Updates to the HIPAA Security Rule are expected soon, introducing the most extensive changes in over a decade. These updates will make compliance more complex for covered entities and business associates, increasing the stakes for protecting sensitive health information.
Navigating HIPAA Compliance Amidst Major Changes
The Health Insurance Portability and Accountability Act (HIPAA) has long set the standard for safeguarding patient information in healthcare.
While HIPAA has remained relatively unchanged since 2013, the Department of Health and Human Services (HHS) has proposed sweeping updates to the HIPAA Security Rule. These changes, spanning 393 pages, aim to align HIPAA with modern cybersecurity best practices and address escalating threats like ransomware.
To achieve and maintain compliance, organizations need to understand:
- The existing Security Rule requirements that remain unchanged in 2025
- Newly proposed controls and processes that will become mandatory
- Other updates to HIPAA’s rules and enforcement that will impact compliance
- How these changes interact with broader privacy and breach notification rules
Existing Requirements of the HIPAA Security Rule
The Security Rule has always required covered entities to ensure the confidentiality, integrity, and availability of protected health information (PHI). Its foundational requirements include:
- Conducting ongoing risk analyses to identify vulnerabilities and threats
- Implementing administrative safeguards (risk management, contingency planning, workforce security)
- Enforcing physical safeguards (facility access control, device and media handling)
- Maintaining technical safeguards (access controls, audit logs, encryption, authentication measures)
These controls remain essential even as new requirements come into effect.
New HIPAA Security Rule Requirements for 2025
The proposed rule introduces detailed and mandatory cybersecurity measures, including:
Governance and Risk Management
- Technology asset inventory and network mapping: Entities must develop and update a comprehensive inventory of all technological assets and create a network map showing electronic PHI (ePHI) flow. Updates are required annually.
- Enhanced risk analysis: Organizations must identify all reasonably anticipated threats and vulnerabilities, assess the likelihood of exploitation, and determine risk levels for each.
- Annual internal audits: Organizations must conduct compliance audits at least every 12 months to assess adherence to HIPAA requirements.
- Annual reviews and testing: Organizations must review and test security measures and controls annually to ensure effectiveness.
- Contingency planning: Written procedures must allow for data restoration within 72 hours, with priorities based on data criticality.
- Annual verification of business associate cybersecurity: Covered entities must confirm their partners’ security measures annually.
Technical and Infrastructure Controls
- Vulnerability scans and penetration tests: Organizations must run vulnerability scans at least every six months and perform penetration tests annually.
- Multi-factor authentication (MFA): MFA must be implemented for all PHI system access.
- Encryption: ePHI must be encrypted at rest and in transit.
- Portable device safeguards: Security controls must extend to laptops, tablets, and mobile devices.
- Patch management and software controls: Organizations must apply patches promptly, remove unnecessary software, and disable unused network ports.
- Network segmentation: Organizations must segment networks to limit attacker lateral movement in the event of a breach.
- Anti-malware protection: Systems must have software in place to detect and prevent malicious code.
- Data backups: Separate technical controls must be implemented to secure backups and ensure rapid recovery.
Other HIPAA Updates Since 2022
In addition to the Security Rule overhaul, several other significant HIPAA updates have emerged in recent years:
- Reproductive health information privacy (2024): While updated protections were initially introduced, a federal judge vacated these rules in June 2025. However, HIPAA Notices of Privacy Practices must still reflect related changes.
- Substance Use Disorder (SUD) records: The CARES Act updated rules for SUD records to match HIPAA standards. This improves care coordination and lets patients give one consent to share their information with healthcare providers.
- Enhanced patient rights: Patients now have expanded rights to inspect and capture copies of their PHI in person, receive faster responses to record requests, and access their records via APIs.
- Faster breach notification: Proposed rules shorten reporting deadlines for covered entities, requiring them to report breaches affecting 500 or more individuals within 72 hours.
- HITECH Act updates and safe harbor: Covered entities demonstrating recognized security practices for 12 months may qualify for reduced penalties during enforcement actions.
Increased Enforcement and Audit Expectations
The Office for Civil Rights (OCR) plans to significantly increase HIPAA audits in 2025 and impose higher penalties for non-compliance. Combined with stricter Security Rule requirements, this makes proactive compliance planning essential for minimizing financial and operational risks.
Preparing for 2025 HIPAA Compliance
These updates represent the most substantial changes to HIPAA since the HITECH Act. Covered entities and business associates must:
- Implement or enhance risk management programs
- Adopt the new technical and governance controls
- Prepare for frequent internal audits and OCR enforcement actions
Working with a trusted HIPAA compliance advisor can streamline the transition. A comprehensive approach, such as implementing the HITRUST CSF, can help organizations efficiently manage overlapping regulations.
Strengthen Your HIPAA Compliance Strategy Today
Adapting to these HIPAA Security Rule updates is critical for protecting sensitive healthcare data and avoiding costly penalties.
RSI Security has decades of experience helping organizations achieve and maintain HIPAA compliance. Our experts help you prepare for these sweeping changes and build your data security program to withstand evolving cyber threats.