The timeline for finalization remains uncertain, though HHS is widely expected to complete the rule in 2026. The proposal would convert several existing safeguards from optional or "addressable" practices into explicit requirements, including stronger authentication protocols, encryption standards, and incident-response obligations. The Security Rule update intersects with earlier HIPAA privacy changes that took effect February 16, 2026, which already imposed restrictions on disclosures involving reproductive health and substance use disorder information.
Covered entities, business associates, and group health plans should treat this as urgent. The proposed changes represent one of the largest HIPAA cybersecurity overhauls in years and will materially increase compliance costs and enforcement risk. Organizations should start now by auditing current security controls against the proposed requirements, updating business associate agreements, and revising policies to align with the anticipated final rule. Waiting until finalization to begin preparation will compress already tight implementation timelines.