HIPAA Security Rule Updates Delayed to 2027

Image shows a laptop and doctor's stethoscope on a table with a plant in the background. The image title reads, "HIPAA Security Rule Updates."

Table of Contents

Another Year to Get Ready for the HIPAA Security Rule Updates

The proposed overhaul of the HIPAA Security Rule has moved to the Health Human Services (HHS) Long-Term Actions agenda, with July 2027 now marked as the anticipated window for a final rule. This announcement was made by the Office of Management and Budget (OMB) last week. The year-long delay changes nothing about what healthcare organizations should be doing to prepare, but the extra time is an opportunity to bolster their compliance strategies and get ready for the tighter security requirements that will take effect.
Here’s the story so far, and why the extra time matters.

Why the Delay Happened

The proposed rule, first introduced in December 2024, represents the most significant rewrite of the HIPAA Security Rule in over a decade. It responds to a sharp rise in large-scale healthcare data breaches and aims to close gaps that ransomware groups and other cyberattackers have exploited for years.
While OMB and HHS did not provide formal statements explaining why the changes were delayed by a year, it may be because of public comment feedback and pushback from 100 provider organizations, and later a coalition of 57 hospitals and health systems, which formally asked HHS to withdraw or scale back the proposal, citing the financial and operational lift it would require.

Timeline of the HIPAA Security Rule Changes

  1. December 2024: HHS issues the Notice of Proposed Rulemaking (NPRM), announcing planned changes to the HIPAA Security Rule, marking the first major overhaul in over a decade.
  2. January 6, 2025: The proposed rule is formally published in the Federal Register, opening a 60-day public comment period.
  3. March 7, 2025: The public comment period is closed with nearly 5,000 comments received.
  4. December 8, 2025: A coalition of 57 hospitals and health systems sent a letter to HHS urging the withdrawal of the proposed rule, citing financial and operational burdens.
  5. May 2026: Original projected release window for the proposed changes to become a final rule.
  6. July 10, 2026: OMB’s regulatory agenda confirms the final rule has been pushed back to July 2027.
  7. July 2027: New anticipated time frame for the final Action Date for the HIPAA Security Rule updates.

What Hasn’t Changed

The goal of the proposed changes is to align ePHI protections with how healthcare operates today and to close the gap between outdated flexibility and modern threats.
A noteworthy change in the proposed updates is the override of the “required” and “addressable” security implementations, with nearly all security specifications becoming mandatory. PrivaPlan notes that this shift would limit regulated entities’ “flexibility of approach”, forcing organizations to fully implement safeguards that previously allowed customized, risk-based alternatives. The intent is to create a uniform baseline for how each security standard is met.
A detailed breakdown of the expected changes to the HIPAA Security Rule appears below.

More Time to Prepare for HIPAA Security Rule Updates

Here’s the piece worth remembering: almost everything in the proposed rule is already considered sound cybersecurity practice, independent of whether or when it becomes law. Organizations that treat encryption, MFA, network segmentation, and incident response planning as standard operating procedures are already demonstrating what good security practices look like.
And there’s real corporate value in adopting these compliance practices ahead of enforcement. Those who heed the recommendations in the proposed changes will be in the strongest position when the rule finally lands. While it might be tempting to treat this delay as permission to wait, treat the next year as a head start and an investment in your organization’s compliance posture.

What to Do With the Extra Time

Use this time deliberately. Build out your technology asset inventory and map how ePHI actually moves through your systems. Confirm encryption and MFA are fully in place, not just partially rolled out. Take a hard look at network segmentation and vulnerability testing cadence. Revisit business associate agreements and audit processes now, so you can prepare well instead of rushing later.

Reviewing Key Items of the Proposed Security Rule Changes

The rule’s final language may still shift between now and July 2027, but the underlying expectations for protecting ePHI are not going away. The following was originally published in our article “Strengthening ePHI Security: Insights on the Latest HIPAA Rulemaking,” on December 29, 2024. While we cannot predict whether all of the proposed changes will be accepted, especially given the pushback from some healthcare industry professionals, we do know that the changes  are worth revisiting as your organization prepares for compliance over the next year.

HIPAA’s New Cybersecurity Measures: What You Need to Know

The Security Rule is being revised to address the inconsistencies in how regulated entities comply with the requirements and to enhance the protection of sensitive patient information. These proposed updates aim to align with the realities of today’s healthcare environment and establish more effective standards and protocols, enabling covered entities to address the complexities of the current cybersecurity landscape. Below are some of the key changes.

Employing  Multi-Factor Authentication

Introducing the definition of multi-factor authentication (MFA) and its use, MFA has evolved since the 2005 Rule was published and is considered a required authentication standard to protect against threat actors, ransomware, and other incidents.
Organizations will be required to implement:
  • Written Policies for verifying the identities of users and devices before they access electronic systems.
  • Utilizing MFAs for all system logins.
  • User Verification is used for all system logins to confirm that users are who they claim to be.
  • Privilege Changes will also apply MFA for any actions that change a user’s permissions, especially if those changes could affect the confidentiality, integrity, or availability of ePHI.

Security Risk Analysis & Data Governance

The new rule includes conducting and maintaining a thorough inventory of technology assets and a network map, which will be updated annually. This is an essential step in knowing what ePHI must be protected!
While the original Security Rule did not mandate this, early on we recognized that understanding where ePHI resources are located within your organization is vital for effective security. Since 2005, PrivaPlan has championed the critical role of Security Risk Analyses (SRAs) and ePHI inventories, integrating these data maps into our risk analysis framework and showing organizations how to perform these analyses in our HIPAA Privacy & Security Toolkit.
Other security changes include:
  • Risk Level Matrix: Evaluate and assign risk levels to various threats, and review and update these evaluations annually to reflect changes in circumstances or new information.
  • Patch Management: Specific patch management procedures and actions to effectively upgrade systems when a patch or security weakness is identified.
  • Written Risk Management Plans: Establish and implement a written risk management plan. This change makes it clear that a written risk management plan is needed in addition to a risk analysis. The Office for Civil Rights already asks for this when investigating a Security Breach or incident, but this now becomes a requirement.
  • Privileged Account Access: Improve privileged account access protocols to enhance network infrastructure security by establishing effective network segmentation to limit access and exposure, systematically removing unnecessary software that could pose security risks, and managing ports diligently to prevent unauthorized access.

Workforce Standards & Training

Tighter standards for workforce clearance and termination have been outlined. For example, a proposed standard states that “A workforce member’s access must be terminated as soon as possible but no later than one hour after the employment of, or other arrangement with, a workforce member ends.”
Security awareness training must be conducted annually and should include the term “social engineering,” which encompasses training on phishing and smishing threats.

Disaster Planning & Security Response Testing

Healthcare organizations must now include annual security incident response testing and disaster planning in their requirements to enhance cybersecurity.
Establishing and implementing tighter contingency, backup, and disaster recovery response and management, including “Establish (and implement as needed) written procedures to restore loss of the covered entity’s or business associate’s critical relevant electronic information systems and data within 72 hours of the loss.”

Business Associates

Data breaches and cyberattacks in the healthcare sector are commonplace, and the following measures aim to keep third-party providers accountable.
Business Associates are a person, contractor, or entity that creates, receives, maintains, or transmits ePHI on behalf of a covered entity. The business associate is responsible for protecting ePHI that they receive from a covered entity. A business associate agreement (BAA) outlines the responsibilities of both parties in safeguarding ePHI.
Business associates will now be required to comply with enhanced verification of their cybersecurity measures. Once a year, they will need to provide written verification confirming the deployment of their technical safeguards. This confirmation should include an analysis of relevant electronic systems assuring the confidentiality, integrity, and availability of the ePHI. Additionally, an authorized individual must certify the accuracy of this analysis.
Business associates will also need to report to the covered entity within 24 hours if their contingency plan is activated under HIPAA’s emergency response provisions (§ 164.308(a)(13)).

Physical Security Clarifications

A facility’s physical security is also addressed in this update. Physical security measures help protect sensitive health information by securing physical spaces where ePHI is stored or processed.
This rulemaking contains clarifications and specifications for a facility’s physical security standards, such as identifying door access systems to restrict entry to authorized personnel and deploying surveillance systems to monitor the facility.
The clarified standards reflect a growing focus on physical security as a critical component of data protection, encouraging healthcare organizations to maintain both technical and environmental safeguards as part of their compliance strategy.

Ensuring the Security of ePHI in Real-Time

The update also provides a better understanding of real-time monitoring systems and ePHI activity, asking covered entities and business associates to continuously monitor activity in electronic information systems. The deployment of technology assets and technical controls will enable real-time monitoring measures that help mitigate risks, protect sensitive data, and maintain compliance.

Final Thoughts

The delay in the HIPAA Security Rule’s finalization provides a valuable opportunity, not a reason to pause. By proactively strengthening your compliance efforts now, your organization will be well-positioned to adapt quickly when the new requirements take effect. Use this extra year to review your safeguards, address any gaps, and build a culture of security that will benefit your patients, partners, and reputation.

Get Ahead of the Security Rule Updates

Curious where your organization stands against these proposed requirements? Take the next steps with PrivaPlan Associates and give us a call today at 1-877-218-7707 to get started!

Access PrivaPlan Toolkit

Access CMA-PrivaPlan Toolkit

Stay Ahead of Privacy & Security Compliance

Sign Up for Our Newsletter!

Don’t miss the latest updates, tips, and best practices in privacy and security compliance! Join our email newsletter for:

  • Exclusive Insights: Gain access to vital news and expert insights from PrivaPlan experts.
  • Practical Tips: Learn actionable strategies to protect data privacy & enforce data security.

Sign up now and elevate your compliance game!

A Compliance First Guide focused on AI & the HIPAA Security Rule

Ensuring HIPAA Compliance in Generative AI Systems

Our new practical guide offers actionable strategies for establishing an AI system while focusing on the HIPAA Security Rule framework. It's built to help you:

Learn about Compliance!

Subscribe now for up-to-date information about privacy & security compliance! You’ll receive emails regarding news about compliance & alerts for new blog posts.