Data Security Guidance: The Difference Between the Proposed HIPAA Security Rule Update and an Actual Rule Change

This article covers the status of the December 2024 proposal to revise the HIPAA Security Rule
In late December 2024, HHS proposed, through a Notice of Proposed Rulemaking (NPRM), to revise the HIPAA Security Rule. Does this mean that a new Security Rule is now in place? Absolutely not. To understand why, it helps to know the difference between a proposed rule (which is what the December 2024 HHS proposal is) and a final rule. A proposed rule is just that, a proposal. Only a final rule has the force of law.

What is a Regulation?
In 1996, HIPAA (a law, or statute) was passed. In that law, Congress gave the Department of Health and Human Services (HHS), an executive branch agency, the authority to enforce it by directing HHS to issue regulations implementing it. The HIPAA law is written as a broad command: “Security of PHI must be protected.” The Security Rule, or regulations, supplies the “who, what, when, where, and how” details that dictate how the law is to be implemented: what security measures are required, who must take them, and how and when those measures must be implemented.

In general, the authority to issue regulations includes the authority to issue subsequent regulations that are necessary to effect a law’s purpose. The Security Rule has not been updated since 2013. Significant technological advancements have taken place since then, prompting HHS’ proposal (the NPRM) to strengthen the Security Rule’s standards, that is, to update the Security Rule (the regulation).

What Happens to a Rule after it is Proposed?
Once a Notice of Proposed Rulemaking, or NPRM, is issued, the issuing agency (here, HHS) solicits comments from the public on the proposal. During the comment period, interested stakeholders can submit comments on what they think of the proposed rule. Once the comment period closes, the agency reviews the comments.

Once an agency has completed the legally required review of comments, it must decide how to proceed. In some instances, in response to comments, the agency may request additional feedback on the proposed rule or on certain aspects of it. In others, the agency may revise the proposed rule and issue another proposed rule in its place. In others still, the agency may withdraw the proposed rule, or may simply choose not to act on the proposal any further.

If an agency decides to go ahead and finalize the rule (make the proposed rule official), it publishes a final rule. A final rule has the effect of law. A proposed rule does not; it is, as the name implies, just a proposal.

What is the Status of the Proposed Security Rule Modifications?
When HHS issued the NPRM, it provided for a 60-day comment period. The comment period closed on March 7, 2025. HHS received a total of 4,747 comments, a significant number.

HHS is not required to finalize the proposed rule within a set time frame.

Has HHS Indicated What it Intends to Do With the Proposal?
The Health Care Compliance Association (HCCA), a major industry player, interviewed HHS OCR Director Paula Stannard through its publication, Report on Patient Privacy (RPP), in mid-December 2025. The interview touched on a number of Security Rule issues, including the ongoing HIPAA risk analysis initiative. The status of the proposed rule? RPP published an article summarizing the interview on January 4, 2026, under the title “OCR’s Stannard Mum on Fate of Security Rule NPRM” (Report on Patient Privacy 26, no. 1 (January 2026)). Director Stannard discussed the proposed rule but gave no hint as to its fate.

You can check the status of the rule on the Unified Agenda entry at https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202504&RIN=0945-AA2

Conclusion
The HIPAA Security Rule NPRM reflects HHS’ desire to update the Security Rule so that it achieves its purpose of securing electronic protected health information in the 21st century. The public was given an opportunity to comment on the proposed rule. The comment period has closed. HHS must now decide whether and how to finalize the proposed rule. Compliancy Group will let clients know if and when the proposed rule becomes final.