
Rule Update

HIPAA Security Rule Final Rule: May Deadline Passes With No Announcement

TL;DR

OCR's regulatory agenda listed May 2026 as the target publication date for the HIPAA Security Rule final rule — the most significant proposed update to the Security Rule since 2005. As of mid-May 2026, no final rule has been announced. Federal agencies routinely miss regulatory agenda deadlines. The rule may still be published this month, delayed further, scaled back, or withdrawn entirely. Covered entities should continue preparing for stronger security requirements regardless of the regulatory outcome.

OCR's regulatory agenda listed May 2026 as the target for the HIPAA Security Rule final rule. The month is here and no announcement has been made. Here is where things stand and what covered entities should do right now.

medcomply.ai editorial team · Published May 14, 2026 · Updated May 14, 2026 · 5 min read

OCR set May 2026 as its target for publishing the HIPAA Security Rule final rule. May is here. No announcement has been made.

This is not unusual — federal regulatory agendas are targets, not guarantees. Agencies miss them routinely, particularly when proposed rules face significant industry opposition or administrative headwinds. But the silence is notable given how closely the healthcare industry has been watching this particular rulemaking.

Where things stand right now

A final action is still listed for May on HHS OCR's regulatory agenda, though federal agencies routinely extend those deadlines, and the next agenda update is expected shortly.

The proposed rule — published December 27, 2024, in the final days of the Biden administration — would represent the most significant update to the HIPAA Security Rule since the original rule took effect in 2005. Its core proposals include mandatory encryption of ePHI at rest and in transit, required multi-factor authentication, annual penetration testing, documented asset inventories and network maps, and 72-hour system restoration objectives.

It remains to be seen whether the Trump administration will view the benefits of the proposed rule as worth the short-term financial and administrative pain of implementation. Based on the feedback received, the proposed rule could be slimmed down to reduce the compliance burden, although doing so would water down the protections. If the final rule is released, OCR could extend the timeframe for compliance to ease the burden on HIPAA-regulated entities.

Three scenarios playing out simultaneously

Scenario 1 — Published in May as scheduled

OCR could still publish a final rule before the end of the month. Given the regulatory agenda listing, this remains possible. If published, it would likely differ from the NPRM in some respects — particularly around implementation timelines — reflecting the substantial industry feedback received during the comment period.

Scenario 2 — Delayed to later in 2026 or 2027

This is the most likely near-term outcome given the silence. A delay would allow OCR to continue reviewing comments, potentially negotiate a more scaled-back version of the rule, and give the administration more time to assess the political calculus of finalizing a $9 billion compliance mandate.

Scenario 3 — Withdrawn or significantly scaled back

The HIPAA update was proposed by OCR under the Biden administration, and the new Trump administration may choose to do nothing with it, as happened with the HIPAA Privacy Rule update proposed by the previous Trump administration, which was shelved by OCR under the Biden administration.

What OCR is doing regardless of the final rule

Here is the critical point that gets lost in the final rule coverage: OCR is not waiting for a final rule to enforce strong security expectations.

Whether the NPRM is finalized, revised, or rescinded, OCR is actively enforcing the rules that exist today — and the bar it is applying is whether your organization has a functioning, continuous risk management program. Not a point-in-time assessment. Not a binder of policies. A living program.

OCR Director Paula Stannard has been explicit about this. Even if the proposed rule does not make it to a final rule, Stannard said there have already been benefits from the proposed rule. "The proposal to modify the Security Rule helped put a spotlight on information security in the healthcare system and drew attention to the need for better compliance and to take cybersecurity seriously."

The six enforcement actions OCR has taken in 2026 — all citing risk analysis and risk management failures — demonstrate that the agency's enforcement posture does not depend on the final rule. The existing Security Rule, enforced with increasing rigor, is sufficient to generate significant penalties for organizations with inadequate security programs.

The asset inventory question

You cannot manage risk to electronic protected health information you have not fully accounted for. Every system, application, device, and data flow that touches ePHI needs to be in scope — including the ones that have been quietly accumulating through acquisitions, new vendors, and technology changes.

This is where most organizations have the largest gap — not in their policies, but in their knowledge of what systems actually exist and what ePHI they contain. The proposed rule would make asset inventories and network maps a formal requirement. Under the existing rule, they are essential to completing the risk analysis that OCR already requires and enforces.

What to do right now

The regulatory uncertainty does not change the operational advice. Organizations that are waiting for final rule publication before acting are making a strategic mistake regardless of which of the three scenarios plays out.

If the rule is published this month: Organizations that have already begun implementing encryption, MFA, and asset inventories will need only to formalize and document what they have done. Organizations that have not started will face a compressed 180-day implementation window.

If the rule is delayed: The time created by a delay is preparation time. Every month of delay is an additional month to close gaps that OCR is already enforcing under the existing rule.

If the rule is withdrawn: The underlying security expectations remain. OCR's enforcement data from 2024 through 2026 makes clear that the agency expects encryption, strong access controls, documented risk analyses, and active risk management regardless of whether those expectations are codified in a new rule.

Note

medcomply.ai will publish an update the day OCR announces any action on the Security Rule final rule — whether publication, delay, withdrawal, or modification. Subscribe to the Compliance Brief to receive that update in your inbox.

The May 2026 HIPAA Security Rule final rule deadline has arrived with no announcement. Whether the rule is published this month, delayed, or withdrawn, OCR's enforcement expectations for the existing Security Rule are unchanged and actively enforced. The regulatory uncertainty is not a reason to pause preparation — it is a reason to accelerate it.

Sources & citations

  • HHS OCR Regulatory Agenda — Spring 2026
  • HIPAA Journal — Final Rule Edges Closer
  • Clearwater Security — HIPAA Security Rule Enforcement 2026

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

Has the HIPAA Security Rule final rule been published?
As of May 14, 2026, no final rule has been published. OCR's regulatory agenda listed May 2026 as the target date, but federal agencies frequently miss regulatory agenda deadlines. The rule may still be published in May, delayed to later in 2026, significantly modified, or withdrawn by the Trump administration.
What happens if the final rule is not published in May 2026?
If OCR misses the May target, the proposed rule remains a proposal with no legal force. The existing HIPAA Security Rule — unchanged since 2005 in its core provisions — continues to apply. OCR's enforcement expectations under the existing rule remain in full effect regardless of the final rule's status.
Should we still prepare for the proposed Security Rule changes?
Yes. The proposed changes — mandatory encryption, MFA, asset inventories, annual penetration testing — represent security best practices that OCR enforces under the existing rule's flexible framework regardless of whether the proposed rule is finalized. Organizations that implement these controls are better positioned for both regulatory compliance and cybersecurity resilience.
What is the current status of industry opposition to the proposed rule?
A coalition of more than 100 hospital systems and provider associations has formally called on HHS and the White House to withdraw the proposed rule, citing its estimated $9 billion first-year compliance cost and arguing it runs counter to the Trump administration's deregulatory agenda. CHIME has been among the most vocal opponents.
If a final rule is published, how long will organizations have to comply?
The NPRM proposed a 180-day compliance window after publication. Industry groups have called for an 18-24 month window given the scale of changes required. OCR could extend this timeline in the final rule. If published in late May 2026, a 180-day window would put mandatory compliance in late November 2026.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.