Skip to main content

New HIPAA Security Rule: 2026 Status, the 2027 Delay, and What Would Change

By Joseph Abear ·
New HIPAA Security Rule

Last updated: July 14, 2026. This page tracks the rulemaking and is updated as the status changes.

The new HIPAA Security Rule is not final, and it just slipped a year. HHS proposed the first big Security Rule overhaul in two decades on January 6, 2025. The public comment period closed on March 7, 2025, with about 4,745 comments. HHS had aimed for a final rule around May 2026. That date has moved. The Office of Management and Budget (OMB) now lists July 2027 as the target. Until a final rule comes out, the current Security Rule still governs. Every change below is still just a proposal, and proposals can change. Here is where things stand, what would change, the clock that starts when it becomes final, and what to do with the extra time.

TL;DR: Quick answer

  • Status as of July 2026: proposed, not final. The current Security Rule (45 CFR Part 164, Subpart C) still applies, unchanged.

  • The final rule target moved from May 2026 to July 2027 on the OMB agenda. Dates like this shift often. Treat it as a target, not a promise.

  • The biggest change: the "addressable" label goes away. Encryption and multi-factor authentication (MFA) would become required, full stop.

  • Also proposed: written asset lists and network maps, network segmentation, yearly audits, yearly penetration tests, a 72-hour recovery deadline, and tighter checks on Business Associates.

  • Once a final rule comes out, you get about 240 days to comply. Every proposed control is already best practice today, so teams that build to the strong reading of the current rule have nothing to retrofit.

Where the new HIPAA Security Rule stands right now

New Rule Where it Stands

Milestone

Date

Status

Proposed rule (NPRM) published in the Federal Register

January 6, 2025

Done

Public comment period closed (~4,745 comments)

March 7, 2025

Done

Original final-rule signal

~May 2026

Missed

Current OMB target for final action

July 2027

Projected

Compliance deadline after publication

~240 days after the final rule

Estimated

The delay is normal. Big HHS rules slip often. The comment pile was heavy, and the proposals reach deep into how healthcare systems run. But the delay changes nothing about today. OCR still enforces the current rule, and its risk-analysis push keeps producing settlements while everyone waits. The enforcement record is in our guide to HIPAA violation fines and penalties.

What the new HIPAA Security Rule would change

HIPAA Rule What Changes

Area

Today's rule

Proposed rule

Encryption

"Addressable": use it or document an alternative (§ 164.312(a)(2)(iv), (e)(2)(ii))

Required at rest and in transit, with narrow exceptions

Multi-factor authentication

Not named; access control is the standard

Required for systems that touch ePHI

"Addressable" label

Applies to many safeguards

Goes away; those safeguards become required

Asset list and network map

Implied by the risk analysis

Written, explicit, and kept current

Network segmentation

Not named

Required, to stop attackers from moving between systems

Audits and testing

Periodic evaluation (§ 164.308(a)(8))

Yearly compliance audits, yearly penetration tests, regular scans

Incident recovery

Contingency plan standard (§ 164.308(a)(7))

Restore key systems within 72 hours; written incident plans

Business Associates

BAA under § 164.308(b)

Yearly checks that vendors' safeguards are real, plus new notice duties

Read the pattern. The new HIPAA Security Rule mostly turns today's best practices into law. Nothing here is exotic. It is encryption, MFA, written lists, walls between systems, testing, and recovery discipline. That is why the advice below is boring on purpose.

The 240-day clock, and why the delay is not a break

When a final rule comes out, the expected sequence is about 60 days until it takes effect, then about 180 days to comply. Call it 240 days total. That is a short runway if you need to retrofit encryption, roll out MFA, build asset lists, and redo vendor contracts. The July 2027 target buys planning time, not a pass. Two things stay true through the delay. The current rule is fully enforced right now. And encrypted data already earns the breach notification safe harbor today. The biggest proposed mandate pays off years before it becomes one.

What to do now, without betting on a date

New Rule What to do now
  1. Run the risk analysis first. It is required today under 45 CFR § 164.308(a)(1)(ii)(A). It is also OCR's most-cited failure. And it doubles as your gap list for everything the proposal would require. A HIPAA website audit covers the web-facing slice.

  2. Encrypt everything now. At rest and in transit. Treat "addressable" as required. For hosted patient data it effectively is, and the proposal would make it official.

  3. Turn on MFA everywhere patient data can be reached: app logins, admin panels, server access.

  4. Write the list. Which systems hold ePHI, where they run, and how they connect. Put the website on that list. It is the system audits miss most.

  5. Ask your vendors. The proposal adds yearly checks on Business Associates. So ask your host and every PHI-touching vendor how they meet today's safeguards, and what their answer to the proposed ones is.

The infrastructure half of that list is what compliant hosting already does. Our environments run encryption at rest and in transit, MFA on access, isolation, six-year audit logging, and tested backups today. Plans run from $79 per month self-managed to $229 managed; the details are in managed HIPAA hosting. That is HIPAA compliant hosting built to the strong reading of today's rule, which is the posture the proposal would demand. We sell these services, so weigh that as a disclosure. An environment built this way has nothing to retrofit when the final rule lands, in 2027 or later.

Frequently asked questions

Is the new HIPAA Security Rule final?

No. As of July 2026 it is still a proposed rule. The proposal published on January 6, 2025, comments closed March 7, 2025, and OMB now targets final action in July 2027. The current Security Rule applies unchanged until then.

When does the new HIPAA Security Rule take effect?

Unknown until a final rule comes out. The current target is final action around July 2027, followed by about 240 days to the compliance deadline. All of those dates can move.

What are the biggest changes in the new HIPAA Security Rule?

The "addressable" label goes away. Encryption at rest and in transit and MFA become required. Written asset lists, network segmentation, yearly audits and penetration tests, a 72-hour recovery deadline, and tighter vendor checks are added.

Does the delay mean we can wait to upgrade?

Waiting is legal and unwise. The current rule is enforced now, OCR's risk-analysis push is active, and encrypted data already earns the breach notification safe harbor. Every proposed control is a best practice with benefits today.

Will the proposal change before it is final?

Possibly. About 4,745 comments are under review. Rules can be softened, phased, or dropped between proposal and final. That is why this page calls them proposals and tracks the status.

Recap: new HIPAA Security Rule

To recap, the new HIPAA Security Rule is the first big overhaul in two decades, and it is still a proposal. Final action is now projected for July 2027, a year later than first signaled. It would make encryption and MFA required, end the "addressable" label, and add asset lists, segmentation, yearly audits and tests, and a 72-hour recovery deadline, with about 240 days to comply once final. Today's rule governs until then, and it is actively enforced. Build to the strong reading of today's rule and the new one becomes a non-event. This page will be updated as the status changes.

This article is general information, not legal advice. Rulemaking status is as published in the Federal Register and the OMB unified agenda through July 2026 and can change at any time; proposed requirements are paraphrased from the NPRM and may differ in a final rule. Consult qualified counsel and base your safeguards on a documented risk analysis. We sell HIPAA compliant hosting. Reviewed July 2026.

Sources