Blog

Person wearing blue medical gloves holds a white card with the word "HIPAA" printed in bold black letters.
Business Continuity HIPAA Managed IT Services Security

The HIPAA Security Rule Update Slipped to 2027. Here Is What Small Practices Should Do With the Extra Time.

If you run a small medical or dental practice and you have been quietly worrying about the proposed HIPAA Security Rule overhaul, here is the headline: you have more time than you thought.

The Department of Health and Human Services had targeted May 2026 for a final rule. That date is gone. According to the federal regulatory tracker at Reginfo.gov, the Office for Civil Rights (OCR) now lists a final action date of July 2027, and the rulemaking has been moved into the “long-term actions” category. In plain terms, the biggest rewrite of the Security Rule in more than twenty years just got pushed back roughly a year.

That is a real reprieve. It is also not a reason to close the tab and forget about it, and I want to walk through why.

What the update actually is

The current Security Rule dates back to 2003, with a refresh in the 2013 Omnibus Rule. Not much has changed since. Meanwhile, the way a dental office or a specialty clinic runs has changed enormously, and so has the threat picture.

OCR published the proposed update in the Federal Register on January 6, 2025. The goal was to bring the rule in line with how care is actually delivered today and to close gaps OCR kept finding in its own breach investigations. The proposal would make a set of controls mandatory that many well-run practices already treat as basic hygiene: encryption of ePHI at rest and in transit, multifactor authentication, network segmentation, anti-malware protection, vulnerability scans every six months, annual penetration testing, and a written technology asset inventory paired with a map of how patient data moves through your systems.

There is one structural change worth calling out, because it lands hardest on smaller offices. The current rule sorts safeguards into “required” and “addressable,” and “addressable” has long given a practice room to decide a given control is not reasonable for its size and to document why. The proposal removes that distinction and makes nearly everything required. That built-in flexibility, the thing small practices have relied on most, is what the update takes off the table.

The reference case that comes up again and again is the 2024 Change Healthcare ransomware attack. Attackers got in through a remote access portal using stolen credentials, and multifactor authentication was not turned on. An estimated 192.7 million people had their information exposed. One missing control, on one portal. That is exactly the kind of gap the update was written to close.

Why it got delayed

The proposal was not warmly received. OCR took in nearly 5,000 public comments, and a coalition of more than 100 hospital systems and provider groups, led by CHIME, formally asked HHS to withdraw it in December 2025.

The objection was rarely “we do not need better security.” It was about cost and pace. HHS’s own analysis put first-year compliance across the industry at roughly $9 billion, with about $6 billion a year for the following four years. On top of that, the proposal as written would give organizations only about 240 days to comply once the rule took effect. For a small practice already running on thin margins, that combination looked less like a runway and more like a wall.

So the date moved. That is the good news, and it is worth taking a breath over.

The part worth being honest about

Here is what the delay does not change.

Agency timelines are not binding. OCR could finalize earlier than July 2027, could slim the rule down to the less controversial pieces, could push it back further, or in theory could shelve it. Nobody outside OCR knows yet. Betting your compliance posture on any one of those outcomes is a guess, and it is not a guess I would make with patient data on the line.

More to the point, the threats the rule was written to address are not on the same schedule. Ransomware crews are not waiting for a Federal Register notice. And most of what the proposal asks for, things like MFA, encryption, tested backups, and knowing where your data lives, is simply what reasonable security looks like in 2026, rule or no rule. If a breach happens at your practice next spring, “the final rule was not out yet” is not a defense that helps you with OCR, with your patients, or with your malpractice carrier.

What to do with the next twelve months

You do not need to boil the ocean. If you spread the work across the coming year, most small practices can land in a solid place without a painful scramble later. A practical order:

  1. Run a real risk analysis. Not a checkbox exercise. Figure out where ePHI actually lives, who can touch it, and where it flows. This is the foundation everything else sits on, and it is already required under the current rule.
  2. Build a simple asset inventory and data flow map. A spreadsheet of every device, application, and vendor that handles patient data, plus a plain diagram of how that data moves. This tends to be the heaviest lift a small practice faces, which is precisely why you start it now instead of under a deadline.
  3. Turn on multifactor authentication everywhere. Email, remote access, your practice management system, anywhere someone logs in. This is the Change Healthcare lesson in a single line.
  4. Encrypt at rest and in transit. Full disk encryption on laptops and workstations, encrypted backups, and modern transport security on anything leaving your network.
  5. Test your backups. A backup you have never restored from is a hope, not a recovery plan. Pick a file, restore it, confirm it actually comes back.
  6. Check your vendors. Your billing company, your cloud software, your IT provider. The proposal tightens expectations on business associates, and their gaps quietly become your gaps.

None of this is exotic. It is the baseline, and reaching it over twelve calm months is far easier than reaching it in 240 days with a clock running.

One more thing, so the delay does not lull you into thinking all of HIPAA is on pause. The Security Rule slipped, but a separate update to the HIPAA Privacy Rule is still moving, with a final rule expected as soon as August 2026. That one deals mostly with patient access to records and care coordination rather than security, and it may change the wording of your notice of privacy practices, so it is worth keeping an eye on. The rulemaking machine did not stop. Just this one piece of it did.

The takeaway

The practices that struggle when the final rule lands will be the ones that read “delayed” as “cancelled.” The ones that treat July 2027 as a planning horizon, and chip away a little each quarter, will barely feel it when the rule arrives. In the meantime you get the prize that actually matters, which is a practice that is genuinely harder to breach.

If you would like a second set of eyes on where your practice stands today, we are always glad to talk it through. You can reach us at (407) 720-6540.