HIPAA Security Rule Update Postponed: More Time Given to Implement Major HIPAA Security Rule Changes – The HIPAA Journal
HIPAA Security Rule Update Postponed: More Time Given to Implement Major HIPAA Security Rule Changes
There has been some good news for the HIPAA-regulated entities that feel unprepared for the proposed changes to the HIPAA Security Rule. The Department of Health and Human Services (HHS) had proposed a May 2026 release date for a final rule implementing the proposed changes to the HIPAA Security Rule; however, the U.S. Office of Management and Budget (OMB) website has been updated, showing the final rule has been pushed back a year, with the final action due in July 2027.
Why HIPAA Security Rule Changes Have Been Proposed
The HHS’ Office for Civil Rights (OCR), under the Biden administration, issued a Notice of Proposed Rulemaking (NPRM) to strengthen the HIPAA Security Rule in December 2024, and published the proposed rule in the Federal Register on January 6, 2025. The original HIPAA Security Rule was enacted more than two decades ago in 2003 and was updated by the HIPAA Omnibus Final Rule in 2013, but there have been no substantial changes to the Security Rule in the past 13 years.
Today, almost all aspects of healthcare rely on computer and network technologies, and cybersecurity is far more of a concern than when the Security Rule was first published. Over the past 10 years, cyberattacks on healthcare organizations and breaches of electronic protected health information (ePHI) – that the Security Rule was introduced to protect – have been steadily increasing, especially in 2018, when there was a rampant escalation in hacking incidents and healthcare ransomware attacks. Not only have these incidents increased substantially, but there has also been an alarming upward trend in the number of individuals affected and the harm these incidents cause.
Take the ALPHV/BlackCat ransomware attack on Change Healthcare in February 2024. The attack on this key healthcare technology company and clearinghouse had massive implications for the healthcare industry. The company’s systems touch one in every three patient records and are relied on by hospitals, physicians, pharmacies, and laboratories across the country for billing and payment processing. The attack caused severe cash flow problems for the company’s clients, care delivery was affected, and some providers were forced to temporarily close. The outage caused by the attack lasted for weeks, while the disruption for providers continued for much longer. The ePHI of an estimated 192.7 million Americans was stolen in the attack. The attackers breached the Change Healthcare network via a Citrix remote access portal using stolen credentials, and crucially, multifactor authentication was not enabled. Multifactor authentication is one of the requirements of the Security Rule update, as is network segmentation to limit the impact of cyberattacks.
New Security Rule Requirements
The proposed HIPAA Security Rule update is intended to address changes in the healthcare environment and technology, force HIPAA-regulated entities to make cybersecurity updates to combat cyberattacks and prevent data breaches, and correct deficiencies in the HIPAA Security Rule that OCR has identified from its investigations of data breaches, complaints, and its HIPAA audit program. The updates are based on current cybersecurity best practices and methodologies, and are common sense updates given the extent to which the healthcare industry is being targeted by cyber actors and how frequently they breach healthcare networks.
The proposed changes are substantial, and include the elimination of the addressable implementation classification; strict mandatory cybersecurity requirements such as encryption, multifactor authentication, network segmentation, and anti-malware protection; annual penetration tests, vulnerability scans every 6 months, and annual audits of Security Rule compliance; more prescriptive requirements for risk analyses, which must be conducted at least annually and be based on a comprehensive and accurate technology asset inventory and network map showing how ePHI flows; dedicated backup and recovery controls for ePHI; shorter timelines for business associates and verification of their technical safeguards; and extensive documentation requirements.
Proposed Regulatory Update Attracts Considerable Criticism
The 390-page proposed update was not particularly well received and attracted considerable criticism from hospitals, health systems, and industry groups. OCR received almost 5,000 comments in response to the proposed rule. While industry stakeholders accepted the need for improvements to security to combat the cybersecurity crisis in healthcare, they viewed the proposed rule as an impossible mandate, as it would place substantial financial burdens on healthcare organizations, cause massive operational disruptions, create a huge administrative burden, and has an unworkable timeframe for implementation.
The proposed rule lacks much of the flexibility of the original rule, attracting criticism for the one-size-fits-all approach to cybersecurity. Since the new requirements are extensive, forcing HIPAA-regulated entities to commit substantial funds to compliance will require many to divert funds away from patient care. The pain would be particularly acute for small and rural healthcare providers who are already working on razor-thin margins. The HHS accepts that compliance will not be cheap, calculating that the proposed changes will have a one-year industry cost of $9 billion, with annual industry costs of $6 billion a year for years two through five.
More Time to Prepare for Inevitable New Security Requirements
The timeframes released by government entities for implementing new rules are not legally binding. The final rule may have been delayed by a year and could be delayed further; however, OCR could press ahead and release a final rule ahead of the proposed July 2027 date.
Changes to the HIPAA Security Rule are inevitable to ensure it remains effective. One of the criticisms of the proposed rule was the short implementation timeframe, which was viewed by industry groups as unworkable. While there may be a huge collective sigh of relief at the delay, it is important to use the extra time wisely. Waiting for the final rule to be issued before implementing the required changes runs the risk of missing the implementation deadline and facing the regulatory risks associated with late compliance.
If regulated entities use the time to plan and they start implementing some of the proposed requirements over the coming 12 months, the pain will be eased when the final rule drops. In the meantime, cybersecurity will be improved, helping to prevent cyberattacks, costly downtime, and many data breaches.
Steve Alder, Editor-in-Chief, The HIPAA Journal.
The post HIPAA Security Rule Update Postponed: More Time Given to Implement Major HIPAA Security Rule Changes appeared first on The HIPAA Journal.
Memorial Healthcare Services Settles Pixel Litigation – The HIPAA Journal
Memorial Healthcare Services Settles Pixel Litigation
Memorial Healthcare Services, a nonprofit healthcare provider serving patients in Southern California, has agreed to settle a class action lawsuit over its use of pixels and other tracking, web analytics, and advertising technologies on its website.
The tools are alleged to have been added to the website without the knowledge or consent of patients, causing website users’ personally identifiable information (PII) to be collected and transferred to third parties. The disclosures of PII and health information without consent are alleged to have violated the California Invasion of Privacy Act. Memorial Healthcare Services maintains that there was no wrongdoing.
The lawsuit – Valladolid v. Memorial Health Services – was filed by plaintiff Michelle Valladolid in the Superior Court of California, County of Los Angeles, individually and on behalf of similarly situated individuals. After considering the likely cost of continuing with the litigation and risks associated with a trial and related appeals, the defendant and plaintiff agreed to settle the litigation.
The parties were not able to agree to the terms of a settlement during a full-day mediation session on April 3, 2025; however, through ongoing negotiations, the material terms of a settlement were agreed upon, and the terms have now been finalized. The proposed settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for September 17, 2026. The class consists of individuals who accessed the Memorial Health Services patient portal between March 7, 2022, and July 8, 2022.
Under the terms of the settlement, class members may claim a one-time cash payment, which will be paid pro rata from the $750,000 settlement fund. The defendant has agreed to cover the cost of attorneys’ fees and expenses, settlement administration and notification costs, and a service award for the class representative, which will be deducted from the settlement fund before any cash payments are made. The remaining funds will be shared equally between all class members who submit a valid claim.
Individuals wishing to object to the settlement must do so by July 15, 2026. The deadline for opting out is August 21, 2026, and claims must be submitted by August 21, 2026. Further information can be found on the settlement website: https://mhspixelsettlement.com/
The post Memorial Healthcare Services Settles Pixel Litigation appeared first on The HIPAA Journal.
Data Security Incidents Announced by Park Dental Research Corp; Wabi Sabi Behavioral Health Center – The HIPAA Journal
Data Security Incidents Announced by Park Dental Research Corp; Wabi Sabi Behavioral Health Center
Employee data has been compromised in data security incidents at Park Dental Research Corporation in Oklahoma and Wabi Sabi Behavioral Health Center in Nebraska.
Park Dental Research Corporation
Park Dental Research Corporation, an Ardmore, OK-based dental implant company, has notified individuals about a security incident it experienced on or around April 29, 2026. The investigation confirmed that an unauthorized third party had access to systems containing information such as names, dates of birth, addresses, Social Security numbers, driver’s license numbers, bank account information, passports, and I-9 forms.
There has been no known misuse of the affected information; however, as a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services, which include a $1,000,000 identity theft insurance policy. Notification letters were mailed to the affected individuals on June 24, 2026.
While ransomware was not mentioned in the notification letters, a ransomware group called Interlock took responsibility for the cyberattack and claimed to have exfiltrated 260 gigabytes of data from the company’s systems.
Wabi Sabi Behavioral Health Center
Hastings, NE-based Wabi Sabi Behavioral Health Center, a multidisciplinary mental health provider serving patients in South Central Nebraska, has identified unauthorized access to parts of its network containing employee payroll records. On June 15, 2026, an unauthorized third party gained access to a QuickBooks Online account using compromised credentials. The purpose of the attack was to make changes to employees’ account details in order to divert payments to attacker-controlled accounts. The unauthorized access was detected on the same day, and changes to payroll were identified.
While the affected accounts have been secured, employee information such as names, addresses, and Social Security numbers may have been viewed or copied. The affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services. No misuse of employee data has been identified as a result of the incident. The Nebraska Attorney General has been informed about the data breach, but the number of affected individuals has not been publicly disclosed.
The post Data Security Incidents Announced by Park Dental Research Corp; Wabi Sabi Behavioral Health Center appeared first on The HIPAA Journal.