TL;DR: HHS/OCR's proposed overhaul of the HIPAA Security Rule -- the biggest rewrite since 2013 -- just moved its Final Action target from May 2026 to July 2027, per the 2026 Unified Agenda (RIN 0945-AA22). This is not a CMMC, DFARS, or FAR rulemaking, and it does not apply to government contractors generally. But it is another example of federal cybersecurity regulation converging on the same pattern GovConCyber has been tracking across CIRCIA, the FAR CUI rule, and CMMC: documented, evidence-based, data-specific security obligations. Current HIPAA Security Rule requirements remain in effect and unchanged.
What Just Showed Up in the Unified Agenda
The Department of Health and Human Services' Office for Civil Rights (HHS/OCR) has updated its Unified Agenda entry for RIN 0945-AA22, "HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information." The rulemaking is in the Final Rule Stage, and the Final Action timetable now reads 07/00/2027 -- Unified Agenda shorthand for "month set, exact date not yet set." The prior Spring 2025 agenda had targeted May 2026, so this is roughly a 14-month slip.
HHS/OCR issued the notice of proposed rulemaking (NPRM) on December 27, 2024, and published it in the Federal Register on January 6, 2025 (90 FR 898). The rulemaking is designated Economically Significant and Major, and HHS's own Regulatory Impact Analysis projects roughly $9 billion in industry compliance costs in the first year, followed by approximately $6 billion annually in years two through five. HHS received nearly 5,000 public comments, with substantial pushback from healthcare organizations on cost and implementation timelines -- which is almost certainly what pushed the date.
What the Proposed Rule Would Actually Do
Per HHS/OCR's fact sheet, the proposal would modify 45 CFR Parts 160 and 164 and represents the most significant Security Rule rewrite since 2013. Key proposed changes include:
- Eliminating the "required" versus "addressable" distinction -- nearly all implementation specifications would become required, with only limited exceptions.
- Requiring written documentation of Security Rule policies, procedures, plans, and analyses.
- Requiring a technology asset inventory and network map showing where ePHI moves, updated at least every 12 months and after material changes.
- More specific, prescriptive risk analysis requirements.
- Required incident-response planning and restoration procedures.
- Annual compliance audits.
- Annual technical-safeguard verification and certification from business associates.
- Encryption of ePHI at rest and in transit, with limited exceptions.
- Multi-factor authentication, vulnerability scanning at least every six months, penetration testing at least annually, and network segmentation.
HHS is explicit on one point that matters most for readers: "While the Department is undertaking this rulemaking, the current Security Rule remains in effect." Nothing above is a live obligation yet.
Why This Belongs on GovConCyber
This is not a contractor rulemaking, and GovConCyber is not going to tell you HIPAA now applies to your DoD or civilian-agency contract -- it does not, unless your organization is itself a HIPAA covered entity or business associate. But the substance of this proposal is a clean illustration of the pattern this site keeps documenting across CIRCIA, the FAR CUI rule, and CMMC's Rev. 3 transition: federal cybersecurity regulation is converging on documented, evidence-based, data-specific security obligations, regardless of which statute or agency is writing the rule.
Compare the throughlines:
- Documented programs, not informal assurances. HHS/OCR wants written policies, procedures, risk analyses, inventories, and network maps -- the same shift CMMC made from self-attestation to assessed evidence.
- Third-party verification. HHS/OCR's proposed annual business-associate certification mirrors the compliance-evidence discipline DFARS 252.204-7012, SPRS, and CMMC already impose on subcontractors.
- Data-specific obligations. ePHI is not CUI, FCI, or CDI -- but the compliance logic is identical: first identify what protected data exists and where it moves, then work outward to the safeguards that attach.
- Prescriptive technical controls. MFA, encryption, vulnerability scanning, penetration testing, and segmentation are becoming default expectations across sectors, not DoD-specific asks.
For contractors that also do health-sector or grant-funded health IT work, this is worth tracking directly. For everyone else, it is a useful data point for the broader argument that "what data do we hold, and what does that specific data type require" is becoming the universal starting question in federal cybersecurity compliance -- not just a CMMC-era phrase.
What to Do Now
1. If your organization is a HIPAA covered entity or business associate, do not wait for the final rule to start building toward the proposed controls -- a 14-month slip is not a signal this is going away. 2. If you are a government contractor without HIPAA exposure, use this as a prompt to confirm you know which federal or sector-specific cyber rules -- beyond DFARS/FAR/CMMC -- might apply to your specific data holdings and client base. 3. Do not treat the current proposed requirements as binding. The existing HIPAA Security Rule remains in effect unchanged until a final rule publishes. 4. Set a calendar check for mid-2027 rather than treating July 2027 as fixed -- Unified Agenda dates for this rule have already slipped once.
Key Takeaways
- HHS/OCR's HIPAA Security Rule overhaul (RIN 0945-AA22) now targets Final Action in July 2027, delayed from a prior May 2026 target -- roughly a 14-month slip driven by nearly 5,000 public comments and a projected $9B first-year compliance cost.
- The proposal would eliminate the required/addressable distinction, mandate written documentation and asset inventories, and require MFA, encryption, and regular vulnerability testing -- but none of it is binding yet; the current Security Rule remains in effect.
- This is not a CMMC, DFARS, or FAR rule and does not apply to contractors generally -- but it reinforces the same documented, evidence-based, data-specific compliance pattern showing up across the federal cyber rulemaking landscape.
Sources
- Office of Information and Regulatory Affairs, Unified Agenda, RIN 0945-AA22, Publication ID 2026, Final Action projected 07/00/2027, accessed July 10, 2026, https://www.reginfo.gov/public/do/eAgendaViewRule?RIN=0945-AA22&pubId=202510.
- U.S. Department of Health and Human Services, Office for Civil Rights, HIPAA Security Rule NPRM Fact Sheet, https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html.
- Federal Register, 90 FR 898 (Jan. 6, 2025), https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information.
Informational only, not legal advice; this is a Unified Agenda listing, not a published final rule -- verify all details against the Federal Register once the final rule is issued.