
The proposed HIPAA Security Rule update is the most significant overhaul in over a decade. The HHS Office for Civil Rights officially targeted May 2026 for finalization. May came and went. As of June 2026, the rule remains pending, with no firm date for when (or whether) it will finalize as proposed.

That puts healthcare CISOs in an uncomfortable position. The rule isn’t dead, but it isn’t here either. The investments required to prepare for it are real budget asks. Asset inventory mandates, business associate verification, the 72-hour incident response window, the one-hour termination access requirement, continuous evidence of control effectiveness. And the board, the CFO, and the audit committee are asking a reasonable question.

Do we still need to fund this prep work?

The right move is to keep building, regardless of when the rule lands.


What I’m Hearing

Three ways to think about the limbo

When we talk to healthcare compliance and risk leaders right now, we’re hearing three reactions to the delay.


Pause Prep Work

Hold the budget back, deprioritize the asset inventory project, push BA verification down the roadmap. The logic is that the rule may get scaled back or withdrawn, so why commit resources now? A coalition of industry associations led by CHIME has even petitioned HHS to withdraw the proposed rule entirely. The problem with this approach is that it assumes the rule’s contents are the only reason to invest.


Prepare as if Finalization is Imminent

Treat the proposed rule as a roadmap and build accordingly. This is the safest position from a compliance standpoint, but it can be a hard sell to the board if the rule’s status remains uncertain through the rest of the year.


Reframe the Work

Instead of preparing for what the proposed rule requires, prepare for what defensible evidence requires, regardless of which version of the rule finalizes.

The Proposal

The Evidence Bar Is Rising, with or Without the Rule

OCR is already enforcing risk-analysis requirements under the current Security Rule. In 2024, OCR collected $9.94 million in penalties across 22 enforcement actions. Risk analysis failures are the most frequently identified Security Rule violation in OCR investigations. Cyber insurers are tightening their underwriting standards independent of regulation. Auditors at every level (internal, external, state, federal) are raising the bar on what constitutes evidence.

OCR Senior Advisor Nick Heesters said it directly in an April 2026 risk management video:

Policies and procedures alone are not sufficient evidence of security measure implementation.

OCR now expects continuous evidence that controls are working in practice.

The investments that prepare you for the proposed rule are the same investments that hold up under current enforcement, current audit pressure, and current insurance scrutiny.

Asset Inventory and Network Mapping

Required by the proposed rule, but also required by NIST CSF, by any reasonable risk analysis, and by every cyber insurance application you’ll fill out this year.

Business Associate Verification

The proposed rule would require annual written verification of BA safeguards. Even without it, your auditors are already asking for evidence of vendor security posture, and your insurance broker is already asking what visibility you have into your downstream risk.

Continuous Evidence of Control Effectiveness

The proposed rule raises the standard here. That shift is already happening in practice. OCR has expanded its enforcement initiative beyond risk analysis to include risk management, hinging on whether organizations can show controls operating in practice.

Incident Response Readiness

The proposed rule’s 72-hour requirement is aggressive. Every healthcare CISO knows the operational reality. If you can’t respond, contain, and restore quickly, the consequences extend far past regulatory penalties.

Reframing the Ask

What To Tell Your Board This Quarter

When the board or CFO asks whether to keep funding HIPAA 2025 prep, don’t get pulled into a debate about the rule’s status. Reframe the question instead:

We’re funding this work because the evidence bar is rising regardless of what happens with the final rule. OCR is enforcing the current rule more aggressively. Cyber insurers are tightening underwriting. Auditors are raising the bar. The investments required to prepare for HIPAA 2025 are the same investments required to defend our current security posture.

That positions the spend as evidence architecture, which holds up regardless of regulatory uncertainty. It’s a stronger argument, and it doesn’t depend on a regulatory timeline you can’t control.

From Evidence to Board-Ready

Where Armor Dash Fits

The hard part of this work is operational, not strategic. Most healthcare organizations know what evidence they need. The challenge is producing it continuously, from source systems, without rebuilding it manually before every audit.

Armor Dash is built for exactly this gap. It connects to your security stack through APIs. Agentless, nothing to install. Dash gives you continuous tracking against HIPAA, NIST CSF, SOC 2, and the other frameworks your audits press on. The evidence comes from source systems, so the trail is defensible. The board view is current, not two weeks old.

For healthcare CISOs preparing for HIPAA 2025, or just preparing for the next OCR audit, Dash is the reporting layer that makes evidence architecture work in practice.

What We Do

What This Means for the Rest of 2026

The proposed HIPAA Security Rule update may finalize this year. It may get scaled back. It may not finalize at all. The right posture for healthcare CISOs isn’t to bet on any of those outcomes. It’s to build evidence architecture that’s defensible regardless.

That’s the conversation that holds up in front of the board, the CFO, the auditor, and OCR. The proposed rule didn’t land in May. The evidence problem didn’t pause.

Built for the Evidence Architecture Conversation

Dash connects to your security stack through APIs, agentless with nothing to install, and gives healthcare CISOs the continuous, defensible reporting HIPAA 2025 prep requires.


About Armor

Armor is a global leader in cloud-native managed detection and response. Trusted by over 1,700 organizations across 40 countries, Armor delivers cybersecurity, compliance consulting, and 24/7 managed defense built for transparency, speed, and results. By combining human expertise with AI-driven precision, Armor safeguards critical environments to outpace evolving threats and build lasting resilience. For more information visit our website, follow us on LinkedIn, or request a free Cyber Resilience assessment.