HIPAA security rule changes postponed until mid-2027

HIPAA security rule changes postponed until mid-2027

Federal regulators have delayed a major review of the Health Insurance Portability and Accountability Act (HIPAA) security rule, delaying final action on the rule by a year.

https://omg10.com/4/10736335

The Department of Health and Human Services (HHS) had proposed a May 2026 release for a final rule that makes significant changes to the HIPAA Security Rule and marks the first major update to the 23-year-old rule in more than 10 years.

The US Office of Management and Budget (OMB) website has been updated to indicate that the final rule has been delayed until July 2027.

The Biden administration issued a notice of proposed rulemaking in late 2024 requiring new cybersecurity measures. In January 2025, the HHS Office for Civil Rights issued proposed changes to the HIPAA Security Rule that are intended to address technological changes in healthcare and strengthen the cybersecurity of electronic protected health information, especially given the increase in cyberattacks and ransomware incidents.

The proposal aims to require healthcare organizations to meet a higher standard in protecting sensitive health information from security threats such as cyberattacks. The proposal would require HIPAA-covered entities to meet specific technical standards such as encryption, multi-factor authentication, and network segmentation. The requirements also call for annual penetration testing, more prescriptive requirements for risk analysis, written security incident response plans that are tested at least annually, and verification by business partners of their technical safeguards.

Along with healthcare providers, the proposed changes also aim to strengthen cybersecurity requirements for other organizations that handle ePHI, such as health plans and business associates.

OCR proposed updating the definitions of some terms, such as confidentiality, and adding new definitions, such as multi-factor authentication. It also reinforces the administrative, technical, and physical safeguards that HIPAA-covered entities must implement to protect electronic health information.

The proposed 125-page update sparked fierce pushback from hospitals, health systems and other healthcare organizations. LOC received Nearly 5,000 comments on the proposed rule.

The College of Healthcare Information Management Executives and more than 100 health systems and other provider organizations wrote a letter to HHS in December asking regulators to withdraw the proposed changes. The groups said the Security Rule update would impose substantial new financial burdens on HIPAA-regulated entities and included unreasonable timelines for implementation.

While HHS is delaying updates to the Security Rules, the department is moving forward with a final rule amending the HIPAA Privacy Rule. That final rule, now scheduled to be released in August, aims to give patients more access to their health information and improve care coordination, according to HHS.

HHS says the proposed changes to the HIPAA Privacy Rule, which was published in January 2021, will improve information sharing for care coordination and case management, facilitate greater involvement of families and caregivers in the care of people experiencing emergencies or health crises, and improve flexibility for disclosures in emergency or threatening circumstances. The changes will also reduce administrative burdens on health care providers and health plans covered by HIPAA while continuing to protect the privacy of people’s health information, HHS officials said.

Leave a Reply

Your email address will not be published. Required fields are marked *