The HIPAA security rule was delayed, but cybersecurity wasn’t
The federal government has delayed the anticipated update to the HIPAA Security Rule until at least July 2027.
Some healthcare organizations will hear that news and conclude that they have another year—or longer—to postpone cybersecurity improvements.
MSPs need to correct that misunderstanding immediately.
The delay does not suspend the current HIPAA Security Rule. It does not stop ransomware attacks, data breaches, lawsuits, state enforcement, contract obligations or cyber insurance requirements. It simply delays a proposed federal rule that would make many cybersecurity responsibilities more specific and harder to avoid.
The federal Unified Agenda now lists the HIPAA Security Rule update as a “long-term action,” with final action scheduled for July 2027. Regulatory schedules can change again, so even that date is not guaranteed.
For MSPs, this is not a reason to stop talking about healthcare cybersecurity. It is a reason to change the conversation.
The current HIPAA Security Rule is still in effect
The HIPAA Security Rule already requires covered entities and business associates to implement appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information. It also requires risk analysis, risk management, access controls, audit controls, workforce security, incident procedures, contingency planning and other safeguards.
Those obligations did not disappear when the proposed update was delayed.
Yet, many healthcare organizations continue to treat important safeguards as optional. Some still resist encryption, multifactor authentication, centralized logging, access reviews, vulnerability management and documented risk analyses because they believe federal enforcement is unlikely to reach them.
That is a dangerous business strategy.
A regulation does not have to contain the words “multifactor authentication” to make an organization responsible for protecting remote access, privileged accounts, email systems, cloud services and patient information against known threats.
The real question is not whether every safeguard appears by name in the current HIPAA regulation. It is whether the organization can demonstrate that it has identified its risks, selected reasonable protections, implemented them consistently and documented its decisions.
What the proposed rule would change
The proposed HIPAA Security Rule was published in January 2025 to address increasing cybersecurity threats across the healthcare sector.
Among other changes, it would require or strengthen:
- Encryption of electronic protected health information at rest and in transit
- Multifactor authentication, with limited exceptions
- More detailed risk analyses
- Technology asset inventories and network maps
- Annual compliance audits
- Vulnerability scanning and penetration testing
- Network segmentation
- Written incident response and recovery procedures
- More specific restoration deadlines
- Annual verification of business associate safeguards
- Written documentation supporting security decisions
HHS also proposed eliminating much of the flexibility associated with “addressable” implementation specifications by making the proposed safeguards mandatory, subject to limited exceptions.
Healthcare industry groups objected to the cost, complexity and operational disruption that could result. The federal government has now moved the expected final action to July 2027. But the threats that motivated the proposed rule have not been delayed.
HIPAA is no longer the only cybersecurity requirement
Healthcare organizations frequently make the mistake of treating HIPAA as their complete cybersecurity standard.
It is not.
Depending on the organization, its location, the services it provides and the data it handles, it may also be subject to:
- State privacy and cybersecurity laws
- State medical-information laws
- Data-breach notification requirements
- Requirements imposed by state regulators and attorneys general
- Federal rules covering substance use disorder, education, financial or payment card data
- Medicaid, Medicare, managed care and grant requirements
- Funding-source and partner contracts
- Business associate agreements
- Cyber insurance application and policy requirements
These obligations can require protections that are more specific and enforceable than the current HIPAA Security Rule.
State attorneys general do not need to wait for HHS to update HIPAA before alleging that an organization failed to maintain reasonable cybersecurity. Encryption, MFA, access controls, logging, risk analyses, patching and vendor oversight can all become issues following a breach.
Private lawsuits create another layer of risk. Even where HIPAA does not provide individuals with a direct right to sue, plaintiffs may bring claims based on negligence, state privacy laws, consumer-protection laws, contracts or an organization’s failure to follow its own policies.
Many organizations settle these cases, rather than risk the expense and uncertainty of a trial.
Contracts and cyber insurance may hit closer to home
MSPs should also remind clients that their most immediate cybersecurity obligations may come from contracts and insurance policies—not HIPAA.
Contracts with health plans, government agencies, funding sources, hospitals, school systems and community partners may require specific security controls. These can include encryption, MFA, security assessments, incident reporting, employee training, access reviews, backups and vendor oversight.
Failing to meet these requirements could result in the loss of a contract or funding relationship.
Cyber insurance presents another risk. Applications frequently ask whether the organization uses MFA, encrypts data, maintains offline or isolated backups, conducts security training, protects privileged accounts and tests its incident response plan.
Those answers are not simply part of a sales questionnaire. They may become representations on which the insurer relies when issuing the policy. That puts the value of the policy—$ 1 million, $ 2 million, $ 5 million, etc.—on the line. That’s not something a policy owner wants to risk.
After a ransomware attack or data breach, the carrier may compare the claim to the answers in the application. A healthcare organization that postponed security improvements because the HIPAA update was delayed may discover that its insurance policy did not postpone its requirements.
A recent assessment demonstrated the problem
I recently completed a security risk analysis and compliance assessment for a nonprofit healthcare organization.
Its leadership initially viewed HIPAA as its primary cybersecurity obligation. During the assessment, we identified nine applicable federal and state laws and regulations, four contracts containing specific cybersecurity requirements and additional obligations in its cyber insurance documents.
Taken together, those requirements exceeded the protections commonly associated with the current HIPAA Security Rule.
The contract and insurance requirements also felt more immediate to leadership. The organization did not want to risk losing important funding sources, damaging partner relationships or having an insurance claim challenged after an incident.
That changed the conversation from:
“Does HIPAA specifically require us to do this?”
to:
“What protections are we responsible for implementing, and how do we prove that we have implemented them?”
That is the conversation MSPs should be having with every healthcare prospect and client.
What MSPs should do now
Do not let a client use the delayed rule as permission to delay cybersecurity.
Start by asking for the documents that define the organization’s actual obligations:
- Its most recent HIPAA security risk analysis
- Cyber insurance application and policy
- Business associate agreements
- Customer and funding-source contracts
- Incident response and disaster recovery plans
- Security policies and procedures
- Current inventory of systems, cloud services, vendors and data flows
Then, compare what the organization has promised to what is actually implemented.
Document gaps in plain business language. Connect each gap to the potential consequences: interrupted patient care, breach reporting, loss of funding, denied insurance coverage, litigation, contract termination or regulatory action.
Most importantly, give leadership a prioritized plan, instead of a list of products.
Turn the delay into an opportunity to lead
The strongest MSP message is not:
“You need to buy these tools because the new HIPAA rule is coming.”
It is:
“The proposed rule has been delayed, but your current risks and obligations have not. Let’s determine what applies to your organization, compare it to what you have in place and build a documented plan to close the gaps.”
MSPs should use this moment to offer healthcare clients and prospects help with all the systems they use, including cloud services not managed by the MSP:
- A cybersecurity and compliance requirements review
- An updated HIPAA security risk analysis
- A contract and cyber insurance assessment
- A cloud-service and data-flow inventory
- An MFA, encryption, logging and access-control gap assessment
- A business associate and vendor oversight review
- A documented remediation roadmap
- Ongoing compliance reviews and evidence collection
Do not wait until 2027 to begin these conversations.
Contact every healthcare client and prospect that may misunderstand the delay. Explain that HIPAA remains in effect, other obligations may be more demanding and cybersecurity incidents will not wait for the government’s regulatory calendar.
The HIPAA Security Rule update may have been postponed. Accountability has not.
Related: Turn the new HIPAA security rule into more recurring revenue-without increasing liability
Power Your MSP Success with the Kaseya Community
Get fast answers, share product ideas, access exclusive resources, stay current on Kaseya product innovations, and connect with MSP peers.
2026 Kaseya State of the MSP Report

Get 2026 MSP insights from 1,000 plus providers and learn how to grow revenue, adapt to market pressure, and stay competitive.
Get More MSP Insights
Join 50,000+ MSP professionals receiving expert insights, best practices, and industry trends.






