The US Department of Health and Human Services (HHS) has postponed the finalization of updates to the HIPAA Security Rule, with a new target date of July 2027, according to the Office of Management and Budget’s regulatory calendar.
The updates, first proposed in January 2025 by HHS’s Office for Civil Rights (OCR), are designed to strengthen protections for electronic protected health information (ePHI) in response to a surge in healthcare data breaches between 2018 and 2023.
The Security Rule, which has not seen substantive updates in more than a decade, sets national standards for safeguarding ePHI. HHS officials have emphasized that cyberattacks on healthcare systems pose unique risks, including disruption of patient care and erosion of public trust.
While OCR has characterized the changes as clarifications and expansions of existing requirements, healthcare providers and industry stakeholders have raised concerns about the scope and cost of compliance.
Critics argue that the proposed standards could impose significant operational burdens, particularly on smaller organizations. The administration’s response to these criticisms remains uncertain, contributing to the extended timeline.
The proposed amendments reflect the reality of contemporary healthcare cybersecurity. Reports of large-scale breaches doubled between 2018 and 2023, with the number of affected individuals increasing nearly tenfold.
Advances in electronic medical records and connected devices have expanded vulnerabilities, while HHS has stressed that nearly every aspect of modern healthcare depends on secure digital infrastructure. If finalized, the amendments would require covered entities and business associates to adopt updated cybersecurity practices, including enhanced risk assessments, stricter access controls, and more detailed incident response protocols.
“Robust and effective cybersecurity measures that lead to fewer and less costly cyberattacks are goals that all healthcare organizations firmly support,” Patrick Foley, special counsel for Duane Morris Healthcare, told GRIP. “But providers have rightly criticized the proposed updates to the rule as imprudent and overreaching, and fear that the administrative burdens and costs of complying will be significantly greater than what regulators have estimated.”
Pushback
In December 2025, the College of Healthcare Information Management Executives (CHIME) and more than 100 US hospital systems, healthcare provider organizations, and provider associations called for HHS to withdraw its proposed updates to the HIPAA Security Rule. Provider groups signing the letter criticized the proposed amendments as overly burdensome and costly, particularly for smaller and rural organizations.
Many hospitals and associations argue that the projected compliance costs – estimated at billions of dollars annually – would divert resources away from patient care. They also contend that the implementation timeline of 240 days is unrealistic given the complexity of healthcare IT systems.
Ericka Watson, principal and CEO of Data Strategy Advisors, told GRIP that the pushback was to be expected. “I’m not surprised by this, because looks at what’s on the table: mandatory encryption, MFA, annual pen testing, all inside a 240-day window. Smaller and rural providers especially just don’t have the staff or budget to turn around fast, and I think HHS realized this. The extra year is them trying to get the balance right.”
“But I’d push back on anyone who reads the delay as a green light to relax. The breaches have been driving this (the number doubling and the people affected jumping x10) none of that stops because the rule got pushed,” Watson continued.
HIPAA today
The current HIPAA Security Rule, in place since 2003, mandates that covered entities implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Administratively, organizations must conduct regular risk analyses, develop security policies, and train staff on compliance.
Physical safeguards include controlling facility access and securing workstations and devices. Technical safeguards mandate measures such as access controls, audit logs, and transmission security to protect data when shared electronically.
The rule is designed to be flexible and scalable, allowing organizations to tailor their security measures based on size, complexity, and resources. This flexibility has been both a strength and a weakness.
While it enables smaller providers to adopt reasonable protections without excessive burden, critics argue that the standards are too vague and outdated given the rapid evolution of cyber threats.
The proposed amendments aim to address these gaps by introducing more prescriptive requirements, but that shift has sparked debate over whether the balance between adaptability and enforceability is being lost.
“My message to my clients right now is simple: Treat 2027 like it’s already here,” said Watson. “Do the risk analysis. Know where your ePHI lives and who has access. Get your MFA and encryption in place before it’s required. I’ve done a lot of audits and assessments over the years, and there is a pattern. The organizations that wait for the final rule to start moving are usually the ones scrambling at the end.”

