Feds push back HIPAA security rule overhaul to July 2027

Federal regulators have delayed a major overhaul of the Health Information Portability and Accountability Act (HIPAA) Security Rule, pushing back final action on the rule by a year.

The Department of Health and Human Services (HHS) had proposed a May 2026 release for a final rule that makes significant changes to the HIPAA Security Rule and marks the first major update to the 23-year-old rule in more than 10 years.

The U.S. Office of Management and Budget (OMB) website was updated and indicates that the final rule was pushed back to July 2027.

The Biden administration issued a notice of proposed rulemaking in late 2024 mandating new cybersecurity measures. In January 2025, HHS' Office for Civil Rights issued proposed changes to the HIPAA Security Rule that intends to address technological changes in healthcare and strengthen the cybersecurity of electronic protected health information, especially given the rise of cyberattacks and ransomware incidents.

The proposal aims to hold healthcare organizations to a higher standard for protecting sensitive healthcare information from security threats like cyberattacks. The proposal would require that entities covered by HIPAA achieve specific technical standards like encryption, multifactor authentication and network segmentation. The requirements also mandate annual penetration tests, more prescriptive requirements for risk analyses, written security incident response plans that are tested at least annually and verification from business associates about their technical safeguards.

Along with healthcare providers, the proposed changes also are aimed at strengthening cybersecurity requirements for other organizations that handle ePHI, such as health plans and business associates.

The OCR proposed to update the definitions of some terms like confidentiality and add new definitions like multifactor authentication. It also beefs up the administrative, technical and physical safeguards HIPAA-covered entities should implement to protect electronic health information.

The 125-page proposed update prompted fierce pushback from hospitals, health systems and other healthcare organizations. OCR received nearly 5,000 comments on the proposed rule.

The College of Healthcare Information Management Executives and more than 100 health systems and other provider organizations wrote a letter to HHS in December calling for the regulators to withdraw the proposed changes. The groups said the Security Rule update would place substantial new financial burdens on HIPAA-regulated entities and included unreasonable timelines for implementation.

While HHS is pushing back the Security Rule updates, the department is moving forward with a final rule that modifies the HIPAA Privacy Rule. That final rule, now slated to be released in August, aims to give patients more access to their health information and improve care coordination, according to HHS.

HHS says the proposed changes to the HIPAA Privacy Rule, which was published in January 2021, will improve information sharing for care coordination and case management, facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises and enhance flexibilities for disclosures in emergency or threatening circumstances. The changes also will reduce administrative burdens on HIPAA-covered healthcare providers and health plans while continuing to protect individuals’ health information privacy, HHS officials said.