HIPAA Modernization: What’s Changing and How to Stay Compliant
Strengthening Reproductive Health Information Privacy
What changed in 2024
HHS issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy in April 2024, aiming to restrict uses and disclosures of protected health information (PHI) for investigations or proceedings related to lawful reproductive health care and to require a signed attestation before responding to certain requests. These HIPAA Privacy Rule modifications were designed to bolster reproductive health data protection across covered entities and business associates. ([crowell.com](https://www.crowell.com/en/insights/client-alerts/ocr-finalizes-hipaa-modifications-to-strengthen-reproductive-health-care-privacy?utm_source=openai))
Where things stand in 2026
On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated most of the 2024 reproductive health privacy amendments nationwide. As a result, the attestation requirement and the related use-and-disclosure prohibitions are not in effect as of this writing (April 20, 2026). Covered entities and business associates should apply the baseline HIPAA Privacy Rule standards, including the minimum necessary standard and the existing conditions for disclosures to law enforcement and in judicial or administrative proceedings, together with any applicable state law when handling reproductive health PHI. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))
Action steps
- Update request-response workflows for subpoenas, warrants, and law enforcement demands to reflect the vacatur; do not rely on the 2024 attestation process. Instead, confirm that each request satisfies the Privacy Rule's existing conditions before releasing PHI (for example, a court order, or a subpoena accompanied by the required satisfactory assurances), and release only the minimum necessary.
- Document minimum necessary determinations and state-law analyses when disclosing PHI related to reproductive care.
- Coordinate with counsel on cross‑state requests and conflicts of law that may affect reproductive health information. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))
Updating Notice of Privacy Practices Requirements
The 2024 rule also included Notice of Privacy Practices (NPP) updates, but—separate from the court’s ruling—HHS set a later, aligned compliance date so entities could update once for both HIPAA and the new 42 CFR Part 2 substance use disorder (SUD) confidentiality rule. The compliance deadline for NPP updates is February 16, 2026. ([hhs.gov](https://www.hhs.gov/sites/default/files/hipaa-support-rhc-privacy.pdf?utm_source=openai))
The Texas decision vacated the reproductive-health-specific NPP language along with the rest of the 2024 rule, so you do not need to add that vacated language. The Part 2-related NPP changes were left in place, so you must still complete the NPP updates that align HIPAA with the Part 2 final rule (for example, describing how SUD records are used and disclosed, patient rights, and complaint pathways). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))
How to execute the NPP update
- Map existing NPP content against the 42 CFR Part 2 final rule elements and ensure plain‑language explanations of SUD record handling.
- Publish and post the revised NPP, replace prior versions at points of care and on websites, and provide it to new patients at first service delivery on or after the compliance date.
- Train staff on how the updated NPP changes intake, authorizations, and right‑of‑access workflows. ([hhs.gov](https://www.hhs.gov/sites/default/files/hipaa-support-rhc-privacy.pdf?utm_source=openai))
Enhancing HIPAA Security Rule Protections
OCR has proposed a major update to the HIPAA Security Rule to strengthen cybersecurity protections for electronic PHI. The proposal would remove the distinction between "required" and "addressable" implementation specifications, so that safeguards organizations could previously treat as flexible would become mandatory, prescriptive controls aligned with today's threat landscape. The Notice of Proposed Rulemaking (NPRM) was published in the Federal Register in January 2025; a final rule is anticipated on OCR's regulatory agenda in 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html?utm_source=openai))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
What the NPRM signals
- More explicit requirements around risk analysis and risk management, including a written technology asset inventory and network map; access controls such as multi-factor authentication; encryption of ePHI at rest and in transit; network segmentation; regular vulnerability scanning and penetration testing; incident response and restoration of critical systems on a defined timeline; and third-party oversight of business associates. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html?utm_source=openai))
- Closer alignment with HHS Healthcare and Public Health Sector Cybersecurity Performance Goals (HPH CPGs)—a voluntary set of “essential” and “enhanced” cyber practices HHS urges organizations to adopt now. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html?utm_source=openai))
Practical moves you can make today
- Complete a current, documented enterprise‑wide risk analysis and close identified gaps on a risk‑prioritized timeline.
- Implement MFA for all remote and privileged ePHI access, encrypt ePHI in transit and at rest, and verify backups and recovery objectives through regular testing.
- Inventory assets and vendors touching ePHI; tighten business associate oversight, minimum necessary access, and network segmentation. ([hhscyber.hhs.gov](https://hhscyber.hhs.gov/performance-goals.html?utm_source=openai))
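The three steps above (risk analysis, core controls, asset and vendor inventory) become far easier to evidence for an auditor when the inventory is machine-checkable. The following is an added example, not code from the original article or from Accountable: it runs a small set of control checks over a constructed ePHI asset inventory and produces a risk-prioritized gap list. The inventory rows, the check logic, and the scoring weights are all illustrative assumptions; a real program would pull assets from a CMDB, MFA state from the identity provider, and BAA status from the vendor register, and would set its own weighting.

```python
"""Risk-prioritized gap check over an ePHI asset inventory.

Added example for illustration. The inventory below is constructed;
the checks mirror the controls named in the text (MFA on remote and
privileged access, encryption at rest and in transit, tested backups,
business associate oversight). The scoring is an assumed heuristic,
not an HHS formula.
"""
from dataclasses import dataclass
from typing import Optional

RESTORE_TEST_MAX_DAYS = 90  # assumed policy: restore test at least quarterly


@dataclass
class Asset:
    name: str
    vendor: Optional[str]              # None = internally operated
    ephi_records: int                  # approximate ePHI records stored/processed
    internet_facing: bool
    remote_access: bool                # reachable remotely (VPN, RDP, web)
    privileged_access: bool            # admin accounts exist on it
    mfa: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    last_restore_test_days: Optional[int]  # None = backup restore never tested
    baa_on_file: bool                  # only meaningful when vendor is set


# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("ehr-db-01", None, 2_400_000, False, True, True, True, True, True, 20, True),
    Asset("patient-portal", None, 800_000, True, True, False, False, True, True, 400, True),
    Asset("billing-saas", "ClaimsCo", 300_000, True, True, False, True, False, True, None, False),
    Asset("imaging-archive", None, 150_000, False, False, True, False, True, False, 30, True),
    Asset("kiosk-pc-07", None, 0, False, False, False, False, False, True, None, True),
]


def find_gaps(asset: Asset) -> list:
    """Return the control gaps for one asset, scoped to where ePHI is present."""
    gaps = []
    if (asset.remote_access or asset.privileged_access) and not asset.mfa:
        gaps.append("no MFA on remote/privileged access")
    if asset.ephi_records and not asset.encrypted_at_rest:
        gaps.append("ePHI not encrypted at rest")
    if asset.ephi_records and not asset.encrypted_in_transit:
        gaps.append("ePHI not encrypted in transit")
    if asset.ephi_records and (
        asset.last_restore_test_days is None
        or asset.last_restore_test_days > RESTORE_TEST_MAX_DAYS
    ):
        gaps.append("backup restore not tested within %d days" % RESTORE_TEST_MAX_DAYS)
    if asset.vendor and asset.ephi_records and not asset.baa_on_file:
        gaps.append("vendor handles ePHI without a BAA")
    return gaps


def risk_score(asset: Asset, gaps: list) -> int:
    """Assumed heuristic: exposure x ePHI volume x number of open gaps."""
    if not gaps:
        return 0
    exposure = 3 if asset.internet_facing else (2 if asset.remote_access else 1)
    volume = min(asset.ephi_records // 100_000, 10) + 1   # 1..11
    return exposure * volume * len(gaps)


def prioritized_gaps(inventory: list) -> list:
    """Assets with open gaps, highest risk score first."""
    rows = []
    for asset in inventory:
        gaps = find_gaps(asset)
        if gaps:
            rows.append({"asset": asset.name, "score": risk_score(asset, gaps), "gaps": gaps})
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


if __name__ == "__main__":
    for row in prioritized_gaps(INVENTORY):
        print("%-16s score=%3d  %s" % (row["asset"], row["score"], "; ".join(row["gaps"])))
```

Two design points are worth keeping when adapting this: the checks are scoped to assets that actually hold ePHI (the kiosk with no records produces no gap), which is what the minimum necessary and risk analysis framing calls for, and the output is a sorted list you can hand to the remediation owner as the "risk-prioritized timeline" the text describes, with the score recorded alongside each gap so the prioritization itself is documented.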
Meeting Compliance Deadlines
- February 16, 2026: Deadline to implement NPP updates aligned with 42 CFR Part 2. Reproductive‑health‑specific NPP content from the 2024 rule was vacated and is not required. ([hhs.gov](https://www.hhs.gov/sites/default/files/hipaa-support-rhc-privacy.pdf?utm_source=openai))
- 2026 and beyond: Monitor OCR’s finalization of the HIPAA Security Rule overhaul. While timelines can shift, HIPAA final rules typically provide an effective date followed by a compliance period (often around 180 days). Plan and budget accordingly. ([alston.com](https://www.alston.com/en/insights/publications/2025/11/hipaa-security-rule-overhaul?utm_source=openai))
Implementing Training and Policy Updates
Modernization isn’t only about policy text—it’s about day‑to‑day behavior. Refresh workforce training to emphasize minimum necessary disclosures, disciplined request handling after the reproductive‑privacy vacatur, SUD information handling under Part 2, phishing awareness, incident reporting, and escalation. Align policies, procedures, and sanctions with your updated NPP and security practices, and document decisions to demonstrate good‑faith compliance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))
Expect continued scrutiny of core Security Rule duties, especially risk analysis and risk management; OCR’s recent enforcement initiatives have signaled heightened attention to these fundamentals. ([theaicounsel.net](https://theaicounsel.net/wp-content/uploads/2025/07/HHS-OCR-Risk-Analysis-Enforcement-Initiative-Continues-Under-New-Administration.pdf?utm_source=openai))
Understanding Enforcement and Penalties
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules through investigations, resolution agreements with corrective action plans and monitoring, and—where warranted—civil money penalties. Penalties are tiered under the HITECH Act and adjusted for inflation; willful neglect that remains uncorrected draws the most severe consequences. State attorneys general may also bring actions on behalf of residents. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html?utm_source=openai))
Enforcement priorities evolve, but the Right of Access initiative and basic Security Rule compliance (especially risk analysis) continue to feature prominently. Organizations that can show mature security programs and prompt corrective actions generally fare better in investigations. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/banner/index.html?utm_source=openai))
Conclusion
HIPAA modernization in 2026 centers on two realities: complete your required NPP updates by February 16, 2026, and fortify cybersecurity now in anticipation of a more prescriptive Security Rule. Treat the reproductive‑privacy vacatur as the current baseline, strengthen core privacy and security controls, and document your program so you are ready for both audits and evolving rules. ([hhs.gov](https://www.hhs.gov/sites/default/files/hipaa-support-rhc-privacy.pdf?utm_source=openai))
FAQs
What are the key changes to HIPAA under the 2024 modernization?
In 2024, HHS finalized reproductive‑health‑related HIPAA Privacy Rule modifications (later largely vacated in June 2025) and set a February 16, 2026 deadline to update NPPs in coordination with 42 CFR Part 2. OCR also proposed a comprehensive Security Rule overhaul to strengthen cybersecurity protections for ePHI; a final rule is expected in 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))
How does the new rule protect reproductive health information?
The 2024 final rule would have prohibited certain uses and disclosures of PHI related to lawful reproductive health care and required a signed attestation for specific requests. However, most of those provisions were vacated nationwide on June 18, 2025, so they are not in effect as of April 20, 2026. Entities must follow existing HIPAA Privacy Rule standards and relevant state law. ([crowell.com](https://www.crowell.com/en/insights/client-alerts/ocr-finalizes-hipaa-modifications-to-strengthen-reproductive-health-care-privacy?utm_source=openai))
When must covered entities comply with the updated Notice of Privacy Practices?
By February 16, 2026. The deadline aligns HIPAA NPP updates with the 42 CFR Part 2 final rule. Because the court vacated the reproductive‑health‑specific NPP elements, you do not need to include that vacated language, but you must incorporate required Part 2 content. ([hhs.gov](https://www.hhs.gov/sites/default/files/hipaa-support-rhc-privacy.pdf?utm_source=openai))
What are the penalties for non-compliance with the modernized HIPAA rules?
OCR applies a tiered, inflation‑adjusted penalty framework and can require corrective actions with multi‑year monitoring. Willful neglect that is not corrected carries the highest penalties, and state attorneys general can also enforce HIPAA. Strong documentation, timely remediation, and mature security controls can significantly mitigate enforcement risk. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html?utm_source=openai))