HIPAA Rule Rewrite Puts Cyber Controls On The Clock

    Updated: June 18, 2026

    The U.S. Department of Health and Human Services’ proposed HIPAA Security Rule rewrite would move healthcare cybersecurity from flexible safeguard language toward mandatory technical controls, placing hospitals, health plans, clearinghouses, providers, and business associates under a sharper federal compliance model if the rule is finalized. The proposal remains pending as of June 18, 2026, after a May 2026 regulatory-agenda target passed without a final rule.

    What Is The HIPAA Security Rule Update Proposed By HHS OCR?

    The HIPAA Security Rule update is an HHS Office for Civil Rights proposal to revise the federal standards that protect electronic protected health information. OCR said the rewrite would respond to rising healthcare cyberattacks, common HIPAA compliance failures, modern cybersecurity practices, and court decisions affecting Security Rule enforcement.

    HHS issued the proposal on December 27, 2024, and published it in the Federal Register on January 6, 2025, under RIN 0945-AA22. The proposal would modify 45 CFR Parts 160 and 164 and would be the most significant Security Rule rewrite since the rule was last revised in 2013.

    [Image: HIPAA Security Rule Rewrite Tightens Cyber Requirements]

    What Is The Timeline For The HIPAA Security Rule Update From 2003 To 2026?

    The HIPAA Security Rule was first published in 2003, revised in 2013, and targeted for a major cybersecurity rewrite after large healthcare breaches increased. HHS proposed the new rule on December 27, 2024, opened comments through March 7, 2025, and listed final action for May 2026.

    OCR said large breach reports rose 102% from 2018 to 2023, while the number of affected individuals rose 1002%. HHS said more than 167 million people were affected by large healthcare breaches in 2023. Regulations.gov listed roughly 4,680 docket comments, while trade coverage cited OCR officials reviewing about 4,745 comments.

    The latest confirmed status is that no final rule had been published as of June 18, 2026. The current Security Rule remains in effect, and the proposed requirements are not yet enforceable as final regulatory obligations.

    What Mandatory Cyber Controls Would The HIPAA Security Rule NPRM Require?

    The HIPAA Security Rule NPRM would require regulated healthcare entities to apply more specific cybersecurity safeguards, including multi-factor authentication, encryption, vulnerability scanning, penetration testing, asset inventories, network maps, network segmentation, written policies, annual audits, and faster recovery planning for critical systems.

    The proposal would remove the distinction between “required” and “addressable” implementation specifications. HHS said that change would make clear that Security Rule safeguards set a compliance floor, not optional guidance. The rule would require automated vulnerability scans at least once every 6 months and penetration testing at least once every 12 months.

    The proposal would require multi-factor authentication for technology assets in relevant electronic information systems, with limited exceptions. It would require written procedures to restore critical relevant systems and data within 72 hours of loss. Business associates would have to notify covered entities within 24 hours after contingency-plan activation.

    Which Healthcare Entities Would The HIPAA Security Rule Update Affect?

    The HIPAA Security Rule update would affect covered entities and business associates that create, receive, maintain, or transmit electronic protected health information. That scope includes health plans, healthcare clearinghouses, most healthcare providers, and vendors that handle protected health data for regulated healthcare organizations.

    HHS estimated the proposal would affect 1,822,600 regulated entities and about 1 million business associates. HHS estimated 740,348 small entities could be affected. Bloomberg Law reported that the proposal could reach healthcare supply-chain companies, including accounting, legal, administrative, artificial intelligence, analytics, and other service providers handling health data.

    Group health plans and plan sponsors would face new documentation and notification obligations where plan documents allow sponsors to receive ePHI. Business associate agreements would need revision, and business associates would need to verify technical safeguard compliance to covered entities.

    What HIPAA Penalties Could OCR Use Against Covered Entities And Business Associates?

    OCR could use existing HIPAA civil monetary penalties against covered entities and business associates that violate the Security Rule after a final rule takes effect. HHS updated HIPAA penalty amounts on January 28, 2026, with penalties ranging from $145 per violation to $2,190,294 per violation for violations occurring after February 18, 2009.

    The 2026 penalty table sets the unknowing violation tier at $145 minimum and $73,011 maximum per violation, with a $2,190,294 calendar-year cap. The willful-neglect and not-corrected tier starts at $73,011 and reaches $2,190,294 per violation, with a $2,190,294 calendar-year cap.

    Bloomberg Law reported that the proposed rule would give OCR more specific language to enforce after a 2021 appeals court decision vacated a $4.3 million penalty against the University of Texas M.D. Anderson Cancer Center. HHS said the proposal addresses court decisions that affect Security Rule enforcement.

    How Should Healthcare Organizations Prepare For The HIPAA Security Rule Rewrite?

    Healthcare organizations should treat the HIPAA Security Rule rewrite as a planning signal and prepare for controls that are already common in OCR enforcement expectations. Practical steps include mapping ePHI systems, documenting asset inventories, deploying MFA, testing backup recovery, scanning vulnerabilities, scheduling penetration testing, and updating business associate agreements.

    Organizations should refresh security risk analyses, link risks to remediation records, and keep written evidence for each safeguard. Security teams should test whether critical systems can return within 72 hours, review remote access protections, confirm encryption at rest and in transit, and create a compliance calendar for 6-month, 12-month, and annual tasks.

    The proposed rule would become effective 60 days after Federal Register publication of a final rule, with compliance due 180 days after that effective date. That creates a total proposed runway of 240 days from final-rule publication.

    Why Are Hospitals And Provider Groups Opposing The HIPAA Security Rule Proposal?

    Hospitals and provider groups are opposing the HIPAA Security Rule proposal because they say it would impose costly, rigid, and operationally difficult mandates on healthcare organizations already dealing with thin margins, staffing shortages, legacy systems, and active cyber threats. A CHIME-led coalition asked HHS to withdraw the proposal.

    CHIME said more than 100 hospital systems, provider organizations, and associations signed its December 8, 2025 letter. Signatories argued that the proposal would add financial burdens, require infrastructure redesign, increase documentation duties, and divert resources from patient care. The coalition asked HHS to develop a more practical, risk-based approach.

    Axios reported on May 19, 2026, that stakeholders were still pressing the administration to narrow the rule, lengthen timelines, and reduce cost burdens. HHS did not comment to Axios for that story.

    What Would The HIPAA Security Rule Update Cost Healthcare Organizations?

    HHS estimated the proposed HIPAA Security Rule update would cost about $9 billion in the first year and about $6 billion annually in years 2 through 5. HHS put the undiscounted 5-year present value at $34 billion for regulated entities and affected health plan sponsors.

    The largest quantified first-year cost categories include policy and procedure updates, network segmentation, penetration testing, MFA deployment, annual Security Rule compliance audits, workforce training, and business associate agreement revisions. HHS estimated $983.7 million for network segmentation, $655.8 million for penetration testing, and $327.9 million for MFA deployment.

    HHS said the proposal could pay for itself if it reduced affected individuals in breaches by 7% to 16%, or lowered breach cost per affected person by 7% to 16%. Industry groups dispute the burden assumptions and say implementation could cost more for hospitals with older systems and rural providers with limited security staff.

    When Will HHS Publish The Final HIPAA Security Rule?

    HHS has not published a final HIPAA Security Rule as of June 18, 2026. The Unified Agenda listed final action for May 2026, but that target passed without publication, leaving the final timing, scope, and political path unresolved.

    The open questions are whether HHS will finalize the proposal as written, narrow technical mandates, lengthen the compliance period, withdraw the rule, or restart the process with provider groups. No court has blocked the Security Rule proposal itself because it remains a pending rulemaking, not a final regulation.

    Why Does The HIPAA Security Rule Rewrite Matter For Healthcare Cyber Risk?

    The HIPAA Security Rule rewrite matters because healthcare cyberattacks increasingly affect care delivery, not just data privacy. The Change Healthcare attack disrupted billing and care authorization systems nationwide in 2024, and AP reported that OCR opened an investigation into whether protected health information was exposed.

    AP reported that Change Healthcare handled about 14 billion transactions annually. Bloomberg Law reported that the proposal was shaped in part by supply-chain attacks and the growth of vendors handling health data. HHS said ransomware and hacking drove much of the increase in large healthcare breaches from 2018 to 2023.

    The broader significance is that federal healthcare cybersecurity policy is shifting from flexible standards toward provable controls. The proposal would make cybersecurity documentation, technical testing, vendor oversight, and recovery capability central HIPAA obligations.

    How Bright Defense Helps Healthcare Organizations Prepare For The HIPAA Security Rule Rewrite

    Bright Defense helps healthcare providers, health plans, business associates, and digital health vendors prepare for the HIPAA Security Rule rewrite through HIPAA Compliance Services, Penetration Testing, Continuous Compliance, and Security Assessments. These services support control validation, evidence collection, risk remediation, HIPAA gap analysis, security risk analysis, and readiness for stronger OCR expectations.

    For organizations preparing ahead of a final rule, Bright Defense can test exposed systems, review cloud and network configurations, assess MFA and segmentation gaps, validate vulnerability management practices, and document findings against proposed HIPAA Security Rule controls. That work helps compliance, legal, and security teams move from policy language to defensible operating evidence.

    Sources Cited In This HIPAA Security Rule Report

    1. HHS OCR — HIPAA Security Rule NPRM (December 27, 2024)
      https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html
    2. HHS OCR — HIPAA Security Rule Notice Of Proposed Rulemaking To Strengthen Cybersecurity For Electronic Protected Health Information Fact Sheet (December 27, 2024)
      https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
    3. Federal Register — HIPAA Security Rule To Strengthen The Cybersecurity Of Electronic Protected Health Information (January 6, 2025)
      https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information
    4. Regulations.gov — Proposed Modifications To The HIPAA Security Rule To Strengthen The Cybersecurity Of ePHI, Docket HHS-OCR-2024-0020 (March 7, 2025)
      https://www.regulations.gov/docket/HHS-OCR-2024-0020
    5. Reginfo.gov — View Rule RIN 0945-AA22, HIPAA Security Rule To Strengthen The Cybersecurity Of Electronic Protected Health Information (Spring 2025)
      https://www.reginfo.gov/public/do/eAgendaViewRule?RIN=0945-AA22&pubId=202504
    6. Federal Register — Annual Civil Monetary Penalties Inflation Adjustment (January 28, 2026)
      https://www.federalregister.gov/documents/2026/01/28/2026-01688/annual-civil-monetary-penalties-inflation-adjustment
    7. Reuters Via SRN News — Biden Administration Proposes New Cybersecurity Rules To Limit Impact Of Healthcare Data Leaks (December 27, 2024)
      https://srnnews.com/biden-administration-proposes-new-cybersecurity-rules-to-limit-impact-of-healthcare-data-leaks/
    8. Associated Press — The Massive Health Care Hack Is Now Being Investigated By The Federal Office Of Civil Rights (March 13, 2024)
      https://apnews.com/article/change-healthcare-cyberattack-federal-government-hhs-88ac99fc0c62e69dc60fc5c39682e859
    9. Bloomberg Law — Health Supply-Chain Hacks Targeted By HHS Cybersecurity Rule (January 13, 2025)
      https://news.bloomberglaw.com/privacy-and-data-security/health-supply-chain-hacks-targeted-by-hhs-cybersecurity-rule
    10. Bloomberg Law — Insurers, Hospitals Urge HHS To Cut Biden-Era Cyber Rule Updates (July 17, 2025)
      https://news.bloomberglaw.com/privacy-and-data-security/insurers-hospitals-urge-hhs-to-cut-biden-era-cyber-rule-updates
    11. CHIME — Over 100 Provider Organizations Urge HHS To Withdraw Proposed HIPAA Security Rule (December 8, 2025)
      https://chimecentral.org/chime/resource-press-release/over-100-provider-orgs-urg-hhs-withrdaw-proposed-hipaa-security-rule
    12. Axios — Cyber Crackdown Could Cost Hospitals Billions (May 19, 2026)
      https://www.axios.com/2026/05/19/cyber-crackdown-hospitals-cost-billions
    13. Medcurity — 2026 HIPAA Security Rule Update: New Requirements To Prepare For (June 2026)
      https://medcurity.com/hipaa-security-rule-2026-update/
    14. Cloud Security Alliance — The HIPAA Security Rule Is About To Change: What Healthcare CISOs Need To Do Before The Final Rule Drops (June 2026)
      https://cloudsecurityalliance.org/articles/the-hipaa-security-rule-is-about-to-change-what-healthcare-cisos-need-to-do-before-the-final-rule-drops
    15. BleepingComputer — Massive Healthcare Breaches Prompt US Cybersecurity Rules Overhaul (December 31, 2024)
      https://www.bleepingcomputer.com/news/security/massive-healthcare-breaches-prompt-us-cybersecurity-rules-overhaul/

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates and brings readers practical insights they can trust, keeping them ahead of the curve.
