HHS Updates Rulemaking Timeframes | Davis Wright Tremaine

HHS Updates Rulemaking Timeframes | Davis Wright Tremaine

HHS Updates Rulemaking Timeframes | Davis Wright Tremaine

https://www.dwt.com/blogs/privacy–security-law-blog/2026/07/hhs-updates-hipaa-rulemaking-timeframes

Publish Date: 2026-07-08 11:35:00

Source Domain: www.dwt.com

The U.S. Department of Health and Human Services (HHS) updated its timeframes for upcoming rulemakings on the reginfo.gov website. These dates are not set in stone, but represent HHS’ current projections of when new proposed and final rules will be published. HHS’ last regulatory update was in spring 2025.

HHS has pushed back the date of the final amendments to the HIPAA Security Rule from May 2026 to July 2027. The description of the rule has remained the same since the spring 2025 regulatory update, but the status of the rulemaking has gone from “final rule stage” to “long term actions.” Also, this rulemaking is no longer included in the 2026 Agency Rule List (it instead can be found by searching the website). The new July 2027 date indicates that HHS still intends to finalize at least some of the proposed amendments to the Security Rule. We suspect, however, that HHS will finalize only some of the proposals—likely less controversial ones that it believes provide the highest risk reduction.

On a more immediate timeframe, HHS indicates that it intends to release final amendments to the Privacy Rule to support coordinated care (RIN 0945-AA00) next month. This final rule was proposed on January 21, 2021, and:

. . . will address proposals to modify the HIPAA Privacy Rule to strengthen individuals’ rights to access their own protected health information, including electronic information; improve information sharing for care coordination and case management for individuals; facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhance flexibilities for disclosures in emergency or threatening circumstances; support the use of telecommunications relay services by individuals and workforce members of HIPAA covered entities and business associates who are deaf, hard of hearing, deaf-blind, or who have a speech disability; expand the Privacy Rule permission to use and disclose…

Source