For decades, healthcare organizations and their business associates have adhered to HIPAA regulations, which have remained largely consistent since the 1990s. But updates that will come into effect in 2025 figure to complicate some elements of HIPAA compliance.
Is your organization prepared to comply with HIPAA in 2025? Book a consultation to find out.
Navigating HIPAA Compliance Amidst 2025’s Changes
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has been relatively consistent in terms of what it requires since its initial publication. While HIPAA has remained largely unchanged since 2013, the upcoming 2025 revisions introduce significant updates, particularly to the Security Rule.
To navigate 2025’s changes to the framework, organizations will need to know:
- How some changes to the Privacy Rule will impact data accessibility
- How the bigger overhaul of the Security Rule will shape infrastructure
- How shifts in governance and enforcement could impact covered entities
- How other, auxiliary changes to the framework can complicate compliance
Ultimately, the best way to achieve and maintain seamless HIPAA compliance in 2025 and beyond is to partner with a dedicated compliance advisor who’ll streamline the process for you.
Implications of Updates to the HIPAA Privacy Rule
The Privacy Rule has undergone minor, iterative changes in recent years, but there have not yet been any large-scale updates that changed its basic principles. That will remain true at least in 2025, as proposed changes generally add onto or clarify pre-existing requirements. Still, there are some practical implications for organizations’ communication and accessibility infrastructure.
These changes, and the more impactful ones below, have been a long time coming. In the Department of Health and Human Services (HHS), which oversees HIPAA, the Office for Civil Rights (OCR) has been aiming to update the Privacy and Security Rules since at least 2018, when a formal Request for Information (RFI) was published. This was followed up by 2020’s Notice of Proposed Rulemaking, which detailed several potential modifications to the rules.
Specific Changes to Privacy Rule Requirements
The Privacy Rule is expected to undergo relatively minor changes to its priorities and reach, which may necessitate changes in the way HIPAA compliance is approached organizationally.
The most impactful proposed changes to the HIPAA Privacy Rule for 2025 are:
- Covered entities must enhance PHI access and transparency: individuals will have the right to inspect their health records in person, take notes, and capture images for personal reference, and must receive full documentation within 15 days—down from the previous 30-day requirement.
- Relatedly, covered entities will now be required to provide estimated fee schedules for PHI access, along with itemized estimates for individual requests. They must now notify individuals when they can access PHI without any charge, along with informing people of their rights to full documents from cases where only summaries have been offered.
- Greater care must be practiced when transferring and handling electronic PHI (ePHI), including limiting transfers to third parties to only electronic health records (EHR) and obtaining confirmation before allowing transfers of ePHI to direct provider sharing.
- There are subtle changes to certain definitions and permissions, such as more latitude for permitted uses and disclosures related to the Armed Forces’ requests. Covered entities will be provided more grace in determining when PHI sharing is justified to mitigate potential future harm, and the definition of “healthcare operations” has been expanded with respect to determining whether certain uses or disclosures are sound.
In addition, the HHS has set the groundwork for further changes related to these. For example, individuals identified in PHI will eventually have the ability to direct covered entities on how to share EHR, including coordinating sharing between providers that wasn’t previously allowed.
Ramifications of the HIPAA Security Rule Overhaul
The 2025 HIPAA Security Rule updates represent a major overhaul, introducing stricter controls on cybersecurity, risk management, and electronic PHI protection. However, the underlying principles of the rule remain basically the same. What these updates seek to do is strengthen the Security Rule’s protections, which has not been attempted since the Health Information Technology for Economic and Clinical Health Act (HITECH) was implemented.
At base, the HIPAA Security Rule builds on the Privacy Rule’s definitions of what access to PHI should look like and prescribes controls for how to ensure that its standards are met. The new requirements for 2025 make it more effective on that front with deeper and broader coverage for a growing range of cyberthreats. These changes will likely require new controls to be installed.
Specific Changes to Security Rule Requirements
On the whole, the Security Rule is expected to undergo relatively major updates that will impose more specific and direct requirements on applicable organizations than prior iterations have.
The most impactful proposed changes to the HIPAA Security Rule for 2025 are:
- Covered entities must now create and maintain an information technology (IT) asset inventory and network map, including updates to ensure accuracy every 12 months.
- Risk assessments must now include detailed evaluations of IT asset inventories and network maps, identifying and mitigating anticipated PHI security threats.
- Covered entities will need to develop formalized, written procedures for contingency planning, including a complete, prioritized restoration of impacted data within 72 hours.
- Covered entities will need to conduct Security Rule audits, system-wide security reviews, and penetration tests every 12 months, along with vulnerability scans every six months.
- All PHI will need to be encrypted at all times, both in storage (“at rest”) and in transit.
- Covered entities will need to implement multi-factor authentication (MFA), network segmentation, and anti-malware to ensure the integrity and confidentiality of PHI.
- Portable devices handling PHI must implement encryption, remote wipe capabilities, and access controls to prevent unauthorized data exposure.
- Patches and software updates will need to be implemented in a timely manner.
- Any unnecessary or extraneous software will need to be removed from PHI systems, and unused network ports will need to be disabled in accordance with risk analysis.
- Covered entities will need to verify business associates’ cybersecurity measures every 12 months, ensuring that any systems in contact with PHI are fully HIPAA compliant.
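The cadences and controls listed above can be turned into a repeatable gap check over the asset inventory the rule now requires. The script below is an added example, not code from RSI Security or from the rule itself; the inventory field names, the sample assets and the assessment date are assumptions, and six months is taken as 182 days.

```python
from datetime import date

# Review cadences from the proposed 2025 Security Rule, in days (six months taken as 182).
CADENCE_DAYS = {"inventory_reviewed": 365, "vuln_scanned": 182,
                "pen_tested": 365, "ba_verified": 365}
RESTORE_TARGET_HOURS = 72          # prioritized restoration of impacted data
REQUIRED_FLAGS = ("encrypted_at_rest", "encrypted_in_transit", "mfa", "anti_malware")
PORTABLE_FLAGS = ("remote_wipe",)  # extra control for laptops, phones and other portables
AS_OF = date(2025, 1, 15)          # assumed assessment date

# Constructed sample inventory rows (hypothetical assets; the field names are assumptions).
SAMPLE_INVENTORY = [
    {"id": "ehr-db-01", "holds_phi": True, "portable": False, "business_associate": False,
     "encrypted_at_rest": True, "encrypted_in_transit": True, "mfa": True, "anti_malware": True,
     "restore_rto_hours": 48, "inventory_reviewed": "2024-09-01",
     "vuln_scanned": "2024-12-20", "pen_tested": "2024-06-15"},
    {"id": "laptop-nurse-17", "holds_phi": True, "portable": True, "business_associate": False,
     "encrypted_at_rest": False, "encrypted_in_transit": True, "mfa": False, "anti_malware": True,
     "remote_wipe": False, "restore_rto_hours": 120, "inventory_reviewed": "2023-11-01",
     "vuln_scanned": "2024-05-01", "pen_tested": "2024-06-15"},
    {"id": "claims-vendor-api", "holds_phi": True, "portable": False, "business_associate": True,
     "encrypted_at_rest": True, "encrypted_in_transit": True, "mfa": True, "anti_malware": True,
     "restore_rto_hours": 24, "inventory_reviewed": "2024-10-10",
     "vuln_scanned": "2024-11-30", "pen_tested": "2024-03-01"},
]

def find_gaps(asset, today):
    """Return the list of Security Rule gaps for one inventory row as of `today`."""
    gaps = []
    if not asset.get("holds_phi"):
        return gaps                       # the controls above apply to PHI systems only
    flags = REQUIRED_FLAGS + (PORTABLE_FLAGS if asset.get("portable") else ())
    gaps += [f"missing control: {f}" for f in flags if not asset.get(f)]
    for key, limit in CADENCE_DAYS.items():
        if key == "ba_verified" and not asset.get("business_associate"):
            continue                      # only vendor-operated assets need BA verification
        stamp = asset.get(key)
        if stamp is None:
            gaps.append(f"{key}: no evidence on file")
        elif (today - date.fromisoformat(stamp)).days > limit:
            gaps.append(f"{key}: overdue, last done {stamp}")
    rto = asset.get("restore_rto_hours")
    if rto is None or rto > RESTORE_TARGET_HOURS:
        gaps.append(f"restoration target {rto}h exceeds {RESTORE_TARGET_HOURS}h")
    return gaps

def assess(inventory, today=AS_OF):
    """Map each asset id to its gap list; an empty list means no finding for that asset."""
    return {row["id"]: find_gaps(row, today) for row in inventory}
```

Running `assess(SAMPLE_INVENTORY)` flags the unencrypted laptop on six points and the vendor API only for the missing business associate verification, which is the kind of evidence an auditor will ask for.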
What these changes reflect is an alignment with consensus best practices that are enshrined in other cybersecurity frameworks and regulations. Some organizations may be subject to HIPAA alongside these other rules, in which case compliance will entail mapping between rulesets.
Greater Audit Coverage and Potentially Higher Stakes
Another major trend that covered entities and business associates need to be aware of for 2025 and beyond is the potential for greater HIPAA enforcement by way of audits. Unlike other regulatory frameworks, HIPAA compliance does not require formal certification; however, the Office for Civil Rights (OCR) may initiate audits or investigations following security incidents. A covered entity is assumed to comply, unless some event happens that suggests otherwise. And, while the capacity for preemptive auditing has existed in the past, to prevent incidents from occurring in the first place, the HHS has de-prioritized this practice since at least 2017. But the OCR is expected to increase audit frequency in 2025, advocating for stricter enforcement and higher penalties for non-compliance. There will likely be more audits, covering more HIPAA specifications each time, with greater consequences for failure.
However, these burdens figure to be counterbalanced to an extent by proposed initiatives to help financially challenged institutions implement and maintain compliant protections.
Auxiliary Changes to Protected Information Classes
Another kind of change impacting HIPAA in 2025 is the inclusion of different data types under the banner of PHI, along with extended protections due to the socio-political climate we’re in.
In particular, two subsets of personal information are now under tighter control via HIPAA:
- Substance Use Disorder (SUD) records – Previously governed separately, these records are now fully protected as PHI under HIPAA, ensuring stricter confidentiality measures. This is the result of collaboration between OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA), who have worked to integrate SUD records into HIPAA since 2022.
- Reproductive health information – HIPAA now classifies reproductive health records—including procedures, contraceptive use, and related treatments—as specially protected PHI, restricting their disclosure for legal investigations. In particular, these records are not to be shared for the purposes of civil, criminal, or administrative investigations that persecute recipients for seeking out care. Even if a use or disclosure would normally be permitted by the Privacy Rule, it may not be in this case.
The upshot is that organizations will need to account for additional kinds of data in their PHI safeguards. In the case of reproductive health information, greater care needs to be taken to ensure this specific class of data is not shared under circumstances that other PHI could be.
How to Ensure Seamless, Long-term HIPAA Compliance
For organizations seeking HIPAA compliance for the first time, or those looking to continue complying with the rules after these changes are implemented, HIPAA advisory is critical. By working with a trusted implementation and assessment partner, covered entities and business associates alike can review and adjust their existing controls—or implement completely new ones, like the newly required asset and network map—to ensure they meet HIPAA’s new rules.
In addition, working with an advisory partner is one of the best ways to navigate complicated regulatory compliance environments where multiple frameworks may apply simultaneously.
In these cases, implementing an omnibus framework such as the HITRUST CSF is one of the best ways to streamline all requirements and minimize costly overlap. HITRUST certification allows organizations to “assess once, report many” and cover all regulatory bases efficiently.
Optimize Your HIPAA Compliance Practices Today
In 2025, changes to HIPAA revolve around the big-ticket rework of the Security Rule. There are other considerations, and the higher stakes of increased audit enforcement make it even more critical for covered entities and business associates to be on top of their compliance. But the biggest practical difference will be meeting the new, imposing security requirements efficiently.
RSI Security has helped countless organizations prepare for, achieve, and maintain HIPAA compliance. We’ve worked with this framework since well before the implementation of the HITECH Act, and we’re committed to helping organizations rethink their cyber defense in a holistic way. The right way is the only way to protect your data, and we’ll help you do just that.
To learn more about our HIPAA compliance services, contact RSI Security today!