HIPAA Security Rule Update Delayed to 2027: What Your Practice Should Actually Do Now— ✦ —

If you run a medical or dental practice, you have probably seen warnings that sweeping new HIPAA security requirements are about to take effect. Mandatory encryption, multi-factor authentication, annual penetration testing, and more. Some vendors have even implied that practices are already out of compliance with these new rules.

The reality is simpler. Those rules are not final, they are not being enforced, and they will not take effect in 2026.

At Simplicity IT, we work with healthcare practices across San Diego County every day, and we think you deserve a straightforward answer about where things actually stand and what is worth doing right now.

What Actually Happened

In January 2025, the Department of Health and Human Services (HHS) published a proposed overhaul of the HIPAA Security Rule, the first major update since 2013. The proposal would make encryption of patient data mandatory both at rest and in transit, require multi-factor authentication on systems that access electronic protected health information (ePHI), mandate annual risk assessments and regular penetration testing, and remove the "addressable" flexibility that has allowed practices to decide whether certain safeguards fit their environment.

The public comment period closed in March 2025. HHS originally targeted May 2026 for a final rule, but that date passed with nothing published. The federal regulatory agenda now lists final action in July 2027, and a coalition of more than 100 hospital systems and provider associations has formally asked HHS to withdraw or scale back the proposal because of the cost burden on smaller providers.

Even when a final rule is eventually published, practices will have roughly six to eight months from publication before compliance is required. Nothing in the proposal is enforceable today, and nothing will be for quite a while.

What Is Still Being Enforced Today

The delay does not mean HIPAA enforcement is on pause. The current Security Rule remains fully in effect, and the HHS Office for Civil Rights (OCR) continues to investigate breaches and audit practices under it. One of the most common deficiencies cited during investigations is a missing or outdated security risk analysis. OCR's third phase of HIPAA compliance audits is also underway.

If your practice has not completed a documented risk analysis recently, or you cannot quickly locate that documentation, that is the real compliance gap—not the proposed 2027 rule.

Why Preparing Early Still Makes Sense

Most of what the proposed rule would require is worth implementing anyway. Encryption, multi-factor authentication, tested backups, and a written incident response plan help prevent ransomware attacks affecting healthcare practices today. Cyber insurance carriers are also increasingly requiring these safeguards regardless of what HHS ultimately decides. A practice that adopts these measures on its own schedule, spread over a reasonable budget, typically becomes more secure while avoiding the expense and stress of scrambling to meet a future deadline.

Healthcare organizations should focus on:

  • Do now: Complete a documented security risk analysis, enable multi-factor authentication for email and remote access, verify backups, and maintain an up-to-date incident response plan.
  • Plan for: Expanded encryption coverage and formal penetration testing on a timeline that fits your budget.
  • Ignore: Anyone claiming your practice is already out of compliance with rules that have not yet been finalized.

A Note About Our Earlier Coverage

We have previously written about the proposed HIPAA Security Rule changes and what they could mean for healthcare practices. While the analysis of the proposal itself still applies, the timeline has changed. We believe it is important to update our guidance so practices have an accurate understanding of current requirements rather than acting on outdated deadlines.

Get a Straight Answer About Your Practice

Simplicity IT supports healthcare and dental practices throughout San Diego County with cybersecurity, managed IT services, compliance support, risk assessments, backup management, and practical guidance focused on today's HIPAA requirements—not tomorrow's speculation.

Contact us today for a straightforward review of your current security posture and compliance readiness. Schedule your Discovery Call here.