The 2026 HIPAA Privacy Rule update: what's changing and how it affects your practice
A 2026 HIPAA Privacy Rule update is in final federal review — covering patient access, care coordination, and privacy notices. What's proposed and how to prepare.
By CoreFolio
7-minute read
Most of the attention on 2026 HIPAA (Health Insurance Portability and Accountability Act) rulemaking has gone to the proposed Security Rule overhaul. But a second, separate change is further along: a HIPAA Privacy Rule update is now in final review at the White House, and it could publish before the Security Rule changes do.
If you run a small practice, this is the rulemaking more likely to touch your front-desk workflows in the near term — how quickly you turn around a records request, what your privacy notice says, and how you share information for care coordination. Here is what is actually proposed, where it stands, and how to prepare without acting on a rule that is not final yet.
What this is — and what it is not
The update traces back to a Notice of Proposed Rulemaking (NPRM) that the U.S. Department of Health and Human Services (HHS) published in the Federal Register on January 21, 2021, titled Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement.1 The Office for Civil Rights (OCR) — the HHS component that writes and enforces the HIPAA rules — designed it to make it easier to share protected health information (PHI) for care coordination and to strengthen a patient's right to their own records.
It is a proposed rule. It is not in effect, and nothing in it is a requirement today. The current Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) still governs, and OCR continues to enforce it — the Right of Access Initiative, which penalizes practices that do not provide records on time, runs under the current rule, not the proposed one.
Where it stands now
Three primary-source signals show this rulemaking is moving:
- The proposal exists and is specific. The 2021 NPRM (86 Fed. Reg. 6446) lays out the changes in detail.1
- OCR reopened work on it in early 2026. On January 14, 2026, OCR published a Tribal Consultation notice confirming it is developing modifications to the Privacy Rule and naming the proposal topics — strengthening access rights, improving information sharing for care coordination, and enabling greater family and caregiver involvement in emergencies.2
- A final rule is in the last review step. On April 2, 2026, HHS sent a final rule (Regulatory Identification Number 0945-AA00, titled HIPAA Privacy Rule: Changes to Support Coordinated Care and Individual Engagement and Reduce Regulatory Burdens) to the White House Office of Management and Budget (OMB) for the review that precedes publication.3 HHS's regulatory agenda projects publication in 2026.
A projected date is a projection, not a deadline — federal agencies routinely miss them, and a rule can still be modified before it publishes. But OMB review is the final gate before a final rule appears in the Federal Register, so this one is closer than the Security Rule changes.
What the 2021 proposal would change
Every item below is drawn from the 2021 NPRM and is proposed, not final.1 The final rule may adopt, narrow, or drop any of them.
1. Faster access to records
The proposal would shorten a covered entity's required response to an access request from the current 30 calendar days to no later than 15 calendar days, with any extension limited to one additional 15-day period (down from the current 30-day extension). It would also clarify the required form and format for responses and require entities to tell individuals they keep the right to obtain or direct copies when a summary is offered in place of a full copy.
2. Stronger in-person inspection rights
The proposal would strengthen the right to inspect PHI in person, including allowing individuals to take notes or photographs of their own information during a visit.
3. Lower identity-verification and fee barriers
The proposal would reduce identity-verification burdens on individuals exercising access rights, specify when electronic PHI must be provided at no charge, and require covered entities to post estimated fee schedules on their websites for access and for authorized disclosures, plus provide individualized fee estimates on request.
4. Easier information sharing for care coordination
The proposal would amend the definition of health care operations to clarify that individual-level care coordination and case management are permitted, and create an exception to the "minimum necessary" standard for those activities. It would also clarify that covered entities may disclose PHI to social-services agencies, community-based organizations, and similar health-related service providers to support a patient's care.
5. Changes to the privacy notice and disclosures
Two changes would affect front-desk paperwork and judgment calls:
- Notice of Privacy Practices (NPP). The proposal would eliminate the requirement to obtain a patient's written acknowledgment of receipt of a direct treatment provider's NPP, and would modify the NPP's required content.
- Disclosures to avert harm. It would let covered entities disclose PHI to prevent a threat to health or safety when harm is "serious and reasonably foreseeable," a more permissive standard than the current "serious and imminent" threat test.
What is still uncertain
Because the rule is not final, the details can change. The 2021 NPRM proposed that a final rule would take effect 60 days after publication, with a 180-day compliance period after that — so enforcement of any new or modified standards would begin 240 days after the final rule publishes.1 HHS asked for comment on whether 180 days is enough, so the final compliance window could differ.
There is also open question about which proposals survive. Some access-related provisions from 2021 drew significant industry comment, and HHS has signaled it may not finalize every 2021 proposal exactly as written. Treat the list above as the direction HHS proposed, not a settled set of obligations — the published final rule is the only authoritative source for what you must do and by when.
What it means for your practice
You cannot comply with a rule that has not published, and you should not rebuild your operations around a proposal. But a few steps reduce your exposure under the current rule and position you for the final one:
- Tighten your records-request workflow now. The current 30-day access clock is already the most heavily enforced Privacy Rule obligation. A process that reliably turns requests around in about two weeks meets today's rule comfortably and would absorb a shift to 15 days if the final rule adopts it.
- Know where your Notice of Privacy Practices lives — but wait to rewrite it. If an NPP revision is already on your list, holding until the final rule publishes avoids revising it twice in a short window.
- Map how you share information for care coordination. Document which outside providers, social-services agencies, and community organizations you exchange PHI with, and on what basis. This is useful under the current rule and directly relevant to the proposed care-coordination changes.
- Watch the Federal Register. The compliance window starts from the final rule's publication date, not from today. When it publishes, read the actual effective and compliance dates rather than relying on the 2021 proposal.
How this fits with the rest of 2026
The Privacy Rule update is one of two HIPAA rulemakings in motion, and they are easy to confuse:
- The Privacy Rule update (this article) governs use, disclosure, and patient rights. It is in OMB review with a projected 2026 final rule.
- The 2026 Security Rule NPRM governs how ePHI is safeguarded — encryption, multi-factor authentication, asset inventories, and the technical safeguards that protect electronic records. HHS has moved that rulemaking to long-term actions, with a projected final action in July 2027.
Neither changes your obligation to follow the current rules today, including the breach notification requirements that apply regardless of either rulemaking's outcome. Preparing for the direction both rules point — faster access, tighter documentation, stronger safeguards — reduces your risk under the rules that already exist.
Sources
Footnotes
-
U.S. Department of Health and Human Services, Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446 (Jan. 21, 2021). Full text at https://www.govinfo.gov/content/pkg/FR-2021-01-21/html/2020-27157.htm. ↩ ↩2 ↩3 ↩4
-
U.S. Department of Health and Human Services, Office for Civil Rights, Tribal Consultation on Proposed Modifications to the HIPAA Privacy Rule, 91 Fed. Reg. (Jan. 14, 2026), FR Doc. 2026-00561. Full text at https://www.govinfo.gov/content/pkg/FR-2026-01-14/pdf/2026-00561.pdf. ↩
-
Office of Management and Budget, Office of Information and Regulatory Affairs, Pending EO 12866 Regulatory Review — RIN 0945-AA00 (HIPAA Privacy Rule: Changes to Support Coordinated Care and Individual Engagement and Reduce Regulatory Burdens), HHS/OCR, Final Rule stage, received April 2, 2026. Status at https://www.reginfo.gov/public/do/eoDetails?rrid=1334515. ↩