HIPAA Updates and HIPAA Changes in 2026
HIPAA updates and changes happen more frequently than many people realize, often because the changes are technical in nature or have only a minor impact on HIPAA compliance. A major update to HIPAA is long overdue. Steps were taken in December 2020 to address this when the HHS’ Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to make multiple changes to the HIPAA Privacy Rule, and in December 2024 OCR proposed a long-awaited update to the HIPAA Security Rule.
In addition to these proposed updates, there has been an update to align 42 CFR Part 2 – the Confidentiality of Substance Use Disorder Patient Records regulations – more closely with HIPAA, and an update to change the conditions under which PHI relating to reproductive healthcare can be used or disclosed.
The Part 2 and reproductive health changes were finalized in 2024; however, the changes to reproductive healthcare privacy were vacated nationwide by a Texas court, which deemed them to be unlawful. A Final Rule implementing the proposed changes to the HIPAA Privacy Rule is long overdue, and OCR has yet to issue a final rule implementing the proposed updates to the HIPAA Security Rule.
The previous Trump administration proposed the changes to the HIPAA Privacy Rule, and the new Trump administration will now have to decide whether or not to release a final rule implementing the HIPAA Privacy Rule changes in 2026. It does appear to be a priority, as OCR announced that a Tribal Consultation meeting on the proposed HIPAA Privacy Rule update will take place in February 2026 – the first sign under the current administration that a final rule may be published in the near future.
The HHS, under the Biden administration, proposed an omnibus rule that would implement multiple changes to the HIPAA Security Rule to incorporate new cybersecurity standards. The NPRM for the HIPAA Security Rule update was published in the Federal Register on January 6, 2025, in the last days of the Biden administration, followed by a 60-day comment period. The proposed rule attracted considerable feedback, with many industry associations voicing opposition to the proposed changes. A coalition of industry associations led by CHIME has petitioned the HHS to withdraw the proposed rule. A final rule, potentially in slimmed-down form, may be issued in 2026.
We discuss all the HIPAA updates since the inception of HIPAA in this article, and this information can be used in conjunction with our HIPAA checklist to understand what is required to ensure compliance.
HIPAA Updates in the Past 25 Years
Since HIPAA was signed into law in 1996, there have been few major updates to HIPAA. The HIPAA Privacy Rule (published in 2000, with a compliance date in 2003) and the HIPAA Security Rule (published in 2003, with a compliance date in 2005) were introduced to limit uses and disclosures of protected health information, give patients rights over their healthcare data, and introduce a set of minimum security standards for electronic protected health information (ePHI).
The HIPAA Rules were updated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach Notification Rule in 2009 and the Omnibus Final Rule in 2013. Such major HIPAA updates placed a significant burden on HIPAA-covered entities, and considerable time and effort were required to introduce new policies and procedures to ensure continued HIPAA compliance.
Minor HIPAA Privacy Rule changes since 2013 include one in 2014 that gave patients direct access to laboratory test reports, aligning the HIPAA Privacy Rule with the Clinical Laboratory Improvement Amendments (CLIA) regulations. Another HIPAA Privacy Rule change in 2016 allowed covered entities to disclose PHI to the National Instant Criminal Background Check System. The main HIPAA update in 2024 – the alignment of 42 CFR Part 2 with HIPAA – is covered in more detail in the Part 2 and HIPAA Changes 2026 Compliance Date section below. Under the Biden administration, a change was made to HIPAA to strengthen reproductive health information privacy in 2024; however, in 2025, following a legal challenge, the rule was vacated nationally.
In December 2024, the HHS issued a final rule implementing changes to the HIPAA Administrative Simplification Regulations, modifying the National Council for Prescription Drug Programs (NCPDP) Retail Pharmacy Standards and the Medicaid Pharmacy Subrogation Standard. These changes are intended to improve data exchange and workflow automation and ease the burden of compliance by reducing the need for manual text entry, split claims, and the submission of paper Universal Claim Forms.
The most commonly updated section of HIPAA is Part 162 of the Administrative Simplification Regulations, which relates to transaction code sets and identifiers. Part 162 HIPAA changes are most often made by the HHS Centers for Medicare and Medicaid Services (CMS) to update existing standards – for example, the 2020 change relating to Schedule II drug refills. A proposed Part 162 HIPAA change was expected to be finalized in 2024, although it failed to materialize and is now long overdue. The CMS proposed rule will standardize electronic “health care attachments” transactions and electronic signatures by updating the HIPAA Transactions Rule standards for financial and administrative transactions among healthcare providers and health plans.
OCR Sought Feedback on Potential HIPAA Changes
Over the past few years, there have been increasing calls for HIPAA changes to decrease the administrative burden on HIPAA-covered entities, but – other than the now-vacated 2024 regulations to strengthen reproductive health care privacy – the HIPAA rules and regulations in force today are much the same as they were in 2013. OCR responded to feedback from healthcare industry stakeholders by issuing a request for information (RFI) in December 2018 on potential changes to the HIPAA Rules. OCR sought comments from HIPAA-covered entities about possible HIPAA Rule changes in 2019 and beyond, which were mostly concerned with easing certain administrative requirements and removing certain provisions of the HIPAA Privacy Rule that had been limiting or discouraging the coordination of care. The comment period closed on February 12, 2019.
OCR asked 54 different questions in its RFI. Some of the main aspects that were under consideration were:
- Patients’ right to access and obtain copies of their protected health information and the time frame for responding to those requests (Currently 30 days)
- Removing the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices
- Promotion of parent and caregiver roles in care
- Easing of restrictions on disclosures of PHI without authorization
- Possible exceptions to the minimum necessary standard for disclosures of PHI
- Changes to HITECH Act requirements for the accounting of disclosures of PHI for treatment, payment, and healthcare operations
- Encouragement of information sharing for treatment and care coordination
- Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible
- Expansion of healthcare clearinghouses’ access to PHI
- Addressing the opioid crisis and serious mental illness
In 2019, then OCR Director, Roger Severino, said, “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”
The HHS aims to implement changes that will make compliance less of a burden without negatively affecting patient privacy or decreasing the security of individuals’ protected health information (PHI). The RFI did not contemplate changes to the HIPAA Security Rule; the HIPAA Privacy Rule changes it explored were subsequently proposed in the December 2020 NPRM. It has been suggested that in many areas covered by the RFI, the best solution may not be HIPAA rule changes. Guidance was issued in 2022 and 2023, and it is likely that further HIPAA guidance will be issued in 2026 to tackle some of the issues currently experienced with HIPAA compliance by clearing up misconceptions and correcting false interpretations of the requirements of HIPAA.
Expected HIPAA Privacy Rule Changes in 2026
OCR issued a Notice of Proposed Rulemaking on December 10, 2020, that detailed the HIPAA changes to the Privacy Rule based on responses to its December 2018 RFI. The proposed changes are limited, and several HIPAA Privacy Rule changes that healthcare industry stakeholders have been campaigning for have not been included. Most of the proposed HIPAA changes are relatively minor tweaks to strengthen patient access to PHI, facilitate data sharing, and ease the administrative burden on HIPAA-covered entities.
In 2021, OCR sought feedback on the proposed HIPAA changes for 60 days from the date of publication in the Federal Register, with the comment period extended for a further 45 days to give healthcare industry stakeholders more time to review the proposed changes and provide their feedback. OCR has obtained feedback from the comment period, but it is unclear what, if anything, has been done with those comments. A final rule implementing the proposed changes was not a priority under the Biden administration. The return of a Trump administration, which initiated the HIPAA Privacy Rule updates, could see a final rule issued in 2026. There has already been some progress this year, as a Tribal Consultation meeting on the proposed update will be held in February 2026, although no date has been released for when a final rule will be published.
The proposed updates to the HIPAA Privacy Rule are as follows:
- Allowing patients to inspect PHI in person and take notes or photographs of their PHI.
- Changing the maximum time to provide access to PHI from 30 days to 15 days.
- Restricting the right of individuals to transfer ePHI to a third party to only ePHI that is maintained in an EHR.
- Confirming that an individual is permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual.
- Stating when individuals should be provided with ePHI without charge.
- Requiring covered entities to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
- The Armed Forces’ permission to use or disclose PHI has been expanded to cover all uniformed services.
- A definition has been added for electronic health records.
- Wording change to expand the ability of a covered entity to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” (Currently, it is when harm is “serious and imminent.”)
- A pathway has been created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Covered entities will not be required to obtain a written acknowledgment from an individual that they have received a Notice of Privacy Practices.
- HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
- HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
- The definition of healthcare operations has been broadened to cover care coordination and case management.
- Covered healthcare providers and health plans will be required to respond to certain records requests from other covered healthcare providers and health plans when individuals direct those entities to do so when they exercise the HIPAA right of access.
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
- The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
The Privacy Rule HIPAA Changes Will Create Challenges for Healthcare Providers
The pending HIPAA updates to the Privacy Rule are intended to ease the administrative burden on HIPAA-covered entities, although, in the short term, the burden is likely to be increased. Updates will need to be made to policies and procedures, and changes will be required to HIPAA notices of privacy practices, although there will not, at least, be the requirement to obtain written acknowledgment that updated NPPs have been received.
What is certain is that HIPAA officers and other compliance staff will have a busy few months if final rules are released. OCR will provide sufficient notice before any 2026 HIPAA changes take effect, and a grace period before they start to be enforced, but a lot of work will need to be done. It will be important to create a plan for making all the required changes to ensure they are fully implemented ahead of the compliance deadline.
When new HIPAA regulations are published, there may be a requirement to change policies and procedures, and that will require retraining of affected employees. HIPAA requires training to be provided to the workforce during or soon after onboarding, and after any material change in policies and procedures. HIPAA training may not need to be provided to the entire workforce, but a significant number of employees may need to be trained, and that is likely to place a considerable burden on covered entities and has the potential to cause workflow disruptions.
Improved access to medical records could pose problems for healthcare providers, who will need to ensure they have sufficient staffing and efficient procedures for verifying identities and providing copies of records – especially as the time frame for providing those records will be shortened from 30 days to 15 days. The extension will also be shortened to 15 days, giving healthcare organizations a maximum of 30 days to provide the requested records.
The definition of EHRs has also been updated to include billing records, and these will need to be provided to patients who request a copy of their PHI. That has the potential to make it more time-consuming to provide copies, as billing records are often kept in different systems than healthcare records. It may be necessary to access two different systems to provide patients with a complete copy of their records.
It will be easy for bottlenecks to occur, and important not to get into a situation where 15-day extensions are regularly required. There could well be a need to prioritize requests to make sure patients who urgently need a copy of their records get them in a timely manner. Bear in mind that OCR has been laser-focused on healthcare providers who fail to provide patients with timely access to their medical records and has imposed more than 50 penalties under the HIPAA Right of Access enforcement initiative.
Another of the changes related to patient access is the requirement to allow patients to take notes and photographs of their PHI. There will need to be designated places where patients can inspect PHI privately and, if required, take photographs. Healthcare providers will need to implement safeguards to ensure patients are not taking photographs of PHI they are not authorized to see.
The proposed HIPAA changes prohibit covered entities from imposing unreasonable measures on individuals who exercise their right of access, including unreasonable identity verification requirements. That has the potential to cause problems for healthcare providers. A definition has also been proposed for “personal health application”. If finalized, patients must be allowed to have their records sent to a personal health application of their choosing. There may be privacy risks associated with doing so, and patients will need to be made aware of those risks. That will add an additional burden on healthcare providers, who may not necessarily have the required information to determine whether there is a privacy or security risk.
HIPAA Training for 2026
When the requirements of HIPAA are updated, training needs to be provided to the workforce to ensure that all individuals are aware of any regulatory changes with respect to their individual roles. When HIPAA changes and updates are issued, HIPAA Officers must ensure that their policies, procedures, and training content are updated ahead of the compliance deadline. Even if there have not been any changes to the HIPAA Rules or updates to internal policies and procedures, staff should be provided with regular refresher training sessions, with annual training sessions recommended as a best practice.
The HIPAA Journal offers training courses developed by our HIPAA experts, which include real-world, relatable examples drawn from more than a decade of HIPAA reporting and analysis. The HIPAA Journal team takes great care to ensure that the training courses are kept up to date, factoring in rule changes as well as current and emerging compliance issues such as the use of generative AI tools.
The result is training that goes beyond listing rules to show staff how violations and data breaches actually occur and how to avoid them in their daily work. This reduces the risk of breaches, investigations, fines, and reputational damage for your organization.
HHS Publishes Health Sector Cybersecurity Performance Goals
Implementing regulatory changes is a long-winded process requiring research to identify areas where the regulations are not working and need to be changed, then an NPRM needs to be issued, followed by a comment period. The comments must be reviewed, and a final rule must be penned, taking the comments into account. A final rule must then be issued, and there must be a notice period to allow regulated entities to implement the changes before the regulations can be enforced. That entire process can span several years.
An alternative to rulemaking is to issue guidance and recommend best practices, although the recommendations can only be voluntary and cannot be enforced. To address the current cybersecurity problem in healthcare and record numbers of data breaches – 747 large data breaches in 2023 and more than 168 million breached records – OCR chose this option ahead of an update to the HIPAA Security Rule.
In December 2023, the HHS published a Healthcare Sector Cybersecurity Strategy document that proposed a framework to help the healthcare sector address cybersecurity threats. The framework includes voluntary cybersecurity goals for the healthcare sector, the incentivization of hospitals to adopt cybersecurity best practices, the implementation of an HHS-wide strategy to support greater enforcement and accountability, and an expansion and maturation of the HHS one-stop shop for healthcare cybersecurity.
In January 2024, the HHS achieved its first goal under this strategy with the publication of its HPH Sector Cybersecurity Performance Goals (HPH CPGs). These are sector-specific performance goals developed in conjunction with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework functions. The HPH CPGs consist of two sets of performance goals – Essential and Enhanced – and include the cybersecurity practices that are likely to have the greatest impact on improving security at HIPAA-regulated entities: combating cyberattacks, improving incident response, and minimizing risk.
Initially, the HHS is encouraging all HIPAA-regulated entities to voluntarily adopt the Essential CPGs and then mature their cybersecurity capabilities by adopting the Enhanced CPGs. While adoption of the CPGs is currently voluntary, the HHS does not believe voluntary goals will be sufficient to drive the behavioral change needed to improve cybersecurity across the sector to the extent required, hence the proposed update to the HIPAA Security Rule. Many of the Essential HPH CPGs have been incorporated into the proposed HIPAA Security Rule update and will become mandatory if a final rule is issued.
HIPAA Security Rule Update Proposed
In early 2024, OCR Director Melanie Fontes Rainer said OCR was planning to publish an omnibus rule updating the HIPAA Security Rule in April 2024; however, the update was delayed, and the draft was published in December 2024. The proposed rule was published in the Federal Register on January 6, 2025, and was open for comment for 60 days (deadline March 7, 2025). The HIPAA Security Rule to Strengthen Cybersecurity of Electronic Protected Health Information was released “to improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks.” While the comments received are still being reviewed, OCR has given a preliminary date of May 2026 for the release of the final rule, although it could well be delayed.
This is the first major update to the HIPAA Security Rule since the HIPAA Omnibus Rule of 2013 implemented changes mandated by the HITECH Act. The rule proposes some major changes and includes many new cybersecurity requirements for HIPAA-covered entities and their business associates. One of the notable changes is the removal of the distinction between required and addressable implementation specifications. The “addressable” term was something of a misnomer, leading some covered entities to think the addressable implementation specifications were optional when that was not the case. The removal of addressable makes it clearer that none of the requirements of the HIPAA Security Rule are optional, although limited exceptions are included.
Some of the cybersecurity measures included in the HPH CPGs have been added to the HIPAA Security Rule as required safeguards, such as multifactor authentication and encryption, which are in the Essential CPGs, plus asset inventory from the Enhanced CPGs. The updated HIPAA Security Rule is also more focused on risk analyses and assessments, and implementing control measures to manage risks.
Some of the key new requirements of the proposed rule are:
- Technology asset inventory and network map – The development and revision of a technology asset inventory and network map illustrating the movement of ePHI throughout the regulated entity’s electronic information systems on an ongoing basis, but at least every 12 months.
- Risk analysis – More specific requirements for risk analysis, including a review of the technology asset inventory and network map, the identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI, the identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems, and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
- Contingency planning and security incident response – Development of written procedures for restoring data within 72 hours, including restoration priority based on criticality.
- Security Rule compliance audits – Conducted at least every 12 months
- Reviews and tests of security measures – Conducted at least every 12 months
- Vulnerability scans – Conducted at least every 6 months
- Penetration tests – Conducted at least every 12 months
- Encryption – Encryption of all ePHI at rest and in transit
- Multi-factor authentication
- Network segmentation
- Anti-malware protection
- Technical safeguard for portable devices – Controls required for computer workstations extended to mobiles, tablets, and other portable devices
- Patch management – Timely implementation of patches and software updates
- Unnecessary software removal – Removal of extraneous software from relevant electronic information systems
- Disable unused network ports – In accordance with the regulated entity’s risk analysis.
- Data backups – Separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
- Business associate cybersecurity – Verification of business associates’ and contractors’ security measures at least every 12 months
The proposed new requirements are all current cybersecurity best practices and will greatly improve healthcare cybersecurity. They are mostly easily achievable provided the regulated entity has the money to implement the changes, and that could be a major problem for smaller regulated entities and cash-strapped rural hospitals. Measures that may be challenging to implement include the requirement to encrypt all ePHI at rest and in transit. Many legacy systems and devices are used in healthcare that may not support encryption.
The Centers for Medicare and Medicaid Services (CMS) is also due to propose new cybersecurity requirements for hospitals, compliance with which will be a requirement for participation in Medicare and Medicaid programs. When finalized and implemented, noncompliance with these cybersecurity requirements could result in civil monetary penalties or potentially disqualification from the Medicare and Medicaid programs. No timeframe has been published for when those cybersecurity requirements will be announced.
The HIPAA Audit Program Was Revived in 2025
OCR continues to petition Congress to increase the civil monetary penalties for HIPAA violations, provide further funding to allow incentives to be created to help low-resource hospitals implement the CPGs and improve cybersecurity, and support increased HIPAA enforcement and allow OCR to conduct proactive audits of HIPAA compliance.
The HHS is required under the HITECH Act to conduct regular audits of HIPAA-regulated entities; however, the last round of audits was conducted in 2017. The HHS’ Office of Inspector General (HHS-OIG) audited the HHS audit program and found that the HHS had met its auditing responsibilities under the HITECH Act; however, the audit program was far too narrow in scope, as OCR only assessed 8 of the 180 HIPAA Rule requirements.
HHS-OIG recommended an expansion of the program to cover more standards of the HIPAA Rules, and also determined that the audit program was not effective at improving cybersecurity across the healthcare sector, as the audit program lacked teeth. While HIPAA violations were identified, no penalties were imposed for HIPAA violations, and the audits did not even trigger compliance reviews.
OCR Director Melanie Fontes Rainer said the HIPAA audits should start by the end of 2024 and will focus on the risk analysis and risk management requirements of the HIPAA Security Rule, and that they will be expanded in scope. While there was a delay to that plan, OCR confirmed in March 2025 that the long-awaited third phase of its HIPAA compliance audits is underway and initially consists of HIPAA compliance audits of 50 covered entities and business associates.
Part 2 and HIPAA Changes 2026 Compliance Date
In November 2022, OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rulemaking (NPRM) detailing Part 2 and HIPAA changes to better align these regulations. On February 8, 2024, a Final Rule was published by the HHS, which took effect on April 16, 2024. All persons subject to the regulation must ensure full compliance by February 16, 2026.
Like HIPAA, Part 2 protects patient privacy but relates to records of treatment for substance use disorder (SUD), whereas HIPAA applies to protected health information. SUD records are treated differently as they are highly sensitive and require greater protection and restrictions on uses and disclosures than other health information covered by the HIPAA Privacy Rule. While these additional protections are important, they can hamper care coordination and put barriers in the way of information sharing.
The changes ease the complexity of compliance for entities required to comply with HIPAA and Part 2, break down barriers to information sharing, and improve care coordination without removing patient privacy protections. Patient rights have also been expanded regarding the uses and disclosures of the SUD records.
The key changes are:
- Single patient consent for all future uses and disclosures of SUD records for treatment, payment, and healthcare operations.
- Segregation of Part 2 records is not required.
- HIPAA-regulated entities are permitted to redisclose SUD records received under that consent in accordance with the HIPAA Privacy Rule.
- Disclosure of patient records to public health authorities is permitted if they have been de-identified in accordance with HIPAA standards.
- Patients will be able to obtain an accounting of disclosures of their SUD records and request restrictions on certain disclosures.
- Part 2 programs must establish a complaints process about Part 2 violations and must not require patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
- The HIPAA Breach Notification Rule requirements will also apply to Part 2 records.
- The Part 2 Patient Notice requirements now align with the HIPAA Privacy Rule Notice of Privacy Practices requirements.
- The HHS will be able to impose civil money penalties for violations of Part 2, in line with HIPAA and the HITECH Act.
- Restriction of the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
- A safe harbor requires investigative agencies to take steps in the event that they discover they have received Part 2 records without having first obtained the required court order.
2024 HIPAA Privacy Rule Changes to Strengthen Reproductive Health Care Privacy (Vacated)
The Supreme Court decision in Dobbs v. Jackson Women’s Health Organization in June 2022 and the overturning of Roe v Wade removed the federal right to an abortion and gave states the authority to determine the legality of abortion. Many states implemented restrictions on abortions, with some states implementing near-total bans. That inevitably led to pregnant people traveling across state lines to have pregnancies terminated in states with more permissive laws.
OCR originally confirmed, through guidance, how the HIPAA Privacy Rule applies to disclosures of reproductive health information. Section §164.512(e) of the HIPAA Privacy Rule permits but does not require disclosures of PHI in extraterritorial civil, criminal, or administrative investigations or proceedings. In April 2023, OCR published an NPRM to strengthen reproductive health information privacy, and a final rule was issued in April 2024, which took effect on June 25, 2024, with enforcement starting on December 23, 2024.
The rule- HIPAA Privacy Rule to Support Reproductive Health Care – added a new definition for reproductive health information, prohibited disclosures of an individual’s PHI for the purpose of conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided. Further, the rule prohibited the identification of any person for the purpose of conducting such an investigation or imposing such liability. The rule required HIPAA-regulated entities to obtain a signed attestation from the requester of the PHI that it will not be used for a prohibited purpose.
Several lawsuits were filed over the final rule, either seeking to have the final rule vacated in its entirety or to prevent the HHS from enforcing compliance with the new rule in certain states. In June 2025, one of those challenges succeeded: a Texas judge vacated the final rule, and the decision applies nationally, not just in Texas. As a result, the new definition of reproductive healthcare no longer exists, and attestations are not required before any disclosure of reproductive health information, including disclosures to support a civil, criminal, or administrative investigation or proceeding, for health oversight activities, for judicial and administrative proceedings, for law enforcement purposes, and to coroners and medical examiners. The changes required to the HIPAA Notice of Privacy Practices with respect to the Part 2 regulations remain in effect, with a compliance date of February 16, 2025.
HITECH Act Updated in 2021 Regarding Recognized Security Practices
Many healthcare industry stakeholders had campaigned for the creation of a safe harbor for HIPAA-covered entities and business associates that have adopted a common security framework and implemented industry-standard security best practices, yet still experienced a data breach. It is not possible to prevent all cyberattacks and data breaches, and it is unfair to punish HIPAA-regulated entities for impermissible disclosures of ePHI when they have made all reasonable efforts to secure their systems.
A bill was proposed in 2020 that called for the HHS to consider the recognized security practices adopted by HIPAA-regulated entities that have been in place continuously for the 12 months prior to a data breach occurring when deciding on financial penalties and other sanctions. The bill, HR 7898, was signed into law by President Trump on January 5, 2021.
The purpose of the bill is to encourage healthcare organizations to invest in security and adopt a recognized security framework by providing an incentive. The HITECH Act update has not created a safe harbor for HIPAA-regulated entities that have adopted a security framework and implemented industry-standard security best practices, but OCR will consider the efforts made with respect to security when making determinations in its investigations of complaints and data breaches.
HIPAA-regulated entities that demonstrate they have adopted recognized security practices will benefit from a decrease in the length and extent of audits and investigations of data breaches, and OCR will consider recognized security practices as a mitigating factor to reduce any financial penalties that would otherwise have been applied. In 2022, in response to another request for information, OCR published a video that explains what recognized security practices are and the evidence that can be submitted to prove they have been in place. OCR said that when investigations are launched, OCR will write to the HIPAA-regulated entity and provide an opportunity for evidence of recognized security practices to be submitted.
HIPAA Fines and Settlements Due to be Shared with Victims of HIPAA Violations
In addition to requesting information on recognized security practices in its 2021 RFI, OCR sought comments on how to implement a requirement of the HITECH Act relating to financial penalties for HIPAA violations. Section 13410(c)(1) of the HITECH Act requires OCR to share a portion of the funds it receives from its HIPAA enforcement activities with the victims of HIPAA violations. This is important, as there is no private cause of action in HIPAA, which means individuals cannot sue HIPAA-regulated entities for HIPAA violations when those violations have caused harm.
The problem for OCR – which is why this requirement has not been implemented to date – is the difficulty in implementing a fair method of determining how much victims should receive. In its April 6, 2022, RFI, OCR requested comments to help establish a methodology under which an individual who is harmed by an offense punishable under HIPAA may receive a percentage of any civil money penalty or monetary settlement collected with respect to the offense.
The Government Accountability Office (GAO) has shared a methodology for sharing funds, but OCR is seeking comment on any alternative methodologies. The main problem, however, is identifying the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, as “harm” is not defined by statute.
No timescale has been provided for when a Notice of Proposed Rulemaking will be issued in this regard, or when funds will start to be shared with victims of HIPAA violations. These HIPAA changes could occur in 2026, but it could still be several years before this HITECH Act requirement is implemented.

HIPAA Penalties Could Officially Change in 2026
A HIPAA change occurred in 2019 concerning the penalties for HIPAA violations. OCR issued a Notice of Enforcement Discretion as it had adopted a new penalty structure for non-compliance with HIPAA Rules after a re-evaluation of the language of the HITECH Act.
The HITECH Act called for penalties for HIPAA violations to be increased and, in 2013, the HHS implemented a new HIPAA penalty structure with minimum and maximum penalties set for the four penalty tiers based on the level of culpability. In each category, a maximum penalty of $1.5 million, per violation category, per year was set. The HHS reviewed the language of the HITECH Act in 2019 and interpreted the requirements of the HITECH Act differently. “Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits.”
Rather than setting a maximum penalty of $1.5 million per year in all four categories, the maximum fine was reduced in the first three tiers. The current minimum and maximum penalties, adjusted for inflation, can be found here. Currently, OCR is using the new penalty structure, as detailed in the Notice of Enforcement Discretion published in the Federal Register. While that remains in effect indefinitely, the new penalty structure is not legally binding and can be changed at any time. It is possible that this change to HIPAA will be made official in 2026, although first, a Notice of Proposed Rulemaking will need to be issued.
OCR is more likely to continue to use its new interpretation under its Notice of Enforcement Discretion without making it official. OCR has been pushing Congress to increase the maximum penalties for HIPAA violations, as the total funds from OCR’s enforcement actions decreased significantly when the new penalty structure was introduced. OCR’s budget is extremely stretched as funding for the department has remained flat for years despite increasing numbers of hacking incidents and data breaches, which have significantly increased OCR’s workload. While the penalties for HIPAA violations have increased annually in line with inflation, OCR is seeking increased penalties to spur healthcare organizations into compliance and to make cybersecurity improvements.
Other HIPAA Rule Changes May Lead to Future Updates
HIPAA rule changes are not exclusive to the Privacy, Security, and Breach Notification Rules. There have been a number of HIPAA rule changes relating to transaction code sets and identifiers (Part 162 of the HIPAA Administrative Simplification Regulations). Usually, these rule changes have a limited impact on covered entities and business associates; however, a proposed HIPAA rule change published in December 2022 could have implications for many day-to-day healthcare operations.
The proposed HIPAA rule change was published by the CMS to resolve an issue concerning healthcare attachment transactions. These transactions occur when a health plan needs further information from a healthcare provider to authorize treatment or pay a bill. Healthcare providers can also provide further information when submitting an authorization request or bill to accelerate treatment and/or payment.
The issue exists because further information cannot be “attached” to an existing transaction and has to be faxed or mailed separately. To resolve it, the CMS proposed three new transaction codes. However, in order to authenticate users, ensure the integrity of the attachment, and guarantee nonrepudiation, attachments transmitted using the new codes will have to be digitally signed, so the CMS also proposed a standard for acceptable e-signatures.
Compliance with the e-signature standard is only necessary when covered entities use the transaction codes to submit attachments electronically. There is no requirement to digitally sign attachments when they are faxed or sent through the mail. It is expected that, like most previous Part 162 HIPAA rule changes, the proposals will have a limited impact on covered entities and business associates.
However, the possibility exists that the proposed standard may be extended to other transactions in the future, and then to day-to-day healthcare operations. As this article discusses, there are a number of ways in which e-signatures are used in day-to-day healthcare operations; and, if the e-signature requirements are rolled out across the rest of the HIPAA Administrative Simplification Regulations, covered entities and business associates may have to make some significant procedural changes.
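To make concrete the three properties the CMS proposal attaches to a digitally signed attachment (authentication of the sender, integrity of the document, and nonrepudiation), here is a small added example in Go. It is not code from the proposed rule or from CMS, and it does not model the proposed e-signature standard or transaction formats; the Attachment and SignedAttachment types, the transaction ID field, and the use of Ed25519 are all assumptions chosen for illustration. The point it demonstrates is that a detached signature verified with the sender's public key fails if the document changes, if the signature is moved to a different transaction, or if a different key was used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Attachment is a constructed stand-in for the supporting documentation a
// provider sends a health plan with an authorization request or claim.
// The field names are hypothetical; they are not the CMS transaction format.
type Attachment struct {
	TransactionID string // identifies the request or claim this supports
	Payload       []byte // the document bytes (PDF, CDA, etc.)
}

// SignedAttachment carries the attachment, the signer's public key, and a
// detached signature. Anyone holding the public key can verify it, which is
// what gives the receiving plan evidence for nonrepudiation.
type SignedAttachment struct {
	Attachment Attachment
	SignerKey  ed25519.PublicKey
	Signature  []byte
}

// digest binds the payload to its transaction ID (with a separator byte), so
// a signature made for one transaction cannot be reattached to another.
func digest(a Attachment) []byte {
	h := sha256.New()
	h.Write([]byte(a.TransactionID))
	h.Write([]byte{0x00})
	h.Write(a.Payload)
	return h.Sum(nil)
}

// Sign produces the detached Ed25519 signature with the provider's private key.
func Sign(priv ed25519.PrivateKey, a Attachment) SignedAttachment {
	return SignedAttachment{
		Attachment: a,
		SignerKey:  priv.Public().(ed25519.PublicKey),
		Signature:  ed25519.Sign(priv, digest(a)),
	}
}

// Verify reports whether the signature is valid for the attachment as
// received. It fails on a modified payload, a modified transaction ID, a
// signature made by a different key, or malformed key/signature lengths.
func Verify(sa SignedAttachment) bool {
	if len(sa.SignerKey) != ed25519.PublicKeySize ||
		len(sa.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(sa.SignerKey, digest(sa.Attachment), sa.Signature)
}

// Tampered returns a copy whose payload was altered after signing; it is used
// only to show that an integrity failure is detected.
func Tampered(sa SignedAttachment) SignedAttachment {
	out := sa
	out.Attachment.Payload = append([]byte(nil), sa.Attachment.Payload...)
	out.Attachment.Payload = append(out.Attachment.Payload, []byte(" (amended)")...)
	return out
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample attachment; the content is not real PHI.
	att := Attachment{
		TransactionID: "AUTH-2026-0001",
		Payload:       []byte("clinical note supporting prior authorization"),
	}
	signed := Sign(priv, att)
	fmt.Println("signer key:", hex.EncodeToString(pub))
	fmt.Println("valid as sent:", Verify(signed))
	fmt.Println("valid after tampering:", Verify(Tampered(signed)))
}
```

In practice the receiving plan would need to know that SignerKey actually belongs to the submitting provider (a certificate or a registry of enrolled keys), since a signature proves only that whoever holds the private key signed this exact document for this exact transaction; the example takes that key binding as given.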
FAQs
If HIPAA settlement sharing is introduced, will that result in more fines being issued?
If HIPAA settlement sharing is introduced, it is unlikely to result in more fines being issued by HHS’ Office for Civil Rights. Although the agency may come under pressure to pursue more settlements, there has been no indication that the current policy of voluntary compliance wherever possible will be reviewed.
How was HIPAA updated by the Omnibus Final Rule in 2013?
When HIPAA was updated by the Omnibus Final Rule in 2013, the major changes included further limiting permissible uses and disclosures of PHI, expanding patients’ rights, and making business associates directly liable for HIPAA violations attributable to their non-compliance. The Omnibus Final Rule also confirmed the new violation penalty structure imposed by the HITECH Act.
When was HIPAA last updated?
HIPAA was last updated in 2024 when the HIPAA Privacy Rule was updated to strengthen reproductive healthcare privacy to prohibit the uses and disclosures of reproductive healthcare information for the purpose of conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person who has legally sought, been provided with, or has facilitated reproductive health care that was legal in the location where it was provided.
What were the changes in 2017 that impacted HIPAA compliance?
The changes in 2017 that impacted HIPAA compliance relate to changes in 42 CFR Part 2 of the Public Welfare Code. These changes placed stricter conditions on the uses and disclosures of PHI when a patient has a substance use disorder (SUD), and they affect HIPAA compliance for providers in this field of healthcare, who may need a three-tier structure for protecting SUD-related PHI, other PHI, and non-protected personal information.
Where is the best place to find changes to the HIPAA standards?
The best place to find changes to the HIPAA standards in the Administrative Simplification Regulations is the HHS’ Office for Civil Rights website. The website provides the opportunity for visitors to register for a “Weekly News Digest” that will deliver news about Proposed Rules, Interim Rules, and Final Rules straight to your email inbox.
How will HHS announce HIPAA updates in 2026?
HHS will announce HIPAA updates in 2026 via one or more Final Rules published in the Federal Register. Once a Final Rule is published in the Federal Register, HHS will publish a News Release on its website. HHS News Releases are usually widely reported in trade publications and on compliance websites, so it is unlikely that any major updates to HIPAA in 2026 will go unnoticed.
Where can compliance officers find the latest version of HIPAA?
Compliance officers can find the latest version of the HIPAA Administrative Simplification Regulations on the eCFR website (https://www.ecfr.gov/). The HIPAA Administrative Simplification Regulations are in three Parts – 45 CFR 160, 162, and 164. Part 164 includes the HIPAA Security Rule (Subpart C), the HIPAA Breach Notification Rule (Subpart D), and the HIPAA Privacy Rule (Subpart E), but compliance officers should also review the other Parts of the Title to identify any other standards that apply.
Will there be an Omnibus HIPAA Final Rule 2026?
It is unlikely there will be an Omnibus Final Rule 2026 due to the volume and variety of new regulations being proposed. While it is possible that proposed changes to the HIPAA Security Rule to reflect HHS’ Healthcare Sector Cybersecurity Strategy and recognized security practices may be combined, other proposals – such as electronic signatures and interoperability – may be introduced separately and then expanded to other areas of HIPAA in subsequent rulemaking.
What new Rules were introduced to HIPAA in 2024?
There were no new Rules introduced to HIPAA in 2024 because the 2024 updates to HIPAA affected existing Rules rather than creating new Rules. The last update to HIPAA in which a new Rule was introduced was in 2009, when HHS’ Office for Civil Rights published the Interim HIPAA Breach Notification Rule. The HIPAA Breach Notification Rule was modified and finalized in the HIPAA Omnibus Final Rule of 2013.
When are the first 2026 updates to HIPAA expected?
It is not known when the first 2026 updates to HIPAA are expected due to the change in administration. Some updates to HIPAA in 2024 became effective in 2025, and some of the Part 2 updates to align them with HIPAA have a February 2026 compliance date. In addition, changes to HIPAA violation penalties are due to be made to increase them in line with inflation. While they should occur in January 2026, the HHS is usually slow to apply them.