If you’ve been searching for a HIPAA Security Rule update in 2026, you’re not alone.
Over the past several months, we’ve received a steady stream of questions from therapists, practice owners, and compliance program members:
- Is the proposed HIPAA Security Rule still happening?
- Was it withdrawn?
- Has the OCR delayed it?
- Should I be making changes right now?
- What does this mean for my practice?
These are reasonable questions.
The proposed rule would represent the most significant update to the HIPAA Security Rule in more than twenty years. It generated thousands of public comments, sparked extensive debate across healthcare, and prompted strong reactions ranging from “This is long overdue” to “This will be impossible for smaller organizations to implement.”
Then May came and went. No final rule. No withdrawal. No major announcement.
And, as of this writing, the next regulatory agenda cycle has not yet been released.
For many people, that silence has created uncertainty. But here’s the thing:
While everyone is asking what the OCR is going to do, very few people are asking the more important question.
And that question should be driving your next step.
Where Things Actually Stand
The proposed HIPAA Security Rule update was listed on the OCR’s Spring 2026 regulatory agenda with a target date of May 2026. As of this writing, May has passed.
That may sound significant, but it’s important to understand what regulatory agenda dates actually represent.
These are projected targets, not binding deadlines.
Federal agencies routinely miss those dates, revise them, and move actions into future agenda cycles. In some cases, that happens multiple times before a rule is finalized — or before an agency ultimately decides not to move forward.
In other words, the fact that May has come and gone does not tell us whether the proposal will be finalized, modified, delayed again, or withdrawn.
It tells us only that the OCR did not complete the rulemaking process on the timeline it had previously projected.
At this point:
- No final rule has been issued.
- The proposal has not been withdrawn.
- No compliance deadline has started.
- The OCR continues to review approximately 4,700 public comments submitted in response to the Notice of Proposed Rulemaking (NPRM).
So if you’ve been wondering whether you missed a major announcement, the answer is no.
There hasn’t been one.
The Wrong Question
Whenever a major regulatory proposal appears, it’s natural to become focused on the proposal itself. People start asking:
- What if it passes?
- What if it doesn’t?
- Should I wait?
- Should I start implementing everything now?
- How much is this going to cost me?
Those questions make sense.
But they can also pull our attention away from the issue that actually matters most. The central question has never really been:
What might the OCR require in the future?
The central question has always been:
What is reasonable and appropriate for protecting client information today?
That’s not a proposed standard. It’s the existing standard, written into the general requirements of the current HIPAA Security Rule (45 CFR § 164.306), and it is the foundation on which every other Security Rule requirement rests.
And it’s the standard mental health practices should be applying regardless of what ultimately happens with the proposed rule.
Regulatory Uncertainty Does Not Mean Security Uncertainty
One of the points we discussed recently on the Practice Tech Podcast is that regulatory uncertainty does not create security uncertainty.
The OCR may still be deciding what to do. Cybercriminals are not.
The threat landscape is not sitting around waiting for the next regulatory agenda.
Ransomware attacks continue. Business email compromise continues. Credential theft continues. Healthcare breaches continue.
And every day, therapists and practice owners continue making decisions about technology, devices, vendors, communication systems, documentation workflows, remote work practices, and access to client information.
The current HIPAA Security Rule remains fully in effect.
More importantly, the risks the Security Rule was designed to address remain fully in effect.
So while we don’t know what the OCR will ultimately do with the proposed rule, we do know something else with certainty:
Safeguarding client information remains an active responsibility today.
Not next year.
Not after a final rule.
Not after the next regulatory agenda.
Today.
What OCR Director Paula Stannard’s Comments Tell Us
The most meaningful public remarks we’ve heard recently came from OCR Director Paula Stannard during the 43rd National HIPAA Summit in April 2026.
Importantly, Stannard did not announce a decision. She did not preview a final rule.
And she carefully avoided signaling whether the OCR intends to finalize, modify, delay, or withdraw the proposal.
What she did provide was insight into how the OCR is thinking about the problems the proposal is attempting to address.
And frankly, that may be more useful than speculation about timelines.
Because the concerns that drive a proposal tend to outlast the rulemaking itself.
The Cost of Doing Nothing
One of the strongest themes in Stannard’s remarks was that organizations should not focus exclusively on the cost of compliance.
They should also consider the cost of inadequate security.
That includes:
- Ransomware incidents
- System remediation
- Operational disruption
- Breach response
- Credit monitoring
- Reputational damage
- Civil liability exposure
This stood out because it reflects something we’ve taught for years at Person Centered Tech. HIPAA Security compliance is not fundamentally about avoiding penalties. It is about avoiding preventable harm.
The purpose of the Security Rule has never been to create arbitrary administrative burdens, but rather to protect the confidentiality, integrity, and availability of protected health information.
In other words:
The goal is not compliance. The goal is security.
Compliance is the framework HIPAA gives us for getting there. As my colleague Evan put it during our podcast discussion:
“The cost of the lock is often cheaper than the cost of what’s in the safe.”
That is a useful lens through which to evaluate almost every security decision.
The Most Persistent HIPAA Misunderstanding
Stannard also highlighted something we’ve spent years helping therapists understand:
The misconception that “addressable” means optional.
It doesn’t.
And it never has.
Under the current Security Rule, addressable means:
- Assess whether a safeguard is reasonable and appropriate.
- If it is, implement it.
- If it isn’t, document why implementing it would not be reasonable and appropriate, and implement an equivalent alternative safeguard if one is reasonable and appropriate.
What HIPAA has always required is thoughtful analysis and documented decision-making.
Not avoidance. Not wishful thinking. Not pretending the risk doesn’t exist.
One of the reasons this matters is that what qualifies as reasonable and appropriate changes over time. The standard doesn’t change. The context does.
Why Encryption Was Such a Telling Example
Stannard specifically pointed to encryption.
That wasn’t accidental.
When the Security Rule was written more than twenty years ago, encryption was far less accessible than it is today. Technology, threats, costs, and expectations have all changed. The point wasn’t that encryption suddenly became important because the OCR proposed a new rule.
The point was that many organizations should already be concluding that encryption is reasonable and appropriate based on today’s realities.
That is a critical distinction.
The argument isn’t:
You should do this because a future rule might require it.
The argument is:
You should evaluate it honestly based on today’s technology and today’s threat landscape.
That is exactly how the Security Rule was designed to function.
Why Risk Analysis Remains the Heart of Everything
Perhaps unsurprisingly, Stannard also noted that risk analysis deficiencies remain one of the OCR’s most common findings.
Not just missing risk analyses.
Incomplete analyses.
Outdated analyses.
Analyses that never meaningfully influence decision-making.
This is where many organizations get stuck.
They treat risk analysis as a deliverable.
A form.
A report.
A checkbox.
But risk analysis is none of those things.
Risk analysis is a process.
It is the mechanism that allows a practice to answer the central question:
What is reasonable and appropriate for us?
Without that process, decisions become guesses.
With that process, decisions become informed, defensible, and useful.
That’s why risk analysis sits at the center of HIPAA Security compliance.
And it’s why we continue to emphasize it so heavily in our programs, consultations, and educational resources.
In-Practice Compliance and Formal Compliance
One of the most important distinctions we make at Person Centered Tech is the difference between in-practice compliance and formal compliance.
Both matter.
But they are not the same thing.
In-Practice Compliance
In-practice compliance is about what is actually happening in your practice.
It asks:
- How does client information flow into your practice?
- How does it move through your practice?
- How does it leave your practice?
- What systems store it?
- Who has access to it?
- What vendors touch it?
- What devices are used?
- What technical, administrative, and physical safeguards are actually in place?
In-practice compliance is about whether client information is truly being safeguarded using reasonable and appropriate measures based on reasonably anticipated threats.
Formal Compliance
Formal compliance is about whether those safeguards are properly documented and codified through the structures HIPAA requires.
That includes:
- HIPAA Security policies and procedures
- Workforce training
- Documentation
- Assigned responsibilities
- Required administrative processes
Formal compliance matters. But formal compliance should support actual security. It should not replace it.
A practice can be doing meaningful, client-protective security work and still have gaps in formal documentation.
A practice can also have beautifully written policies that bear little resemblance to what is happening day-to-day.
The latter may look compliant on paper. But it does very little to protect client information. The most important goal of the Security Rule is not performative compliance. The most important goal is safeguarding client information.
Documentation should support that goal, not distract from it.
What We’re Telling Practices Right Now
We are not telling practices to panic. We are not telling practices to implement every element of a proposed rule that may never become final. And we are certainly not telling practices to sit back and wait.
We are telling practices to continue doing the work that matters regardless of what the OCR ultimately decides. That means:
- Understanding your security circle
- Knowing where PHI lives
- Reviewing multi-factor authentication and encryption
- Evaluating vendors and business associates
- Maintaining a current risk analysis
- Documenting decisions
- Implementing safeguards that are reasonable and appropriate for your environment
Those actions make sense if the proposed rule is finalized. They make sense if it is modified. They make sense if it is delayed again. And they make sense if it is withdrawn entirely. Because they were never really about the NPRM.
They were always about protecting client information.
How PCT Can Help
If you’re wondering where your practice stands today — or what your next step should be while the proposed rule remains in limbo — we have resources designed specifically for mental health practices.
Start With the Free Mini Risk Analysis Tool
Our free Mini Risk Analysis Tool provides a quick snapshot of your practice’s security posture.
It helps you identify key components of your security circle and evaluate your safeguards through the same reasonable-and-appropriate lens discussed throughout this article.
While it is not a substitute for a full HIPAA Security Risk Analysis, it can help you understand where you’re already doing well, where there may be gaps, and where you may want to focus your attention next.
Get a Consultant-Performed HIPAA Security Risk Analysis and Risk Mitigation Plan
For practices that want a thorough and accurate HIPAA Security Risk Analysis, our consultant-led Risk Analysis and Mitigation Plan (RAMP) service delivers both the Risk Analysis and the Risk Mitigation Plan that follows from it.
What makes our approach different is that we evaluate both in-practice compliance and formal compliance.
We don’t simply ask whether documentation exists, but instead examine how client information actually flows into, through, and out of your practice.
We evaluate whether the safeguards currently in place are reasonable and appropriate based on reasonably anticipated threats.
And we document the good work you’re already doing.
That means your mitigation plan is not simply a list of paperwork tasks. It becomes a genuinely useful roadmap that prioritizes addressing the most meaningful risks to client information first, while also addressing the formal compliance requirements HIPAA expects.
Because our goal is not performative compliance.
Our goal is helping practices meaningfully protect client information.
Use a Comprehensive HIPAA Security Compliance Program
For practices that want a complete roadmap and ongoing support, our HIPAA Security Compliance Programs for solo and group practices address both in-practice and formal compliance needs.
These programs help practices:
- Build and maintain a strong security circle
- Implement reasonable and appropriate safeguards
- Develop and maintain HIPAA Security policies and procedures
- Train workforce members
- Address vendor, device, workspace, and system risks
- Document decisions and mitigation efforts
- Maintain compliance as technology and threats evolve
One of the reasons we feel confident encouraging practices to focus on reasonable and appropriate safeguards rather than trying to predict the fate of the NPRM is that the vast majority of the proposed rule reflects security and compliance practices we’ve been teaching for years.
In fact, our current HIPAA Security Compliance Programs already address more than 95% of the substantive safeguards, risk management activities, and compliance expectations reflected in the proposed rule.
That means practices already participating in PCT’s programs are generally well positioned regardless of what ultimately happens with the proposed rule. And if additional requirements are finalized, PCT will provide the materials, guidance, and support needed to address them.
The core work remains the same: protecting client information through meaningful risk analysis and reasonable and appropriate safeguards.
Put another way:
We didn’t have to redesign our compliance programs when the NPRM was released because the proposed rule largely validated the direction we were already helping practices move toward.
The Bottom Line
Everyone wants to know what the OCR is going to do. We’d like to know too. But while we wait for that answer, there is another question that is far more useful:
What is reasonable and appropriate for protecting client information in my practice today?
That is the question the current Security Rule asks. It is the question the OCR continues to emphasize. And it is the question that ultimately matters most.
The proposed rule may change the roadmap.
It does not change the destination.
