Proposed HIPAA Security Rule Changes: What Mental Health Practices Should Understand Right Now
Last Updated: May 19, 2026
Current Status: Proposed Rule Changes Pending Finalization
Monitoring ongoing Security Rule developments and updating this resource as additional guidance becomes available.
There has been increasing discussion across healthcare compliance, cybersecurity, and legal circles regarding the proposed updates to the HIPAA Security Rule. Some organizations are already preparing aggressively for potential changes, while many therapists are hearing fragmented, overly simplified, or outright conflicting information online and trying to figure out what is actually happening.
At this point, the proposed rule has not been finalized. However, the conversation around it has intensified significantly in recent months, particularly as healthcare cybersecurity concerns, ransomware attacks, and large-scale breaches continue to increase across the industry.
For mental health practices, this is not the time to panic. It is the time to start paying attention. A lot of the areas being discussed under these proposed changes are areas regulators have already been focusing on for years. What seems to be shifting now is how operational and how specific those expectations may become.
Are the HIPAA Security Rule changes finalized yet?
Short Answer
No. As of May 2026, the proposed HIPAA Security Rule updates have not been finalized, although many healthcare compliance professionals believe the process may be nearing completion.
Full Explanation
The proposed changes originated from a Notice of Proposed Rulemaking (NPRM) issued by the U.S. Department of Health and Human Services (HHS). The proposal has already gone through the public comment period and broader regulatory review process that federal healthcare regulations typically require.
That matters because many people are now hearing statements such as:
“The Security Rule changes are coming soon.”
One of the biggest things getting blurred together right now is the difference between a proposed rule, a finalized rule, an effective date, and an actual compliance deadline. Those are very different things operationally and legally.
At the time of this article, there is still no finalized Security Rule update. Final language, implementation timelines, and enforcement expectations could still change before publication of a final rule.
At the same time, many healthcare organizations and compliance professionals are taking the proposal seriously because it reflects broader operational and cybersecurity expectations regulators have already been emphasizing for years.
As outlined by the HHS Office for Civil Rights (OCR), healthcare cybersecurity and risk management continue to be major areas of concern across the industry.
Why are regulators pushing for changes to the HIPAA Security Rule?
Short Answer
A big part of this is healthcare cybersecurity. Breaches, ransomware attacks, vendor issues, and cloud-based systems have become a much bigger concern across healthcare.
Full Explanation
Healthcare has become one of the most heavily targeted industries for cyberattacks. That includes small and midsize healthcare organizations, not just large hospital systems.
For many years, HIPAA discussions in smaller practices often focused heavily on forms, privacy notices, and paperwork. While those things still matter, the healthcare landscape has changed significantly. Most practices are now relying on cloud-based systems, telehealth platforms, remote access, AI tools, integrated applications, mobile devices, and multiple third-party vendors, often all at the same time.
Most people still picture HIPAA breaches as stolen paper files, someone breaking into a physical office, or even disclosing a document to the wrong person. That is not what most healthcare breaches look like anymore.
Many breaches now involve phishing attacks, compromised credentials, ransomware, insecure vendors, poorly managed cloud systems, or unauthorized access inside platforms organizations use every single day.
What we seem to be seeing regulators push toward is a more structured and ongoing approach to cybersecurity, operational oversight, and risk management across healthcare.
A lot of the proposed Security Rule discussion seems to be moving healthcare organizations away from treating compliance like a one-time event and more toward ongoing operational management of risk over time.
The proposed Security Rule changes published through the Federal Register reflect that broader shift.
What changes are being proposed under the HIPAA Security Rule updates?
Short Answer
Although the final rule has not yet been released, the proposed updates appear to move toward more operational and prescriptive security expectations, particularly around risk analysis, documentation, vendor oversight, and cybersecurity safeguards.
Full Explanation
One of the biggest discussions happening right now involves the current HIPAA concept of “addressable” implementation specifications.
Under the current Security Rule framework, some safeguards are considered addressable, meaning organizations must assess whether a safeguard is reasonable and appropriate for their specific environment and document their reasoning accordingly.
A lot of the discussion right now is centered around whether regulators are moving toward more standardized expectations across healthcare organizations, including smaller practices that historically had more flexibility in how they addressed certain safeguards.
Much of the proposed discussion appears focused on stronger expectations around ongoing risk analysis, remediation tracking, vendor oversight, access management, documentation of security efforts, incident response procedures, and operational accountability over time.
The exact final language remains unknown, which is why I think practices should be careful about treating industry predictions as finalized requirements.
What we do seem to be seeing, though, is a broader push toward healthcare organizations being able to demonstrate not just that policies exist, but that risk management and security oversight are actively functioning over time inside the organization.
As discussed in HHS Security Rule Guidance, regulators have increasingly emphasized risk management as an ongoing operational process rather than an annual checkbox exercise.
What is already required under HIPAA right now?
Short Answer
Many of the areas receiving attention under the proposed Security Rule are already required under current HIPAA regulations today.
Full Explanation
One of the biggest misunderstandings currently circulating online is the idea that practices can simply “wait for the new rule” before addressing security and operational concerns.
That is not accurate.
Under current HIPAA requirements, practices are already expected to conduct risk analyses, maintain safeguards, manage vendor relationships, train workforce members, document policies and procedures, and respond appropriately to incidents involving protected health information.
A lot of these obligations already exist under HIPAA now. What seems to be changing is how operational and how specific regulators may expect practices to become around documenting, reviewing, and managing those risks over time.
That distinction matters.
A lot of therapists were taught to think about HIPAA mostly in terms of forms, notices, and paperwork. What we seem to be moving toward now is a much more operational view of compliance.
One of the biggest shifts I think mental health practices need to understand is that HIPAA compliance is increasingly being viewed operationally, not just as a set of forms and policies sitting in a folder somewhere.
Having policies still matters. Documentation still matters. But the larger conversation happening across healthcare right now seems to be moving toward whether organizations can actually demonstrate how privacy, security, oversight, and risk management are functioning over time in the practice's day-to-day operations.
What does “ongoing risk analysis” actually mean for therapists?
Short Answer
Regulators increasingly seem to be viewing risk analysis as a continuous operational process rather than a once-per-year compliance task.
Full Explanation
Historically, many organizations treated Security Risk Analyses as annual events. A practice might complete an assessment, store the documentation, and revisit it the following year.
Current regulatory guidance seems to be moving away from that model.
Instead, OCR has increasingly emphasized the idea that risk management should function as an ongoing process involving review, remediation, follow-through, and documentation over time.
That does not mean practices suddenly need to perform massive formal risk analyses every month.
What it does seem to mean is that organizations are increasingly expected to demonstrate awareness of risks, evaluation of operational vulnerabilities, follow-through on identified concerns, and documentation showing those issues are actively being reviewed and managed over time.
For mental health practices, that may include reviewing:
- telehealth workflows
- remote access procedures
- AI usage
- vendor relationships
- cloud platforms
- employee access
- device management
- communication practices
The direction this seems to be moving is toward practices being able to show that they are actively reviewing and managing operational risk over time, not just completing a yearly checklist and putting it in a folder somewhere.
Common Mistake Therapists Make
Many therapists assume HIPAA compliance is primarily about forms, policies, and signed documents. Increasingly, regulators appear focused on operational implementation and whether organizations can demonstrate ongoing management of security risks over time.
A written policy that does not match what is actually happening inside the practice can become a problem very quickly during an audit, investigation, or breach response situation.
Documentation still matters. But increasingly, practices also need to be able to show how those policies and decisions are actually functioning in the practice's day-to-day operations.
What could these proposed changes look like inside an actual therapy practice?
Short Answer
For many therapists, the biggest impact will likely involve operational workflows, documentation practices, vendor oversight, and security management rather than changes to clinical care itself.
Full Explanation
Imagine a small group therapy practice using an EHR, Google Workspace, telehealth software, online scheduling tools, AI-assisted documentation tools, remote contractors, and virtual assistants.
Under both current HIPAA expectations and the proposed Security Rule direction, the practice may increasingly need to demonstrate:
- who has access to protected health information
- which vendors have signed BAAs
- how workforce access is managed
- how risks are reviewed and documented
- how incidents would be handled
- how operational decisions are evaluated over time
This does not mean small therapy practices suddenly need to operate like hospital systems.
It does mean loosely managed workflows, informal processes, and undocumented technology decisions are starting to carry much greater operational risk than they used to.
Here’s a simple way to see the difference:
Will practices have time to implement changes if the rule becomes final?
Short Answer
Most likely, yes.
Full Explanation
Historically, major HIPAA regulatory changes have included implementation periods or grace periods that allow organizations time to adapt operationally.
Even many healthcare compliance professionals discussing the proposed Security Rule changes acknowledge that organizations would likely receive time to review and implement updates following publication of a final rule.
That said, waiting until final publication to begin reviewing foundational compliance practices may place organizations in a much more reactive position later.
Practices that begin strengthening operational consistency, documentation processes, vendor oversight, and security management now will likely be in a much stronger position regardless of the exact final language.
I do think practices should be paying attention to this. I just do not think people need to spiral every time a proposed regulatory change gets discussed online.
What should mental health practices realistically focus on right now?
Short Answer
Practices should focus on strengthening foundational operational compliance areas that already matter today and are unlikely to disappear regardless of final rule wording.
Full Explanation
For many therapists and group practices, the most productive next steps involve understanding where protected health information exists inside the practice, how vendors and technology platforms are being used, how staff access is managed, and how operational decisions are documented.
This is also a good time for practices to evaluate whether their written policies actually reflect their real workflows.
A lot of practices eventually realize that convenience-based workflows, evolving technology use, and informal habits have slowly drifted away from what their written policies say they are doing.
The direction healthcare compliance seems to be moving is toward greater operational accountability, stronger cybersecurity expectations, and more ongoing management of risk over time.
One of the biggest things I would encourage practices to avoid right now is assuming they either need to panic or completely overhaul everything overnight.
What I do think practices should be doing is paying much closer attention to how compliance and security are actually functioning operationally inside the practice rather than viewing HIPAA as primarily a documentation exercise.
What do we still not know yet about the proposed HIPAA Security Rule updates?
Short Answer
There are still important unknowns, including final language, implementation timelines, enforcement expectations, and how certain proposed requirements may ultimately apply to smaller healthcare organizations.
Full Explanation
This is one of the most important parts of the current conversation.
Right now, there is a significant amount of industry discussion, speculation, and anticipation surrounding the proposed Security Rule changes. Some healthcare compliance professionals believe the final rule may arrive relatively soon. Others believe timelines could still shift.
At this stage, organizations should be careful not to confuse:
- industry expectations
- vendor marketing
- compliance predictions
- finalized enforceable law
I think the most responsible approach right now is to stay informed, monitor credible regulatory sources, and focus on strengthening the operational areas that already matter under HIPAA today instead of reacting to every piece of speculation online.
Update Log
May 19, 2026
Initial article published. Proposed HIPAA Security Rule updates remain pending finalization. Increased healthcare industry discussion continues regarding possible upcoming publication of a final rule.
Additional Resources
If you are trying to better understand how HIPAA compliance functions operationally inside a therapy practice, I’ve also created therapist-focused compliance resources designed to help mental health providers evaluate workflows, documentation practices, vendor oversight, and foundational risk management expectations in a more practical and understandable way.
Sources
HHS Office for Civil Rights (OCR) – https://www.hhs.gov/hipaa/index.html
Federal Register – https://www.federalregister.gov/
HHS Security Rule Guidance – https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
About the Author
Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3
Samantha is a licensed mental health professional, solo and group practice owner, and the founder of Guardian Clinical Essentials™, where she helps therapists and group practices implement practical, audit-ready HIPAA and state-specific compliance systems.
Drawing from direct experience in clinical practice and compliance consulting, Samantha specializes in translating complex federal and state regulations into clear, usable policies, tools, and workflows designed specifically for mental health providers.
Related HIPAA Resources
Many practices are also reviewing how AI tools, cloud-based systems, vendor oversight, and ongoing risk management fit into their broader HIPAA workflows. I’ve written more extensively about many of those considerations in the AI + HIPAA Resource Hub.
If you want to better understand how these issues connect to your practice, these additional resources may also be helpful:
