HIPAA

The HIPAA Security Rule Update is Delayed to July 2027: A New Opportunity to Strengthen Your Compliance Roadmap

043 Carley25

Chalice Beam

Sr. Director Healthcare Assessment, Coalfire

Brittany brown

Brittany Brown

Manager, Healthcare Advisory, Coalfire

July 13, 2026
HIPAA 1600140658

Healthcare organizations preparing for a more prescriptive HIPAA Security Rule just got something valuable: more time.

The U.S. Department of Health and Human Services (HHS) has updated its regulatory agenda on Reginfo, moving the projected final action date for the HIPAA Security Rule to July 2027 from the previously listed May 2026 target. For Covered Entities and Business Associates still working through the proposal's implications, that shift creates meaningful breathing room. It is not a reason to pause readiness work.

A Quick Recap: Why This Rule Matters

The HHS Office for Civil Rights (OCR) issued the Notice of Proposed Rulemaking (NPRM) on December 27, 2024, and published it in the Federal Register on January 6, 2025. It marked the first substantial update to the Security Rule since 2013 and arrived as ransomware, credential theft, and third-party compromise continued to expose the limits of a more flexible, less prescriptive model.

The proposal would largely eliminate the distinction between addressable and required implementation specifications, replacing broad discretion with more prescriptive expectations. Key proposals include mandatory encryption; multi-factor authentication; network segmentation; anti-malware controls; annual penetration testing; semiannual vulnerability scanning; annual asset-based risk analyses; defined backup and disaster recovery requirements; tighter business associate oversight; and expanded documentation, including annual compliance assessments.

The scope drew a strong response. OCR received nearly 5,000 public comments, many from hospitals, health systems, and provider groups that flagged cost, operational disruption, and the proposed implementation timeline. Those concerns were material: HHS estimated  about $9 billion in first-year costs and roughly $6 billion annually in years two through five in its Regulatory Impact Analysis.

What Changed

Regulatory agenda dates are planning targets, not binding deadlines, and they can move in either direction. Still, Reginfo now lists this rulemaking as a long-term action with a projected final action date of July 2027. That gives Covered Entities and Business Associates more time, even though the proposal itself has not changed, and current Security Rule remains in effect.

For organizations that viewed the original runway as too short, the added time creates room for a more deliberate readiness plan.

What This Means for Your Organization

  1. You have more runway, not a reprieve.
    The delay changes the timeline, not the direction of travel. Covered Entities and Business Associates now have more time to prepare before any new take effect. They should use that time to build evidence, budgets, and sequencing rather than assume the pressure is off.
     
  2. The proposal's core themes remain the right planning baseline.
    MFA, network segmentation stronger risk analysis, and tighter business associate oversight align with where OCR enforcement and healthcare cybersecurity expectations are already moving. A readiness assessment now can establish a defensible baseline and prevent a last-minute scramble if the final rule lands on a shorter compliance clock than expected.
     
  3. Now is the time to close gaps deliberately.
    Use the extra time to build a phased roadmap: a compliance assessment, an updated risk analysis and asset inventory, a realistic view of network segmentation, a defined penetration-testing cadence, and a review of business associate agreements and oversight processes. That work improves security now, regardless of when OCR finalizes the rule.
     
  4. Business Associates should pay particular attention.
    If finalized, the proposal's tighter verification timelines for Business Associate safeguards would increase pressure on vendors and subcontractors to show documentation and technical maturity. The added time gives Business Associates a chance strengthen evidence before Covered Entities start asking harder questions.

Where to Go for More Detail

Coalfire has been tracking the HIPAA Security Rule NPRM closely through a white paper series covering the proposal's major sections, along with practical guidance on closing compliance gaps. These resources can help Covered Entities and Business Associates turn the proposal into a phased readiness roadmap.

If your organization is deciding where to focus over the next 12 months, Coalfire's healthcare team can help translate the proposal into a phased readiness roadmap grounded in operational reality.

This post reflects rulemaking status published on federal rulemaking trackers as of July 2026. Those dates can change, and organizations should continue monitoring OCR, HHS, and Reginfo for updates