Recent HIPAA compliance regulatory changes consist of a federal court vacating most of the 2024 HIPAA Privacy Rule amendments for reproductive health information while leaving certain Notice of Privacy Practices requirements in effect with a compliance date of February 16, 2026, and a pending proposed update to the HIPAA Security Rule issued by the HHS Office for Civil Rights in late 2024 and published for public comment in early 2025 that has not been finalized.
On April 22, 2024, the HHS Office for Civil Rights issued a final rule titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy that restricted certain uses and disclosures of protected health information relating to lawful reproductive health care and added related administrative requirements. On June 18, 2025, the U.S. District Court for the Northern District of Texas declared unlawful and vacated most of that final rule, and the HHS Office for Civil Rights stated that only specified Notice of Privacy Practices provisions were vacated while the remaining Notice of Privacy Practices modifications remain effective with compliance required by February 16, 2026. Hospitals, health plans, and other regulated entities that use a Notice of Privacy Practices should treat the February 16, 2026 compliance date as an operational deadline for revising the notice content and associated distribution controls that apply to their settings.
The HHS Office for Civil Rights issued a proposed rule on December 27, 2024 to update the HIPAA Security Rule, with the proposal describing more specific administrative, physical, and technical safeguard expectations for electronic protected health information. The proposal states that the current HIPAA Security Rule remains in effect during rulemaking, so regulated entities remain obligated to maintain a documented risk analysis and risk management program, implement reasonable and appropriate safeguards, and maintain written policies and procedures that reflect their systems, vendors, and workflows while monitoring whether a final rule is issued and what compliance timeframes apply.
A separate set of HIPAA Privacy Rule modifications proposed in January 2021 to change access, care coordination, and administrative requirements has remained in proposed status as of February 2026. Regulated entities should treat these proposals as non-binding until a final rule is issued and should base compliance obligations on currently effective HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule requirements.