Explore our Topics:

HHS pushes sweeping HIPAA Security Rule update to 2027

Industry groups like CHIME had warned of the financial and regulatory burden the intended updates would have on hospitals and other care delivery organizations.
By admin
Jul 15, 2026, 1:32 PM

The Department of Health and Human Services have placed a hold on the intended overhaul of the Health Insurance Portability and Accountability Act’s Security Rule until July 2027.  

HHS is, however, pressing forward with the planned updates to the HIPAA Privacy Rule next month. Regulators remain focused on expanding initiatives that will better support patient access to their health information, while working to reduce the impact of regulatory burden on care delivery organizations. 

The 125-page proposed HIPAA Security Rule update sought to make mandatory, except in limited cases, a host of implementation specifications, including segmentation, multi-factor authentication, vulnerability scanning, and encryption. The changes would require written documentation for all security rule procedures. 

Initially, these rules were set for May 2026, though industry stakeholders had repeatedly pressed HHS to press pause its plans due to unfunded mandates and the significant increase in documentation that would further burden providers.  

In fact, almost 5,000 public comments were sent to HHS about the proposed rulemaking, and many of those comments pushed back on the requirements. 

In December 2025, more than 100 health systems, healthcare provider organizations, and provider associations signed a joint letter led by the College of Healthcare Information Management Executives (CHIME), asking HHS to withdraw its proposed update to the HIPAA Security Rule. 

In the letter, stakeholders warned the proposal would fundamentally change HIPAA cyber requirements for hospitals and healthcare providers in a way that would mandate prescriptive technical controls that conflict with modern healthcare IT architectures, while substantially increasing documentation, reporting, and compliance burdens. 

In short, stakeholders were concerned the proposal would drive up costs, particularly for organizations already struggling financially. The letter urged HHS to instead engage with industry leaders to develop a more practical cybersecurity framework. 

News of the paused update to the Security Rule has been well received. However, HHS has given no indication that the requirements would be relaxed once the hold is lifted. Given the continued evolution of threats and the digital health infrastructure itself, provider organizations should use this time to continue sharpening their defenses. 

The HHS Cyber Performance Goals include the 10 essential goals tailored to digital health environments that can readily support organizations with common vulnerabilities with baseline measures able to improve incident response and reduce risk. Many of these functions, like access management and email security, will support a more risk-based approach to cybersecurity. 

In the meantime, HHS is continuing its efforts to modify the HIPAA Privacy Rule and intends to issue rulemaking actions intended to advance ongoing interoperability efforts and ease regulations tied to health IT certification requirements.  

The updates to the HIPAA Privacy Rule are intended to improve care coordination, while reducing administrative burden on HIPAA-covered care providers and health plans with a focus on continued privacy  protections for health information. 


Show Your Support

Subscribe

Newsletter Logo

Subscribe to our topic-centric newsletters to get the latest insights delivered to your inbox weekly.

Enter your information below

By submitting this form, you are agreeing to DHI’s Privacy Policy and Terms of Use.