New HIPAA Security Rule: 2026 Status, the 2027 Delay, and What Would Change
Last updated: July 14, 2026. This page tracks the rulemaking and is updated as the status changes.
The new HIPAA Security Rule is not final, and it just slipped a year. HHS proposed the first big Security Rule overhaul in two decades on January 6, 2025. The public comment period closed on March 7, 2025, with about 4,745 comments. HHS had aimed for a final rule around May 2026. That date has moved. The Office of Management and Budget (OMB) now lists July 2027 as the target. Until a final rule comes out, the current Security Rule still governs. Every change below is still just a proposal, and proposals can change. Here is where things stand, what would change, the clock that starts when it becomes final, and what to do with the extra time.
TL;DR: Quick answer
Status as of July 2026: proposed, not final. The current Security Rule (45 CFR Part 164, Subpart C) still applies, unchanged.
The final rule target moved from May 2026 to July 2027 on the OMB agenda. Dates like this shift often. Treat it as a target, not a promise.
The biggest change: the "addressable" label goes away. Encryption and multi-factor authentication (MFA) would become required, full stop.
Also proposed: written asset lists and network maps, network segmentation, yearly audits, yearly penetration tests, a 72-hour recovery deadline, and tighter checks on Business Associates.
Once a final rule comes out, you get about 240 days to comply. Every proposed control is already best practice today, so teams that build to the strong reading of the current rule have nothing to retrofit.
Where the new HIPAA Security Rule stands right now

Milestone | Date | Status |
|---|---|---|
Proposed rule (NPRM) published in the Federal Register | January 6, 2025 | Done |
Public comment period closed (~4,745 comments) | March 7, 2025 | Done |
Original final-rule signal | ~May 2026 | Missed |
Current OMB target for final action | July 2027 | Projected |
Compliance deadline after publication | ~240 days after the final rule | Estimated |
The delay is normal. Big HHS rules slip often. The comment pile was heavy, and the proposals reach deep into how healthcare systems run. But the delay changes nothing about today. OCR still enforces the current rule, and its risk-analysis push keeps producing settlements while everyone waits. The enforcement record is in our guide to HIPAA violation fines and penalties.
What the new HIPAA Security Rule would change

Area | Today's rule | Proposed rule |
|---|---|---|
Encryption | "Addressable": use it or document an alternative (§ 164.312(a)(2)(iv), (e)(2)(ii)) | Required at rest and in transit, with narrow exceptions |
Multi-factor authentication | Not named; access control is the standard | Required for systems that touch ePHI |
"Addressable" label | Applies to many safeguards | Goes away; those safeguards become required |
Asset list and network map | Implied by the risk analysis | Written, explicit, and kept current |
Network segmentation | Not named | Required, to stop attackers from moving between systems |
Audits and testing | Periodic evaluation (§ 164.308(a)(8)) | Yearly compliance audits, yearly penetration tests, regular scans |
Incident recovery | Contingency plan standard (§ 164.308(a)(7)) | Restore key systems within 72 hours; written incident plans |
Business Associates | BAA under § 164.308(b) | Yearly checks that vendors' safeguards are real, plus new notice duties |
Read the pattern. The new HIPAA Security Rule mostly turns today's best practices into law. Nothing here is exotic. It is encryption, MFA, written lists, walls between systems, testing, and recovery discipline. That is why the advice below is boring on purpose.
The 240-day clock, and why the delay is not a break
When a final rule comes out, the expected sequence is about 60 days until it takes effect, then about 180 days to comply. Call it 240 days total. That is a short runway if you need to retrofit encryption, roll out MFA, build asset lists, and redo vendor contracts. The July 2027 target buys planning time, not a pass. Two things stay true through the delay. The current rule is fully enforced right now. And encrypted data already earns the breach notification safe harbor today. The biggest proposed mandate pays off years before it becomes one.
What to do now, without betting on a date

Run the risk analysis first. It is required today under 45 CFR § 164.308(a)(1)(ii)(A). It is also OCR's most-cited failure. And it doubles as your gap list for everything the proposal would require. A HIPAA website audit covers the web-facing slice.
Encrypt everything now. At rest and in transit. Treat "addressable" as required. For hosted patient data it effectively is, and the proposal would make it official.
Turn on MFA everywhere patient data can be reached: app logins, admin panels, server access.
Write the list. Which systems hold ePHI, where they run, and how they connect. Put the website on that list. It is the system audits miss most.
Ask your vendors. The proposal adds yearly checks on Business Associates. So ask your host and every PHI-touching vendor how they meet today's safeguards, and what their answer to the proposed ones is.
The infrastructure half of that list is what compliant hosting already does. Our environments run encryption at rest and in transit, MFA on access, isolation, six-year audit logging, and tested backups today. Plans run from $79 per month self-managed to $229 managed; the details are in managed HIPAA hosting. That is HIPAA compliant hosting built to the strong reading of today's rule, which is the posture the proposal would demand. We sell these services, so weigh that as a disclosure. An environment built this way has nothing to retrofit when the final rule lands, in 2027 or later.
Frequently asked questions
Is the new HIPAA Security Rule final?
No. As of July 2026 it is still a proposed rule. The proposal published on January 6, 2025, comments closed March 7, 2025, and OMB now targets final action in July 2027. The current Security Rule applies unchanged until then.
When does the new HIPAA Security Rule take effect?
Unknown until a final rule comes out. The current target is final action around July 2027, followed by about 240 days to the compliance deadline. All of those dates can move.
What are the biggest changes in the new HIPAA Security Rule?
The "addressable" label goes away. Encryption at rest and in transit and MFA become required. Written asset lists, network segmentation, yearly audits and penetration tests, a 72-hour recovery deadline, and tighter vendor checks are added.
Does the delay mean we can wait to upgrade?
Waiting is legal and unwise. The current rule is enforced now, OCR's risk-analysis push is active, and encrypted data already earns the breach notification safe harbor. Every proposed control is a best practice with benefits today.
Will the proposal change before it is final?
Possibly. About 4,745 comments are under review. Rules can be softened, phased, or dropped between proposal and final. That is why this page calls them proposals and tracks the status.
Recap: new HIPAA Security Rule
To recap, the new HIPAA Security Rule is the first big overhaul in two decades, and it is still a proposal. Final action is now projected for July 2027, a year later than first signaled. It would make encryption and MFA required, end the "addressable" label, and add asset lists, segmentation, yearly audits and tests, and a 72-hour recovery deadline, with about 240 days to comply once final. Today's rule governs until then, and it is actively enforced. Build to the strong reading of today's rule and the new one becomes a non-event. This page will be updated as the status changes.
This article is general information, not legal advice. Rulemaking status is as published in the Federal Register and the OMB unified agenda through July 2026 and can change at any time; proposed requirements are paraphrased from the NPRM and may differ in a final rule. Consult qualified counsel and base your safeguards on a documented risk analysis. We sell HIPAA compliant hosting. Reviewed July 2026.
Sources
Federal Register: HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information (NPRM, Jan. 6, 2025)
45 CFR Part 164, Subpart C (current Security Rule): ecfr.gov
OMB Unified Agenda (rule status and projected dates): reginfo.gov
HIPAA Journal: HIPAA Security Rule update postponed