Data Security Guidance: The Difference Between the Proposed HIPAA Security Rule Update and an Actual Rule Change
This article covers the status of the December 2024 proposal to revise the HIPAA Security Rule
In late December of 2024, HHS proposed, through a Notice of Proposed Rulemaking (NPRM), to revise the HIPAA Security Rule. Does this mean that there is a new Security Rule in place? Absolutely not. To understand why, it helps to know the difference between a proposed rule (which is what the December 2024 HHS proposal is) and a final rule. A proposed rule is exactly that: a proposal. Only a final rule has the force of law.
What is a Regulation?
In 1996, HIPAA (a law, or statute) was passed. In the law, Congress gave the Department of Health and Human Services (HHS), an executive branch agency, the authority to enforce that law by directing HHS to come up with regulations for it. The HIPAA statute itself is, in effect, a broad command: the security of PHI must be protected. The Security Rule, or regulations, supplies the "who, what, when, where, and how" details that dictate how the law is to be implemented - what security measures are required, who must take them, and how and when those security measures must be implemented.
In general, the authority to issue regulations includes the authority to issue subsequent regulations that are necessary to effect a law's purpose. The Security Rule has not been updated since 2013. Significant technological advancements have taken place since then, prompting HHS' proposal (the NPRM) to strengthen the Security Rule's standards - that is, to update the regulation itself.
What Happens to a Rule after it is Proposed?
Once a Notice of Proposed Rulemaking, or NPRM, is issued, the issuing agency (here, HHS) solicits comments from the public on the proposal. During the comment period, interested stakeholders can submit comments on what they think about the proposed rule. Once the comment period closes, the agency then reviews the comments.
Once an agency has completed a legally required review of comments, the agency then must decide how to proceed. In some instances, in response to comments, the agency may request additional feedback on the proposed rule or certain aspects of it. In others, the agency may revise the proposed rule and issue another proposed rule in its place. In others still, the agency may withdraw the proposed rule, or may simply choose to not act on the proposal any further.
If an agency decides to go ahead and finalize the rule (make the proposed rule official), the agency publishes a final rule. A final rule has the effect of law. A proposed rule does not - it is, as the name implies, just a proposal.
What is the Status of the Proposed Security Rule Modifications?
When HHS issued the NPRM, it provided for a 60-day comment period. The comment period closed on March 7, 2025. HHS received a total of 4,747 comments - a significant number.
HHS is not required to finalize the proposed rule within a set time frame.
Has HHS Indicated What it Intends to Do With the Proposal?
The Health Care Compliance Association (HCCA), a major industry player, interviewed HHS OCR Director Paula Stannard through its publication, Report on Patient Privacy (RPP), in mid-December of 2025. The interview touched on a number of Security Rule issues, including the ongoing HIPAA risk analysis initiative. The status of the proposed rule? Well... RPP wrote an article summarizing the interview on January 4, 2026. The title? "OCR's Stannard Mum on Fate of Security Rule NPRM" (Report on Patient Privacy 26, no. 1 (January 2026)). Director Stannard discussed the proposed rule, but gave no hint as to its fate.
You can check the status of the rule by going to this website: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202504&RIN=0945-AA2
Update: On April 6, 2026, at a HIPAA Summit, Director Stannard spoke about the proposed rule.
Director Stannard acknowledged interest groups' claims that the proposed rule would be burdensome to implement. She also noted that OCR has not finished its review of the 4,700+ comments.
"I can't say much about what we will end up doing on it, and after we review the comments, the Trump administration may have a different view on the burdens and benefits of the proposed changes, because the proposal-making is quite lengthy," Stannard said.
Stannard also noted, "I've heard complaints about the costs and burdens that would be imposed by the security proposed modifications, but I want to encourage you not to overlook the very high cost of doing nothing. A successful cyberattack can cost far more in terms of reputation - the need to pay ransom, remediation of your systems, [credit monitoring] protection for those whose protected health information was accessed, potential civil liability - and investors knocking at your door asking for documents and initiating an investigation," she said.
Stannard noted that the current rule's "addressable" implementation specifications are not optional. "In practice, regulated entities, especially small and medium sized entities, have treated addressable implementation specifications as optional, and this means that they have not done it," she said. "This has resulted in much more lax security. PHI encryption is a good example under the current security rule."
"It was understandable when we first adopted the Security Rule in 2003 encryption technology was not available. It was very expensive, and for many entities, it may not have been reasonable and appropriate," she said. That's no longer always the case, she said. "It's quite likely that... encryption would now be a reasonable and appropriate measure to adopt in most instances, and that should already be implemented."
A final action for the proposed rulemaking is still anticipated for May on the HHS OCR regulatory agenda, although the final action is subject to postponement.
Conclusion
The HIPAA Security Rule NPRM reflects HHS' desire to update the Security Rule to ensure it achieves the purpose of securing electronic protected health information in the 21st century. The public was given an opportunity to comment on the proposed rule. The comment period has closed. HHS must now decide how to act on the proposed rule; until a final rule is published, the existing Security Rule remains the one in force. Compliancy Group will let clients know if and when the proposed rule becomes final.
This article was last updated on April 10, 2026.