Real, yes. Urgent today, no.

The proposal is genuine and the direction is clear, but it has not been finalized, OCR's own spring 2026 target passed with nothing published, and a coalition of provider groups has asked HHS to withdraw it. Until a final rule exists, nothing here is being enforced and every specific can still change.

So the honest posture is neither "ignore it" nor "panic." It is to do the work that is smart either way, and hold the finalization-specific steps until there is a date to anchor them to. Most of that work is something you should be able to do in your existing program. The rest of this page is the short list.

Addressable would become required

If you read nothing else, read this. It is the part most people get wrong.

The current Security Rule sorts safeguards into two buckets: "required" and "addressable." Almost everyone reads "addressable" as "optional." It never meant that. It meant you either implement the safeguard, implement an equivalent, or write down a defensible reason you did not. In practice, many programs treated addressable items as skippable and never documented the reasoning, which is the single most common thing that has to be cleaned up later.

The proposal would remove that distinction entirely. If it is finalized as written, the safeguards you may have been treating as optional become things you must implement and prove in writing. That is the whole ballgame. It is not a new world of exotic controls; it is the end of the gray area you may have been living in, and the start of having to evidence the safeguards you already half-do.

The useful response is not to panic about a long list. It is to find out which of those safeguards you already perform but never wrote down, and which you would genuinely need to stand up. That separation is a single afternoon of structured analysis, not a six-week project, and it is worth doing now because it is the part that pays off no matter how the rulemaking ends.

Three moves, all useful either way.

None of these requires betting on a final date. All three improve your standing under today's rule and get you ahead of tomorrow's.

Move 1
Find the documentation gap

A structured gap analysis surfaces the safeguards you already satisfy in practice but never documented. Those are the cheapest to close and the first things the proposal would make mandatory.

Move 2
Check your BAAs

If the verification obligations on business associates tighten, your existing agreements are where the exposure sits. A clause-level review against 45 CFR 164.504(e)(2) tells you where you stand today.

Move 3
Tighten the risk analysis

Risk analysis is already the most-cited deficiency in OCR enforcement. Moving from an annual spreadsheet to a documented method is the highest-value thing you can do regardless of the proposal.

Rote runs each of these as a structured analysis. The goal is a clear picture of where you actually stand, not a stack of new work.

Common questions about the Security Rule update.

Is the HIPAA Security Rule final?

No. As of June 2026 it is a proposed rule. OCR has not finalized, modified, or withdrawn it, the original May 2026 target passed with nothing published, and it is not being enforced. Until a final rule publishes, every requirement is conditional.

What is actually changing?

The headline change is the removal of the "required" versus "addressable" distinction, which would make previously optional-seeming safeguards mandatory and documented. The proposal also raises the bar on written risk analysis and strengthens technical control expectations. All conditional on a final rule.

Is "addressable" going away?

That is the most-discussed proposed change. If finalized as written, the addressable category would be eliminated and those safeguards would become required, with documentation to prove it. It is not in effect yet.

What technical controls would it add?

As reported, the proposal points toward stronger baseline controls including encryption of ePHI, multi-factor authentication, network segmentation, and a stated cadence for vulnerability scanning and penetration testing, with limited exceptions. Treat the direction as reported and the exact thresholds as unconfirmed until the final rule exists.

What about business associates?

The proposal includes tighter verification obligations for business associates and shorter contingency and incident timelines. This is why a BAA review is one of the three moves above.

When would the compliance deadline be?

There is no deadline yet, because there is no final rule. Rules of this type typically carry a roughly 240-day compliance window after finalization, which would put real deadlines in early 2027 if OCR finalizes on its stated schedule.

See where the rule would leave you.

The AI Readiness Snapshot is free. Within one week, it places your organization on Rote's AI compliance maturity matrix and shows where your documentation stands against the safeguards the proposal would make mandatory. No bet on a final date required.