Since the Department of Health and Human Services Office for Civil Rights’ (OCR) publication of a proposed rule to overhaul the HIPAA Security Rule in January 2025, many in the health care privacy community have wondered whether the rule would quietly fade away. Some even hoped it might be dead in the water. However, despite sharp criticisms and industry pushback, recent developments confirm that the OCR has kept the rule’s finalization on its official regulatory agenda for May 2026.
We provided an in-depth look at what the proposed rule could mean for covered entities and business associates here. If the rule is finalized as proposed, it would mean a radical shift in how the Security Rule is applied: away from a flexible approach that accounts for the various types of regulated entities and toward a more rigid approach with some prescriptive, strict security requirements that could be difficult to fulfill. The OCR itself estimated that in just the first year, compliance across all covered entities and business associates would cost $9 billion. Moreover, regulated entities might not have as much time as they desire from the final rule’s publication date to come into compliance. If finalized as proposed, entities would have just 240 days.
It remains to be seen exactly when and to what extent the proposed rule will be finalized, and how far the final rule will take into account the industry feedback provided. For now, stakeholders should prepare for what could be a transformational change to their HIPAA security programs.
Alston & Bird continues to track the proposed rulemaking. Please reach out to one of our health care or privacy attorneys to discuss further or for assistance in preparing your organization for potential changes.



