Advisory · May 28, 2026 · 10 min read

New HIPAA Rules 2026: What to Do While the Final Rule Is Still Pending

Everyone is watching the same question: when will HHS finalize the new HIPAA Security Rule?

The proposal was released in late 2024, published in the Federal Register in January 2025, and OCR's agenda pointed to May 2026 for finalization. As of late May 2026, the final rule has not been published. That uncertainty is exactly why this guide exists.

This is not another checklist, and it is not a recap of every proposed change. We already published a fuller HIPAA Security Rule compliance checklist for 2026 for that. This piece is about the decision problem healthcare leaders are facing right now. The rule is not final, but the direction is clear, and the compliance window may be short.

Trying to decide what to move on before the final rule lands?

Jason Lee is opening a limited number of free 30-minute HIPAA readiness reviews while the final rule is still pending. Jason has spent more than 25 years across cybersecurity, GRC, cloud security, and executive risk advisory.

Bring the questions your team is stuck on. You will leave with a clearer view of what to start now, what needs budget, and what can wait for the final text.

Book a Readiness Review

The signal is clear, even if the rule is not final

The current HIPAA Security Rule already requires covered entities and business associates to protect electronic protected health information. That part has not changed. Organizations still need a risk analysis, a risk management process, access controls, audit controls, contingency planning, workforce training, and business associate oversight.

The proposed rule does not invent HIPAA security from scratch. It raises the standard for what a defensible program looks like. The deeper shift is that healthcare organizations may need to prove their security program is current, not just documented. That means knowing where ePHI lives, how it moves, who can access it, which vendors touch it, which controls are working, and what evidence supports the answer.

For larger health systems, this may be an acceleration of work already underway. For smaller healthcare providers, clinics, healthtech vendors, and business associates, it may expose a harder problem: the security program may exist in pieces, but not as a system that can be explained, tested, and kept current.

The most important proposed shift is the move away from the current required versus addressable structure. Today, some HIPAA safeguards are addressable. That has never meant optional. It means the organization must assess the safeguard, decide whether it is reasonable and appropriate, implement it if it is, or document an equivalent alternative.

In practice, addressable controls have often become the place where hard work sits unresolved. Encryption, technical testing, access reviews, system activity review, and incident response can all look acceptable on paper until someone asks for proof. The proposal points toward a world where more controls are explicit, more evidence is expected, and fewer organizations can rely on "we reviewed it" as the end of the story.

Start now, budget now, wait for final text

If the final version includes a 240-day compliance window, teams that start from inventory and ownership questions will burn a large part of that window just finding the work. The bottleneck will not be understanding the rule. It will be sequencing the work fast enough once the clock starts.

That is why the useful planning model is not "do everything now" versus "wait for the final rule." The better model is three buckets.

| Bucket | What goes here | Why it matters |
|---|---|---|
| Start now | Risk analysis refresh, ePHI data flow review, MFA coverage, encryption gap review, access review, incident response testing. | These are already material to security, insurance, customer trust, and OCR enforcement. |
| Budget now | Penetration testing, recurring vulnerability scanning, network mapping, backup and recovery testing, legacy system remediation, deeper vendor review. | These often need people, tools, or outside support. If the rule lands, budget conversations will be the bottleneck. |
| Wait for final text | Exact policy language, final deadlines, narrow exceptions, business associate reporting details, documentation format. | These depend on the final rule and should not be overbuilt around proposed wording. |

This is the middle path. It avoids panic spending, but it also avoids pretending that nothing can be done until HHS publishes the final text. Do not rewrite every policy around proposed language. Do not ignore the proposal either. A current HIPAA Security Rule checklist is a useful way to separate the start-now work from the wait-for-text work.

The work that will matter either way

If your organization handles ePHI, some work is worth moving forward because it is unlikely to become irrelevant under any version of the final rule.

  • Risk analysis. This is already required under the current rule, and OCR has repeatedly focused on weak or incomplete risk analysis in enforcement. The proposed rule only raises the stakes. If your last risk analysis was a lightweight questionnaire or a static annual document, that is the first place to look. Our breakdown of why spreadsheet risk assessments fail covers the common failure mode in detail.
  • Asset inventory. This should not be treated as a spreadsheet someone updates once a year. Leadership needs a current view of which systems, applications, devices, cloud environments, vendors, and data flows touch ePHI. If that view is stale, every downstream answer is weaker.
  • MFA and encryption. These are already expected by insurers, customers, and security reviewers. The proposed rule may make them more explicit, but the market has already moved. The practical question is not whether the policy mentions MFA or encryption. It is whether they are consistently enforced around the systems that matter.
  • Testing. Vulnerability scanning and penetration testing are often treated as annual compliance events or delayed until a customer asks. Under the proposal, they move closer to a recurring operating discipline. The question becomes whether testing has an owner, a cadence, and a remediation path.
  • Incident response. A plan that has not been exercised is not much of a plan. Teams should know who decides, who communicates, which systems come back first, and how quickly critical operations can resume.

None of this depends on knowing the final wording. It depends on knowing whether the program works. HIPAA readiness is not a document state. It is an operating state: current inventory, enforced controls, tested response, clear ownership, and evidence leadership can trust. This is also where HIPAA and NIST CSF overlap heavily, which is why we map them together in HIPAA and NIST in one platform.

Not sure where your program actually stands?

Start with our HIPAA Security Risk Assessment: 12 questions, 5 minutes, with a PDF report mapped to the Security Rule emailed to you.

Take the SRA →

Business associates will feel this through customers first

Business associates should not wait for OCR to be the first source of pressure. If your company sells into healthcare and creates, receives, maintains, or transmits ePHI, your customers may translate the proposed rule into their own vendor reviews before the rule is enforceable.

That pressure may show up in business associate agreements, RFPs, cyber insurance renewals, security questionnaires, customer audits, and contract renewals. Customers will want proof that access is protected, ePHI is encrypted, systems are tested, recovery is understood, and vendor access is controlled.

For healthtech, SaaS, billing, analytics, IT, and cloud vendors, HIPAA readiness can become a revenue issue before it becomes a regulatory one. If the security story is not clear, sales cycles slow down. The same evidence that satisfies a customer security review is what supports a cyber insurance renewal, so the work compounds instead of being duplicated.

Z Cyber's view

The waiting period should be used to make the security program visible. That does not mean rewriting every policy before the final rule lands. It means understanding which parts of the proposed rule would create real operational work inside your organization, which gaps are already material under the current rule, and which items need budget before a deadline becomes official.

Z Cyber helps healthcare organizations and business associates make that practical. The work usually starts with a focused review of the current program: risk analysis, ePHI data flows, MFA and encryption coverage, vendor exposure, incident response readiness, evidence quality, and the gap between policy language and implemented controls. You can see how we approach this on our healthcare cybersecurity page.

Jason Lee, Z Cyber's Managing Director, has spent more than 25 years across vulnerability management, GRC, cloud security, AI governance, and executive risk advisory. He is offering free 30-minute HIPAA readiness reviews for teams trying to understand where they stand before the final rule lands.

Book a free 30-minute HIPAA readiness review.

Pressure-test where you stand today and decide what should move before the final rule lands.

Frequently Asked Questions

Are the new HIPAA rules final?

No. As of May 28, 2026, the proposed HIPAA Security Rule has not been finalized. HHS published the proposal in the Federal Register in January 2025, and OCR's agenda pointed to May 2026 for finalization, but the final rule has not been published yet.

When will the new HIPAA rules take effect?

The effective date depends on when HHS publishes the final rule and what compliance timeline appears in the final text. Until that happens, there is no confirmed enforcement date for the proposed changes. That said, teams should not wait for the final date to start planning. Many of the proposed changes involve work that already matters under the current rule, including risk analysis, access control, encryption review, incident response, and vendor oversight.

What is the HIPAA 240-day compliance window?

The proposed rule includes a 240-day compliance period after the final rule becomes effective. In plain terms, covered entities and business associates would have about eight months to meet the new requirements if that timeline survives in the final rule. That sounds like a long time, but it can pass quickly if the organization first has to identify where ePHI lives, who owns each system, which vendors have access, and which controls are missing.

Does HIPAA require MFA?

The current HIPAA Security Rule does not name MFA as a universal hard requirement. The proposed updates would make MFA much more explicit for systems that access ePHI. Even before the final rule, MFA is already expected in many healthcare security reviews, cyber insurance applications, and customer questionnaires. If systems that access ePHI do not have MFA enforced today, that is worth reviewing now.

Does HIPAA require encryption?

Under the current HIPAA Security Rule, encryption is addressable. That does not mean optional. It means the organization must assess whether encryption is reasonable and appropriate, implement it when it is, or document an equivalent alternative. The proposed rule points toward a firmer expectation for encryption of ePHI at rest and in transit. Organizations should use the waiting period to understand where ePHI is encrypted today, where it is not, and whether any exceptions are still defensible.

Do the proposed HIPAA rules apply to business associates?

Yes. HIPAA already applies directly to business associates that create, receive, maintain, or transmit ePHI on behalf of covered entities. That includes many healthtech, SaaS, billing, analytics, IT, cloud, and consulting vendors. If the proposed rule raises the bar for covered entities, business associates should expect more pressure from customers. That may show up in business associate agreements, vendor reviews, security questionnaires, cyber insurance renewals, and contract renewals before OCR enforcement ever begins.