Jackson Thornton Technologies has been serving the Southeast since 1999, providing IT consulting and managed services, technical helpdesk support, cybersecurity assessments, and business continuity and disaster recovery to small and medium-sized businesses.

HIPAA Security Rule Changes Are Coming: What Healthcare Organizations Should Know Now

The U.S. Department of Health and Human Services (HHS) has formally signaled that significant changes to the HIPAA Security Rule are on the way, with a final rule expected in May 2026. This isn’t speculation or industry rumor: the timeline and intent are documented in the federal government’s Spring 2026 Unified Agenda, published on RegInfo.gov, the official regulatory tracking site for federal rulemaking.

For healthcare providers, business associates, and the IT partners who support them, this represents one of the most consequential updates to HIPAA security requirements in years.

What Is Being Changed?

According to the HHS Office for Civil Rights (OCR), the rule titled “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information” will modify the existing Security Standards under HIPAA and the HITECH Act.

The stated purpose of the rule is clear: to improve cybersecurity in the healthcare sector by strengthening requirements for HIPAA‑regulated entities to safeguard electronic protected health information (ePHI) and better prevent, detect, contain, mitigate, and recover from cybersecurity threats.

In other words, the focus is squarely on cybersecurity maturity, not just compliance checklists.

Why This Matters Now

Cyberattacks against healthcare organizations continue to grow in frequency and impact, and regulators have been increasingly vocal that the current Security Rule—largely unchanged since the mid‑2000s—does not reflect modern threat realities.

HHS has designated this rule as economically significant, signaling that it is expected to have a substantial impact across the healthcare ecosystem, including providers, governmental entities, and organizations that handle ePHI.

Importantly, the rule is already in the Final Rule stage, meaning the policy direction is largely set. While organizations will still need to wait for the final published text to understand precise requirements, the May 2026 target date provides a clear planning horizon.

What the Government Has (and Has Not) Said

At this stage, HHS has not published detailed implementation steps or prescriptive technical controls in the Unified Agenda entry. The RegInfo.gov release does not enumerate specific technologies, tools, or frameworks that organizations must adopt.

What it does make explicit is:

  • The rule will strengthen requirements, not merely clarify existing ones
  • The focus is on cybersecurity resilience, including prevention and recovery
  • The scope includes all HIPAA‑regulated entities and business associates
  • The final action is targeted for May 2026

Any claims beyond that—such as mandatory MFA, encryption standards, or specific risk assessment methodologies—will need to wait until the final rule text is released.

What Healthcare Organizations Should Be Doing Now

While no one should guess at final compliance language, the direction of travel is clear. Organizations that are still treating HIPAA Security as a “documentation exercise” rather than an operational cybersecurity program are likely to feel the most pressure once the rule is finalized.

Between now and May 2026, healthcare leaders should be asking:

  • Do we have a current and defensible risk analysis tied to real threats?
  • Are our security controls designed to detect and respond, not just exist on paper?
  • Can we demonstrate our ability to recover ePHI systems after an incident?
  • Do our vendors and business associates meet the same security expectations we do?

These are not new questions—but they are exactly the areas regulators are signaling they want to strengthen.

Final Thoughts

The upcoming HIPAA Security Rule changes represent more than a regulatory update. They reflect a broader shift in how the federal government expects healthcare organizations to manage cyber risk. With a final rule expected in May 2026, organizations that begin aligning security strategy, governance, and operational readiness now will be far better positioned when enforcement expectations inevitably rise.

The message from HHS is clear: HIPAA Security is no longer about minimum safeguards—it’s about cybersecurity resilience.
