HIPAA Security Rule Update Delayed to July 2027: What It Means for Your Compliance Timeline

If you built a 2026 compliance plan around the HIPAA Security Rule overhaul landing this year, that plan is now pointed at the wrong date. In the Fall 2026 Unified Agenda, HHS moved the proposed Security Rule amendments (RIN 0945-AA22) to its Long-Term Actions list and identified July 2027 as its anticipated timeframe for final action, roughly a year later than the May 2026 target that had been widely circulated.

That is the whole news. What follows is what it changes for you, and, more usefully, what it does not.

What changed, precisely

The HHS Office for Civil Rights issued a Notice of Proposed Rulemaking to strengthen the HIPAA Security Rule in December 2024; it was published in the Federal Register on January 6, 2025. The comment period closed on March 7, 2025, drawing close to 5,000 comments, with a significant share of healthcare organizations and industry groups arguing the proposed requirements were too costly and too difficult to implement on the timeline offered.

HHS had been working to a May 2026 final-rule target. OMB’s Unified Agenda (RIN 0945-AA22) now lists a final action of July 2027, and the rulemaking sits on the Long-Term Actions list, which generally signals the agency does not expect to finalize within the next twelve months.

Two caveats that matter more than the headline

These timelines are not legally binding. July 2027 is a target, not a statutory commitment, and OCR could move earlier or delay again. This date has already slipped once. Treat it as a signal about near-term likelihood, not as a date you can schedule against.

The real compliance date is also later than the rule date. Publication of a final rule would start a compliance window, commonly cited as 180 to 240 days. So even if July 2027 holds exactly, realistic full compliance lands in 2028, not 2026. Anyone selling you a 2026 Security Rule deadline is selling you a deadline that does not exist.

Do not confuse this with the Privacy Rule

These two get conflated constantly, and the distinction is the difference between a live obligation and a hypothetical one. The Security Rule update is the one that slipped to July 2027. The HIPAA Privacy Rule final rule is a separate rulemaking, is targeted for August 2026, and is moving ahead.

If you take one operational point from this page: the thing that slipped is not the thing arriving soonest.

What did not change: the Security Rule you are already under

This is the part that gets lost in the coverage. The proposed amendments were never in force. Nothing was rolled back, because nothing had taken effect. The existing HIPAA Security Rule remains fully enforceable today, exactly as it was last month.

The obligations that were already law are still law, and they are the ones OCR enforces:

A delay in the proposed rule does not create slack in the current one. An organization that fails a risk analysis review in 2026 does not get to point at a 2027 rulemaking calendar.

The trap: treating this as a reason to stop

The predictable reaction to a delay is to shelve the work for a year. That is the wrong read, for three reasons.

First, the direction of travel is not in doubt. The proposed rule pushed toward removing the “addressable” versus “required” distinction, mandating asset inventories and network maps, requiring encryption and multi-factor authentication far more broadly, and imposing tighter vendor verification. Whatever the final text says, no plausible version of it asks you to know less about your systems, your vendors, and your data than you know today.

Second, the groundwork is the same groundwork. An accurate asset inventory, a current vendor register, and a real risk analysis are not “new rule” artifacts. They are current-rule obligations, and they are the foundation any future rule would build on. Doing them now is not speculative compliance spending; it is the work you already owe.

Third, an extra year of comment and revision usually means a shorter compliance runway once the rule lands, not a longer one. Organizations that spent the delay building inventories will be adjusting. Organizations that spent it waiting will be starting.

What to do between now and 2027

Concretely, and in priority order:

  1. Refresh your risk analysis if it is more than twelve months old. This is the obligation you are most likely to be judged on, and the one most often stale. Our HIPAA risk assessment guide walks the current requirement, not a hypothetical future one.
  2. Build the asset and device inventory now. It is the connective tissue of the proposed update and it is already implied by the current rule. If you cannot list the systems that touch ePHI, you cannot claim an accurate risk analysis.
  3. Get your vendor register current. Which vendors touch ePHI, which have a signed BAA, and when each was last reviewed.
  4. Close the obvious technical gaps, MFA on remote and privileged access, encryption at rest and in transit. Note carefully: the current Security Rule does not mandate these outright; they sit under addressable specifications and general safeguards. The proposed update would tighten them. Doing them now is defensible today and near-certain tomorrow.
  5. Prepare for the Privacy Rule instead. It is targeted for August 2026 and it is the one arriving.
  6. Watch, but do not build against, July 2027. Track the docket; do not re-plan your year around a target that has already moved once.

Comparing tooling while you wait? Our breakdown of the best HIPAA SRA software covers what to look for. For the fuller background on what the proposed update would change, see our HIPAA Security Rule update guide.

If AI tooling is entering your clinical or administrative workflow while you wait, the current rule still governs it, see using LLMs with PHI and HIPAA-compliant AI dictation. A delayed rulemaking does not delay your obligations for a tool you deploy this year.

The short version

The proposed HIPAA Security Rule update is proposed, not final, with final action now targeted for July 2027, on a date that is itself an estimate and has already slipped once. Add the 180-to-240-day compliance window that publication would start, and realistic full compliance is a 2028 conversation. Meanwhile the Security Rule you are accountable to has not moved an inch, and the Privacy Rule final rule is targeted for August 2026, sooner than the thing everyone is writing about.

The correct response to this news is not to slow down. It is to spend the extra runway doing the unglamorous inventory-and-risk-analysis work you were going to be asked for anyway.

Medcurity’s pricing starts at $499/year and scales with organization size. If you want the risk analysis, asset inventory, and vendor register in one place while the rulemaking sorts itself out, talk to us.

Frequently asked questions

Is the proposed HIPAA Security Rule update in effect?

No. It is proposed, not final. HHS issued a Notice of Proposed Rulemaking in December 2024 (published in the Federal Register on January 6, 2025); the comment period closed March 7, 2025, and no final rule has been issued. OMB’s Unified Agenda (RIN 0945-AA22) now lists a final-action target of July 2027, pushed back from a previous May 2026 target.

Does the delay mean I can pause my HIPAA compliance work?

No. The existing HIPAA Security Rule remains fully in force and fully enforceable. The proposed amendments were never in effect, so nothing was suspended. Your risk analysis, risk management, safeguards, BAA, and training obligations are unchanged.

Is July 2027 a firm deadline?

No. Unified Agenda dates are planning estimates rather than binding deadlines. July 2027 reflects the agency’s current anticipated timeframe for final action, and it can shift again. It is a signal about likelihood, not a date to schedule against.

Why was the HIPAA Security Rule update delayed?

HHS received close to 5,000 public comments on the proposal. Many healthcare organizations and industry groups pushed back on the proposed requirements as too difficult and too expensive to implement. The rulemaking was subsequently moved to the Long-Term Actions agenda with a July 2027 anticipated final action.

When would I have to comply if the rule is finalized?

Later than the rule date. Publication of a final rule would start a compliance window, commonly cited as 180 to 240 days. If the July 2027 target holds, realistic full compliance lands in 2028, not 2026. There is no 2026 compliance deadline tied to the Security Rule update.

Is the HIPAA Privacy Rule update also delayed?

No, and this is the most common confusion. The Privacy Rule final rule is a separate rulemaking, is targeted for August 2026, and is moving ahead. Only the Security Rule update slipped to a July 2027 target. The thing that slipped is not the thing arriving soonest.

What should I prioritize while the rule is pending?

A current risk analysis, an accurate asset and device inventory, a current vendor and BAA register, and the obvious technical gaps, MFA on remote and privileged access, and encryption at rest and in transit. All are defensible under the current rule and are foundations of any likely final rule. Also prepare for the Privacy Rule, which is targeted sooner.