The timing and details of a final updated HIPAA Security Rule are up in the air.
What is clear, whether mandated or not, is the need for heightened security and vigilance, especially against cyberattacks. Between 2009 and 2025, the protected health information (PHI) of more than 935 million individuals was compromised in 7,357 healthcare data breaches affecting 500 or more individuals each, according to analysis by The HIPAA Journal.
Even as some in healthcare push back against the tougher regulations because of cost and other reasons, industry leaders, including Nordis Technologies, aren’t waiting for new regulations to adopt the latest security practices and protocols. While many organizations may delay until the updates are finalized, compliance-forward companies have already adopted the proposed HIPAA Security Rule upgrades. As a provider of HIPAA-compliant printing and mailing services and secure digital delivery, Nordis applies the same compliance-forward mindset to every patient communication it handles on behalf of clients.
What is the Current Status of the HIPAA Security Rule Update?
In the final months of 2024, the Department of Health and Human Services unveiled proposed HIPAA Security Rule changes and set a target of publishing the final rule in May 2026. The new requirements set tougher security standards in response to the modern threat environment, including stricter safeguards for electronic protected health information (ePHI) given the number and success of cyberattacks against U.S. healthcare.
It’s quite common for proposed regulation changes to miss their original target dates for final publication in the Federal Register. In this case, HHS has not publicly committed to finalizing the proposed changes, proposed alternative security changes, announced a timeline, or announced a decision not to move forward at all.
Where does the healthcare industry stand on the proposed HIPAA security updates?
While there is broad support for modernizing HIPAA standards to reflect cybersecurity realities, reactions to the specific proposed changes are mixed, and some are quite negative. HHS’ Office for Civil Rights (OCR), which oversees HIPAA security, has received more than 4,700 public comments. A December 2025 letter from more than 100 providers and professional organizations called for immediate withdrawal of the proposed changes because of their substantial financial burden and unreasonable implementation timeline.
What’s controversial?
- Recommendations become requirements: One critical regulatory change is replacing safeguards that have been “addressable,” which in practice were often treated as optional and left undone, with firm requirements. Tougher mandates will include encryption for data in transit and at rest, multi-factor authentication, more frequent and rigorous vulnerability testing, and expanded incident response and business associate oversight obligations.
- Compliance timeline: Healthcare providers, revenue cycle management companies, business associates and other HIPAA-covered entities will have 240 days after publication of the final updated HIPAA Security Rule to meet the hefty requirements.
- Cost: HHS originally estimated $9 billion to bring U.S. healthcare into compliance.
What has HHS said about finalizing the HIPAA Security Rule?
HHS is still reviewing the comments and may decide differently about the benefits or burdens of the proposed changes, according to media coverage of remarks made by HHS’ OCR Director Paula M. Stannard during a March 2026 session at the annual HIMSS conference.
As quoted in an xtelligent Health Security article, Stannard went on to say:
“I’ve heard complaints about the cost of work that would be imposed by the proposed modifications. I’ve heard about the lack of flexibility that it proposes. But I want to encourage you to think about it in a different way.
“There’s a very high cost of doing nothing. A successful cyberattack can cost far more in terms of reputation, potentially paying a ransom, remediation of information systems, protection for those whose PHI was accessed, potential civil lawsuits from harm to individuals, and not to mention my investigators coming and knocking on your door and asking for information and talking about penalties.”
Healthcare is the Top Target for Cyberattacks
U.S. healthcare is the No. 1 target and particularly vulnerable to hacking. It topped all U.S. industries for number of cyberattacks in 2025, according to the FBI’s Internet Crime Report. For 14 consecutive years, U.S. healthcare also has faced the costliest data breaches of all industries, while taking 279 days on average to identify and contain a breach, weeks longer than other sectors, according to IBM’s 2025 data breach report.
Why healthcare organizations shouldn’t wait for a final HIPAA Security Rule
While the specifics of an updated HIPAA Security Rule remain uncertain, HHS is raising the risk management bar for healthcare organizations and their business associates. OCR’s Senior Advisor for Cybersecurity Nick Heesters recently released a guidance video making it clear that the agency has formally expanded its enforcement initiative beyond risk analysis to include risk management, with an emphasis on whether action is taken after a risk is found, reports healthcare cybersecurity and compliance firm Clearwater.
Given HHS’ concerns and actions regarding how healthcare is treating security, coupled with the success of cyberattacks, healthcare organizations and their business associates need to proactively deploy more stringent measures to protect their patients’ data. A strong place to start is adopting the proposed HIPAA Security Rule changes and partnering with vendors who treat HIPAA-compliant communication as a baseline, not an afterthought.
Rich O’Rourke and Bryan Ten Broek are attending the HFMA Annual Conference this week in National Harbor, Maryland. Hope to see you there!
Contact us today for more information.
Key Takeaways:
- While the fate of an updated HIPAA Security Rule is uncertain, healthcare organizations shouldn’t wait for new mandates to strengthen patient data protections.
- U.S. healthcare is the No. 1 target and particularly vulnerable to hacking, prompting HHS to step up scrutiny of how risks, including data security, are handled.
- Compliance-forward industry leaders, including Nordis Technologies, have already adopted the proposed HIPAA Security Rule upgrades.