In the past few months, the healthcare industry has been closely watching for updates to the HIPAA Privacy and Security Rules that will finalize the amendments to these rules proposed by the U.S. Department of Health and Human Services (“HHS”). Based on HHS’s recently revised projected rulemaking timelines on reginfo.gov, below is an update on the recent developments on these amendments:
- Amendments to the HIPAA Security Rule Postponed. HHS has postponed finalizing the proposed amendments to the HIPAA Security Rule designed to improve cybersecurity and strengthen the requirements to safeguard electronic protected health information by at least a year. The HHS has now identified July of 2027 as the projected date for issuing the final rule. It is noteworthy that while despite strong industry opposition to the proposed amendments, HHS has not abandoned the amendments entirely, the rulemaking’s status has shifted from “final rule stage” to “long-term actions,” a classification that typically signals a lower priority on the agency’s regulatory agenda. It remains to be seen which of the proposed security standards will be finalized once the final rule is issued. It is possible that HHS may ultimately finalize the less controversial proposals that reduce cybersecurity risk without imposing heavy new burdens on covered entities and business associates.
- Amendments to the HIPAA Privacy Rule Moving Forward. With respect to the amendments to the HIPAA Privacy Rule first proposed by HHS in 2021, HHS plans to finalize the amendments that focus on coordinated care next month. These amendments will clarify the permissibility of information sharing among healthcare providers, health plans, and others involved in a patient’s care. HHS, however, has indicated that the proposed HIPAA Privacy Rule amendments concerning the timeframe for covered entities to respond to individuals’ requests to access protected health information will now be addressed through a separate rulemaking, expected in November of 2026.
Healthcare organizations should continue to monitor these developments to ensure their HIPAA compliance programs remain aligned with evolving regulatory requirements.


