It’s a good thing I don’t gamble. I’ve been wrong so many times in predicting the release of both the final rules for the changes to the HIPAA Privacy and Security Rules that I now vow not to make any further predictions on the subject. I simply have no clue (and neither does HHS, apparently).
My last article focused on the HIPAA Security Rule and the uncertainty of changes that were anticipated in 2026. At the time, the Department of Health and Human Services (HHS) regulatory agenda indicated a final rule date of May 2026. It gave the same date for the final rule for the HIPAA Privacy Rule changes, which have been pending since 2021. Given the severity of cybersecurity issues and announcements from HHS/Office for Civil Rights on the commitment to updating the HIPAA Security Rule, it seemed as if the Security Rule changes would back burner the final changes for the HIPAA Privacy Rule. I guess not.
Here are the facts as we know them right now (clearly, subject to change):
- The HHS Regulatory Agenda for 2026 no longer includes an anticipated final rule date for changes to the HIPAA Security Rule. It is now on the “Long-Term Actions” list with July 2027 as the final action date.
- The revised HHS Regulatory Agenda for 2026 identifies August 2026 as the target month for publication of the final HIPAA Privacy Rule.
A new item also appears on the 2026 Agenda: a notice of proposed rulemaking slated for November 2026 titled “HIPAA Privacy Rule to Promote Individuals’ Timely Access to their Protected Health Information.” HHS says it will solicit comments on proposals to modify “the amount of time that covered entities have to respond to requests for protected health information (PHI) made pursuant to the right of access.”
This signals to me that HHS will not finalize its proposal to reduce the number of days to respond from 30 days to 15 days under 45 CFR 164.524. But given my recent track record anticipating things related to the HIPAA changes, I am hesitant to say so even though it seems like a safe bet.
What’s next?
Given that it is highly unlikely for HHS to issue a final rule that is on the Long-Term Action list, we can take a collective deep breath there, but enforcement will continue under the current HIPAA Security Rule, so HIPAA-regulated entities need to ensure compliance.
As for the Privacy Rule, there will be 240 days to come into compliance after the final rule is published. Instead of making any predictions on dates, which I will no longer do, I recommend that you enjoy your summer and continue compliance efforts under the current rules. We will let you know when it is time to spring into action.
