Real, yes. Urgent today, no.

The proposal is genuine and the direction is clear, but it has not been finalized, OCR's own spring 2026 target passed with nothing published, and a coalition of provider groups has asked HHS to withdraw it. Until a final rule exists, nothing here is being enforced and every specific can still change.

So the honest posture is neither "ignore it" nor "panic." It is to do the work that is smart either way, and hold the finalization-specific steps until there is a date to anchor them to. Most of that work is something you should be able to do in your existing program. The rest of this page is the short list.

Primary source: HIPAA Security Rule NPRM, 90 FR 898 (Jan. 6, 2025). The public comment period closed March 7, 2025; no final rule has published as of the last-reviewed date above.

Addressable would become required

This is the proposed change most worth understanding, because it is the one that quietly reclassifies work you may already be doing.

The current Security Rule sorts safeguards into two buckets: "required" and "addressable." Almost everyone reads "addressable" as "optional." It never meant that. It meant you either implement the safeguard, implement an equivalent, or write down a defensible reason you did not. In practice, many programs treated addressable items as skippable and never documented the reasoning, which is the single most common thing that has to be cleaned up later.

The proposal would remove that distinction entirely. If it is finalized as written, the safeguards you may have been treating as optional become things you must implement and prove in writing. That is the whole ballgame. It is not a new world of exotic controls; it is the end of the gray area you may have been living in, and the start of having to evidence the safeguards you already half-do.

The useful response is not to panic about a long list. It is to find out which of those safeguards you already perform but never wrote down, and which you would genuinely need to stand up. That separation is a single afternoon of structured analysis, not a six-week project, and it is worth doing now because it is the part that pays off no matter how the rulemaking ends.

Common questions about the Security Rule update.

Is the HIPAA Security Rule final?

No. As of June 2026 it is a proposed rule. OCR has not finalized, modified, or withdrawn it, the original May 2026 target passed with nothing published, and it is not being enforced. Until a final rule publishes, every requirement is conditional.

What is actually changing in the HIPAA Security Rule?

The headline change is the removal of the required versus addressable distinction, which would make previously optional-seeming safeguards mandatory and documented. The proposal also raises the bar on written risk analysis and strengthens technical control expectations. All conditional on a final rule.

Is addressable going away in the HIPAA Security Rule?

That is the most-discussed proposed change. If finalized as written, the addressable category would be eliminated and those safeguards would become required, with documentation to prove it. It is not in effect yet.

What technical controls would the proposed rule add?

As reported, the proposal points toward stronger baseline controls including encryption of ePHI, multi-factor authentication, network segmentation, and a stated cadence for vulnerability scanning and penetration testing, with limited exceptions. Treat the direction as reported and the exact thresholds as unconfirmed until the final rule exists.

How would the proposed rule affect business associates?

The proposal includes tighter verification obligations for business associates and shorter contingency and incident timelines. That is why a BAA review is one of the three moves to make now.

When would the HIPAA Security Rule compliance deadline be?

There is no deadline yet, because there is no final rule. Rules of this type typically carry a roughly 240-day compliance window after finalization, which would put real deadlines in early 2027 if OCR finalizes on its stated schedule.

What should we do before the HIPAA Security Rule is final?

Do the work that is useful either way: a gap analysis to find undocumented safeguards, a BAA review against tightening verification, and a more rigorous written risk analysis. None require betting on a final date.

See where the rule would leave you.

The Readiness Snapshot is free. It places your organization on Rote's compliance maturity matrix and shows where your documentation stands against the safeguards the proposal would make mandatory, within one week. No bet on a final date required.