The U.S. Department of Health and Human Services (HHS) updated its timeframes for upcoming rulemakings on the reginfo.gov website. These dates are not set in stone, but represent HHS' current projections of when new proposed and final rules will be published. HHS' last regulatory update was in spring 2025.

HHS has pushed back the date of the final amendments to the HIPAA Security Rule from May 2026 to July 2027. The description of the rule has remained the same since the spring 2025 regulatory update, but the status of the rulemaking has gone from "final rule stage" to "long term actions." Also, this rulemaking is no longer included in the 2026 Agency Rule List (it instead can be found by searching the website). The new July 2027 date indicates that HHS still intends to finalize at least some of the proposed amendments to the Security Rule. We suspect, however, that HHS will finalize only some of the proposals—likely less controversial ones that it believes provide the highest risk reduction.

On a more immediate timeframe, HHS indicates that it intends to release final amendments to the Privacy Rule to support coordinated care (RIN 0945-AA00) next month. This final rule was proposed on January 21, 2021, and:

. . . will address proposals to modify the HIPAA Privacy Rule to strengthen individuals' rights to access their own protected health information, including electronic information; improve information sharing for care coordination and case management for individuals; facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhance flexibilities for disclosures in emergency or threatening circumstances; support the use of telecommunications relay services by individuals and workforce members of HIPAA covered entities and business associates who are deaf, hard of hearing, deaf-blind, or who have a speech disability; expand the Privacy Rule permission to use and disclose protected health information of Armed Forces personnel for national readiness purposes so that it applies to all uniformed services personnel; and reduce administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals' health information privacy interests.

We may see:

  • changes to the "serious and imminent threat" standard;
  • a new exception to the minimum necessary standard for disclosures involving health plans for care coordination and case management activities;
  • deletion of the requirement for healthcare providers to obtain acknowledgement of receipt of the notice of privacy practices; and
  • changes to align the right-of-access regulatory language with the Ciox Health v. Azar decision that limited the scope of "third party directives" (when the individual requests that a copy of protected health information go to a third party).

The final rule also may require changes to the content of the HIPAA notice of privacy practices. HHS sent this final rule to the Office of Management and Budget (OMB) on April 4, 2026, and currently is awaiting OMB approval. If a covered entity is considering revising its notice of privacy practices, then it may wish to wait until this final rule is published to avoid the possibility of revising the notice twice in a short period of time.

Next up, according to the regulatory agenda, is a proposed rule (RIN 0945-AA28) to promote individuals' timely access to protected health information. HHS indicates that this proposed rule is expected in November 2026 and "would address the amount of time that covered entities have to respond to requests for protected health information … made pursuant to the right of access." The January 21, 2021, proposed rule would shorten the right-of-access deadline from a 30-day period with a 30-day extension available to a 15-day period with a 15-day extension available under more limited circumstances. The fact that HHS is planning a separate proposed rule on the right-of-access timeline suggests that HHS will not finalize the 2021 amendments on this issue and may be seeking comment on an alternative approach.

Finally, on the long-term front, HHS indicates that in November 2027 it intends to publish a proposed rule (RIN 0945-AA04) for "a methodology for the distribution of [civil money penalties (CMPs)] and monetary settlements to those harmed by an offense under the HIPAA Rules relating to privacy or security." The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act required HHS to publish such a rule within three years. Obviously, HHS is running a bit late on this one. This rulemaking poses big questions regarding how the federal government will find that someone has been harmed by a privacy incident, what reimbursement is appropriate, and how this will impact the number of complaints to OCR and the resolution of such complaints.

These regulatory updates provide the most formal statement we have seen in over a year regarding this administration's plans for HIPAA. It is worth noting again, however, that all of these timelines are aspirational and HHS' policy initiatives are always subject to change.

+++

Adam Greene is a partner in Washington, D.C., Becky Williams is senior counsel in Seattle and chair of the firm's health information practice, and Apurva Dharia is an associate in Washington, D.C. For any questions or more insights, please contact the authors or another member of our healthcare and privacy & security teams and sign up for our alerts.