Changes Impacting Covered Entities Under HIPAA in 2025

The HIPAA regulation is expected to see some of its first major changes in over 10 years, and the impacts will be felt within the healthcare industry and beyond. As such, parties that qualify as covered entities or business associates will need to update their compliance practices in 2025.

Is your team ready to comply with the new HIPAA rules? Schedule a consultation to find out!

 

HIPAA Compliance for Covered Entities in 2025

The Health Insurance Portability and Accessibility Act of 1996 (HIPAA) has applied to parties both inside and outside of healthcare since its inception. But recent changes are expanding the scope of what HIPAA requires of both covered entities and their business associates. Proposed changes will make it more challenging than ever to comply while raising the stakes of failure.

Fully appreciating what HIPAA will require of covered entities in 2025 means understanding:

• Context for covered entities’ compliance concerns related to HIPAA
• New guidance regarding the scope of healthcare data and patient rights
• Proposed changes to HIPAA’s prescriptive Privacy and Security rules
• Existing and potential changes to HIPAA enforcement processes
• Other compliance considerations impacting covered entities

The best way to act on these insights is to work with a HIPAA compliance partner. Advisory and audit professionals streamline implementation and management for efficient HIPAA compliance.

 

Context for HIPAA Covered Entity Requirements

The HIPAA regulations are unique in their relatively stable legislative history. The biggest changes came in 2009 and 2013, with the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act. New proposed changes for 2025 similarly update HIPAA protections relative to recent advancements in technology, with a focus on proactive safeguards to prevent rising cybercrime across the industry. They also pave the way for easier, faster, and more secure access and sharing of information between healthcare stakeholders. 

With respect to applicability, HIPAA covered entity status has remained relatively unchanged for the better part of its history as a regulation. HIPAA applies primarily to covered entities within the healthcare industry. These include healthcare providers (e.g., doctors, practices), health plans (insurance companies, corporate health plans), and clearinghouses that process health data.

It also applies indirectly to business associates of these covered entities, including attorneys, accountants, and other professional service providers who process sensitive healthcare data.

 

 

Protected Health Information Scope and Rights

The specific kind of data that HIPAA is designed to safeguard is protected health information (PHI), which is especially sensitive in digital formats as electronic PHI (ePHI). PHI and ePHI include records about patients’ treatments, conditions, or payments. PHI generally needs to be anonymized to protect the privacy of individuals identified within it, who are the subjects of PHI.

Subtle changes to what counts as PHI in 2025 and what rights its subjects can expect will have major impacts on how the regulation affects both covered entities and business associates.

One example of shifting definitions for PHI is billing records, which will be classified as EHR. This means that patient access requests apply to these documents as well, even if a given transaction record may not have counted before. And an example of expanded data subject rights is the proposed change in access request timeframe. Covered entities used to have 30 days to fulfill access requests, but they will soon only have 15.

Another consideration to keep in mind is the status of healthcare-related records that may or may not be classified as PHI in the near future. For instance, records related to substance abuse disorder (SUD) treatment are now protected under HIPAA. There was also a push to extend HIPAA protections to reproductive health records, but these are presently on hold.

 

Changes to the Prescriptive HIPAA Rules

The most substantive changes to HIPAA that will impact covered entities in 2025 and beyond are updates to its prescriptive rules. These are the specific requirements that HIPAA places on applicable parties in the form of mandated controls, protocols, and thresholds. Failure to meet these standards can be grounds for noncompliance and enforcement—more on this below.

There are four HIPAA rules in total, but only three of them detail prescriptive requirements. Of these, two are expected to receive major changes in the 2025 update: the Privacy Rule and the Security Rule. The other rule, governing breach notification, does not presently have major updates forthcoming. However, updates to PHI classifications could impact it indirectly.

 

The HIPAA Privacy Rule in 2025 and Beyond

The HIPAA Privacy Rule is the first and most fundamental part of the legislation. It defines PHI and sets up the basic parameters of what HIPAA as a whole is trying to accomplish. The most impactful parts of this rule for cyberdefense purposes are its requirements related to PHI.

In particular, the rule requires covered entities to provide secure access to PHI to its subjects, along with certain required uses. It also requires them to prevent any unauthorized uses of PHI, except for a list of permitted uses and disclosures. These basic principles are still there in 2025.

Expected updates to the HIPAA Privacy Rule for 2025 include, but are not limited to:

• New rules around required uses and disclosures, such as patients being allowed to inspect and photograph their PHI, and third-party PHI transfers being limited to EHR.
• New rules around permitted uses and disclosures, including allowances to disclose PHI to avert a “seriously and reasonably foreseeable” threat to individuals’ health or safety, and when operating on a good faith belief that disclosure is in the patient’s best interest.
• New rules clarifying when covered entities must provide ePHI to patients at no cost.
• Transparency about patients’ right to obtain copies of PHI rather than summaries.
• Requirements to post estimated fee schedules for PHI access on providers’ websites, along with individualized, pro-rated estimates for specific requests made by patients.
• New pathways for secure communication and sharing of PHI between covered entities.
• A new “minimum necessary” exception for uses or disclosures related to individual-level care coordination and case management, irrespective of health care operations status.

Compliance for covered entities and business associates will require greater care to ensure that these new permissions and protections are applied uniformly and efficiently across all systems.

 

 

The HIPAA Security Rule in 2025 and Beyond

The HIPAA Security Rule builds on the protections in the Privacy Rule with specific measures covered entities must take to ensure the confidentiality, integrity, and availability of PHI. It also mandates infrastructure to prevent threats to PHI and ensure compliance across the workforce.

In particular, the Security Rule requires covered entities to perform regular risk assessments to understand the threat environment surrounding PHI. It also requires a set of administrative, physical, and technical safeguards to be installed across all systems in contact with PHI.

Expected changes to the Security Rule for 2025 include, but are not limited to:

• New requirements for technology asset inventories and network maps to document where PHI and ePHI exist within an organization, to be updated every 12 months.
• Greater scrutiny on risk analysis, requiring identification and mitigation of all anticipated threats and vulnerabilities impacting PHI confidentiality, integrity, and availability. This includes prioritization and scoring based on the risks’ likelihood and expected impact.
• New required controls, such as multi-factor authentication (MFA) for PHI system access, network segmentation, anti-malware, and encryption across PHI at rest and in transit.
• New requirements for contingency planning and incident response, including plans for complete data restoration within 72 hours, with systems prioritized based on criticality.
• New auditing protocols, including comprehensive Security Rule assessments every 12 months, penetration testing every 12 months, and vulnerability scans every 6 months.
• New verification requirements ensuring business associate security every 12 months.

As with the Privacy Rule updates, covered entities and business associates will need to make significant changes to their cyberdefense infrastructure to maintain HIPAA compliance in 2025.

 

HIPAA Enforcement in 2025 and Beyond

HIPAA enforcement is overseen by the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR). Unlike some other regulatory frameworks, HIPAA does not require applicable stakeholders to verify compliance with regular audits. However, the HHS does periodically conduct randomized audits for compliance across the industry, and the most recent such program is underway at present. The more practical vehicle of enforcement is the near-guarantee of investigation and potential discipline in the event of a compliance infraction.

When covered entities or business associates commit a HIPAA violation, they may be subject to civil monetary penalties. The exact amounts that need to be paid are up to the HHS and OCR’s discretion, but standardized fine schedules have been prescribed and indexed for inflation. The fines’ severity has increased significantly over the years and figures to grow more in the future.

Current HIPAA violation fines in 2025 use a tiered system, which breaks down as follows:

• Tier 1 – Infractions committed due to ignorance rather than intentional malpractice

• • • Minimum penalty per violation: $141
    • Maximum penalty per violation: $35,581
    • Annual cap on cumulative penalties: $35,581

• Tier 2 – Infractions committed knowingly but for or through a reasonable cause

• • • Minimum penalty per violation: $1,424
    • Maximum penalty per violation: $71,162
    • Annual cap on cumulative penalties: $142,355

• Tier 3 – Infractions committed due to willful neglect but corrected within 30 days

• • • Minimum penalty per violation: $14,232
    • Maximum penalty per violation: $71,162
    • Annual cap on cumulative penalties: $355,808

• Tier 4 – Infractions committed due to willful neglect and not corrected within 30 days

• • Minimum penalty per violation: $71,162
  • Maximum penalty per violation: $2,134,831
  • Annual cap on cumulative penalties: $2,134,831

Steering clear of these noncompliance penalties requires a careful approach to implementing, reviewing, and maintaining HIPAA controls while responding swiftly to compromising incidents.

 

Other Compliance Considerations

HIPAA compliance is challenging in its own right. But many covered entities and business associates are also beholden to other regulatory burdens simultaneously. Keeping up with required controls and assessment practices across multiple frameworks while minimizing overlap and duplicate work can make overall compliance management especially daunting.

One novel approach that streamlines compliance efforts across the board is implementing an omnibus framework designed to cover wide-ranging regulatory needs. The HITRUST CSF was originally designed to accommodate the specific needs of organizations both in and around healthcare, but it has grown into a more comprehensive framework that incorporates controls from a wide variety of laws and regulations. By implementing the CSF and conducting a bespoke verified assessment, covered entities can ensure HIPAA compliance while meeting PCI, SOC 2, CMMC, and other needs. HITRUST allows you to “assess once, report many.”

 

 

Streamline Your HIPAA Compliance

Covered entities and business associates, both within healthcare and outside of it, will need to step up their cyberdefense efforts to maintain HIPAA compliance in 2025 and beyond. There will be increased burdens to account for across Privacy and Security Rule requirements, along with higher stakes for noncompliance. Plus, these organizations may need to account for other laws.

Working with a HIPAA compliance partner like RSI Security makes meeting these needs much easier. We’ve helped countless covered entities and business associates thereof install and maintain controls to keep PHI secure and avoid noncompliance fines. We know that discipline upfront unlocks greater freedom to grow down the line, and we’ll help you achieve it.

To learn more about our HIPAA compliance services, contact RSI Security today!

 

Contact Us Now!