CLIENT ALERT
Final action on HIPAA Security Rule modifications now projected for July 2027
July 16, 2026
Read time: 3 min
The US Department of Health and Human Services’ Office for Civil Rights has extended its projected timeline for finalizing modifications to the HIPAA Security Rule. The 2026 edition of the Unified Agenda of Federal Regulatory and Deregulatory Actions, released by the Office of Management and Budget’s Office of Information and Regulatory Affairs, categorizes the rulemaking titled “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information” as a “long-term action” and lists July 2027 as the projected date for final action. The prior Unified Agenda, issued in September 2025, listed May 2026 as the projected date for final action.
The notice of proposed rulemaking, published on January 6, 2025, proposed extensive modifications to the HIPAA Security Rule. Among other obligations, the proposed rule would require regulated entities to:
- Meet new and expanded requirements for implementing encryption and multi-factor authentication
- Maintain technology asset inventories and network maps
- Revise business associate agreements and obtain written verification at least once every 12 months that business associates deploy certain technical safeguards
- Treat all implementation specifications as mandatory, eliminating the distinction between “required” and “addressable” implementation specifications
- Review, verify, and update risk analyses on an ongoing basis and at least once every 12 months
- Perform penetration tests at least once every 12 months
- Perform vulnerability scans at least every six months
- Implement additional data backup and recovery controls and testing requirements
- Audit compliance with the Security Rule at least once every 12 months
If finalized, the rule would make the first modifications to the HIPAA Security Rule since 2013 and could entail significant additional compliance obligations and costs for HIPAA covered entities and business associates. For a detailed discussion of the January 2025 proposed modifications to the HIPAA Security Rule, see our prior client alert.