The most significant overhaul of the HIPAA Security Rule in over a decade just moved a year further away. According to the federal government's own regulatory tracker at Reginfo.gov, the projected publication date for the final rule has slipped from May 2026 to July 2027 (HIPAA Journal, Holland & Knight).
If you run security or compliance for a healthcare organization, your inbox probably filled with some version of "good news, we have more time." That read is half right. You do have more time. But treating this as a reprieve is the wrong call, and here is why.
What Actually Changed
Two things, and only two things.
First, the date. HHS previously listed May 2026 as its target for finalizing the rule. The Office of Management and Budget's Unified Agenda now lists July 2027 as the projected final action date (Fierce Healthcare).
Second, and more telling, the rule was moved to the Unified Agenda's Long-Term Actions list. That placement is the part worth paying attention to. It generally signals that the agency does not anticipate issuing a final rule within the next 12 months (GovInfoSecurity). This is not a rule that is about to land and got nudged a few weeks. It is a rule the government has explicitly parked for the medium term.
One important caveat. July 2027 is a planning estimate, not a binding deadline. Unified Agenda dates are projections, and they move (Holland & Knight). The date could slip again. It could also be pulled forward if political or breach-driven pressure builds. Plan around the direction of travel, not the specific month.
Why It Slipped
The delay did not come out of nowhere. OCR received roughly 5,000 public comments on the proposed rule, and a large share of them were pushback (HIPAA Journal).
The objections centered on cost and feasibility. HHS itself estimated first-year compliance spending at close to $9 billion across regulated entities, with several billion more each year after that. Industry groups described the proposal as an impossible mandate that would impose substantial financial burdens and major operational disruption, and argued that its one-size-fits-all approach hits small and rural providers hardest, the organizations already operating on the thinnest margins (Becker's Hospital Review).
Those are legitimate concerns, and the government appears to have heard them. A slimmed-down final rule is a real possibility. But "slimmed down" is not the same as "gone." For a fuller breakdown of what the proposal actually requires, see our earlier analysis of the proposed HIPAA Security Rule changes.
What Did Not Change
Here is the part that should shape your decision.
The proposal exists because healthcare breaches kept getting bigger and more frequent. That trend did not reverse because a regulatory date moved. Ransomware groups are still targeting hospitals, physician groups, and specialty practices. Patient data is still being exfiltrated at scale. The clinical disruption from a locked-up environment still measures in weeks, not hours.
Now look at what the proposed rule actually asks for: multi-factor authentication on access to systems that hold patient data, encryption of that data at rest and in transit, network segmentation, regular vulnerability scanning and penetration testing, and the ability to recover critical systems inside 72 hours.
None of that is exotic. Most of it is what a competent security program does regardless of what the regulation says. The rule is not inventing new expectations so much as codifying the ones that already separate organizations that weather an attack from organizations that get run over by one. A finalization date in 2027 does not make an unencrypted database or a flat network safe in 2026.
The Case Against Waiting
If the controls are worth having anyway, the delay changes your timeline, not your destination. And there is a concrete downside to sitting on it.
When the final rule does land, every healthcare organization that waited will reach for the same scarce resources at the same time. Penetration testing firms, encryption and segmentation projects, MFA rollouts, compliance staff, and outside assessors all get more expensive and harder to book when demand spikes against a deadline. The organizations that used the runway will already be done. The ones that waited will be paying premium rates to scramble.
There is also a quieter risk. The current Security Rule is still in force. Its risk analysis, MFA-where-reasonable, and safeguard requirements are enforced today, and OCR settlements have not paused waiting for the new rule. The gaps you would close for 2027 are, in most cases, gaps that already carry regulatory and breach risk right now.
What To Do With The Runway
Use the extra 12 to 18 months to do this deliberately instead of frantically:
- Run a gap assessment against the proposed requirements now. Map where you stand on encryption, MFA, segmentation, testing cadence, and recovery capability. The proposed rule is a good scoping document even if the final version is trimmed.
- Sequence the long-lead work first. Network segmentation and encrypting legacy systems are the projects that take quarters, not weeks. Start those while the calendar is on your side.
- Get the budget conversation done early. It is far easier to fund this as planned, phased work over 2026 and 2027 than as an emergency line item when the rule finalizes. Bring leadership the cost of doing it calmly versus the cost of doing it under a deadline.
- Tighten your business associate oversight. Vendor security is a recurring theme in the proposal, and it is also where many healthcare breaches originate. This work pays off regardless of the final rule text.
- Document as you go. Much of the proposed rule is about being able to show your work. Building the documentation habit now costs little and saves a scramble later.
The Bottom Line
The government gave healthcare an extra year. It did not give healthcare a pass. The threat that prompted the rule is unchanged, the current Security Rule is still enforced, and the controls in the proposal are the same ones that decide how badly an attack hurts you.
Treat July 2027 as the outer edge of your runway, not the day you start. The organizations that come out of this well will be the ones that used the delay, not the ones that were relieved by it.
Jackal Group helps small and mid-sized healthcare providers close the gap between where their security program is and where regulators and attackers are headed. See how we work or get in touch to talk through what the HIPAA Security Rule changes mean for your organization.