HIPAA Privacy Rule Proposed Changes Explained: Requirements, Timelines, and Action Steps
You need a clear view of what changed, what’s proposed next, and what to do now. This guide explains recent HIPAA Privacy Rule developments, key compliance dates, how proposed HIPAA Security Rule updates could affect you, and practical steps for covered entities and business associates to stay audit‑ready.
Overview of Recent HIPAA Privacy Rule Changes
In 2024, HHS finalized the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, but on June 18, 2025, a federal court vacated most of that rule nationwide. One notable exception remains: certain updates to the Notice of Privacy Practices (NPP) survived and still require action. Compliance with the remaining NPP modifications is due February 16, 2026, while HHS considers next steps after the ruling. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
What the 2024 final rule (now largely vacated) sought to do: prohibit specific uses and disclosures of protected health information (PHI) related to lawful reproductive health care, and require a signed attestation for certain requests (e.g., law enforcement, oversight, court proceedings). Because those provisions were vacated, they are not presently enforceable, but the NPP-related changes remain. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
Separately, OCR’s earlier (2021) NPRM on care coordination and Right of Access remains proposed; it has not been finalized as of November 26, 2025. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-care-coordination/index.html?utm_source=openai))
Compliance Deadlines and Requirements
Key dates you should track: the reproductive health final rule took effect June 25, 2024. The general compliance date was December 23, 2024. After the June 18, 2025 court decision, those vacated provisions no longer apply, but NPP modifications that were not struck remain and must be implemented by February 16, 2026. ([gao.gov](https://www.gao.gov/products/b-336288?utm_source=openai))
What the NPP must now cover
- Plain-language explanations addressing how your organization uses and discloses PHI, including references to other applicable laws like 42 CFR Part 2 for substance use disorder records, consistent with HIPAA’s remaining NPP modifications.
- Clear descriptions of individual rights and your duties as a covered entity, aligned with the surviving NPP updates.
- Operational alignment: ensure posted, printed, and website NPPs match, and your distribution workflows (e.g., new patient intake) deliver the updated NPP on time.
Tip: Treat the period between publication and the compliance date as the “compliance period”—the window to revise policies, retrain staff, update forms, and test processes. For business associates, confirm downstream communications so your partners understand when your updated NPP goes live and what changes it implies.
Proposed HIPAA Security Rule Enhancements
OCR has proposed the first major modernization of the HIPAA Security Rule since 2013. The NPRM (issued December 27, 2024; published January 6, 2025) would add specificity and tighten expectations for safeguarding ePHI, including removing the “addressable vs. required” distinction (with limited exceptions) and mandating more concrete technical and administrative controls. Public comments closed March 7, 2025; until a final rule issues, the current Security Rule remains in force. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
Highlights you should anticipate
- Security governance: written, tested, and regularly updated policies; annual compliance audits; technology asset inventories and network maps refreshed at least every 12 months.
- Access and authentication: multi‑factor authentication; rapid access change/termination notifications; role‑based access rigor.
- Core safeguards: encryption of ePHI in transit and at rest; anti‑malware; removal of extraneous software; network segmentation; vulnerability scanning (at least every six months) and annual penetration testing.
- Resilience: incident response and contingency planning with procedures to restore critical systems and data within 72 hours; separate technical controls for backup and recovery.
- Business associate oversight: annual verification that required technical safeguards are deployed; time‑bound notifications (e.g., upon contingency plan activation).
If finalized substantially as proposed, these enhancements will materially raise the baseline for covered entities and business associates, particularly around asset management, vendor oversight, and measurable cyber resilience. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
Action Steps for Covered Entities and Business Associates
Immediate privacy priorities
- Map your current NPP language to the surviving NPP requirements and 42 CFR Part 2 alignment; draft updates now so you can publish by the February 16, 2026 deadline.
- Review intake, acknowledgment, posting, and website update workflows to ensure the updated NPP reaches individuals consistently on day one.
- Train workforce members on handling PHI requests post‑vacatur; remove any attestation steps tied to vacated provisions unless required under other laws or policies.
Security readiness (anticipating the NPRM)
- Perform a HIPAA Security Rule gap analysis focused on proposed controls: MFA, encryption, segmentation, vulnerability scanning, and 72‑hour restoration capabilities.
- Build or refine a technology asset inventory and ePHI data flow map; validate accuracy quarterly until your annual cadence is reliable.
- Pressure‑test incident response and disaster recovery playbooks; document tabletop exercises and lessons learned.
- Tighten business associate management: inventory all BAs and subcontractors, define annual verification expectations, and update BAAs to anticipate faster notifications and evidence of controls.
- Budget early: plan capital and operational spend for security tooling, identity and access management upgrades, and staff training.
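An added example (not from the original article or any Accountable product) covering the "Highlights you should anticipate" list and the gap analysis step above: it checks hypothetical control evidence dates against the NPRM review intervals cited on this page (six-month vulnerability scans, annual audits, inventories, penetration tests and BA verification) and the 72-hour restoration target. The control names, dates and system names are constructed assumptions.

```python
from datetime import date, timedelta

# Review cadences from the Security Rule NPRM highlights summarized on this page.
# The 72-hour restoration target is a recovery objective, not a review interval,
# so it is checked against measured restore times rather than a last-done date.
CADENCE_DAYS = {
    "compliance_audit": 365,
    "asset_inventory_and_network_map": 365,
    "vulnerability_scan": 183,          # at least every six months
    "penetration_test": 365,
    "ba_safeguard_verification": 365,   # annual verification of BA technical safeguards
}
RESTORE_TARGET = timedelta(hours=72)

def control_status(last_done, cadence_days, as_of):
    """Return (state, days_remaining): state is 'ok' or 'overdue'.
    days_remaining is negative when the next evidence is already overdue;
    evidence due exactly today still counts as 'ok'."""
    due = last_done + timedelta(days=cadence_days)
    remaining = (due - as_of).days
    return ("ok" if remaining >= 0 else "overdue", remaining)

def gap_report(evidence, restore_tests, as_of):
    """evidence: {control: date of last completed evidence, or None if none exists}.
    restore_tests: {system: timedelta measured in the last recovery exercise}.
    Returns {finding: (state, metric)} suitable for a gap-analysis worksheet."""
    findings = {}
    for control, cadence in CADENCE_DAYS.items():
        last = evidence.get(control)
        findings[control] = ("missing", None) if last is None else control_status(last, cadence, as_of)
    for system, measured in restore_tests.items():
        hours = int(measured.total_seconds() // 3600)
        findings["restore:" + system] = ("ok" if measured <= RESTORE_TARGET else "exceeds_72h", hours)
    return findings

def overdue_items(report):
    """Names of findings that need work, for the remediation log."""
    return sorted(k for k, (state, _) in report.items() if state != "ok")

# Constructed sample evidence (hypothetical dates and systems, not from the page).
SAMPLE_EVIDENCE = {
    "compliance_audit": date(2025, 1, 15),
    "asset_inventory_and_network_map": date(2024, 10, 1),
    "vulnerability_scan": date(2025, 7, 1),
    "penetration_test": None,
    "ba_safeguard_verification": date(2024, 11, 26),
}
SAMPLE_RESTORE_TESTS = {"ehr_db": timedelta(hours=48), "imaging_archive": timedelta(hours=96)}
AS_OF = date(2025, 11, 26)  # assessment date used for the sample run
```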
Governance and documentation
- Use a change‑controlled playbook to track policy revisions, approvals, and workforce training completion.
- Record your rationale for risk decisions that affect PHI, and log remediation dates to demonstrate continuous improvement.
Regulatory Process for Implementing HIPAA Modifications
Under the Administrative Procedure Act (APA), HHS generally follows a notice‑and‑comment approach: issue a Notice of Proposed Rulemaking (NPRM), hold a public comment period, review and respond to comments, and then publish a final rule in the Federal Register with an effective date and a compliance period. HIPAA also limits modification frequency for a standard or implementation specification to no more than once every 12 months, which affects when bundled updates (like NPP changes) are finalized. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/html/2024-30983.htm))
For the Security Rule NPRM, HHS set a 60‑day public comment period (through March 7, 2025). Your best practice: treat NPRMs as early warnings—start planning, provide data‑driven feedback during the public comment period, and be ready to adjust once the final text and compliance timelines are published. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/html/2024-30983.htm))
Timeline for Rule Changes and Compliance
- April 26, 2024: Final HIPAA Privacy Rule to Support Reproductive Health Care Privacy published (89 FR 32976). Effective June 25, 2024. ([gao.gov](https://www.gao.gov/fedrules/208826?utm_source=openai))
- December 23, 2024: General compliance date for that final rule (now largely vacated). ([dlapiper.com](https://www.dlapiper.com/en-us/insights/publications/2024/05/ocr-finalizes-hipaa-privacy-rule-to-support-reproductive-healthcare-privacy?utm_source=openai))
- December 27, 2024 / January 6, 2025: OCR issues Security Rule NPRM; Federal Register publication; comments due March 7, 2025. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2025-01-06/html/2024-30983.htm))
- June 18, 2025: Court vacates most of the reproductive health privacy final rule nationwide; NPP modifications remain. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
- February 16, 2026: Compliance date for the surviving NPP modifications. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
Impact of Court Decisions on Privacy Rules
The June 18, 2025 ruling reshaped your near‑term priorities: most new reproductive‑health‑specific restrictions and attestation requirements were vacated, but updates to the NPP survived and carry a February 16, 2026 compliance deadline. Expect further movement—appeals or new rulemaking could alter obligations again—so monitor OCR’s Regulatory Initiatives and be prepared to adjust policies and training quickly. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html?utm_source=openai))
Conclusion
Today’s landscape mixes finalized-but-partially‑vacated Privacy Rule changes with ambitious Security Rule proposals. Focus now on timely NPP updates, sustain HIPAA Privacy and Security Rule fundamentals, and line up resources for likely security enhancements. Proactive planning, disciplined documentation, and strong business associate oversight will keep you compliant and resilient.
FAQs
What are the key changes proposed to the HIPAA Privacy Rule?
The most visible “privacy” activity since 2024 involves the reproductive health final rule—most of which was vacated on June 18, 2025—plus surviving NPP changes that still require updates by February 16, 2026. Beyond that, OCR’s 2021 Privacy NPRM on care coordination and Right of Access remains proposed. Keep your focus on the NPP updates now, while watching for any renewed Privacy Rule proposals following the court decision. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
When must covered entities comply with the updated NPP requirements?
By February 16, 2026. That deadline remains in place despite the 2025 court ruling, which left the relevant NPP modifications undisturbed. Plan for drafting, approvals, publication (paper and web), and workforce training well ahead of that date. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
How does the recent court decision impact the HIPAA Privacy Rule?
The Northern District of Texas vacated most of the 2024 reproductive health privacy final rule nationwide. Practically, covered entities and business associates no longer implement those vacated provisions (such as the attestation requirement), but must still implement the surviving NPP changes by February 16, 2026. Continue monitoring for appeals or new guidance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
What actions should covered entities take to prepare for these modifications?
Update your NPP, retrain staff on request handling, and ensure distribution workflows are ready by February 16, 2026. In parallel, complete a Security Rule gap analysis aligned to the NPRM (MFA, encryption, segmentation, asset inventory, incident response, BA oversight), tighten documentation, and test recovery to confirm you can restore critical systems and ePHI rapidly if an incident occurs. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))