
The long-awaited HIPAA Security Rule update just got pushed back — again. Federal regulators have delayed the final rule to July 2027, a full year behind schedule, after hospitals and health systems flooded HHS with nearly 5,000 comments warning the proposed changes would impose major financial burdens. The overhaul would have mandated encryption, multifactor authentication, annual penetration tests, and more.
The push to modernize the HIPAA Security Rule is hitting another wall. The Department of Health and Human Services (HHS) has pushed back the final rule to July 2027 — a full year later than the previously anticipated May 2026 release — marking the first major update to the 23-year-old rule in over a decade.
The proposed overhaul, introduced in January 2025, aimed to raise the cybersecurity bar for healthcare organizations by requiring specific technical standards. But the 125-page proposal drew fierce opposition from hospitals, health systems, and provider groups who argued the requirements were financially burdensome and came with unreasonable implementation timelines. Meanwhile, HHS is still moving forward on a separate HIPAA Privacy Rule update, expected in August, which focuses on improving patient access to health information and streamlining care coordination.
Key Takeaways:
Why it matters: Cyberattacks and ransomware incidents targeting healthcare are on the rise, making robust security standards critical. The delay leaves healthcare organizations in a prolonged state of regulatory uncertainty — and potentially vulnerable — while the industry and regulators work toward a workable framework.