HHS Moves HIPAA Security Rule Overhaul to Long-Term Agenda: What the Delay May Mean for Healthcare Organizations
Author
Paul F. Schmeltzer
Healthcare organizations anticipating a final version of the Department of Health and Human Services’ (HHS) sweeping revisions to the HIPAA Security Rule will have to continue operating under the existing HIPAA Security Rule for at least the near term.
In the recently released Fall 2026 Unified Agenda of Federal Regulatory and Deregulatory Actions, HHS moved the proposed HIPAA Security Rule amendments (RIN 0945-AA22) to its Long-Term Actions agenda and identified July 2027 as the agency’s anticipated timeframe for final action. Although Unified Agenda dates are planning estimates rather than binding deadlines, placement on the Long-Term Actions agenda generally indicates that HHS does not anticipate issuing a final rule within the next 12 months.
Why Was the Rule Moved to the Long-Term Agenda?
HHS has not publicly explained why the rule was moved to the Long-Term Actions agenda, and the Unified Agenda provides no discussion of the agency’s reasoning. As a result, any explanation is speculative, but several factors could be contributing to the extended timeline.
One possibility is that HHS is continuing to evaluate the substantial number of public comments submitted in response to the January 2025 Notice of Proposed Rulemaking (NPRM). The proposal generated more than 4,000 public comments, reflecting widespread interest across the healthcare industry and significant debate regarding the scope, cost, and feasibility of the proposed requirements. While many commenters supported strengthening cybersecurity requirements, others raised concerns regarding implementation costs, operational feasibility, and the burden the proposed requirements could impose on smaller providers and rural healthcare organizations.
Another possibility is that the revised timeline reflects broader policy review by the current administration. It is common for incoming administrations to reassess significant pending regulations to determine whether they remain consistent with current policy priorities. Moving the proposal to the Long-Term Actions agenda may indicate that HHS intends to take additional time to evaluate whether the rule should move forward in its current form or whether revisions are appropriate before issuing a final rule.
Finally, the additional time could suggest that HHS is considering narrowing or modifying portions of the proposal. The January 2025 NPRM would represent the most significant revision to the HIPAA Security Rule in more than a decade. Among other changes, it would eliminate the distinction between “required” and “addressable” implementation specifications, require comprehensive technology asset inventories and network mapping, mandate multi-factor authentication, expand encryption requirements, require more prescriptive risk analyses and vulnerability testing, strengthen business associate oversight, and impose detailed incident response and disaster recovery planning obligations. Given the breadth of those proposed changes, HHS may ultimately determine that certain provisions should be revised, delayed, or otherwise tailored before publication of a final rule.
What the Delay Does Not Mean
What the revised timeline does not mean is that healthcare organizations can relax their current cybersecurity efforts. The existing HIPAA Security Rule remains fully enforceable, and the Office for Civil Rights (OCR) continues to expect covered entities and business associates to implement reasonable and appropriate administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). OCR’s recent enforcement actions continue to focus on fundamental compliance obligations, including conducting accurate and thorough risk analyses, implementing appropriate security measures, managing vendor risk, training workforce members, and responding to known vulnerabilities.
Healthcare organizations therefore should not view the delayed rulemaking as a reason to postpone cybersecurity improvements. Many of the safeguards proposed in the NPRM, such as multi-factor authentication, enhanced asset management, encryption, vulnerability scanning, and incident response planning, are already considered widely accepted cybersecurity best practices.
Practical Takeaways for Healthcare Organizations
Organizations should use this additional time to evaluate their HIPAA Security Rule compliance programs, update risk analyses, review technical safeguards, assess business associate oversight, and identify potential gaps between their current cybersecurity posture and the proposed regulatory framework. Even if the final rule is ultimately modified before publication, investments in cybersecurity governance, documentation, and risk management are likely to improve both regulatory compliance and organizational resilience.
Although the current Unified Agenda identifies July 2027 as the anticipated timeframe for final action, that date remains an estimate rather than a statutory deadline. Additional delays or revisions to the proposal itself remain possible as HHS continues the rulemaking process. Until a final rule is issued and becomes effective, covered entities and business associates should continue complying with the existing HIPAA Security Rule while closely monitoring future regulatory developments.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author(s) only and are not necessarily the views of Clark Hill PLC or Clark Hill Solicitors LLP. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.