Federal regulators have postponed a major overhaul of the Health Information Portability and Accountability Act (HIPAA) security rules and delayed final action on the rules by a year.
The Department of Health and Human Services (HHS) is proposing to release a final rule in May 2026 that would make significant changes to the HIPAA Security Rule, marking the first major update to the 23-year-old rule in more than a decade.
The U.S. Office of Management and Budget (OMB) website has been updated to show that the final rule has been postponed to July 2027.
The Biden administration has issued a notice of proposed rulemaking that would require new cybersecurity measures in late 2024. In January 2025, the HHS Office for Civil Rights announced proposed changes to the HIPAA Security Rule aimed at addressing technological changes in the healthcare field and enhancing the cybersecurity of electronically protected health information, especially in light of the increase in cyberattacks and ransomware incidents.
The proposal aims to hold healthcare organizations to higher standards for protecting their confidential information from security threats such as cyberattacks. The proposal would require HIPAA-covered entities to achieve certain technology standards such as encryption, multi-factor authentication, and network segmentation. The requirements also require annual penetration testing, more prescriptive requirements for risk analysis, a written security incident response plan that is tested at least once a year, and verification from business partners of technical safeguards.
The proposed changes are also aimed at strengthening cybersecurity requirements for health care providers as well as other organizations that handle ePHI, such as health plans and business associates.
OCR proposed updating definitions for some terms, such as confidentiality, and adding new definitions, such as multi-factor authentication. It also strengthens the administrative, technical, and physical safeguards that HIPAA-covered organizations must implement to protect electronic health information.
The 125-page update sparked fierce backlash from hospitals, health systems and other health care providers. OCR received nearly 5,000 comments on the proposed rule.
Leadership from the College of Health Information Management and more than 100 health systems and other provider organizations sent a letter to HHS in December asking the regulator to reverse the proposed changes. The group said the security rule updates would impose significant new financial burdens on HIPAA-regulated entities and include unreasonable implementation timelines.
While HHS is postponing updates to the Security Rule, the Department is working on a final rule amending the HIPAA Privacy Rule. The final rule, currently scheduled to be released in August, is aimed at giving patients more access to their health information and improving care coordination, according to HHS.
HHS says the proposed changes to the HIPAA Privacy Rule, published in January 2021, will improve information sharing for care coordination and case management, encourage family and caregiver involvement in the care of individuals facing emergencies or health crises, and increase flexibility in disclosures in emergency or threatening situations. The changes will also reduce the administrative burden on HIPAA-covered health care providers and health plans, while continuing to protect the privacy of personal health information, HHS officials said.

