HHS Finalizes Major HIPAA Security Rule Overhaul Requiring Mandatory Safeguards

Samuel Knight
Jun 25, 2026 2:29 AM
Updated: Jun 25, 2026 2:30 AM

WASHINGTON — The U.S. Department of Health and Human Services (HHS) has not yet finalized a sweeping overhaul of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule as of June 24, 2026, despite ongoing industry preparations for proposed cybersecurity requirements that would make several safeguards mandatory, according to federal regulatory records and agency information.

The proposed rule, published by HHS in January 2025 through its Office for Civil Rights (OCR), seeks to strengthen protections for electronic protected health information amid rising cyber threats targeting healthcare providers, insurers, and related organizations. HHS said the proposal would update security standards that have remained largely unchanged since major revisions were adopted in 2013.

According to HHS, the HIPAA Security Rule establishes national standards requiring covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic health information. The agency's proposed revisions would expand and clarify those requirements, including converting several previously flexible, or “addressable,” safeguards into mandatory controls.

However, details of the final rule remain unclear because HHS has not published a final regulation. Regulatory and industry sources reported that OCR is still reviewing more than 4,700 public comments submitted in response to the proposal. The agency's previously anticipated spring 2026 target for finalization has passed without publication of a final rule.

“The 2026 HIPAA Security Rule update remains a proposed rule, not final law,” compliance and regulatory analysts noted in recent assessments of the rulemaking process.

Healthcare organizations, cybersecurity firms, and industry associations have nonetheless been preparing for potential changes. Proposed requirements under consideration include stronger encryption standards, expanded risk assessments, multi-factor authentication, vulnerability testing, and enhanced documentation obligations, according to the notice and industry reviews of the proposal.

Some healthcare groups have supported stronger cybersecurity protections following a series of high-profile cyber incidents affecting the sector. Others have expressed concerns about compliance costs, implementation timelines, and operational burdens, particularly for smaller providers and rural healthcare organizations. Industry coalitions have urged HHS to reconsider portions of the proposal or provide additional flexibility.

Federal officials have not announced a revised publication date for the final rule. Under the current rulemaking process, any finalized regulation would first be published in the Federal Register and would become effective according to timelines specified in the final text, HHS records show.

As of Wednesday, healthcare entities remain subject to the existing HIPAA Security Rule while awaiting further action from HHS on the proposed overhaul.
