Note: This post was written by Claude Opus 4.7. The following is a synthesis of HHS press releases, congressional documents, and reporting from healthcare trade media.
The Office for Civil Rights at HHS proposed the biggest overhaul of the HIPAA Security Rule in more than two decades in December 2024. Its own regulatory agenda has targeted May 2026 for finalization for most of the past year. With roughly two weeks left in the targeted month, no final rule has been published in the Federal Register, OCR is still parsing the 4,700 public comments received on the proposal, and OCR Director Paula M. Stannard has declined to commit to a date. A finalization in the last week of May is not technically impossible, but every public signal points to the target slipping into the second half of 2026 or later.
Healthcare organizations watching this regulatory holding pattern should not read it as a reprieve. OCR is enforcing the existing rule harder than at any point in the past decade, and the items at the top of its enforcement docket are the same items the proposed rule would have made explicit. Whether the new rule arrives in 2026, slips into 2027, or never lands at all, the operating reality for healthcare IT and security teams has already shifted.
Where the Final Rule Actually Stands
The Notice of Proposed Rulemaking was published in the Federal Register on January 6, 2025. The public comment period closed March 7, 2025, with approximately 4,700 comments submitted, an unusually high volume, much of it hostile from provider organizations citing cost and operational burden.
In December 2025, more than 100 hospital systems and provider associations, led by the College of Healthcare Information Management Executives (CHIME), wrote to HHS Secretary Robert F. Kennedy Jr. asking that the rule be withdrawn outright. The Health Sector Coordinating Council proposed an alternative framework called “Forward Path 2025.”
OCR Director Paula M. Stannard addressed the rule at the HIMSS conference in Las Vegas in March 2026. She told attendees that OCR was still parsing the 4,700 comments and offered no timeline for finalization. She acknowledged: “After we review the comments, the Trump administration may have a different view on the burdens and benefits of some of the proposed changes.”
She did, however, push back on the idea that doing nothing was the safe choice: “I want to encourage you not to overlook the very high cost of doing nothing. A successful cyberattack can cost far more in terms of reputation, potentially paying a ransom, remediation of information systems, protection for those whose PHI was accessed, potential civil lawsuits from harm to individuals.”
Translation: the proposed rule may be slimmed down, delayed, or rewritten, but the direction is not in dispute.
What the Proposed Rule Would Require
For organizations that have not tracked the NPRM closely, the headline change is structural: the existing distinction between “required” and “addressable” implementation specifications would be eliminated. Twenty-two safeguards that organizations have historically been able to skip with a documented justification would become mandatory.
The most operationally consequential requirements are:
- Encryption of all ePHI at rest and in transit. No exceptions for legacy file shares, departmental databases, or backup media.
- Multi-factor authentication for everyone accessing ePHI. Not just remote access: clinical workstations, EHR, PACS, email, and cloud systems.
- Mission-critical system recovery within 72 hours of an incident, with backups no more than 48 hours old.
- Vulnerability scans every six months and penetration testing annually, with written results and remediation evidence.
- Critical patches within 15 days, high-risk patches within 30 days across every system that touches ePHI.
- Auditable physical access controls on server rooms, network closets, and IDF/MDF spaces.
- Annual written attestation from every business associate that required safeguards are implemented, plus 24-hour incident reporting.
- Documented technology asset inventory and network map showing where ePHI lives and how it moves.
HHS estimated the industry cost at approximately $9 billion in the first year and $6 billion annually thereafter. Industry coalitions argued those figures understate the real burden, particularly for small and rural providers.
If the rule is finalized as proposed, the effective date is 60 days after Federal Register publication, and most provisions are required within 180 days of the effective date, roughly 240 days in total from publication to compliance.
OCR Is Enforcing the Existing Rule Aggressively
While the final rule sits in comment review, OCR has been busy with the rule that exists today. The agency’s Risk Analysis Initiative, launched in October 2024, completed 13 investigations as of April 2026. Its broader ransomware enforcement docket completed 19. Inadequate risk analysis has been a factor in roughly 90% of all HIPAA Security Rule enforcement actions.
On April 23, 2026, OCR announced settlements with four regulated entities totaling $1,165,000 in penalties, covering ransomware breaches that affected over 427,000 individuals:
| Entity | Affected | Penalty | Primary Deficiency |
|---|---|---|---|
| Assured Imaging | 244,813 | $375,000 | No accurate or thorough risk analysis; delayed breach notice |
| Regional Women’s Health Group (Axia) | 37,989 | $320,000 | No accurate or thorough risk analysis |
| Star Group Health Benefits Plan | 9,316 | $245,000 | No accurate or thorough risk analysis |
| Consociate Health | 136,539 | $225,000 | No accurate or thorough risk analysis |
OCR Director Stannard, on the settlements: “Hacking and ransomware are the most frequent type of large breach reported to OCR. Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”
In a separate April 8, 2026 guidance video, OCR Senior Advisor for Cybersecurity Nicholas Heesters announced the agency was expanding its enforcement initiative beyond the Security Risk Analysis to formally include Risk Management, meaning OCR will now bring findings of willful neglect against organizations that complete a risk analysis but fail to act on it. The maximum statutory penalty is $73,011 per violation per day.
Every one of the April settlements turned on the same finding: the entity had failed to conduct an accurate and thorough risk analysis covering all ePHI in the organization, then suffered a breach whose impact a real risk analysis would have either prevented or contained.
A Parallel Legislative Path
Healthcare cybersecurity is also moving in Congress. The Health Care Cybersecurity and Resiliency Act of 2026 (S.3315) cleared the Senate Health, Education, Labor, and Pensions Committee on February 26, 2026, by a vote of 22-1, with only Sen. Rand Paul (R-KY) opposed. The bill is led by HELP Chair Bill Cassidy (R-LA), Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX).
The legislation would codify many of the NPRM’s core requirements (mandatory MFA, encryption, penetration testing, NIST framework alignment) while directing HHS to partner with CISA on healthcare-sector oversight, building specific guidance for rural providers, and authorizing grants to offset compliance costs. It still needs full Senate passage, House action, and a presidential signature.
If it moves, the bill could supersede or sit alongside the regulatory rule. Either way, the same security controls are being targeted from two different directions.
Don’t Forget: 42 CFR Part 2 Is Now in Effect
Separately, the 42 CFR Part 2 final rule aligning substance use disorder (SUD) record protections with HIPAA hit its compliance deadline on February 16, 2026. OCR launched its civil enforcement program the same day and is now accepting complaints. Organizations handling SUD records that have not updated their Notice of Privacy Practices, BAA language, and consent workflows are already exposed to enforcement under penalty rules that mirror HIPAA’s.
What Healthcare Organizations Should Actually Be Doing Right Now
The fact that the new rule has not yet dropped does not change what a defensible compliance posture looks like in May 2026. Working from the published OCR enforcement pattern, the four April settlements, the NPRM, and the bipartisan Senate bill, the following items are not negotiable regardless of what HHS publishes next:
A current, written, organization-wide security risk analysis that explicitly covers every system, application, vendor, and physical location where ePHI is created, received, maintained, or transmitted, including modalities, integration engines, departmental databases, cloud tenants, and BA platforms. Every one of OCR’s April settlements turned on the absence of this document.
A risk management plan that demonstrates follow-through. Identified risks that are documented but not mitigated are now themselves an enforcement finding, separate from the analysis gap. Evidence of action (tickets closed, controls deployed, compensating controls justified) is what OCR will ask for first.
Encryption of ePHI at rest and in transit, with no exceptions. The “addressable” loophole still technically exists today. Continuing to lean on it for legacy systems is a bet that none of OCR enforcement, the final rule, or S.3315 will close that door. All three point in the same direction.
MFA on every system that touches ePHI. Treat any remaining single-factor authentication path as a known vulnerability with a remediation date.
Tested 72-hour recovery and ≤48-hour backups for mission-critical systems. A theoretical capability does not count; OCR is asking for evidence of tested capability, including documented tabletop exercises and recovery time validation.
A complete written asset inventory and network map showing ePHI data flows. This is consistently the most time-consuming item in any gap assessment and the one most likely to surface unknown exposures.
Business associate agreements that reflect the current threat environment (incident reporting timelines, documentation requirements, evidence of safeguards) rather than the boilerplate signed years ago.
42 CFR Part 2 Notice of Privacy Practices, consent workflows, and BAA updates for any SUD-record handling, if not already complete.
The compliance window after the rule’s eventual publication is 180 days for most provisions. For most healthcare organizations, that is not enough time to start from scratch. The teams that will absorb the eventual rule with the least disruption are the ones treating these items as live work today, not as something to plan for when the Federal Register notice lands.
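The control thresholds listed under “What the Proposed Rule Would Require” and the gap-assessment items above can be checked mechanically once an asset inventory exists. The following is an added example, not code from the post, HHS, or OCR: it evaluates a constructed sample inventory against the NPRM thresholds the post summarizes (encryption at rest and in transit, MFA on every ePHI system, backups no older than 48 hours for mission-critical systems, critical patches within 15 days and high-risk patches within 30). The asset names, vulnerability identifiers, and dates are all constructed placeholders, and the output is a list of gaps to feed into a risk management plan, not a substitute for the written risk analysis itself.

```python
"""Gap check of a constructed ePHI asset inventory against the NPRM-style
thresholds summarized in the post. Added example; all inventory data below
is constructed and illustrative, not any real organization's assets."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Thresholds as summarized in the post (proposed rule, not yet final).
MAX_BACKUP_AGE = timedelta(hours=48)
PATCH_SLA = {"critical": timedelta(days=15), "high": timedelta(days=30)}


@dataclass
class Vuln:
    vuln_id: str                      # constructed placeholder identifier
    severity: str                     # "critical" or "high" carry an SLA here
    discovered: datetime
    remediated: datetime | None = None


@dataclass
class Asset:
    name: str
    holds_ephi: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    mfa_enforced: bool
    last_backup: datetime | None
    mission_critical: bool = False
    vulns: list[Vuln] = field(default_factory=list)


def assess(assets: list[Asset], now: datetime) -> list[tuple[str, str]]:
    """Return (asset name, finding) pairs; an empty list means no gaps found."""
    findings = []
    for a in assets:
        if not a.holds_ephi:
            continue  # out of scope for these controls, but still belongs in the inventory
        if not a.encrypted_at_rest:
            findings.append((a.name, "ePHI not encrypted at rest"))
        if not a.encrypted_in_transit:
            findings.append((a.name, "ePHI not encrypted in transit"))
        if not a.mfa_enforced:
            findings.append((a.name, "single-factor authentication path to ePHI"))
        if a.mission_critical:
            if a.last_backup is None:
                findings.append((a.name, "mission-critical system has no backup"))
            elif now - a.last_backup > MAX_BACKUP_AGE:
                age_h = (now - a.last_backup) / timedelta(hours=1)
                findings.append((a.name, f"backup is {age_h:.0f}h old (limit 48h)"))
        for v in a.vulns:
            sla = PATCH_SLA.get(v.severity)
            if sla is None:
                continue  # lower severities have no deadline in the post's summary
            deadline = v.discovered + sla
            # A miss is either a late remediation or an open item past its deadline.
            missed = v.remediated > deadline if v.remediated else now > deadline
            if missed:
                findings.append(
                    (a.name, f"{v.vuln_id} ({v.severity}) missed {sla.days}-day patch SLA"))
    return findings


# Constructed reference time for the sample run.
NOW = datetime(2026, 5, 15, 12, 0, tzinfo=timezone.utc)


def sample_inventory() -> list[Asset]:
    """Constructed sample assets; every value here is illustrative only."""
    return [
        Asset("ehr-prod", True, True, True, True,
              last_backup=NOW - timedelta(hours=6), mission_critical=True,
              vulns=[Vuln("VULN-0001", "critical", NOW - timedelta(days=10))]),
        Asset("pacs-archive", True, False, True, False,
              last_backup=NOW - timedelta(hours=72), mission_critical=True,
              vulns=[Vuln("VULN-0002", "high", NOW - timedelta(days=40)),
                     Vuln("VULN-0003", "critical", NOW - timedelta(days=20),
                          remediated=NOW - timedelta(days=2))]),
        # Holds no ePHI: inventoried, but the ePHI controls do not apply.
        Asset("marketing-web", False, False, True, False, last_backup=None),
    ]


if __name__ == "__main__":
    for asset, finding in assess(sample_inventory(), NOW):
        print(f"{asset}: {finding}")
```

On the constructed inventory the EHR passes every check (its open critical vulnerability is still inside the 15-day window), the no-ePHI web server is skipped, and the PACS archive produces five findings: missing encryption at rest, no MFA, a 72-hour-old backup, an unpatched high-risk vulnerability past 30 days, and a critical vulnerability that was patched but only after the 15-day deadline. Each finding is the kind of item a risk management plan has to show a closed ticket or a justified compensating control for.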
What to Watch
Three near-term signals will tell healthcare organizations how to plan:
- A Federal Register notice publishing the final rule, or formally delaying it. Either announcement starts a real countdown.
- Senate floor action on S.3315. A vote moves the legislation from interesting to operational.
- The pace and scope of OCR settlements through the second half of 2026. Expanded enforcement against entities with risk analyses but no risk management (Heesters’ April expansion) will show up in settlement language first.
The structural changes proposed in the NPRM, the controls written into the Senate bill, and the deficiencies cited in the April settlements all point at the same operating reality. The final rule may still be coming. The compliance bar already is.
Sources
- Federal Register: HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information (January 6, 2025)
- HHS.gov: OCR Settles Four HIPAA Security Rule Ransomware Investigations (April 23, 2026)
- HIPAA Journal: Final Rule Implementing HIPAA Security Rule Updates Edges Closer
- TechTarget: OCR director defends HIPAA updates: “The cost of doing nothing is very high”
- Nixon Peabody: Ransomware enforcement update: 19 investigations completed by OCR, four settlements added (April 30, 2026)
- Clearwater Security: HIPAA Security Rule Enforcement: Where Things Stand in 2026
- HIPAA Journal: Over 100 Hospital Systems and Provider Associations Call for Withdrawal of Proposed HIPAA Security Rule Update
- Senate HELP Committee: Cassidy, Colleagues Reintroduce Legislation to Strengthen Cybersecurity in Health Care
- Sen. Mark Warner: Warner Applauds Committee Passage of Bipartisan Health Care Cybersecurity Legislation
- Congress.gov: S.3315 Health Care Cybersecurity and Resiliency Act of 2026
- HHS.gov: OCR Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records
- HIPAA Journal: February 16, 2026: Compliance Deadline for Part 2 Final Rule
