Proposed HIPAA Security Rule Updates: What We Know (and What to Watch in 2026)
The HIPAA Security Rule—originally established to protect electronic protected health information (ePHI)—has remained largely unchanged for over a decade, despite major shifts in technology, cybersecurity threats, and how healthcare organizations store and access data.
In response, the U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), has proposed a significant update to modernize these requirements. The goal is to better align HIPAA with today’s risk landscape, where ransomware attacks, data breaches, and third-party vulnerabilities have become far more common.
As of now, these proposed updates are still in the Notice of Proposed Rulemaking (NPRM) stage and have not been finalized.
While a target publication date of May 2026 remains listed on OCR’s regulatory agenda, the agency has not confirmed whether it will proceed on that timeline. OCR received approximately 4,700 public comments on the proposal and is actively reviewing them.
In short: A May 2026 final rule is possible—but far from guaranteed.
What Could Change If the Rule Is Finalized?
If the rule is finalized in its current proposed form, it would represent a significant shift in how organizations are expected to protect ePHI.
Here are some of the most notable proposed changes:
1. “Addressable” Safeguards May Become Mandatory
One of the biggest structural changes is the proposal to replace “addressable” implementation specifications with “required” ones.
This means organizations would no longer have flexibility in deciding whether certain safeguards are reasonable—they would be expected to implement them outright.
2. More Rigorous Risk Analysis and Documentation
The proposal places a heavier emphasis on conducting detailed, ongoing risk analyses and maintaining comprehensive written records of security policies, procedures, and decisions made around safeguards.
This would raise the bar for documentation significantly—something many organizations are currently underprepared for.
3. Mandatory Technical Safeguards
The proposed rule introduces more explicit technical requirements, including encryption of ePHI, multi-factor authentication (MFA) for system access, regular vulnerability scans, penetration testing, and network segmentation.
These measures move beyond “best practice” and into baseline expectations.
4. Defined Backup and Disaster Recovery Timelines
Organizations would be required to formalize their contingency planning by establishing specific timeframes for restoring systems and data after an incident and documenting those timelines clearly.
This adds a measurable standard to what has often been a loosely defined requirement.
5. Annual Compliance Audits
Another notable addition is the requirement for annual compliance audits, reinforcing the expectation that organizations continuously validate their security posture—not just during incidents or investigations.
6. Increased Oversight of Business Associates
The proposal also tightens expectations around third-party vendors by requiring organizations to verify that business associates are implementing appropriate safeguards and to obtain detailed written security analyses prepared by qualified experts.
This shifts more responsibility onto covered entities to actively monitor vendor compliance—not just rely on agreements.
What Would the Compliance Timeline Look Like?
While nothing is final yet, HIPAA rule updates typically follow a predictable timeline:
- The final rule becomes effective 60 days after publication.
- Organizations are then given an additional 180 days to comply.
Total: approximately 8 months to achieve compliance.
However, it’s important to note that OCR has the authority to adjust these timelines in the final rule if needed—especially given the scale and impact of these proposed changes.
What Should You Do Now?
Even though the rule isn’t finalized, the direction is clear:
Security expectations are increasing—and becoming less flexible.
Organizations that take steps now will be in a much stronger position if and when the rule is finalized.
Practical next steps include:
- Reviewing your current risk analysis process
- Evaluating your technical safeguards, such as encryption and MFA
- Strengthening documentation practices
- Assessing vendor oversight procedures
Final Thoughts
At this stage, the proposed HIPAA Security Rule updates represent a likely shift toward stricter, more prescriptive security requirements.
The exact timing is still uncertain, but the message from regulators is consistent:
Organizations will be expected to demonstrate—not just claim—compliance.
We’ll continue monitoring updates from OCR and provide guidance as more details become available.
