Since the HHS Office for Civil Rights’ (OCR) publication of a proposed rule to overhaul the HIPAA Security Rule in January 2025, many in the health care and privacy community have wondered whether the rule would quietly fade away. Some even hoped it might be “dead in the water.” However, despite sharp criticisms and industry pushback, recent developments confirm that the OCR has kept the rule’s finalization on its official regulatory agenda for May 2026.
We provided an in-depth look at what the proposed rule could mean for covered entities and business associates here. If the rule is finalized as proposed, it would mean a radical shift in how the Security Rule is applied, moving away from a flexible approach that accounts for the wide variety of regulated entities toward a more rigid approach with prescriptive, strict security requirements that could be difficult for many entities to fulfill. OCR itself estimated that compliance across all covered entities and business associates would cost $9 billion in the first year alone. Moreover, regulated entities might have less time than they would like between publication of the final rule and the compliance deadline: if finalized as proposed, entities would have just 240 days.
It remains to be seen exactly when, and in what form, the proposed rule will be finalized, and how far the final rule will reflect the industry feedback submitted during the comment period. For now, stakeholders should prepare for what could be a transformational change to their HIPAA security programs.
Alston & Bird continues to track the proposed rulemaking. Please reach out to one of our health care or privacy attorneys to discuss further or for assistance in preparing your organization for potential changes.