The HIPAA Security Rule Update Missed Its Deadline
The 2026 HIPAA Security Rule update is not final. OCR targeted May 2026 for a final rule; that window has passed with nothing published. It remains a proposed rule (NPRM) while OCR reviews roughly 4,745 comments and 100+ provider groups push for withdrawal. The current Security Rule is what you're held to today.
If you've been told the big HIPAA Security Rule overhaul finalizes in May 2026, that date is now in the rearview mirror and no final rule exists. As of June 2026, the rule is still a proposal. That gap between the headline and reality is the whole story, and it changes how a compliance officer should be spending the next quarter.
The proposal itself is real and serious: the first material overhaul of the Security Rule since 2013, published as an NPRM in the Federal Register on January 6, 2025. But "proposed" and "in effect" are very different things, and treating one as the other is how organizations either overspend on a deadline that hasn't started or freeze and do nothing. Neither is the right move.
Is the new HIPAA Security Rule final?
No. The 2026 HIPAA Security Rule update is still a proposed rule, not law. OCR published the NPRM on January 6, 2025, the comment period closed March 7, 2025, and the agency is still working through approximately 4,745 public comments. OCR's regulatory agenda listed May 2026 as the finalization target, but that month has come and gone with no final rule and no confirmed new timeline.
This matters because federal rulemaking deadlines are not legally binding on the agency. OCR can finalize the rule as written, narrow it, delay it, republish it, or withdraw it entirely. In the meantime, the existing Security Rule — the one adopted in 2003 and last meaningfully touched in 2013 — is the standard OCR enforces. You are not being audited against the proposal today.
What would the proposed rule actually change?
The proposal would convert a long list of "addressable" safeguards into firm requirements and add several new ones. The single biggest structural change is the elimination of the "addressable" implementation category, which today lets organizations tailor or document-around certain controls based on size and capability. Remove that, and most specifications become mandatory with only narrow exceptions.
The concrete new mandates worth knowing, drawn directly from OCR's NPRM fact sheet:
•      Multi-factor authentication for access to ePHI, with limited exceptions.
•      Encryption of ePHI at rest and in transit, with documented exceptions only.
•      Asset inventory and network map covering every system touching ePHI, reviewed at least every 12 months.
•      Vulnerability scanning at least every six months and penetration testing at least once every 12 months.
•      Network segmentation, anti-malware, and configuration management as explicit standalone requirements.
•      Annual business associate verification — written confirmation, not just a signed agreement on file.
None of these is exotic. Most are already best practice, and several are already "addressable" specifications that OCR has long expected organizations to implement. The shift is from "implement or document why not" to "implement, full stop."
When would it take effect if it's finalized?
If the rule is finalized as proposed, the clock is 240 days from publication: 60 days from Federal Register publication until the rule takes effect, then 180 days after that to reach full compliance. That window only starts on the day a final rule publishes — which, as of today, has not happened.
For a multi-site practice or hospital department, 240 days is tight. It would have to absorb a fresh risk analysis, a complete asset inventory and network map, MFA across every ePHI-touching system, encryption gap remediation, rewritten policies, workforce training, scheduled penetration testing, and a stood-up business associate verification workflow. Done from a standing start, that's realistically a 12-to-18-month program compressed into eight.
Why are 100+ hospital systems fighting it?
On December 8, 2025, a coalition led by CHIME (the College of Healthcare Information Management Executives) and including Cleveland Clinic, Yale New Haven Health System, Advocate Health, the American Medical Association, and the American Academy of Pediatrics sent a letter to HHS asking that the rule be withdrawn. Their objection isn't to security — it's to cost, timeline, and the loss of tailoring.
The numbers behind the pushback are HHS's own. Its Regulatory Impact Analysis estimates roughly $9 billion in year-one industry cost if finalized as proposed, with about $6 billion per year in years two through five. The coalition argues those figures understate the real burden on rural hospitals, federally qualified health centers, and small independent practices operating on thin margins — the providers least able to absorb an enterprise-wide overhaul on a 240-day clock.
Should you prepare for a rule that might never land?
Yes — but prepare for the controls, not the deadline. This is the distinction most coverage misses. The argument for acting now isn't that the rule will definitely pass as written. It's that every control in the proposal already reduces your exposure under the rule that exists today.
OCR's enforcement under the current Security Rule has already shifted toward exactly these controls. Inadequate risk analysis remains the single most-cited deficiency in OCR investigations. MFA and encryption gaps show up repeatedly in recent settlements. Asset inventory failures get tied directly to unpatched-software risk. So an organization that deploys MFA, encrypts ePHI, builds a real asset inventory, and documents its risk management is better protected against enforcement and breaches right now, regardless of whether the proposal ever becomes final.
Put the threat environment next to that. Healthcare was the most-targeted U.S. critical infrastructure sector for cyber incidents in 2024 per the FBI, and the Change Healthcare ransomware attack ultimately affected roughly 192.7 million people — the largest healthcare breach in U.S. history. The controls in the proposal map directly onto the failure modes in those incidents. The rulemaking is uncertain; the threat is not.
What a vCISO would do in the next 90 days
The work that pays off whether the rule lands as proposed, lands later in modified form, or never lands at all is the work worth doing now. Here's how I'd sequence it for a mid-market or regulated client:
1.   Refresh the risk analysis. It's already required, it's the most-cited failure, and it drives everything else.
2.   Build the asset inventory. Every system, vendor, and AI tool touching ePHI. If you can't list it, you can't protect it or prove compliance.
3.   Close MFA and encryption gaps. Both show up repeatedly as unmet controls in OCR settlements. Encryption is already an addressable specification under today's rule. MFA is not named in the current rule, but the person-or-entity authentication standard (45 CFR 164.312(d)) is required, OCR's guidance points to MFA as the expected way to meet it for remote and privileged access, and recent corrective action plans routinely require it.
4.   Audit your business associate agreements. Know which vendors touch ePHI and design a workflow that could produce annual verification if a future rule demands it.
5.   Document the decisions. In an OCR investigation, undocumented security is treated as absent security.
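The checklist above and the cadences in the proposed rule (vulnerability scans at least every six months, penetration testing and inventory review at least every 12 months, written business associate verification every 12 months, MFA and encryption with documented exceptions only) lend themselves to a simple gap tracker. The block below is an added example written for this article; it is not an OCR tool and not something Purple Shield ships. The inventory it runs against is constructed, the field names are my own, and the six-month and twelve-month windows are approximated as 182 and 365 days. It lists each ePHI-touching asset or vendor that would miss a control as proposed, which is the same list you would want to close under today's rule.

```python
"""Gap tracker for the controls in the proposed HIPAA Security Rule.

Added example for this article, not a regulator's tool. Field names,
thresholds and the sample inventory below are assumptions constructed
for illustration; treat the output as a planning aid, not a compliance
determination.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Cadences from the NPRM as summarised above. "At least every six months"
# is approximated as 182 days and "at least every 12 months" as 365 days.
VULN_SCAN_MAX_AGE = timedelta(days=182)
PENTEST_MAX_AGE = timedelta(days=365)
REVIEW_MAX_AGE = timedelta(days=365)   # inventory/network map and BA verification


@dataclass
class Asset:
    name: str
    handles_ephi: bool
    mfa: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    last_vuln_scan: Optional[date]
    last_pentest: Optional[date]          # tracked per asset here; the NPRM reads per entity
    exception_documented: bool = False    # written, risk-based exception on file (assumed field)


@dataclass
class BusinessAssociate:
    name: str
    baa_on_file: bool
    last_written_verification: Optional[date]   # written safeguard verification, not the BAA


Finding = Tuple[str, str]   # (subject, control that is not met)


def stale(last: Optional[date], max_age: timedelta, today: date) -> bool:
    """True when the activity never happened or is older than max_age."""
    return last is None or today - last > max_age


def assess(assets: List[Asset], associates: List[BusinessAssociate],
           inventory_last_reviewed: Optional[date], today: date) -> List[Finding]:
    """Return every (subject, control) pair that would fail the proposed controls."""
    findings: List[Finding] = []

    if stale(inventory_last_reviewed, REVIEW_MAX_AGE, today):
        findings.append(("inventory", "inventory-review"))

    for a in assets:
        if not a.handles_ephi:
            continue   # out of scope for the technical controls, but it still belongs in the inventory
        if not a.mfa and not a.exception_documented:
            findings.append((a.name, "mfa"))
        if not (a.encrypted_at_rest and a.encrypted_in_transit) and not a.exception_documented:
            findings.append((a.name, "encryption"))
        if stale(a.last_vuln_scan, VULN_SCAN_MAX_AGE, today):
            findings.append((a.name, "vuln-scan"))
        if stale(a.last_pentest, PENTEST_MAX_AGE, today):
            findings.append((a.name, "pentest"))

    for b in associates:
        if not b.baa_on_file:
            findings.append((b.name, "baa"))
        if stale(b.last_written_verification, REVIEW_MAX_AGE, today):
            findings.append((b.name, "ba-verification"))

    return findings


def sample_findings() -> List[Finding]:
    """Run assess() over a constructed inventory as of 2026-06-11 (constructed data)."""
    today = date(2026, 6, 11)
    assets = [
        Asset("ehr-db", True, True, True, True, date(2026, 2, 1), date(2025, 9, 15)),
        Asset("radiology-pacs", True, False, False, True, date(2025, 10, 1), None),
        Asset("marketing-cms", False, False, False, True, None, None),
    ]
    associates = [
        BusinessAssociate("billing-vendor", True, date(2025, 8, 1)),
        BusinessAssociate("transcription-ai", True, None),
    ]
    return assess(assets, associates, date(2025, 3, 1), today)


if __name__ == "__main__":
    for subject, control in sample_findings():
        print(f"{subject}: {control}")
```

On the constructed inventory this reports six gaps: the inventory itself has not been reviewed in 12 months, the PACS system is missing MFA, encryption at rest, a recent scan and any penetration test, and the transcription vendor has a BAA but no written verification. The single `exception_documented` flag is deliberately crude; in practice you would record a separate, dated exception per control, because under the proposal an undocumented exception is the same as a missing control.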
This is the kind of gap planning Purple Shield runs with healthcare clients and their vendors — decoupling the prep from the rulemaking so the spend is defensible under today's rule and ready for whatever finalizes. The 240-day clock hasn't started. The work that protects patients and operations under any outcome is available to begin now.
Frequently asked questions
Is the 2026 HIPAA Security Rule in effect right now?
No. It remains a proposed rule as of June 2026. OCR has not published a final rule, the May 2026 target passed with nothing issued, and the current Security Rule is what's enforced today. There is no new compliance obligation in force from the proposal.
Does the proposed rule apply to business associates?
Yes. Every requirement that would apply to covered entities would also apply to business associates. The proposal would also require business associates to notify covered entities within 24 hours of activating their contingency plan, and to verify at least once every 12 months that their technical safeguards are in place, through a written analysis by a subject matter expert and a written certification, not just a BAA on file.
Would MFA become mandatory?
Yes, with limited exceptions, as drafted. The current Security Rule does not mention MFA by name; it has a required person-or-entity authentication standard (45 CFR 164.312(d)) that leaves the mechanism to the entity's risk analysis, which is why many organizations have already adopted MFA and why OCR cites its absence in investigations. The proposal would name MFA explicitly and make it a firm requirement for access to ePHI.
How much would compliance cost?
HHS's own Regulatory Impact Analysis estimates roughly $9 billion in industry-wide year-one cost if finalized as proposed, with about $6 billion per year in years two through five. Per-organization cost depends heavily on existing security maturity — an entity already running MFA, encryption, and annual testing faces a far smaller incremental burden than one starting from scratch.
What happens if the rule is withdrawn?
The controls still matter. OCR's enforcement under the existing Security Rule has already moved toward risk analysis, asset inventory, MFA, and encryption. Investments in those areas reduce exposure under today's rule and align with where both federal and state regulators are heading, regardless of the rulemaking outcome.
Not sure where your ePHI controls stand against either the current rule or the proposed one? Purple Shield Security runs vendor-neutral HIPAA gap assessments, vCISO services as well as fractional CISO services for healthcare organizations and the vendors that serve them. We'll map your real exposure and a defensible remediation plan — no products to sell, just the advisory work.
By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM
Published By: Purple Shield Security
Published: June 11, 2026
Last updated: June 11, 2026
