
Chalice Beam
Sr. Director Healthcare Assessment, Coalfire
HIPAA



The U.S. Department of Health and Human Services (HHS) has updated its regulatory agenda on Reginfo, moving the projected final action date for the HIPAA Security Rule to July 2027 from the previously listed May 2026 target. For Covered Entities and Business Associates still working through the proposal's implications, that shift creates meaningful breathing room. It is not a reason to pause readiness work.
The HHS Office for Civil Rights (OCR) issued the Notice of Proposed Rulemaking (NPRM) on December 27, 2024, and published it in the Federal Register on January 6, 2025. It marked the first substantial update to the Security Rule since 2013 and arrived as ransomware, credential theft, and third-party compromise continued to expose the limits of a more flexible, less prescriptive model.
The proposal would largely eliminate the distinction between addressable and required implementation specifications, replacing broad discretion with more prescriptive expectations. Key proposals include mandatory encryption; multi-factor authentication; network segmentation; anti-malware controls; annual penetration testing; semiannual vulnerability scanning; annual asset-based risk analyses; defined backup and disaster recovery requirements; tighter business associate oversight; and expanded documentation, including annual compliance assessments.
The scope drew a strong response. OCR received nearly 5,000 public comments, many from hospitals, health systems, and provider groups that flagged cost, operational disruption, and the proposed implementation timeline. Those concerns were material: HHS estimated about $9 billion in first-year costs and roughly $6 billion annually in years two through five in its Regulatory Impact Analysis.
Regulatory agenda dates are planning targets, not binding deadlines, and they can move in either direction. Still, Reginfo now lists this rulemaking as a long-term action with a projected final action date of July 2027. That gives Covered Entities and Business Associates more time, even though the proposal itself has not changed, and current Security Rule remains in effect.
For organizations that viewed the original runway as too short, the added time creates room for a more deliberate readiness plan.
Coalfire has been tracking the HIPAA Security Rule NPRM closely through a white paper series covering the proposal's major sections, along with practical guidance on closing compliance gaps. These resources can help Covered Entities and Business Associates turn the proposal into a phased readiness roadmap.
If your organization is deciding where to focus over the next 12 months, Coalfire's healthcare team can help translate the proposal into a phased readiness roadmap grounded in operational reality.
This post reflects rulemaking status published on federal rulemaking trackers as of July 2026. Those dates can change, and organizations should continue monitoring OCR, HHS, and Reginfo for updates.