HIPAA Security Rule Update Postponed: More Time Given to Implement Major HIPAA Security Rule Changes
There has been some good news for the HIPAA-regulated entities that feel unprepared for the proposed changes to the HIPAA Security Rule. The Department of Health and Human Services (HHS) had proposed a May 2026 release date for a final rule implementing the proposed changes to the HIPAA Security Rule; however, the U.S. Office of Management and Budget (OMB) website has been updated, showing the final rule has been pushed back a year, with the final action due in July 2027.
Why HIPAA Security Rule Changes Have Been Proposed
The HHS’ Office for Civil Rights (OCR), under the Biden administration, issued a Notice of Proposed Rulemaking (NPRM) to strengthen the HIPAA Security Rule in December 2024, and published the proposed rule in the Federal Register on January 6, 2025. The original HIPAA Security Rule was enacted more than two decades ago in 2003 and was updated by the HIPAA Omnibus Final Rule in 2013, but there have been no substantial changes to the Security Rule in the past 13 years.
Today, almost all aspects of healthcare rely on computer and network technologies, and cybersecurity is far more of a concern than when the Security Rule was first published. Over the past 10 years, cyberattacks on healthcare organizations and breaches of electronic protected health information (ePHI) – that the Security Rule was introduced to protect – have been steadily increasing, especially in 2018, when there was a rampant escalation in hacking incidents and healthcare ransomware attacks. Not only have these incidents increased substantially, but there has also been an alarming upward trend in the number of individuals affected and the harm these incidents cause.
Take the ALPHV/BlackCat ransomware attack on Change Healthcare in February 2024. The attack on this key healthcare technology company and clearinghouse had massive implications for the healthcare industry. The company’s systems touch one in every three patient records and are relied on by hospitals, physicians, pharmacies, and laboratories across the country for billing and payment processing. The attack caused severe cash flow problems for the company’s clients, care delivery was affected, and some providers were forced to temporarily close. The outage caused by the attack lasted for weeks, while the disruption for providers continued for much longer. The ePHI of an estimated 192.7 million Americans was stolen in the attack. The attackers breached the Change Healthcare network via a Citrix remote access portal using stolen credentials, and crucially, multifactor authentication was not enabled. Multifactor authentication is one of the requirements of the Security Rule update, as is network segmentation to limit the impact of cyberattacks.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
New Security Rule Requirements
The proposed HIPAA Security Rule update is intended to address changes in the healthcare environment and technology, force HIPAA-regulated entities to make cybersecurity updates to combat cyberattacks and prevent data breaches, and correct deficiencies in the HIPAA Security Rule that OCR has identified from its investigations of data breaches, complaints, and its HIPAA audit program. The updates are based on current cybersecurity best practices and methodologies, and are common sense updates given the extent to which the healthcare industry is being targeted by cyber actors and how frequently they breach healthcare networks.
The proposed changes are substantial, and include the elimination of the addressable implementation classification; strict mandatory cybersecurity requirements such as encryption, multifactor authentication, network segmentation, and anti-malware protection; annual penetration tests, vulnerability scans every 6 months, and annual audits of Security Rule compliance; more prescriptive requirements for risk analyses, which must be conducted at least annually and be based on a comprehensive and accurate technology asset inventory and network map showing how ePHI flows; dedicated backup and recovery controls for ePHI; shorter timelines for business associates and verification of their technical safeguards; and extensive documentation requirements.
Proposed Regulatory Update Attracts Considerable Criticism
The 390-page proposed update was not particularly well received and attracted considerable criticism from hospitals, health systems, and industry groups. OCR received almost 5,000 comments in response to the proposed rule. While industry stakeholders accepted the need for improvements to security to combat the cybersecurity crisis in healthcare, they viewed the proposed rule as an impossible mandate, as it would place substantial financial burdens on healthcare organizations, cause massive operational disruptions, create a huge administrative burden, and has an unworkable timeframe for implementation.
The proposed rule lacks much of the flexibility of the original rule, attracting criticism for the one-size-fits-all approach to cybersecurity. Since the new requirements are extensive, forcing HIPAA-regulated entities to commit substantial funds to compliance will require many to divert funds away from patient care. The pain would be particularly acute for small and rural healthcare providers who are already working on razor-thin margins. The HHS accepts that compliance will not be cheap, calculating that the proposed changes will have a one-year industry cost of $9 billion, with annual industry costs of $6 billion a year for years two through five.
More Time to Prepare for Inevitable New Security Requirements
The timeframes released by government entities for implementing new rules are not legally binding. The final rule may have been delayed by a year and could be delayed further; however, OCR could press ahead and release a final rule ahead of the proposed July 2027 date.
Changes to the HIPAA Security Rule are inevitable to ensure it remains effective. One of the criticisms of the proposed rule was the short implementation timeframe, which was viewed by industry groups as unworkable. While there may be a huge collective sigh of relief at the delay, it is important to use the extra time wisely. Waiting for the final rule to be issued before implementing the required changes runs the risk of missing the implementation deadline and facing the regulatory risks associated with late compliance.
If regulated entities use the time to plan and they start implementing some of the proposed requirements over the coming 12 months, the pain will be eased when the final rule drops. In the meantime, cybersecurity will be improved, helping to prevent cyberattacks, costly downtime, and many data breaches.
Steve Alder, Editor-in-Chief, The HIPAA Journal.


