A newly released regulatory agenda from the Department of Health and Human Services’ Office for Civil Rights (OCR) has HIPAA covered entities and business associates breathing a sigh of relief—at least for now. According to reginfo.gov, the OCR has delayed finalizing the HIPAA Security Rule until July 2027.
The OCR's prior regulatory agenda had raised expectations that the changes to the Security Rule, originally proposed in January 2025, could be finalized in May 2026. When that date passed without action, speculation intensified over the proposed rule’s future. Despite strong industry pushback and continued hopes that the OCR may quietly abandon the proposed rule, the agency’s latest move indicates that finalization of the rule—at least in some form—remains likely. Our previous advisory provided an in-depth look at what the proposed rule could mean for covered entities and business associates.
While HIPAA-regulated entities now have more time to prepare for changes to the Security Rule, the OCR’s regulatory agenda also points to imminent changes to the Privacy Rule. Proposed over five years ago, in January 2021, finalization of the "Changes to Support Coordinated Care and Individual Engagement and Reduce Regulatory Burdens" is now slated for August 2026. The updates to the Privacy Rule are expected to strengthen individuals’ ability to access their own health information and enhance information sharing for care coordination purposes.
Alston & Bird continues to track OCR rulemaking. Please reach out to one of our health care or privacy attorneys to discuss further or for assistance in preparing your organization for potential changes.
If you have any questions, or would like additional information, please contact one of the attorneys on our Health Care team or one of the attorneys on our Privacy, Cyber & Data Strategy team.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.


