HHS delays HIPAA Security Rule overhaul to July 2027
Key Takeaways
- Federal regulators have pushed final action on a major HIPAA Security Rule overhaul to July 2027 after extensive pushback from healthcare stakeholders.
Federal regulators have delayed a major overhaul of the Health Insurance Portability and Accountability Act Security Rule, moving final action on the update back by a year. The Department of Health and Human Services had previously proposed a May 2026 release for the final rule, which would make significant changes to the HIPAA Security Rule and represent the first major update to the 23-year-old rule in more than a decade.
An updated posting on the U.S. Office of Management and Budget website now indicates that the final rule is expected in July 2027. The change pushes back the timeline for one of the most closely watched federal cybersecurity rulemakings affecting healthcare organizations.
The Security Rule proposal stems from a notice of proposed rulemaking issued in late 2024 under the Biden administration. In January 2025, HHS’ Office for Civil Rights released proposed changes intended to address technology shifts in healthcare and strengthen cybersecurity protections for electronic protected health information. The proposal came amid growing concern about cyberattacks and ransomware incidents affecting the sector.
Under the proposal, HIPAA-covered entities would be expected to meet more specific technical requirements, including encryption, multifactor authentication and network segmentation. The draft also called for annual penetration testing, more detailed risk analysis requirements, written incident response plans that would be tested at least once a year and verification from business associates about their technical safeguards.
The changes were not limited to providers. HHS also said the proposed rule was meant to strengthen cybersecurity obligations for other organizations that handle electronic protected health information, including health plans and business associates.
The Office for Civil Rights proposal also included updates to some definitions, such as confidentiality, and new terms, such as multifactor authentication. It would also expand the administrative, technical and physical safeguards that HIPAA-covered entities are expected to use to protect electronic health information.
The 125-page proposal drew strong opposition from hospitals, health systems and other healthcare groups. According to the report, OCR received nearly 5,000 comments on the proposed rule. The response reflected broad concern across the industry about the cost and operational demands tied to the update.
In December, the College of Healthcare Information Management Executives and more than 100 health systems and other provider organizations sent a letter to HHS urging regulators to withdraw the proposed changes. The groups said the Security Rule update would create substantial new financial burdens for HIPAA-regulated entities and that the timelines for implementation were unreasonable.
The delay to the Security Rule overhaul comes even as HHS continues to move forward on a separate HIPAA rulemaking. The department is still advancing a final rule that would modify the HIPAA Privacy Rule, with release now slated for August.
That Privacy Rule update is intended to give patients more access to their health information and improve care coordination, according to HHS. The department has said the proposed changes, first published in January 2021, would improve information sharing for care coordination and case management, support greater involvement from family members and caregivers in emergency or crisis situations and provide more flexibility for disclosures in emergency or threatening circumstances.
HHS officials have also said the Privacy Rule changes would reduce administrative burdens on HIPAA-covered healthcare providers and health plans while continuing to protect the privacy of individuals’ health information.
Together, the two rulemakings show that HHS is still working on major HIPAA changes, but the more extensive Security Rule update is now on a longer timeline. For now, final action on that proposal is expected in July 2027, according to the updated OMB schedule.