Lifeline Compliance · April 19, 2026
OCR put May 2026 on its own regulatory agenda as the target date for the most significant overhaul of the HIPAA Security Rule since 2003. The rule has been in the works for over a year. The proposed version was published in the Federal Register on January 6, 2025. Comments closed March 7, 2025. OCR received roughly 4,700 of them and has been reviewing ever since.
The month is now over. The final rule has not been published. OCR has not confirmed whether it will hit the deadline. The agency has not even said publicly whether the deadline is still on the table.
That silence is the story. And what a small independent practice should do in response is more nuanced than the headlines suggest.
The proposed rule, if finalized substantially as written, would be the most ambitious cybersecurity expansion in HIPAA history. The biggest shift is conceptual. Since 2003, the Security Rule has divided its implementation specifications into two categories: required and addressable. Required specifications must be implemented. Addressable specifications must either be implemented or, if not, must be supported by a documented analysis explaining why an alternative is reasonable and appropriate.
In practice, “addressable” has functioned as the escape hatch for many small practices. Encryption is addressable today. So is multi-factor authentication. So is automatic logoff. So are several years’ worth of technical safeguards that practices have skipped, papered over, or never seriously considered.
The proposed rule eliminates that distinction. Nearly every implementation specification becomes required, with a narrow set of exceptions. The substantive provisions hospitals and compliance vendors have been quietly bracing for include:
That is not a redecoration of the existing rule. It is a different rule. And the compliance window, once it starts, is 240 days from Federal Register publication.
Three things are colliding in real time, and any one of them would be enough to slow the rule down.
The industry pushback has been overwhelming. In February 2025, the College of Healthcare Information Management Executives led a coalition letter signed by more than one hundred U.S. hospital systems and eight major industry associations including the American Medical Association, the American Academy of Pediatrics, Cleveland Clinic, Yale New Haven, and Advocate Health. The letter asked HHS to withdraw the proposed rule outright. The core argument was that HHS’s own estimate of $9 billion in year-one compliance costs would fall hardest on safety-net providers and small practices that cannot absorb it.
The lobbying did not stop with a letter. On April 1, 2026, Greg Garcia, Executive Director of the Health Sector Coordinating Council Cybersecurity Working Group, testified before the House Energy and Commerce Oversight and Investigations Subcommittee. He asked HHS to suspend the proposed rule and replace it with a one-year industry consultation period focused on building consensus instead of imposing requirements.
The political environment changed. The proposed rule was drafted under the prior administration. The current administration has prioritized deregulation across federal agencies. A major rule expanding mandatory healthcare cybersecurity standards is exactly the kind of regulation a deregulatory administration would scrutinize, delay, water down, or quietly let die through neglect.
This is not speculation. It is the explicit assessment of practitioners who follow these rules closely. As one commenter put it bluntly in a recent r/hipaa thread, the proposed rule is “a relic of the previous administration” that “runs afoul of their deregulatory push,” and the chance it gets significantly watered down is real. The comment got little engagement, but it captures something the headline coverage misses. The HIPAA practitioner community is not panicking. They have seen too many announced deadlines slip into the next administration, the next agenda, the next consultation period.
OCR has not committed to anything publicly. As of late April 2026, the agency was still reviewing comments. The May target remained on the Spring Unified Agenda. Beyond that, no statements. No press release. No notice of revised timeline. No notice of delay. Just silence.
Silence is information. In federal rulemaking, agencies that intend to hit aggressive deadlines typically signal it. They preview at conferences, they give interviews, they publish guidance documents in parallel with the rulemaking. OCR has done none of that in 2026. The most reasonable read is that May was always aspirational and the agency is now figuring out what to do with the 4,700 comments and the lobbying coalition without committing to a new date.
Anyone giving you a confident prediction about how this resolves is overconfident. The honest framing is a small number of scenarios, each plausible.
Scenario 1: The rule publishes in the next 90 days substantially as proposed. OCR finishes its comment review, accepts modest technical changes, and pushes the rule across the finish line before political headwinds get worse. The 240-day clock starts in late summer or early fall. Practices would need to be in compliance by spring 2027. Under this scenario, the industry pushback factors in mostly through OCR’s enforcement discretion rather than through changes to the rule. The agency has already signaled it will credit “good-faith, phased compliance plans” from critical access hospitals and federally qualified health centers. The same flexibility may or may not extend to small private practices.
Scenario 2: The rule publishes by year-end 2026 with material modifications. OCR yields to the loudest industry concerns and revises the most controversial provisions. The most likely candidates for revision are the 24-hour breach notification timeline (industry argues it is operationally impossible), the annual penetration testing mandate (small practices argue it is unaffordable), and the network segmentation requirement (technically demanding for any organization without enterprise IT). The substantive direction is preserved but specific requirements are softened or phased in over a longer period.
Scenario 3: The rule is paused, withdrawn, or quietly shelved. The new administration uses its regulatory review authority to pull the rule back. This could come in several forms: a notice of withdrawal, a notice of intent to reissue, a notice of additional consultation, or simply continued silence stretching into 2027 and beyond. The lobbying coalition pushed explicitly for this outcome in April 2026. Whether the administration agrees is unclear, but it is on the table.
Each scenario carries the same implication for an independent practice. The substantive direction of OCR’s enforcement does not change based on which scenario plays out. The agency has been enforcing many of these provisions as if they were already required, through the Risk Analysis Initiative that has produced more than a dozen settlements citing risk analysis failures since late 2024. The fines have ranged from $5,000 to over $100,000 against practices of the same size as yours. A small Illinois treatment center paid $103,000 in February 2026 for a phishing-induced breach, with OCR citing a missing risk analysis as the underlying cause.
In other words, whether the new rule lands or not, the direction of travel is fixed. The settlements OCR keeps publishing are the practical version of the proposed rule, applied through enforcement discretion rather than codified obligation.
The hospital systems and industry associations fighting this rule are not fighting on behalf of small practices. They are fighting on behalf of organizations with compliance departments, legal teams, lobbying budgets, and direct lines to HHS. The rule, as drafted, is genuinely burdensome for those organizations. But it is fatal for smaller ones, and the smaller ones are not in the room.
When the AMA signed the coalition letter, it was speaking for physicians broadly. When CHIME signed, it was speaking for CIOs at health systems. When Cleveland Clinic signed, it was speaking for itself. Independent practices were not directly represented in the coalition. Their interests were assumed to be aligned with the broader industry push, and in many ways they were, but the small-practice burden is different in kind, not just degree.
A 600-bed health system that has to implement MFA across all systems has an IT department, an existing identity management platform, and a vendor roster ready to do the work. The system absorbs the cost into its annual technology budget. A 6-provider primary care practice has none of that. The same compliance requirement falls on the office manager, who has to figure out which vendor to call, what MFA system actually works with the EHR, how to roll it out without breaking the clinical workflow, and how to train staff who are not technically inclined.
The proposed rule estimates $9 billion in year-one compliance costs across all covered entities. HHS did not publish a per-practice estimate for small practices, but informal industry analysis puts the figure for a typical 5-to-10 provider practice somewhere between $15,000 and $40,000 in the first year, plus ongoing operating costs. That number is conservative because it assumes the practice has reasonable IT infrastructure to start with. Many do not.
For practices operating on margins that have been compressed by Medicare rate cuts, payer mix changes, and rising staff costs, that compliance bill is the difference between profitable and not. Some practices will find a way. Others will not. Some will simply continue operating non-compliantly and hope OCR does not come calling.
The proposed rule contains no small-practice carve-out, no scaled obligations based on practice size, no phased timeline for organizations with fewer than 25 staff. The same standards that apply to a 500-physician health system apply to a solo dermatology office. The result, if the rule lands as proposed, is regulatory burden that is essentially flat in absolute terms but radically uneven in proportional terms. Big systems handle it. Small practices struggle. Solo practices are most at risk.
This is a real concern. It deserves to be named. And it is also, frustratingly, not a reason to wait.
There are several reasons a small independent practice should treat this rule as if it is going to land, even if it might not.
First, the substantive direction is locked in regardless. OCR’s enforcement priorities have been clear for two years. Risk analysis, encryption, access controls, and incident response are the focus. The rule, if finalized, codifies what the agency is already enforcing. If the rule does not finalize, OCR continues to enforce through investigations and settlements, with the same result. There is no scenario where these requirements stop being important.
Second, the 240-day compliance window, when it starts, is short. A practice that has done nothing when the rule publishes has eight months to implement annual penetration testing, vendor MFA, encryption upgrades, asset inventory, network mapping, vulnerability scanning, incident response procedures, and updated documentation. That is not eight months of leisurely work. That is eight months of crisis-mode procurement, configuration, training, and documentation. The practices that will struggle most are the ones that wait for the publication to start the work.
Third, the gap assessment is useful regardless of which scenario plays out. Sit down with the proposed rule, walk through each requirement, and ask “what do we have, what do we lack, what would it cost to close the gap.” That exercise is valuable as preparation for the rule, as a baseline for arguing internally about IT budget, as evidence of good-faith compliance effort if OCR ever investigates, and as the foundation of a risk analysis OCR is already enforcing.
Fourth, many of the proposed requirements are things you should be doing for non-HIPAA reasons. MFA prevents most account compromises. Encryption protects you in any breach scenario. Network segmentation limits the blast radius of ransomware. Annual penetration testing surfaces problems before adversaries do. These are not bureaucratic obligations dreamed up by regulators. They are operational hygiene that reduces real risk to your patients and your business.
The argument for doing the work is not “the rule is coming, panic.” It is “you should be doing most of this anyway, the proposed rule just makes it explicit.”
These are the concrete steps a small practice can take in the next 90 days, regardless of whether the final rule lands, listed in priority order.
Complete a documented HIPAA risk analysis if one does not exist or has not been updated in the last 12 months. This is OCR’s number-one enforcement priority. The proposed rule will make it explicitly mandatory. Doing this work now produces an asset that holds up under enforcement whether the rule finalizes or not.
Implement MFA on email and EHR, at minimum. These are the two most commonly compromised systems in small-practice breaches. MFA on these two systems alone closes the largest single attack vector small practices face. The cost is modest and the implementation is straightforward through whatever identity provider you already use.
Inventory your business associates. Make sure every BAA is current. Update the ones that have not been reviewed in three years. Add the BAA tracker to your compliance binder. If the rule lands, the 24-hour breach notification provision will need to be added to BAAs. If the rule does not land, you still need current BAAs because OCR audits them.
Document your incident response plan in writing. It can be a five-page plan. It just needs to exist, be specific to your practice, and identify who does what in the first 72 hours of a suspected breach. The proposed rule makes this explicitly required. The current rule effectively requires it through risk management language. The substantive obligation does not change.
Get a baseline external vulnerability scan. This is cheaper than people expect. Many MSPs include it as part of standard service. If yours does not, a third-party scan typically costs a few hundred dollars and gives you a written report. That report is evidence of good-faith effort if OCR ever asks what you have done to identify vulnerabilities.
Write down your existing technology asset inventory. Not a network diagram, not a $50,000 IT consulting engagement. A spreadsheet listing every system that touches PHI, what kind of data it stores, who manages it, and where the data lives. Most practices do not have this. Building it takes about a day. It satisfies the proposed asset inventory requirement and surfaces gaps you did not know you had.
None of these are full compliance with the proposed rule. All of them move you in the direction the rule is pushing, and all of them produce assets and documentation that will hold up under audit regardless.
The May 2026 deadline OCR set for itself has passed. The agency has not said what comes next. The rule, when it lands, will be a meaningful shift in what small practices owe in cybersecurity terms. There is also a real chance the rule never lands in the form currently proposed, or lands later than expected, or gets significantly modified.
Practitioners who follow these rules closely are skeptical the rule will arrive as drafted. The political and industry pressures pushing back on it are substantial. The lobbying coalition is large and well-funded. The current administration’s deregulatory posture cuts against the rule’s underlying ambition.
None of that changes what an independent practice should do this quarter. The work that satisfies the proposed rule overlaps almost entirely with the work that satisfies OCR’s current enforcement priorities. Doing the work is the right answer either way. Waiting for clarity about whether the rule will land is the wrong answer, because OCR has already shown what it will enforce regardless.
The practices that come out of this period well will be the ones that treat the regulatory uncertainty as background noise and the substantive direction as the real signal. Document the risk analysis. Inventory the assets. Implement MFA. Update the BAAs. Write the incident response plan. None of this is glamorous. All of it makes the practice more defensible whether OCR enforces the new rule, the old rule, or something in between.
The smart small practice in 2026 is the one that stops waiting for Washington to make up its mind and starts doing the work.
The Lifeline HIPAA Risk Assessment Checklist is a free 30-minute self-audit built specifically for small independent practices. It walks through every area OCR examines during an investigation and tells you exactly which documents you have, which you are missing, and which need updating.
For practices that want to close those gaps in a structured way, the Complete HIPAA Compliance System is a full documentation set drafted by a licensed healthcare attorney. Risk analysis templates, risk management plan, full Privacy and Security policies, BAA template and tracker, incident response plan, workforce training materials, and Notice of Privacy Practices updated for the February 2026 Part 2 requirements. One-time purchase. Built for independent practices that need to be audit-ready without the $300/month compliance software.
The rule may land in May. It may land in October. It may not land in its current form at all. The work that prepares you for it is the same work that protects you under current OCR enforcement either way. Now is the time to do it.