rules eventually arrive.
