
New HIPAA Security Rule Changes: What's Proposed & When (2026)
The proposed HIPAA Security Rule overhaul just slipped to 2027. Here's what would change, who it affects, and what to do now, in plain English.
New HIPAA Security Rule Changes
HHS wants to rewrite the HIPAA Security Rule for the first time since 2013, and the proposal would touch nearly every practice, hospital, health plan, and vendor that handles electronic patient data. A quick status check, since most articles on this topic are already out of date: the rule is still a proposal, not law. A final version was expected in May 2026. That month came and went with nothing, and the federal government's public regulatory agenda now shows July 2027.
So you have time. What you don't have is a reason to ignore it, because the changes are big, the preparation is slow, and most of what's proposed already matches what regulators expect when they investigate a breach.
Status as of July 8, 2026: Proposed, not final. The current Security Rule remains fully in force. OCR received more than 4,700 public comments and is still reviewing them; the OMB regulatory agenda lists final action for July 2027, a date that binds no one.
What is the proposed HIPAA Security Rule update?
The Security Rule is the part of HIPAA that governs how electronic protected health information (ePHI) gets secured; it sits alongside the Privacy Rule and the Breach Notification Rule as one of the three rules of HIPAA. Its standards were written in 2003 and lightly revised in 2013, which means the rule protecting your patient data predates ransomware as a business model, telehealth, smartphones, and most of the cloud.
On January 6, 2025, the HHS Office for Civil Rights published a roughly 400-page proposal (a Notice of Proposed Rulemaking, or NPRM) in the Federal Register to close that gap. OCR's reasoning, laid out in its official fact sheet, comes down to two things: healthcare breaches keep setting records, and the deficiencies OCR finds in its investigations keep repeating.
The Change Healthcare attack is the case OCR doesn't have to name. In February 2024, attackers got into a remote access portal using stolen credentials; multi-factor authentication wasn't turned on. Roughly 193 million people had data exposed, and pharmacies nationwide couldn't process claims for weeks. Much of this proposal reads like a direct response to that incident.
Is it final? When would it take effect?
No, and probably not soon. The actual timeline so far:
- January 6, 2025: Proposal published; a 60-day comment period opens.
- March 7, 2025: Comments close with more than 4,700 submitted, among them a letter from eight industry associations, led by CHIME, asking the administration to withdraw the rule entirely.
- Early 2026: OCR Director Paula Stannard tells the HIMSS conference her office is still parsing comments and won't commit to a date.
- May 2026: The original target for a final rule passes with nothing published.
- July 2026: The OMB's regulatory agenda is updated to show final action in July 2027.
If a final rule ever publishes, the math from the proposal works like this: it takes effect 60 days later, compliance is due 180 days after that (240 days total), and business associate agreements get roughly a year. Hold the July 2027 date and compliance deadlines land in early-to-mid 2028. Nobody should treat that as a promise; agency timelines aren't binding, and OCR could move earlier, later, or shelve the whole thing.
What would change: the whole rule in one word is "more"
Nearly 400 pages compress to a single idea. The current rule trusts you to decide what's "reasonable and appropriate" for your organization; the proposed rule stops trusting and starts specifying. Every change fits one of four families: more mandatory controls, more documentation, more proving, and more speed when things break.

One structural shift makes all of it possible. The proposal deletes the distinction between "required" and "addressable" implementation specifications. For twenty years, "addressable" was the escape hatch that let a small practice skip encryption if it documented why. That hatch closes. Everything becomes required, with narrow exceptions that themselves demand paperwork.
More mandatory controls: encryption, MFA, patching, and training deadlines
Encryption of ePHI at rest and in transit gets promoted to its own standard. Exceptions exist, but each one requires written documentation and compensating controls; "we never got around to it" stops being an answer.
Multi-factor authentication becomes required across systems that touch ePHI. The carve-outs are narrow: legacy systems that can't support it and FDA-authorized medical devices from before March 2023, and only alongside a documented plan to migrate off them.
The rest of the requirements:
- Network segmentation, so an attacker who lands in one system can't roam your whole network.
- Patch deadlines: critical-risk vulnerabilities fixed within 15 calendar days, high-risk within 30.
- Configuration hygiene: anti-malware protection, unused software removed, unneeded network ports disabled.
- Training deadlines: new workforce members trained within 30 days of getting access, and everyone retrained at least every 12 months. More on this below, because it's the change most practices will feel first.
More documentation: asset inventories, network maps, and written risk analysis
Every standard needs written policies, procedures, plans, and analyses. No exceptions, no "it's understood."
Two documents anchor everything else: a technology asset inventory listing every system that touches ePHI, and a network map showing how that data moves. Both get refreshed at least every 12 months and after any material change. Your written risk analysis, already the most-enforced requirement in all of HIPAA, would have to build on that inventory and map, with required elements spelled out in the rule instead of left to judgment.
And the records of all of it get reviewed annually. If you didn't write it down, it didn't happen; that's the posture.
More proving: annual audits, penetration tests, and vendor attestations
Documentation says you have controls. This category makes you demonstrate they work.
An annual compliance audit against every standard and implementation spec becomes mandatory. A binder of policies doesn't satisfy this; testing yourself against each requirement once a year does.
The proving cadence, if the rule lands as written:
- Review and test the effectiveness of your security measures every 12 months, replacing today's vague duty to "maintain" them.
- Vulnerability scans every 6 months; a penetration test every 12.
- Written verification from every business associate, annually: an analysis by someone qualified in cybersecurity plus a signed certification that the safeguards are actually deployed.
- Backup proof: restoration tested monthly, backup controls tested every six months.
That business associate item deserves a second look. Today, a signed BAA is essentially the end of your vendor diligence. Under the proposal, you'd collect written technical attestations from every vendor touching your ePHI, every year; and if you're a business associate yourself, you'd be the one producing them.
More speed when things break: 72-hour recovery and one-hour access cutoffs
The proposal sets clocks today's rule never did:
- Critical systems and data restored within 72 hours, guided by a written criticality analysis so you know what to bring back first.
- A departed employee's access cut within one hour of termination.
- 24 hours to notify another regulated entity when a workforce member's access to their systems changes or ends.
- Business associates notify covered entities within 24 hours of activating a contingency plan.
- Incident response plans written, and tested, before you need them.
The training requirement is about to get teeth
Today, HIPAA doesn't set a training schedule. It says train your workforce as "necessary and appropriate," and most organizations settle on annual training because it's defensible; I covered the current rules in how often HIPAA training is required.
The proposal replaces that judgment call with a requirement. New workforce members would need training within 30 days of getting access to ePHI, and everyone, management included, would need security awareness refreshers at least every 12 months. Annual training would move from best practice to legal floor.
If your practice already trains everyone on hire and once a year after, this change costs you nothing; you're compliant the day it lands. If training happens "whenever we remember," you'd be building a tracked, documented annual program with deadlines a regulator can check against a calendar. Figuring out who on your team actually needs HIPAA training is the place to start, and the answer is broader than most people expect: front desk, billing, IT, and volunteers all count.
Will it actually happen?
The honest answer is that nobody knows, including OCR, but here's my read.
The case against: the pushback has been loud. Industry groups asked the administration to withdraw the rule, arguing the burden would crush small and rural providers. HHS's own estimate puts first-year compliance costs around $9 billion industry-wide, with roughly $6 billion a year after that. The May 2026 target already slipped a full year, and this administration generally prefers cutting regulations to writing them.
The case for: healthcare cybersecurity is one of the few issues with genuine bipartisan agreement, breach numbers keep breaking records, and OCR already treats most of these requirements as expectations. Read recent enforcement actions and the same citations repeat: no risk analysis, no MFA, weak access controls, unpatched systems. The worst HIPAA violation cases in history got expensive for exactly the failures this rule would make explicit.
My position: some version of this rule gets finalized, probably slimmed down and probably with a longer runway than 240 days, sometime in 2027 or 2028. But here's the part that matters even if I'm wrong. The proposal is a preview of how OCR judges you today when a breach lands on their desk, so preparing for it is just preparing for your next incident investigation.
What to do now (without spending much)
You don't need a consultant or a seven-figure budget to get ahead of this. Six moves, roughly in order of return:
- Turn on MFA everywhere it's off. Email, EHR, remote access, cloud storage. This is the single control that would have blunted the biggest healthcare breach in history, and it's usually free.
- Write down where your ePHI lives. One page listing every system, device, and vendor that touches patient data. Congratulations, you've started the asset inventory the rule would require.
- Check your encryption defaults. Modern laptops and phones encrypt at rest when the setting is on; confirm it, then confirm your email and file-sharing vendors encrypt in transit.
- Put training on a calendar. New hires within 30 days, everyone annually. Adopting the proposed cadence now means the training requirement costs you zero when it becomes law.
- Ask your vendors what they'd attest to. Send your business associates one question: "If you had to certify your technical safeguards in writing next year, could you?" Their answer, or their silence, tells you which relationships need attention.
- Teach your team to spot phishing, since stolen credentials open most healthcare breaches. The SLAM method takes about ten minutes to teach and covers the essentials.
Frequently asked questions
Has the HIPAA Security Rule been updated in 2026?
No. The changes remain a proposal. OCR published the NPRM on January 6, 2025, the comment period closed March 7, 2025, and no final rule has been issued as of July 2026. The current Security Rule stays fully in force and fully enforced.
When will the new HIPAA Security Rule be finalized?
The government's regulatory agenda currently lists July 2027 for final action, a year later than the original May 2026 target. That date isn't binding; the rule could publish earlier, later, or never. Compliance would be due roughly 240 days after publication.
Do the proposed changes apply to business associates?
Yes, fully. The proposal even coins a term, "regulated entities," that covers covered entities and business associates alike, and it adds annual written verification of every business associate's technical safeguards.
Is MFA currently required under HIPAA?
Not explicitly. Today's rule requires you to verify the identity of anyone accessing ePHI but never names MFA. The proposal would make MFA mandatory with narrow exceptions. In practice, OCR already treats missing MFA as a red flag in breach investigations.
Does HIPAA require encryption?
Not in absolute terms today. Encryption is currently an "addressable" specification, so an organization can document why an alternative safeguard is reasonable instead. The proposed rule would end that flexibility, making encryption of ePHI at rest and in transit mandatory, with narrow exceptions that each require written documentation and compensating controls.
Would HIPAA training requirements change?
Yes. New workforce members would need training within 30 days of getting access to ePHI, with security awareness refreshers for everyone at least every 12 months. Today's rule sets no fixed schedule.
What should a small practice do right now?
Enable MFA, inventory where patient data lives, confirm encryption is on, and move training to a documented annual cycle. All four cost little, satisfy today's rule, and put you ahead of tomorrow's.
Two decades of HIPAA enforcement show a pattern: the organizations that get hurt aren't the ones that lacked budget, they're the ones that waited. Annual, documented training is the one piece of this rule you can finish this week. TeachMeHIPAA's online training gets your whole team certified in about an hour, with the completion records an auditor would ask to see.


