
Rule Update

The HIPAA Security Rule Final Rule: $9 Billion Price Tag, 100+ Hospital Coalition Opposition, and What Actually Happens Next

TL;DR

OCR's proposed HIPAA Security Rule overhaul — the most significant proposed update since 2005 — faces opposition from a coalition of more than 100 hospital systems and provider associations who have called on HHS and the White House to withdraw it. OCR itself estimated first-year compliance costs at $9 billion across all regulated entities. Whether the final rule is issued as proposed, scaled back, or withdrawn, covered entities and business associates should be preparing for stronger security requirements regardless of the regulatory outcome.

OCR's proposed HIPAA Security Rule overhaul faces fierce industry opposition — including a coalition of over 100 hospital systems calling for its withdrawal. Here is the full picture of what is proposed, who is fighting it, and what covered entities should actually do while the outcome remains uncertain.

medcomply.ai editorial team · Published May 11, 2026 · Updated May 11, 2026 · 7 min read

The proposed HIPAA Security Rule overhaul is officially the most contested healthcare regulation of 2026. On one side: OCR, citing record-breaking breach volumes and inadequate industry security practices. On the other: a coalition of more than 100 hospital systems and provider associations arguing the proposal is unworkable, unaffordable, and politically misaligned with the current administration's priorities.

Here is the full picture — the proposal, the opposition, the political dynamics, and what every covered entity and business associate should actually be doing right now.

The proposal in brief

OCR published its Notice of Proposed Rulemaking on December 27, 2024, proposing the most sweeping update to the HIPAA Security Rule since the original rule took effect in 2005. The core proposals:

  • Mandatory encryption of ePHI at rest and in transit, eliminating the addressable-specification flexibility that currently allows organizations to document alternatives.
  • Required multi-factor authentication for all ePHI system access.
  • Annual penetration testing.
  • Current asset inventories and network maps as required documentation.
  • 72-hour system restoration objectives following security incidents.
  • Annual internal compliance audits.

If the rule is finalized as proposed, it would mean a radical shift in how the Security Rule is applied: away from the flexible approach that accommodates the many kinds of regulated entities, and toward a rigid framework of prescriptive security requirements that some entities could find difficult to meet.

The $9 billion price tag

The cost estimate embedded in OCR's own regulatory impact analysis is striking.

OCR itself estimated that in just the first year, compliance across all covered entities and business associates would cost $9 billion.

Industry groups argue this figure is actually an underestimate. Their position: OCR's cost modeling does not adequately account for the infrastructure investment required by small practices, rural hospitals, and federally qualified health centers that currently lack the IT foundations on which the new requirements would need to be built. You cannot implement mandatory MFA across all ePHI systems if those systems do not currently support MFA — and many legacy healthcare systems do not.

Note

The $9 billion figure covers all regulated entities combined — not per organization. For context, there are approximately 750,000 HIPAA-covered entities in the United States. The average per-entity first-year cost in OCR's estimate is roughly $12,000, though actual costs vary enormously by organization size and current security posture.

The opposition

A coalition of more than 100 hospital systems and provider associations called for HHS to withdraw the proposed updates to the HIPAA Security Rule, which they said runs counter to President Trump's robust deregulatory agenda.

CHIME, the College of Healthcare Information Management Executives, has been among the most vocal opponents. The organization submitted public comments, co-led a stakeholder letter to HHS and the White House requesting rescission, and argues the administration's cost estimates dramatically understate the real burden, particularly for under-resourced providers.

The political argument being made by opponents is pointed: the proposed rule was published in the final days of the Biden administration, and the Trump administration has a documented deregulatory agenda. Opponents are arguing that finalizing a $9 billion compliance mandate contradicts the administration's stated priorities.

OCR's position

OCR has not flinched publicly. Director Paula Stannard has continued to defend the need for stronger security requirements — though she has also acknowledged the industry feedback.

Even if the proposed rule does not make it to a final rule, Stannard said there have already been benefits from the proposed rule. The proposal to modify the Security Rule helped put a spotlight on information security in the healthcare system and drew attention to the need for better compliance and to take cybersecurity seriously.

This statement is significant. It suggests OCR views the NPRM as having achieved part of its goal regardless of whether it becomes a final rule — by raising the visibility of security requirements and signaling to regulated entities that the current flexible framework will be enforced more rigorously.

The three possible outcomes

Outcome 1 — Finalized as proposed (or close to it)

The rule's finalization remains on the Department of Health and Human Services Office for Civil Rights' regulatory agenda for May 2026. If OCR publishes a final rule, regulated entities would have 240 days to comply — meaning mandatory compliance could begin in early 2027.

Outcome 2 — Finalized in scaled-back form

The most politically viable path may be a final rule that preserves the core requirements — encryption, MFA, asset inventories — while removing or softening the most burdensome provisions like annual penetration testing and 72-hour restoration objectives. This would allow OCR to claim a win while responding to industry concerns.

Outcome 3 — Withdrawn or indefinitely delayed

There is a caveat. The HIPAA update was proposed by OCR under the Biden administration, and the new Trump administration may choose to do nothing with the update. If the administration decides the political cost of finalizing a $9 billion mandate outweighs the cybersecurity benefits, the rule could be withdrawn or placed on indefinite hold — as happened to a previous HIPAA Privacy Rule update proposed under the first Trump term.

What you should actually do right now

Here is the practical reality that cuts through the regulatory uncertainty: whether the NPRM is finalized, revised, or rescinded, OCR is actively enforcing the rules that exist today — and the bar it is applying is whether your organization has a functioning, continuous risk management program.

The proposed rule's requirements — encryption, MFA, asset inventories, penetration testing — are not new concepts invented for this NPRM. They are security best practices that NIST, HHS cybersecurity guidance, and OCR enforcement expectations have been pointing toward for years. The question the final rule answers is whether they become explicit mandatory minimums or remain implicit expectations enforced under the existing flexible framework.

Either way, organizations that implement them are in a stronger position — for regulatory compliance, for cybersecurity resilience, and for OCR investigations triggered by breaches.

On encryption: If your ePHI is not encrypted at rest and in transit, begin the implementation process now. The investment is justified regardless of the final rule outcome.

On MFA: Audit every system that accesses ePHI for MFA capability. Where it is supported, enable it. Where it is not, evaluate whether the system needs replacement or supplemental controls.

On asset inventories: You cannot protect ePHI you do not know you have. Building a current, accurate inventory of all systems, applications, devices, and data flows touching ePHI is foundational — required under the current rule's risk analysis provisions regardless of the NPRM outcome.

On penetration testing: If your organization has never conducted a penetration test, engage a qualified security firm. The findings from a first test are typically significant and worth knowing regardless of regulatory requirements.
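As an added illustration (not code from the article, from OCR, or from any named vendor), the following Python gap assessment walks an ePHI asset inventory and flags, per system, which of the proposed requirements discussed above are unmet: encryption at rest and in transit, enforced MFA (distinguishing a configuration gap from a platform that cannot support MFA), a penetration test within the last year, a restoration objective of 72 hours or less, and a documented owner. The `EphiAsset` fields, the sample inventory and the assessment date are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# Thresholds taken from the proposed requirements described in this article
PENTEST_MAX_AGE_DAYS = 365    # annual penetration testing
RESTORE_OBJECTIVE_HOURS = 72  # 72-hour system restoration objective

@dataclass
class EphiAsset:
    name: str                     # system or application that stores or accesses ePHI
    owner: str                    # accountable owner; empty string = undocumented
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    mfa_capable: bool             # platform supports MFA at all
    mfa_enforced: bool            # MFA is actually required for every login
    last_pentest: date | None     # None = never tested
    restore_objective_hours: int | None  # documented recovery objective; None = none

def assess(asset: EphiAsset, today: date) -> list[str]:
    """Return the proposed-rule gaps for one inventoried asset (empty list = no gaps)."""
    gaps = []
    if not asset.owner:
        gaps.append("no documented owner (inventory incomplete)")
    if not asset.encrypted_at_rest:
        gaps.append("ePHI not encrypted at rest")
    if not asset.encrypted_in_transit:
        gaps.append("ePHI not encrypted in transit")
    if not asset.mfa_enforced:  # a config gap and a platform limit need different remediation
        gaps.append("MFA not enforced" if asset.mfa_capable
                    else "MFA unsupported: evaluate replacement or compensating controls")
    if asset.last_pentest is None or (today - asset.last_pentest).days > PENTEST_MAX_AGE_DAYS:
        gaps.append("no penetration test within the last year")
    if asset.restore_objective_hours is None or asset.restore_objective_hours > RESTORE_OBJECTIVE_HOURS:
        gaps.append(f"restoration objective missing or exceeds {RESTORE_OBJECTIVE_HOURS}h")
    return gaps
def gap_report(inventory: list[EphiAsset], today: date) -> dict[str, list[str]]:
    """Map each asset with at least one gap to its gaps; compliant assets are omitted."""
    return {a.name: g for a in inventory if (g := assess(a, today))}

# Constructed sample inventory: hypothetical systems, not taken from the article
SAMPLE_INVENTORY = [
    EphiAsset("ehr-prod", "IT Director", True, True, True, True, date(2025, 11, 3), 24),
    EphiAsset("legacy-lab-interface", "", False, True, False, False, None, None),
    EphiAsset("billing-portal", "Revenue Cycle", True, True, True, False, date(2024, 9, 15), 48),
]
AS_OF = date(2026, 5, 11)  # assessment date for the sample run
if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_INVENTORY, AS_OF).items():
        print(name, "->", "; ".join(gaps))
```

Systems with no gaps are omitted from the report, so an empty result is the target state; the MFA wording tells you whether a system needs reconfiguration or a replacement decision.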

Warning

Organizations that are waiting to see the final rule before acting are making a strategic mistake. OCR is enforcing the existing Security Rule with increasing rigor today. The gap between where most organizations are and where OCR expects them to be exists regardless of whether the NPRM is finalized.

The HIPAA Security Rule final rule may be published this month, scaled back, or withdrawn. What will not change regardless of the outcome is OCR's expectation that organizations implement strong, documented, continuous security programs. The organizations that treat the NPRM as a prompt to act — rather than waiting for certainty — will be in a materially stronger compliance position in 2027 than those that did not.

Sources & citations

  • Alston & Bird — HIPAA Security Rule Still on Track
  • Clearwater Security — HIPAA Security Rule Enforcement 2026
  • HIPAA Journal — Final Rule Edges Closer
  • 45 CFR Part 164 Subpart C — Current Security Rule

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

How much would compliance with the proposed Security Rule update cost?
OCR's own estimate is that compliance across all covered entities and business associates would cost approximately $9 billion in the first year alone. Industry groups argue this figure significantly underestimates the true burden, particularly for smaller and rural providers who lack the IT infrastructure to implement requirements like mandatory MFA and annual penetration testing.
Who is opposing the proposed Security Rule update?
A coalition of more than 100 hospital systems and provider associations has called on HHS and the White House to withdraw the proposed rule, arguing it runs counter to the Trump administration's deregulatory agenda and places unreasonable financial burdens on providers. CHIME (College of Healthcare Information Management Executives) has been among the most vocal opponents.
Could the proposed rule be withdrawn entirely?
Yes. The rule was proposed in the final days of the Biden administration. The Trump administration has a stated deregulatory agenda and has reversed other Biden-era healthcare regulations. OCR has not confirmed whether it will finalize, modify, or withdraw the proposal. This uncertainty is why organizations should prepare for stronger security requirements regardless of the regulatory outcome.
If the rule is not finalized, do organizations still need to improve their security?
Absolutely yes. OCR is actively enforcing the existing Security Rule with increasing rigor. The proposed rule's requirements — encryption, MFA, asset inventories, penetration testing — represent security best practices that OCR already expects organizations to implement under the current flexible framework. The final rule question is about whether these become mandatory minimums, not whether they are good practice.
What is the 240-day compliance window mentioned in the proposed rule?
The NPRM proposed that regulated entities would have 240 days from the final rule's publication in the Federal Register to achieve compliance. Industry groups have called for a longer window — potentially 18 to 24 months — given the scale of changes required. OCR could extend this in the final rule.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.