Advisories July 10, 2026

Health Care / Privacy, Cyber & Data Strategy Advisory | HHS Office for Civil Rights Delays Final HIPAA Security Rule Until 2027 as Privacy Rule Changes Near

Executive Summary
Minute Read

Our Health Care and Privacy, Cyber & Data Strategy teams discuss the delayed final Health Insurance Portability and Accountability Act (HIPAA) Security Rule timeline from the HHS Office for Civil Rights (OCR) and track expected Privacy Rule updates.

  • The OCR delayed the final HIPAA Security Rule until July 2027
  • The proposed Security Rule may still move forward in some form
  • Privacy Rule changes are expected in August 2026, with potential compliance obligations

A newly released regulatory agenda from the Department of Health and Human Services’ Office for Civil Rights (OCR) has HIPAA covered entities and business associates breathing a sigh of relief—at least for now. According to reginfo.gov, the OCR has delayed finalizing the HIPAA Security Rule until July 2027.

The OCR's prior regulatory agenda had raised expectations that the changes to the Security Rule, originally proposed in January 2025, could be finalized in May 2026. When that date passed without action, speculation intensified over the proposed rule’s future. Despite strong industry pushback and continued hopes that the OCR may quietly abandon the proposed rule, the agency’s latest move indicates that finalization of the rule—at least in some form—remains likely. Our previous advisory provided an in-depth look at what the proposed rule could mean for covered entities and business associates.

While HIPAA-regulated entities now have more time to prepare for changes to the Security Rule, the OCR’s regulatory agenda also points to imminent changes to the Privacy Rule. Proposed over five years ago, in January 2021, finalization of the "Changes to Support Coordinated Care and Individual Engagement and Reduce Regulatory Burdens" is now slated for August 2026. The updates to the Privacy Rule are expected to strengthen individuals’ ability to access their own health information and enhance information sharing for care coordination purposes.

Alston & Bird continues to track OCR rulemaking. Please reach out to one of our health care or privacy attorneys to discuss further or for assistance in preparing your organization for potential changes. 


If you have any questions, or would like additional information, please contact one of the attorneys on our Health Care team or one of the attorneys on our Privacy, Cyber & Data Strategy team.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.


Media Contact
Alex Wolfe
Communications Director