
New HIPAA Regulations in 2026

New HIPAA regulations may be implemented in 2026, such as the proposed update to the HIPAA Privacy Rule, a final rule for which is long overdue. An update to the HIPAA Security Rule was proposed in January 2025, although it is unclear when or if OCR will publish a final rule.

New HIPAA regulations were implemented in 2024 when a final rule was published updating the HIPAA Privacy Rule to strengthen reproductive health care privacy, and a final rule was published aligning the Part 2 regulations more closely with HIPAA, although in June 2025, the HIPAA Privacy Rule to strengthen reproductive health care privacy was vacated nationally by a Texas judge.

This article explains the implemented and proposed new HIPAA regulations and can be used in conjunction with our HIPAA compliance checklist to help better understand how the HIPAA updates for 2026 may impact HIPAA compliance. Please use the form on this page to request your free copy of the checklist.

In recent years, new HIPAA regulations and changes attributable to related Acts have mostly had a minimal impact on HIPAA compliance; however, many of the anticipated HIPAA changes in 2026 and beyond are likely to have a much more significant impact, none more so than the proposed changes to the HIPAA Security Rule. If enacted, the HIPAA Security Rule update will have a major impact on HIPAA-regulated entities operationally and financially, requiring a major investment in cybersecurity.


The last major update to the HIPAA Rules was in 2013 when the HIPAA Omnibus Final Rule introduced new HIPAA regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Since then, most HIPAA changes have consisted of amendments to existing standards to accommodate changes to other laws, Executive Orders, and to implement new transaction code sets.

The next major update is now due, as the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, proposing a slew of changes to the HIPAA Privacy Rule. The Final Rule should have been published by now; however, it was proposed by OCR under the previous Trump administration, and the Biden administration did not view the update as a priority and failed to implement a final rule. No date has been set for when the final rule will be published, and it is now up to the new Trump administration to decide if the proposed changes should be implemented (see the New HIPAA Regulations in 2024 and 2025 section below).

For several years, new HIPAA regulations have been under consideration concerning how substance use disorder (SUD) and mental health information records are treated and protected. SUD records are covered by the Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) regulations, which serve to protect the privacy of substance use disorder patients who seek treatment at federally assisted programs, whereas other healthcare data is covered under HIPAA.

There have been calls from many healthcare stakeholder groups to align the Part 2 regulations more closely with HIPAA, so all healthcare data is required to have equal protection. This would allow clinicians to view patients’ entire medical records, including SUD records, to get a complete view of a patient’s health history to inform treatment decisions. If details of treatment for SUD are withheld from doctors, there is a risk that a patient may be prescribed opioids when they are in recovery.

While there are good reasons why these records need to be treated differently, as part of efforts to tackle the opioid crisis the Substance Abuse and Mental Health Services Administration (SAMHSA) and OCR have moved to align the Part 2 regulations more closely with HIPAA.

There was progress on this front in 2020 through the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which required the HHS to align the Part 2 regulations more closely with HIPAA. In 2022, a Notice of Proposed Rulemaking was published in the Federal Register detailing Part 2 and HIPAA changes as mandated by the CARES Act to increase care coordination and better align these regulations, and a final rule was issued in February 2024. The new rule took effect on April 16, 2024, and compliance is required by no later than February 16, 2026.

How are New HIPAA Regulations Introduced?

The process of implementing HIPAA updates is slow and follows the process mandated by the Administrative Procedure Act. Typically, before any new HIPAA regulations can be introduced, changed, or rescinded, the HHS must seek feedback through a Request for Information (RFI) on aspects of HIPAA regulations that are proving problematic or, due to changes in technologies or practices, are no longer as important as when they were originally published.

After considering the comments and feedback received from the RFI, the HHS releases a Notice of Proposed Rulemaking (NPRM), which is followed by a comment period. Comments received from healthcare industry stakeholders are considered before a Final Rule is issued. HIPAA-regulated entities are then given a grace period to make the necessary changes before compliance with the new HIPAA regulations becomes mandatory and the HIPAA changes become enforceable.

The NPRM for the proposed HIPAA Privacy Rule changes was published in the Federal Register on January 21, 2021, and healthcare industry stakeholders were invited to submit comments on the 357-page proposal, with the deadline for submitting comments set as March 22, 2021. The proposed HIPAA Privacy Rule changes are far-reaching and affect almost everyone who interacts with the healthcare system. Due to the extent of the proposed HIPAA changes and their potential impact, the deadline for submitting comments was extended to May 6, 2021. OCR has yet to provide a date for when the Final Rule will be issued, but since the proposed rule was issued under the previous Trump administration, a final rule may be issued in 2026. If that is the case, there will be a grace period before compliance with the new rule is enforced.

In April 2022, the HHS also released an RFI on how best to take into consideration the recognized security practices of the 2021 HIPAA “Safe Harbor” Law, and how to introduce a method of “settlement sharing” in which victims of data breaches could claim a percentage of civil monetary penalties, as originally required (but never enacted) by §13410(c)(3) of the HITECH Act. OCR has yet to issue an NPRM on settlement sharing, so this is not going to be one of the new HIPAA regulations in 2026. OCR has released a video presentation on how HIPAA-regulated entities can demonstrate they have implemented recognized security practices.

New HIPAA Regulations in 2024 and 2025

New HIPAA regulations in 2024 updated the HIPAA Privacy Rule to strengthen reproductive health care privacy (now vacated – see the section below) in response to the overturning of Roe v. Wade, which removed the constitutional right to abortion, and aligned the Part 2 regulations with HIPAA more closely. A final rule updating the HIPAA Privacy Rule is overdue, as comments have been collected in response to the 2020 proposed Rule, and in January 2025, OCR published its long-awaited proposed update to the HIPAA Security Rule, which includes many new cybersecurity requirements to better protect the U.S. health care system from the growing number of cyberattacks.

The future of HIPAA is currently unclear due to the administration change, and it is too early to say if there will be any new HIPAA regulations in 2026. The Trump-Vance administration has different views on healthcare than the Biden-Harris administration, and it is unclear what the priority will be for the HHS under the new Secretary and OCR Director. The Privacy Rule update that is currently pending could well be the first of the new HIPAA regulations in 2026, as it was proposed by the previous Trump administration.

Trump’s campaign promises included a focus on deregulation and the reversal of Biden-era policies. In his last term, Trump issued an Executive Order of ‘One-In, Two-Out’ regarding new regulations. While the HIPAA Privacy Rule update to strengthen reproductive health care privacy could have been reversed under the new administration, that proved unnecessary. The Texas Attorney General challenged the legality of the HIPAA Privacy Rule update to strengthen reproductive health information privacy, as it was alleged to impede the state’s ability to enforce state laws. That challenge was successful, with a federal judge ruling that the new rule was unlawful, vacating the reproductive healthcare privacy rule nationwide.

One of the final acts of OCR under the Biden-Harris Administration was the publication of an NPRM updating the HIPAA Security Rule. The proposed update to the HIPAA Security Rule was added to the Federal Register on January 6, 2025, and the comment period remained open until March 7, 2025. It is now up to the Trump administration to decide whether a final rule should be published implementing the proposed changes. The final rule, if published, could be considerably different from the proposed rule, with some of the requirements removed to ease the burden on regulated entities. Like the update to the HIPAA Privacy Rule proposed by OCR under the previous Trump administration, the proposed update to the HIPAA Security Rule may take several years before being passed or could be shelved. There is bipartisan support for new healthcare cybersecurity requirements due to the massive number of cyberattacks and data breaches that are occurring, but the proposed HIPAA Security Rule update has attracted considerable criticism from providers and industry associations alike due to the cost implications and compliance burden.

New HIPAA Regulations and Part 2 Rulemaking

The CARES Act was passed by Congress on March 27, 2020, to ensure that every American had access to the care they needed during the COVID-19 pandemic and to address the economic fallout from COVID-19. Individuals suffering from substance use disorder (SUD) had to get the treatment they needed during the COVID-19 pandemic, which meant changes needed to be made to Part 2 regulations. The CARES Act improved Part 2 regulations by expanding the ability of healthcare providers to share the records of individuals with SUD, but also tightening the requirements in the event of a breach of confidentiality.

The changes to Part 2 regulations are based on the Legacy Act, which was introduced by Sens. Capito (R-WV) and Manchin (D-WV). Rather than having to obtain consent from a SUD patient for each use or disclosure, and for consent forms to state the specific parties with whom the information will be shared on the consent form, patients can give broad consent for their SUD records to be shared for treatment, payment, and healthcare operations (TPO). Each disclosure made with patient consent must include a copy of the consent or a clear explanation of the scope of the consent.

The SUD records can then be shared by a covered entity or business associate for all TPO reasons, as is the case with HIPAA. Uses and disclosures must be limited to the minimum necessary information and consent can be withdrawn (in writing) by the patient at any time. The CARES Act also allows SUD information to be shared with a public health authority if it is first de-identified in accordance with the HIPAA Rules.

Protections have been put in place for SUD patients, which place limitations on the use of SUD records in criminal, civil, or administrative investigations or proceedings, and there are prohibitions on discrimination against patients suffering from SUD. Patients have also been given three new rights, better aligning Part 2 with the HIPAA Privacy Rule. These are the right to an accounting of disclosures of SUD records, the right to request restrictions on disclosures for treatment, payment, and healthcare operations, and the right to opt out of fundraising communications.

Part 2 programs are required to establish a process to receive complaints about Part 2 violations and are prohibited from taking adverse action against patients who file complaints. Requiring patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services is also prohibited. The final rule also included a new definition for SUD Counseling Notes, which are voluntarily maintained by a clinician separately from Part 2 records. These require specific consent and cannot be used or disclosed based on the broad TPO consent.

Disclosures of SUD records to the Secretary of the HHS are required for enforcement purposes, and the HIPAA and HITECH Act civil and criminal penalties now apply to Part 2 violations, further aligning the regulations with HIPAA. Breaches of Part 2 records now have the same notification requirements as protected health information under HIPAA, so any data breach requires the patient to be notified without unnecessary delay, and no later than 60 days from the date of discovery of the breach. The Part 2 confidentiality notice requirements also align with the HIPAA Notice of Privacy Practices. An update to HIPAA was also included in the final rule, which requires covered entities that receive or maintain Part 2 records to update their HIPAA Notice of Privacy Practices to include a provision limiting the redisclosure of Part 2 records for legal proceedings per the Part 2 standards, the compliance deadline for which is February 16, 2026.

HIPAA Privacy Rule Changes to Strengthen Reproductive Healthcare Privacy (Now vacated)

In June 2022, the Supreme Court delivered a decision in the case of Dobbs v. Jackson Women’s Health Organization, which overturned previous rulings (Roe v. Wade) that the Constitution of the United States protects a pregnant individual’s liberty to have an abortion. The decision led to many anti-abortion states passing laws that prohibited or restricted terminations, forcing women and children to cross state lines to have pregnancies terminated.

Anti-abortion states are unable to prevent women from crossing state lines for terminations, but some have introduced legislation that criminalizes assisting or facilitating an abortion procedure. In response, permissive states have introduced “shield” laws to prevent the extraterritorial application of anti-abortion legislation and protect their citizens from being charged for assisting or facilitating a procedure that is legal in their home state.

The patchwork of state legislation was a major concern to OCR due to possible uses or disclosures of PHI in extraterritorial civil, criminal, or administrative investigations or proceedings. The HIPAA Privacy Rule permitted, but did not require, disclosures of PHI for judicial and administrative proceedings – §164.512(e) of the Privacy Rule. OCR was concerned that patients may withhold information from their healthcare providers and that states with restrictions on abortions may attempt to obtain reproductive healthcare information to prosecute individuals who obtain abortions and the individuals who assist or facilitate that care.

In April 2023, OCR proposed an update to the HIPAA Privacy Rule to strengthen reproductive healthcare privacy, and a final rule was published in the Federal Register in April 2024. These changes took effect on June 25, 2024, and enforcement commenced on December 23, 2024; however, in June 2025, following a legal challenge in Texas court, this Rule was vacated nationally, as it was determined to be unlawful.

Specifically, Texas U.S. District Judge Matthew Kacsmaryk said the HHS had no authority to impose a new rule that limits state laws, the changes to definitions were in excess of statutory authority, and the HHS did not have the authority to require greater protections for different types of healthcare information “to accomplish political ends like protecting access to abortion and gender-transition procedures.” The decision could potentially be appealed by the HHS. If an appeal were to be made and be successful, the HHS would likely face other challenges.

The key HIPAA Privacy Rule changes were:

  • A definition of “reproductive health care” is added to HIPAA. This definition covers terminations, but also contraception, fertility, and miscarriage healthcare.
  • New limitations are imposed on the uses and disclosures of PHI relating to reproductive healthcare that cannot be bypassed by obtaining consent or an authorization.
  • A request for reproductive health care information must be accompanied by an attestation that the information will not be used or disclosed for an out-of-state judicial or administrative proceeding.
  • Clarification that providing or facilitating reproductive health care is not abuse, neglect, or domestic violence.
  • To reassure patients that PHI relating to reproductive health care will not be used or disclosed, a new section must be added to existing Notices of Privacy Practices. The compliance date for this requirement is February 16, 2026, to coincide with the compliance date for the recently introduced Part 2 changes.

Latest HIPAA Updates Relating to Transaction Code Sets

In the introduction to this article, it was mentioned that most HIPAA changes have consisted of amendments to existing standards to accommodate changes to other laws, Executive Orders, and new transaction code sets. While it is understandable that most covered entities’ attention may be focused on the proposed modifications to the HIPAA Privacy Rule, it is important to keep up to date with the latest HIPAA updates relating to transaction code sets.

This is because, in December 2022, HHS’ Centers for Medicare and Medicaid Services (CMS) published a proposed rule that would add three new transaction codes to the existing transaction code sets. The new transaction codes are to enable the electronic transmission of healthcare attachment transactions – transactions in which further information is provided to support an authorization request or a bill, or to preempt a query relating to a bill.

Currently, healthcare attachment transactions are sent by fax or mail, and by facilitating the electronic transmission of these transactions, the new transaction codes will accelerate authorizations, treatments, and payments. However, to validate their authenticity, electronically transmitted healthcare attachment transactions will have to be digitally signed by software capable of supporting the HL7 Implementation Guide (IG) for CDA R2.

These latest HIPAA updates relating to transaction code sets could be significant for all covered entities that already use e-signatures in day-to-day healthcare operations (i.e., Business Associate Agreements, remote authorizations for uses and disclosures not permitted by the HIPAA Privacy Rule, e-prescribing, etc.) if the e-signature requirements are extended to other HIPAA-covered transactions, and then to day-to-day healthcare operations.

The Proposed Changes to the HIPAA Privacy Rule

OCR issued a request for information in December 2018, asking HIPAA-covered entities for feedback on aspects of HIPAA Rules that were overly burdensome or obstructed the provision of healthcare, and areas where new HIPAA updates could be made to improve care coordination and data sharing.

OCR was specifically looking at making changes to aspects of the HIPAA Privacy Rule that impede the transformation to value-based healthcare and areas where current HIPAA Privacy Rule requirements limit or discourage coordinated care. The proposed changes to HIPAA include the easing of restrictions on disclosures of PHI that require authorizations from patients and several new HIPAA changes to strengthen patients’ rights to access their own PHI. One proposed change that has attracted some criticism is the requirement to make the sharing of ePHI with other providers mandatory. Both the American Hospital Association (AHA) and the American Medical Association (AMA) voiced their concerns about the mandatory sharing of healthcare data, and also against another proposed change that shortens the timescale for responding to patient requests for copies of their medical records.

Former HHS Deputy Secretary Eric Hargan explained that complaints had been received that some provisions of the HIPAA Privacy Rule are stopping patients and their families from getting the help they need and that changes are necessary to help with the fight against the current opioid crisis in the United States. New HIPAA changes have also been proposed to reduce the administrative burden on HIPAA-covered entities.

In December 2020, OCR announced proposed new HIPAA regulations for the HIPAA Privacy Rule, which were open to comments. The comment period has long since closed, and while a final rule implementing these changes was expected under the Biden-Harris administration, it never materialized. The incoming Trump administration could have made this a priority, given that it was proposed under the previous Trump administration, but a final rule has yet to be issued, although 2026 may be the year when the proposed updates are finalized. In January 2026, OCR announced a Tribal consultation meeting on the proposed HIPAA Privacy Rule update – the first real sign of progress toward a final rule in the past 4 years.

The proposed new HIPAA regulations announced by OCR in December 2020 and published in the Federal Register in January 2021 are as follows:

  • Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
  • Changing the maximum time to provide access to PHI from 30 days to 15 days.
  • Requests by individuals to transfer ePHI to a third party will be limited to the ePHI maintained in an EHR.
  • Individuals will be permitted to request their PHI be transferred to a personal health application.
  • States when individuals should be provided with ePHI at no cost.
  • Covered entities will be required to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
  • HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
  • HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
  • Pathway created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
  • Healthcare providers and health plans will be required to respond to certain records requests from other covered healthcare providers and health plans, in cases when an individual directs those entities to do so under the HIPAA Right of Access.
  • The requirement for HIPAA-covered entities to obtain written confirmation that a Notice of Privacy Practices has been provided has been dropped.
  • Covered entities will be allowed to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” The current definition is when harm is “serious and imminent.”
  • Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
  • The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
  • The definition of healthcare operations has been broadened to cover care coordination and case management.
  • The Armed Forces’ permission to use or disclose PHI to all uniformed services has been expanded.
  • A definition has been added for electronic health records.

HHS Announces Plans for Improving Cybersecurity and Publishes Healthcare Cybersecurity Performance Goals

In December 2023, the HHS published a Healthcare Sector Cybersecurity concept paper outlining the steps that the HHS would be taking to improve cyber resiliency in light of the growing number of healthcare cyberattacks, including ransomware attacks that are putting patient safety at risk. The concept paper included four main areas of action:

  1. Establish voluntary cybersecurity goals for the healthcare sector
  2. Provide resources to incentivize and implement cybersecurity practices
  3. Implement an HHS-wide strategy to support greater enforcement and accountability
  4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity.

The HPH Cybersecurity Performance Goals (CPGs) were finalized and announced by OCR in January 2024. There are two tiers of CPGs: Essential CPGs and Enhanced CPGs, both of which contain high-impact cybersecurity practices that will have the greatest effect on improving resiliency to cyberattacks. The Essential CPGs include mitigating known vulnerabilities, email security, multifactor authentication, basic workforce cybersecurity training, strong encryption for data in transit, unique credentials for all workforce members, and revoking credentials for departing workforce members. The Enhanced CPGs include a complete asset inventory, third-party vulnerability disclosure, cybersecurity testing, network segmentation, centralized log collection, configuration management, and centralized incident planning and preparedness.

Both sets of CPGs are voluntary; however, OCR believes that regulatory changes are required, as voluntary goals are unlikely to be enough to drive the behavioral changes needed across the sector. In the concept paper, the HHS said an update to the HIPAA Security Rule would likely be proposed in Spring 2024, but the update was delayed. A draft of the proposed update was published in December 2024, and the proposed HIPAA Security Rule update was published in the Federal Register on January 6, 2025.

The HHS has also confirmed that the Centers for Medicare and Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals that participate in the Medicare and Medicaid programs, the adoption of which will be a condition for participation in those programs. While those new requirements were expected to be announced by the CMS in 2024, no announcement has been made to date, with 2026 potentially the year when the changes are made. They are expected to include several of the measures detailed in the healthcare CPGs and the recently proposed HIPAA Security Rule update.

HIPAA Security Rule Changes in 2026?

Since the publication of the Omnibus Final Rule in 2013, there have been new HIPAA updates to the HIPAA Privacy Rule, amendments to the HIPAA Enforcement Rule to account for inflation, and new HIPAA Part 162 requirements, but no changes – other than a technical correction – to the HIPAA Security Rule. This could be about to change, as one of the last actions of OCR under the Biden Administration was to propose a much-needed update to the HIPAA Security Rule that includes many new cybersecurity requirements.

As previously explained in the How are New HIPAA Regulations Introduced section, a new rule is proposed, followed by a comment period, and comments were accepted on the proposed new HIPAA regulations until March 7, 2025. The comments must then be reviewed, which could take a considerable amount of time, as extensive feedback was received by OCR from HIPAA-regulated entities and healthcare industry stakeholders due to the number of new cybersecurity requirements in the proposed rule. After comments have been considered and changes have been made to the proposed rule, a final rule will be issued, and regulated entities will be given a grace period to comply. The compliance date is likely to be at least a year after the final rule is published due to the number of changes introduced and the cost of implementing the new cybersecurity measures, which will be considerable.

There is a caveat. The HIPAA update was proposed by OCR under the Biden Administration, and the new Trump administration may choose to do nothing with the update, as was the case with the HIPAA Privacy Rule update proposed by the previous Trump administration, which was shelved by OCR under the Biden Administration. If a final rule is issued, it could have many of the proposed updates removed. No decision has been made about whether a final rule will be released, but OCR has stated that the final rule is due in May 2026, although it could well be delayed. If issued, it will likely be 2027 before compliance is enforced.

The Proposed HIPAA Security Rule Changes

The proposed update to the HIPAA Security Rule – HIPAA Security Rule to Strengthen Cybersecurity of Electronic Protected Health Information – is a major overhaul of the cybersecurity requirements for HIPAA-regulated entities, with many new requirements added in line with current cybersecurity best practices, methodologies, and procedures to improve protections against internal and external threats, plus changes in response to court decisions that have affected OCR’s enforcement of the HIPAA Security Rule.

One notable change is the removal of the distinction between required and addressable implementation specifications, with the latter removed in the updated HIPAA Security Rule. Addressable has been taken to mean optional by many regulated entities when that is not the case. This change makes it clear that all requirements must be implemented, although there are limited exceptions to certain implementation specifications.

One of the most commonly identified HIPAA Security Rule violations is the failure to conduct a comprehensive and accurate risk analysis, which OCR is addressing in the latest update, which makes the Security Rule much more focused on risk identification and remediation. In the last round of HIPAA compliance audits in 2016 and 2017, OCR found that most audited entities were not compliant with this important implementation specification. The update includes more specific requirements for the risk analysis, making it clear what the risk analysis must entail.

The update runs to 393 pages and includes extensive changes, with some of the key proposed new HIPAA regulations detailed below:

  • Technology asset inventory and network map – The development and revision of a technology asset inventory and network map illustrating the movement of ePHI throughout the regulated entity’s electronic information systems on an ongoing basis, but at least every 12 months.
  • Risk analysis – More specific requirements for risk analysis, including a review of the technology asset inventory and network map, the identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI, the identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems, and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
  • Contingency planning and security incident response – Development of written procedures for restoring data within 72 hours including restoration priority based on criticality.
  • Security Rule compliance audits – Internal audits to be conducted at least every 12 months
  • Reviews and tests of security measures – Must be conducted at least every 12 months
  • Vulnerability scans – Must be conducted at least every 6 months
  • Penetration tests – Must be conducted at least every 12 months
  • Technical safeguards for portable devices – Controls currently required for computer workstations extended to mobile phones, tablets, and other portable devices
  • Patch management – Timely implementation of patches and software updates
  • Unnecessary software removal – Removal of extraneous software from relevant electronic information systems
  • Disable unused network ports – In accordance with the regulated entity’s risk analysis.
  • Data backups – Separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
  • Business associate cybersecurity – Verification of business associates’ and contractors’ security measures at least every 12 months
  • Encryption – Encryption of all ePHI at rest and in transit
  • Multi-factor authentication – Required for access to relevant electronic information systems, with limited exceptions
  • Network segmentation – Networks must be segmented to limit lateral movement in the event of a compromise
  • Anti-malware protection – Software must be implemented to protect against malicious software
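As an added illustration (not part of the original article, and not an OCR method or tool), the Python below walks through the inventory-driven risk analysis the list describes: derive the relevant electronic information systems from a technology asset inventory and an ePHI flow map, pair each in-scope asset's predisposing conditions with the threats that can exploit them, and rank the resulting risks. Every asset, flow, threat, likelihood value and the 1-5 scoring scale is a constructed assumption chosen for the example.

```python
"""Inventory-driven risk analysis, constructed for illustration.
All assets, flows, threats, likelihood values and the 1-5 scoring
scale below are assumptions, not data from the article or from OCR."""
from collections import deque
from dataclasses import dataclass

# Constructed technology asset inventory. `stores_ephi` marks systems that
# maintain ePHI; `conditions` are predisposing conditions found on the asset.
ASSETS = {
    "ehr-db":        {"stores_ephi": True,  "conditions": {"no_encryption_at_rest"}},
    "ehr-app":       {"stores_ephi": False, "conditions": {"unpatched"}},
    "vpn-gw":        {"stores_ephi": False, "conditions": {"no_mfa", "unpatched"}},
    "billing":       {"stores_ephi": True,  "conditions": set()},
    "backup-nas":    {"stores_ephi": True,  "conditions": {"no_encryption_at_rest", "flat_network"}},
    "cafeteria-pos": {"stores_ephi": False, "conditions": {"unpatched"}},
}

# Constructed network map: directed edges along which ePHI moves.
EPHI_FLOWS = [
    ("vpn-gw", "ehr-app"),
    ("ehr-app", "ehr-db"),
    ("ehr-app", "billing"),
    ("ehr-db", "backup-nas"),
]

# Constructed threat catalogue: the predisposing conditions each threat exploits.
THREATS = {
    "ransomware": {"unpatched", "flat_network"},
    "credential_stuffing": {"no_mfa"},
    "device_theft": {"no_encryption_at_rest"},
}

# Assumed likelihood (1-5) that a threat exploits a given condition.
LIKELIHOOD = {
    ("ransomware", "unpatched"): 4,
    ("ransomware", "flat_network"): 3,
    ("credential_stuffing", "no_mfa"): 5,
    ("device_theft", "no_encryption_at_rest"): 3,
}


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    score: int
    level: str


def relevant_systems(assets, flows):
    """Systems that maintain or transmit ePHI: every system that stores it
    plus every endpoint of an ePHI flow. Anything else is out of scope."""
    relevant = {name for name, a in assets.items() if a["stores_ephi"]}
    for src, dst in flows:
        relevant.update((src, dst))
    return relevant


def downstream(asset, flows):
    """All systems reachable from `asset` by following ePHI flows (BFS)."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, []).append(dst)
    seen, queue = set(), deque([asset])
    while queue:
        for nxt in adjacency.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def impact(asset, assets, flows):
    """Assumed impact (1-5): 5 if the asset holds ePHI, 4 if a compromise can
    reach a system that does via the flow map, otherwise 2."""
    if assets[asset]["stores_ephi"]:
        return 5
    if any(assets.get(d, {}).get("stores_ephi") for d in downstream(asset, flows)):
        return 4
    return 2


def risk_level(score):
    """Assumed banding of the likelihood x impact product."""
    if score >= 16:
        return "critical"
    if score >= 10:
        return "high"
    return "medium" if score >= 5 else "low"


def build_risk_register(assets, flows, threats, likelihood):
    """Pair each in-scope asset's conditions with the threats that exploit them
    and rank the results. Pairs with no assessed likelihood are skipped here;
    in practice they would be queued for assessment rather than dropped."""
    register = []
    for asset in sorted(relevant_systems(assets, flows)):
        imp = impact(asset, assets, flows)
        for cond in sorted(assets[asset]["conditions"]):
            for threat, exploits in sorted(threats.items()):
                if cond not in exploits or (threat, cond) not in likelihood:
                    continue
                lik = likelihood[(threat, cond)]
                register.append(RiskItem(asset, threat, cond, lik, imp, lik * imp,
                                         risk_level(lik * imp)))
    register.sort(key=lambda r: (-r.score, r.asset, r.threat))
    return register


if __name__ == "__main__":
    for item in build_risk_register(ASSETS, EPHI_FLOWS, THREATS, LIKELIHOOD):
        print(f"{item.level:8} {item.score:3} {item.asset:12} {item.threat:20} {item.vulnerability}")
```

The point of the example is scoping and prioritisation, which is where risk analyses most often fall short in OCR's findings: the unpatched point-of-sale terminal never enters the register because no ePHI is stored on it or flows through it, while the VPN gateway with no MFA tops the register even though it stores nothing, because the flow map shows that ePHI-storing systems are reachable from it. The same structure extends naturally to a real inventory exported from a CMDB and a flow map built from network documentation.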

Challenges Complying with the New HIPAA Regulations in 2026

The proposed changes to the HIPAA Privacy Rule are a cause of concern for many covered entities and patient privacy advocates due to the potential impact they will have on the privacy and security of healthcare data, and the administrative and economic burden the changes will likely place on healthcare providers. While changes have been made to align the Part 2 regulations more closely with HIPAA, there has been criticism that the proposed changes have not gone far enough.

While some of the proposed changes to the HIPAA Privacy Rule are intended to ease the administrative burden on healthcare organizations, when the final rule is published, considerable time and effort will need to be put into implementing the changes. There will be a need to update HIPAA policies and procedures and communicate those changes to patients and health plan members. Employees will need to be given further HIPAA training, as the HIPAA Privacy Rule requires training to be provided whenever there is a material change to HIPAA policies. Training courses will need to be updated, and providing training to the workforce has the potential to cause workflow disruption. The HIPAA Privacy Rule is largely concerned with restricting the uses and disclosures of PHI. The latest HIPAA changes introduce new requirements to make healthcare information flow more freely and improve access rights for patients. Implementing those HIPAA changes could well create challenges for healthcare organizations.

OCR has been cracking down on violations of the HIPAA Right of Access when timely access to medical records is not provided, and the proposed HIPAA changes shorten the timeframe for providing those records. Based on the number of financial penalties for HIPAA Right of Access violations – more than 50 – it is clear some healthcare providers have struggled to provide records within 30 days. Providing the records within 15 days will be particularly challenging, especially considering the maximum extension has also been shortened to 15 days.

Another area of concern is the definition of electronic health records, which includes billing records. Billing records will need to be provided when an individual requests a copy of their records. Billing records are often kept in a different system – not in the EHR – which can slow down the processing of requests for copies of medical records. The HIPAA Privacy Rule change also prohibits unreasonable barriers to individuals exercising their right of access, such as unreasonable identity checks, which may be a cause of confusion as to what qualifies as ‘unreasonable’.

A definition has been added for Personal Health Application – an application used by an individual to access their health records. Healthcare organizations will be required to inform individuals about the privacy and security risks of sending their PHI to a third-party application, which is not required to have safeguards mandated by HIPAA. Healthcare providers are likely to have to develop their own patient warnings to ensure patients are made aware of the risks. A change has also been made that allows patients to orally request that a copy of their PHI be sent to a third party. Healthcare organizations may struggle to implement the necessary changes to allow those requests to be processed correctly.

There has also been a change to the language of the HIPAA Privacy Rule regarding the need to provide copies of ePHI in the format requested by the individual. “Readily producible” copies of PHI now include copies requested through standards-based APIs using individuals’ personal health applications. It may not be easy for some healthcare providers to provide records in those formats, as they may be restricted by the EHR system they have implemented.

The new HIPAA regulations will allow patients to inspect their PHI in person and take notes and photographs. That too will create challenges, as patients will need to be allowed to inspect their PHI privately, and care will need to be taken to ensure they are not photographing PHI they are not authorized to – such as the PHI of others or any of their own PHI that is excluded from the HIPAA Right of Access. HIPAA-covered entities will need to determine how best to adhere to that requirement. It may be necessary to create an area where records can be viewed electronically and even to supervise individuals who are inspecting their PHI in person. In-person requests to inspect PHI will also need to be provided free of charge, even though providing in-person access has the potential to have a cost impact on a HIPAA-covered entity.

The proposed HIPAA Security Rule changes are commonsense measures based on the latest cybersecurity best practices, and while they include many new requirements that will be easy to implement, some new requirements will be particularly challenging, such as encrypting all ePHI at rest and in transit. The new requirements will also be expensive to implement, and there is a great deal of concern from many regulated entities about how they will find the funds to implement the changes, especially for low-resourced hospitals. Due to the number of new requirements, implementing those changes and adding new policies, procedures, and safeguards will place an enormous compliance burden on HIPAA-regulated entities.

As these issues show, while the changes in many cases are minor, the implications for HIPAA-covered entities can be considerable. It will likely take considerable planning and resources to implement all of the changes, update policies and procedures, and provide training to the workforce. Efforts to implement the new HIPAA changes will need to be initiated promptly after the final rules are published to ensure compliance with any new HIPAA regulations in 2026, and certainly by the effective date.

HIPAA Training for 2026

Final rules may be issued in 2026, updating both the HIPAA Privacy and Security Rules, and if that is the case, it will be a busy time for HIPAA Officers, as policies and procedures will need to be updated, training courses changed, and the revised training rolled out to all members of the workforce. Even without any rule changes, training must be provided to all new members of the workforce, along with annual refresher training for existing staff members.

The HIPAA Journal’s HIPAA experts have developed training courses for HIPAA-regulated entities and healthcare professionals that include real-world, relatable examples drawn from more than a decade of HIPAA breach reporting and analysis. The HIPAA Journal team takes great care to ensure the training courses are kept up to date, factoring in current and emerging compliance issues such as the use of generative AI tools, as well as any rule changes.

The result is training that goes beyond listing rules to show staff how violations and data breaches actually happen and how to avoid them in their daily work. This reduces the risk of breaches, investigations, fines, and reputational damage for your organization. You can find out more about the training courses here.

Recent Changes to HIPAA Enforcement

Halfway through 2018, OCR had only agreed to three settlements with HIPAA-covered entities to resolve alleged HIPAA violations – a fraction of the level in the previous two years. It was starting to look like OCR was easing up on its enforcement of compliance with the HIPAA Rules; however, OCR announced many more settlements in the second half of the year and closed 2018 with 10 settlements and one civil monetary penalty – one more penalty than in 2017. 2018 ended up being a record year for HIPAA enforcement. The final total for fines and settlements was $28,683,400, which beat the previous record set in 2016 by 22%.

OCR’s enforcement activities continued at a high level in 2019, and OCR closed the year with 10 settlements and civil monetary penalties, totaling $12,274,000. In late 2019, OCR announced it was embarking on a new enforcement drive focused on compliance with the HIPAA Right of Access, which requires individuals to be provided with timely access to their medical records for only a reasonable, cost-based fee.

OCR settled two cases in 2019 under this initiative – both for $85,000 – and a further 11 settlements were announced in 2020 to resolve potential violations of the HIPAA Right of Access. In addition to noncompliance with the HIPAA Right of Access, in 2020, OCR imposed financial penalties for particularly egregious cases of noncompliance. The failure to conduct comprehensive risk analyses, poor risk management practices, lack of HIPAA policies and procedures, no business associate agreements, impermissible PHI disclosures, and a lack of safeguards all attracted HIPAA fines in 2020. 2020 saw more financial penalties imposed for violations of the HIPAA Rules than any other year, with the year closing with 19 settlements totaling $13,554,900.

There was a reduction in HIPAA enforcement actions in 2021, with 14 financial penalties announced to resolve HIPAA violations, the majority of which (12) were for violations of the HIPAA Right of Access. Aside from one financial penalty of $5,100,000 for Excellus Health Plan, the financial penalties were far lower in 2021 than in recent years, with penalties totaling $5,982,150 for the year. 2021 also saw an increase in the number of penalties for small healthcare providers.

The trend for smaller penalties continued in 2022, in part due to the nature of the HIPAA violations being enforced and also the new penalty structure OCR adopted (see the Penalty Structure for Violations of HIPAA Regulations in 2026 section below). OCR continued with its heavy focus on the enforcement of compliance with the HIPAA Right of Access, which typically involves a failure to provide one individual with a copy of their medical records, rather than widespread non-compliance with the HIPAA Rules. The average penalty amount in 2022 was $98,688, a quarter of the average penalty the previous year.

2022 saw more settlements and civil monetary penalties imposed (22) than in any other year to date, yet 2022 had the lowest total of financial penalties since 2010, at $2,127,140, the second lowest of any full year since OCR was given the authority to enforce HIPAA compliance. Another trend that became clear in 2022 was OCR pursuing financial penalties against smaller healthcare organizations: 55% of all fines imposed in 2022 were on small medical practices.

There was a notable decline in penalties in 2023, with only 13 investigations resulting in settlements or civil monetary penalties, although there was a slight increase in fines, with $4,176,500 collected. Only 4 of the financial penalties resolved HIPAA Right of Access violations. One of the main reasons for fines was the failure to conduct a comprehensive, accurate, organization-wide risk analysis.

OCR launched a new HIPAA risk analysis enforcement initiative in 2023 and has provided considerable technical assistance to HIPAA-regulated entities on risk analyses. In its investigations of data breaches, OCR found that the lack of a security risk analysis and the failure to implement and adopt security risk management plans were significant deficiencies that contributed to security incidents and breaches. Under this initiative, OCR has imposed several financial penalties for risk analysis failures, and that enforcement initiative remains active in 2026. OCR has also indicated that it will be focusing its efforts on enforcing wider HIPAA Security Rule compliance.

Former OCR Director Melanie Fontes Rainer confirmed that 22 enforcement actions resulted in settlements or civil monetary penalties in 2024, making 2024 one of the most active years of HIPAA enforcement to date, although some of the cases closed in 2024 were not announced until 2025. OCR announced 16 settlements/civil monetary penalties during 2024, and 21 settlements/civil monetary penalties were announced by OCR in 2025.

In contrast to the past few years, there were relatively few enforcement actions in response to HIPAA Right of Access violations (5 penalties) in 2024, demonstrating that this compliance initiative has been effective at encouraging compliance with this Privacy Rule provision. Many of the enforcement actions in 2024 and 2025 resolved violations of the HIPAA Security Rule, with more than half resolving alleged violations of the risk analysis requirement of the HIPAA Security Rule.

In 2024, OCR collected more than $9.9 million in fines, with an average penalty of $579,003 in 2024. The biggest penalty was imposed on Montefiore Medical Center, with $4,750,000 paid to resolve multiple HIPAA Security Rule violations.

In 2025, OCR’s settlements and civil monetary penalties totaled $8,330,066, with an average penalty of $396,670 and a median penalty of $182,000. OCR has focused on one aspect of HIPAA Security Rule compliance – the risk analysis – which has allowed OCR to clear the backlog of investigations more quickly, albeit resulting in smaller, but more numerous penalties.

OCR has been petitioning Congress for further funding to support investigations of HIPAA violations and for Congress to increase the penalties for HIPAA violations. Former OCR Director Melanie Fontes Rainer confirmed that the HITECH and HIPAA audit program has been resurrected, and the third phase of HIPAA compliance audits is now underway, initially involving 50 audits of HIPAA-regulated entities. The audits are focused on HIPAA Security Rule compliance, especially the risk analysis and risk management requirements.

HIPAA Civil Monetary Penalty Overturned

In 2018, OCR imposed a civil monetary penalty of $4,348,000 on the University of Texas MD Anderson Cancer Center. OCR launched an investigation into three data breaches that collectively resulted in an impermissible disclosure of PHI of almost 35,000 individuals. The incidents occurred in 2012 and 2013 and involved the theft of an unencrypted laptop computer and two flash drives.

OCR determined that MD Anderson had violated the HIPAA Rules by failing to encrypt the devices. In April 2019, MD Anderson appealed the penalty, arguing that HHS did not have the authority to impose it and that it was excessive. In January 2021, the Fifth Circuit Court of Appeals vacated the civil monetary penalty as “arbitrary, capricious, and otherwise unlawful” and remanded the case for further proceedings; during the appeal, HHS had conceded that it could not defend a penalty of more than $450,000.

The overturning of the HIPAA fine is thought to have forced OCR to change its approach to HIPAA enforcement, as the successful appeal may encourage other covered entities to appeal proposed financial penalties for HIPAA violations. In 2022, financial penalties were imposed for a variety of reasons, but the majority were for HIPAA Right of Access violations, which appear to be safe ground. HIPAA enforcement in 2024 and 2025 has encompassed a much wider range of HIPAA violations.

In an effort to improve efficiency, OCR restructured and created three new divisions to better utilize the skillsets of its staff. OCR has had a flat budget for years, but its workload has increased significantly, with a 69% increase in complaints between 2017 and 2022 and a 58% increase in data breaches between 2017 and 2021. The restructuring has made better use of OCR’s resources to improve efficiency, which has helped OCR address the current backlog of investigations and conduct more timely investigations, especially investigations of hacking incidents, as evidenced by the increase in settlements and civil monetary penalties in 2025.

OCR Gets a New Director

In September 2021, 8 months into the Biden administration, Lisa J. Pino was appointed as the new OCR Director, taking over from acting OCR Director Robinsue Frohboese, who had headed the agency since the resignation of Roger Severino in January 2021. In contrast to past directors, Pino had cybersecurity and data breach experience, having served as a senior executive service official and senior counsel in the U.S. Department of Homeland Security (DHS). Pino’s cybersecurity experience was expected to change how OCR conducts investigations of data breaches, especially in light of the HIPAA Safe Harbor Law. However, Pino left the role in July 2022, less than a year into her tenure, and Melanie Fontes Rainer was appointed OCR Director.

Melanie Fontes Rainer remained in the role until the administration change, when Anthony Archeval took the helm as Acting OCR Director until the appointment of Paula M. Stannard, who previously served as Senior Counselor and Advisor to former HHS Secretaries Tom Price and Alex Azar between 2017 and 2021 under the previous Trump administration, and Acting General Counsel and Deputy General Counsel for six years between 2003 and 2009 under the George W. Bush administration.

Penalty Structure for Violations of HIPAA Regulations in 2026

In 2019, there was a notable HIPAA change related to enforcement action. OCR issued a Notice of Enforcement Discretion after reinterpreting the requirements of the HITECH Act regarding penalties for non-compliance with the HIPAA Rules.  The HITECH Act called for an increase in the penalties for non-compliance with the HIPAA Rules and, at the time, the HHS interpreted the language of the HITECH Act as requiring a cap of $1.5 million for HIPAA violations across all four penalty tiers. In 2019, the requirements of the HITECH Act were reassessed and interpreted differently. Rather than capping the penalties across all four tiers at the same amount, different maximum fines (adjusted for inflation) were set for each of the four tiers, as detailed in the table below.

Penalty Tier   Level of Culpability                              Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Penalty Cap
Tier 1         Lack of Knowledge                                 $141                            $35,581                         $35,581
Tier 2         Reasonable Cause                                  $1,424                          $71,162                         $142,355
Tier 3         Willful Neglect (corrected within 30 days)        $14,232                         $71,162                         $355,808
Tier 4         Willful Neglect (not corrected within 30 days)    $71,162                         $2,134,831                      $2,134,831

This table reflects the penalty values published in the Federal Register on August 8, 2024, and the Enforcement Discretion caps announced in April 2019. Since the change was made through a Notice of Enforcement Discretion rather than a rule change, it is not legally binding, but OCR has stated that it will remain in effect until further notice.

The Office of Management and Budget (OMB) set the inflation multiplier for 2025 as 1.02598. The OMB required the adjustment to be made by January 15, 2025; however, OCR is often slow to apply inflation increases and has yet to announce an increase to account for the 2025 OMB multiplier. Another increase is due to be applied by January 15, 2026, so it is now likely that a single increase will be applied this year.

FTC Updates Health Breach Notification Rule

A great deal of health information is now collected, processed, and transmitted by entities not covered by HIPAA. That means that the health information is not classed as protected health information and is therefore not subject to the HIPAA Rules. Breaches of health information at HIPAA-regulated entities are subject to the requirements of the HIPAA Breach Notification Rule, but if there is a breach at a non-HIPAA-regulated entity, it is subject to the Federal Trade Commission’s (FTC) Health Breach Notification Rule.

The FTC issued a final rule on April 26, 2024, updating the Health Breach Notification Rule with new and revised definitions to expand coverage to include health apps and other technologies not covered by HIPAA, including websites that collect health data that are not operated by HIPAA-regulated entities. The update also included new requirements for the content of consumer notifications and the requirement to notify the FTC of breaches of 500 or more records. The breach notification timeline is in line with HIPAA, with notifications required without undue delay and no later than 60 days from the date of discovery of a breach of security.

New HIPAA Regulations in 2021

While there were no changes to HIPAA regulations in 2021, new legislation was introduced related to the HIPAA Privacy and Security Rules in terms of cybersecurity, patient access to healthcare data, and HIPAA enforcement.

2021 HIPAA Safe Harbor Law Updating the HITECH Act

On January 5, 2021, the HIPAA Safe Harbor Bill (HR 7898) was signed into law by President Trump and amended the HITECH Act. The purpose of the HIPAA Safe Harbor Bill was to encourage healthcare organizations to adopt “recognized security practices” to improve their defenses against cyberattacks. The HIPAA Safe Harbor Bill instructs the HHS to take into account the cybersecurity best practices that a HIPAA-regulated entity has adopted continuously for the 12 months preceding any data breach when considering HIPAA enforcement actions and calculating financial penalties related to security breaches and HIPAA Security Rule violations.

The name of the bill is a little misleading, as the HITECH Act amendment does not create a safe harbor where HIPAA-regulated entities avoid any audits or financial penalties for data breaches and/or HIPAA Security Rule violations. The bill requires the HHS to decrease the length and extent of any audits in response to those breaches if recognized security practices have been implemented, and financial penalties will be reduced, but not avoided entirely.

If a HIPAA-regulated entity can adequately demonstrate that recognized security practices have been implemented consistently for 12 months, it will be considered by OCR as a mitigating factor. Organizations that have adopted recognized security practices and have completed a HIPAA Security Risk Analysis, identified risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI) and have reduced them to a low and acceptable level, and have implemented technical safeguards to protect ePHI, will be treated more leniently by OCR. Financial penalties will not be increased for HIPAA-regulated entities that do not implement recognized security practices.

In addition to facing lower penalties and sanctions, HIPAA-regulated entities that adopt recognized security practices and are compliant with the requirements of the HIPAA Security Rule will be better protected against security incidents and data breaches.

21st Century Cures Act

The 21st Century Cures Act (Cures Act) of 2016 was introduced to encourage innovation in medical research, and one of the ways that this was achieved was to make it easier for patients to obtain their healthcare data and share that information with research institutions. The Cures Act called for the HHS to create a new Rule that would improve the flow of healthcare data between providers, patients, and developers of Health IT such as electronic health record (EHR) vendors.

The HHS’ Office of the National Coordinator for Health Information Technology (ONC) published its Interoperability and Information Blocking Final Rule in March 2020, and healthcare providers, developers of Certified Health IT, and health information networks or exchanges were given until November 2, 2020, to comply with the information blocking provisions of the Final Rule, although the compliance date was then extended to April 5, 2021, due to the COVID-19 pandemic.

The Centers for Medicare and Medicaid Services (CMS) also published an interoperability rule in March 2020 that applies to Medicare- and Medicaid-participating short-term acute care hospitals, long-term care hospitals, rehabilitation hospitals, psychiatric hospitals, children’s hospitals, cancer hospitals, and critical access hospitals (CAHs). The compliance date for the CMS Rule was July 1, 2021, and the CMS is now enforcing compliance.

Under the CMS Final Rule, CMS-regulated payers including Medicare Advantage (MA) organizations, Medicaid Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP FFS programs, CHIP managed care entities, and QHP issuers, must implement and maintain a secure, standards-based Application Programming Interface (API) to allow patients to access their claims and receive information through a third-party app of their choice, make provider directory information publicly available through a standards-based API, and send electronic patient event notifications of a patient’s admission, discharge, or transfer to another healthcare facility or another community provider or practitioner.

The final interoperability and information-blocking rules do not amend HIPAA or the HITECH Act, although they are related. The final rules promote patient access to ePHI and are intended to make access easier. It is possible that HIPAA policies and procedures could violate the ONC Final Rule if they include practices considered to constitute information blocking. Any entity that engages in information blocking can face financial penalties, which are capped at $1 million (adjusted annually for inflation).

New HIPAA Regulations FAQs

Once a Notice of Proposed Rulemaking has been issued, is it guaranteed that there will be a change to the HIPAA Rules?

Once a Notice of Proposed Rulemaking has been issued, it is not guaranteed that there will be a change to the HIPAA Rules. For example, in 2014, the Department of Health & Human Services issued a Notice of Proposed Rulemaking that would have required health plans to prove compliance with certain areas of the Administrative Simplification standards via certification. The proposed Rule was withdrawn in 2017 due to concerns it would place a significant burden on employers’ self-funded health plans.

How likely is it that all the new HIPAA regulations being proposed in the December 2020 HIPAA NPRM will be adopted?

There is a low likelihood that all the new HIPAA regulations proposed in the December 2020 HIPAA NPRM will be adopted. The American Hospital Association (AHA) is one of a number of stakeholders that have raised concerns about the proposed changes, particularly changes relating to a reduction in the maximum time allowed to respond to patient requests, allowing patients to photograph PHI, and transferring PHI to personal health applications.

Will there definitely be some new HIPAA regulations in 2026?

It is highly likely there will be some new HIPAA regulations in 2026. In addition to the outstanding updates to the HIPAA Privacy Rule proposed in 2020, HHS’ Office for Civil Rights is expected to announce a final rule implementing 2026 HIPAA updates to the HIPAA Security Rule to align existing standards with its Healthcare Sector Cybersecurity strategy.

How much disruption might the new HIPAA regulations create?

Disruption caused by new HIPAA regulations depends on how many new HIPAA regulations are created by 2026 HIPAA final rules and how many of the changes are HIPAA amendments to existing standards rather than new requirements. It will be less disruptive to adapt existing policies and procedures to the new HIPAA amendments than it will be to accommodate completely new HIPAA regulations.

When a HIPAA Final Rule 2026 is published, will covered entities have to comply with it immediately?

When a HIPAA Final Rule 2026 is published, it is unlikely that covered entities will have to comply with it immediately. In most cases, covered entities have 90 or 180 days to comply with a rule change, depending on its complexity. When the original Privacy Rule Final Rule was published in 2002, covered entities were given a year to make systems, policies, and procedures HIPAA compliant. Small health plans were given two years. If a HIPAA Final Rule is published in 2026, HHS’ Office for Civil Rights will most likely allow an appropriate period of time for covered entities (and business associates where applicable) to make the necessary adjustments.

Are HIPAA laws still in effect?

The HIPAA laws are still in effect everywhere. Where a state has adopted regulations with more stringent privacy and security protections or greater individual rights (for example, with regard to the privacy of AIDS patients), the more stringent state provisions preempt the equivalent HIPAA standards, but the remaining HIPAA requirements continue to apply alongside them.

Can HIPAA be overturned?

HIPAA can be overturned by Congress, and, while there have been attempts in the past to repeal certain parts of the Act (for example, the requirement to develop a system of National Patient Identifiers), no part of HIPAA has been overturned to date. However, there have been numerous additions to HIPAA through the Rules added to the Administrative Simplification provisions and via the passage of the HITECH Act in 2009.

Will there be new HIPAA rules for text messaging and email in 2026?

There may be new HIPAA rules for text messaging and email in 2026 due to the proposed “essential” HPH Cybersecurity Performance Goals setting a floor of safeguards to better protect organizations from cyberattacks. The safeguards include email system controls, multi-factor authentication, encryption, and workforce training.

Text messaging and email channels that do not support the new HIPAA safeguards will not be considered suitable for HIPAA-compliant communications. For example, messaging PHI via MS Teams under a Business Associate Agreement will be HIPAA compliant, but messaging PHI via SMS will be a violation of HIPAA unless the recipient has specifically requested SMS communications and has been warned of the risks.

When was HIPAA last updated?

HIPAA was last updated in April 2024 when HHS’ Office for Civil Rights published the HIPAA Final Rule to Support Reproductive Healthcare Privacy. The HIPAA Final Rule added a new section to the HIPAA Privacy Rule (§164.509) and introduced a new system of attestation for certain uses and disclosures of PHI.

The Final Rule was effective from June 25, 2024, although the compliance date was delayed until December 23, 2024, in order to give covered entities sufficient opportunities to amend policies and procedures and provide “material change” training as required. The requirement to revise HIPAA Notices of Privacy Practices was extended until February 16, 2026, to align the revisions with those required by the Part 2 amendments.

Does HIPAA have to be signed yearly?

HIPAA does not have to be signed yearly, but Congress has to be kept informed of its effectiveness via several annual and semi-annual reports. Congress could – if it wished – repeal some or all of the Act, but so much of HIPAA is entwined with other state and federal privacy and security laws, that this is an unlikely option.

Do the changes to HIPAA in 2024 require policy revisions?

The changes to HIPAA in 2024 will require policy revisions when the changes impact a covered entity’s HIPAA-covered operations. For example, healthcare organizations that participate in a Part 2 program must revise their policies with regard to how SUD information is used and disclosed. In addition, the new HIPAA updates relating to the privacy of reproductive healthcare information will likely impact many healthcare organizations’ operations.

When were the most recent HIPAA changes to the HIPAA Privacy Rule?

The most recent HIPAA changes to the HIPAA Privacy Rule were in April 2024 when HHS’ Office for Civil Rights published the HIPAA Final Rule to Support Reproductive Healthcare Privacy. Prior to these HIPAA changes, the updates to the Part 2 regulations would have impacted covered entities who participate in Part 2 programs. Some of the Part 2 and HIPAA changes were synchronized to minimize the administration of the changes.

How will the proposed HIPAA changes of 2024 affect the Security Rule safeguards?

The proposed HIPAA changes of 2024 to support the Healthcare Sector Cybersecurity concept paper will affect the Security Rule safeguards, as the concept paper states there will be “new cybersecurity standards”. While these may affect some Administrative Safeguards (i.e., security management, contingency planning, and security awareness training), most of the new cybersecurity standards should appear as Technical Safeguards.

In the absence of new HIPAA regulations in 2024 to support Healthcare Sector Cybersecurity, the other proposed HIPAA changes in 2024 are unlikely to affect the Security Rule safeguards unless new implementation specifications are adopted to facilitate the transfer of PHI to personal health applications. Any other HIPAA changes to the Security Rule will more likely be in the Security Rule’s General Rules (45 CFR §164.306) rather than the Administrative, Physical, or Technical Safeguards.

What was the name of the last update to HIPAA?

The name of the last update to HIPAA relating to the HIPAA Privacy, Security, or Breach Notification Rules was the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (89 FR 32976). This was published in April 2024 and had an effective date of June 2024 for most of the provisions.

Subsequent to this HIPAA update, the most recent HIPAA update was published by HHS’ Centers for Medicare and Medicaid Services (CMS) in August 2024. This update relates to prior authorization processes and changes some Part 162 operating rules and exception processes. The short name of this update to HIPAA is “Advancing Interoperability and Improving Prior Authorization Processes” (89 FR 8758).

Where can I find the current HIPAA regulations?

To find the current HIPAA regulations, you can visit www.ecfr.gov and navigate to Title 45, Subtitle A, Subchapter C – “Administrative Data Standards and Related Requirements”. This Subchapter contains the current General Rule, Privacy Rule, Security Rule, and Breach Notification Rule among other HIPAA regulations relating to data standards, enforcement procedures, and the imposition of fines.

It is important to be aware of other federal laws closely related to HIPAA (i.e., 42 CFR Part 2 and §1177 of the Social Security Act) and that some state laws pre-empt the HIPAA latest version or exempt HIPAA-covered entities. It is also important to be aware that the Combined Regulation Text published by the Department of Health and Human Services is not an up-to-date version of the current HIPAA regulations.

How often does HIPAA need to be updated?

There are no regulations that stipulate how often HIPAA needs to be updated. However, parts of the Act are updated every few years to accommodate other acts of legislation (e.g., the NICS changes in 2016 were attributable to an amendment to the Brady Gun Law), to introduce new transaction codes for recently developed drugs and medical products, or to close loopholes in claims procedures. You can keep up to date with the latest HIPAA regulations by subscribing to HHS’ “OCR Privacy & Security Listserv”.

Will there be changes to the HIPAA laws regarding minors in 2026?

It is unlikely that there will be changes to the HIPAA laws regarding minors in 2026 based on how HHS’ Office for Civil Rights addressed the issue of “personal representatives” in the 2024 HIPAA changes to support the privacy of reproductive healthcare information. (“Nothing in this final rule is intended to alter any other use or disclosure permissions for personal representatives, nor does it interfere with the ability of states to define the nature of the relationship between a minor and a parent or guardian”).

Under HIPAA, minors are either “unemancipated” (i.e., subject to the control, authority, and supervision of their parents) or “emancipated” (i.e., living independently as an adult regardless of their age). As an unemancipated minor can be as old as 21 years in some jurisdictions and an emancipated minor as young as 14 years in others (subject to court approval), it would be difficult for HHS to change the HIPAA laws regarding minors in 2025 without creating further challenges with regard to minors’ personal representatives (i.e., parents, guardians, etc.) and providers’ good faith beliefs about what PHI should be disclosed to – or withheld from – minors’ personal representatives.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
