HIPAA 2025 Update: What Healthcare Organizations Need to Know

The healthcare industry is facing a growing wave of cybersecurity threats.

Between 2018 and 2023, large data breaches affecting 500 or more individuals doubled.

Even more alarming, the number of people impacted by these breaches jumped by an astonishing 950%.

In 2023 alone, 167 million people were affected by major data breaches, setting a new record.

A major contributor to this surge is the increase in hacking incidents and ransomware attacks.

These attacks have risen by 260% and 264%, respectively, targeting healthcare organizations.

This sharp rise in cybersecurity threats highlights the urgent need for stronger protections of sensitive patient data.

One key area for improvement is the HIPAA Security Rule, which sets national standards for safeguarding electronic protected health information (ePHI).

The last major update to this rule was in 2013.

With rapid technological changes and more sophisticated cybercriminal tactics, it’s clear that the rule needs to be updated.

In this blog, we’ll explore the key changes to HIPAA regulations coming in 2025, and what healthcare organizations need to know to stay ahead and protect their patient data.

Key Proposed Changes to the HIPAA Security Rule in 2025

The proposed changes to the HIPAA Security Rule in 2025 are a major step forward in strengthening cybersecurity in the healthcare industry. Here’s a breakdown of the key updates:

1. Elimination of “Addressable” Implementation Specifications

One of the biggest changes is the removal of the “addressable” implementation specifications.

Currently, healthcare organizations have some flexibility in how they implement certain security measures. But with the new rule, all implementation specifications will be mandatory, with very few exceptions.

For example, encryption, which was previously “addressable,” will now be required for all electronic protected health information (ePHI), except in specific situations.

2. Mandatory Encryption

Encryption of ePHI will become mandatory, both when the data is stored (at rest) and when it’s being transmitted (in transit).

This change reflects the growing importance of protecting patient data from unauthorized access.

The rule does allow some exceptions, such as when a patient requests ePHI in an unencrypted format or when encryption isn’t technically feasible. However, these exceptions will be limited.

3. Enhanced Security Risk Analysis

A thorough security risk analysis is key to preventing breaches. The proposed rule requires healthcare organizations to adopt a more detailed approach to risk analysis.

This includes regularly reviewing technology inventories, identifying potential threats, and assessing vulnerabilities in their systems.

The rule also highlights the need to consider the risks involved with using artificial intelligence (AI) tools in managing ePHI, such as how AI accesses and shares data.

By taking a more proactive approach to risk analysis, healthcare organizations can better protect patient data.

4. Stricter Timelines for Incident Response and Notifications

In the event of a cybersecurity incident, time is of the essence. The new rule introduces stricter timelines for responding to incidents and notifying affected parties.

For example, healthcare organizations must restore any lost data and systems within 72 hours of an incident. They must also notify relevant entities within 24 hours when certain events, like workforce member access termination, occur.

These timelines are designed to ensure quicker responses and reduce the impact of security breaches.

5. Regular Compliance Audits

To ensure ongoing compliance, the proposed rule requires both healthcare organizations and their business associates to conduct regular compliance audits at least once a year.

These audits will help identify areas for improvement and ensure that ePHI remains secure.

Business associates must also verify their technical safeguards annually, providing written certifications confirming their compliance.

6. Multi-Factor Authentication and Network Segmentation

To improve access security, the new rule mandates the use of multi-factor authentication (MFA). MFA requires users to provide multiple forms of verification before gaining access to systems.

The rule also calls for network segmentation, which divides networks into smaller, isolated segments to limit the potential damage from a security breach.

Additional Updates and Considerations for Healthcare Organizations

Beyond the core changes to the HIPAA Security Rule, there are a few more important updates and considerations that healthcare organizations should be aware of:

1. Increased Documentation Requirements

The proposed rule significantly expands the documentation requirements for compliance.

Healthcare organizations will now need to document all policies, procedures, plans, and security analyses related to the Security Rule.

This change ensures that organizations have clearly defined practices for safeguarding ePHI. However, it also means more administrative work.

Healthcare organizations will need to allocate additional resources to ensure thorough documentation of their security practices.

2. Cybersecurity Performance Goals (CPGs)

In 2024, the Department of Health and Human Services (HHS) introduced voluntary cybersecurity performance goals (CPGs) to help healthcare organizations enhance their security posture.

These goals are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and are divided into two tiers: Essential and Enhanced.

The Essential CPGs focus on basic security practices, while the Enhanced CPGs are aimed at more advanced measures. While compliance with these goals is voluntary for now, it’s expected that the updated Security Rule will make them mandatory.

3. Resumption of HIPAA Audits

HHS is expected to resume proactive HIPAA audits in late 2024 or early 2025.

These audits will focus on compliance with the Security Rule, especially in areas like risk analysis and risk management.

After a break since 2017, these audits will be a key tool in assessing whether healthcare organizations are meeting the updated requirements.

Impact of the Proposed HIPAA Security Rule Updates

The proposed updates to the HIPAA Security Rule will significantly affect healthcare organizations. Here’s what to expect:

1. Compliance Effort

Healthcare organizations will need to make substantial efforts to comply with the new requirements, including:

  • Revising policies and procedures to align with updated rules, such as documenting risk analyses and incident response plans.
  • Updating business associate agreements to include new security standards, ensuring accountability across all parties.
  • Investing in new technologies and training, such as encryption solutions and multi-factor authentication.

2. Potential Costs

The implementation costs will be high, particularly for smaller organizations.

The White House estimates an initial cost of $9 billion in the first year, with $6 billion in subsequent years.

These costs will cover technology upgrades, staff training, and increased documentation requirements.

3. Enhanced Cybersecurity

Though challenging and costly at first, the updates will strengthen the cybersecurity posture of the healthcare sector.

With mandatory encryption and multi-factor authentication, and a focus on proactive risk management, the rules aim to reduce data breaches. This is crucial given the rise in cyberattacks, such as a 100% increase in large-scale breaches from 2018 to 2023.

While initial efforts may be demanding, the updates will create a more secure healthcare environment in the long run.

Preparing for the Updated HIPAA Security Rule in 2025

As the updates to the HIPAA Security Rule approach, you must take steps to ensure compliance. Here are some actionable tips to help you prepare:

1. Conduct a HIPAA Readiness Assessment

Before making any changes, assess your organization’s current compliance with the HIPAA Security Rule.

  • Review your policies, procedures, and security controls.
  • Identify gaps that need addressing, such as whether you currently encrypt ePHI at rest and in transit.
  • Make sure your incident response plan aligns with the new 72-hour restoration requirement.

This assessment will give you a clear plan to prioritize compliance efforts.

2. Update Software and Security Protocols

The updated rule mandates several key security measures, including encryption, multi-factor authentication, and network segmentation.

  • Review and upgrade your systems to meet these new requirements.
  • For example, invest in encryption software for ePHI, deploy multi-factor authentication to secure access, and implement network segmentation to protect critical data.

3. Implement Staff Training Programs

It’s crucial that your staff understands the new HIPAA Security Rule.

  • Create training programs tailored to different roles within your organization.
  • Provide regular refresher training to keep everyone up-to-date on best practices.

4. Partner with IT Vendors for Compliance-Ready Solutions

Navigating the complexities of the updated rule can be challenging.

  • Partner with IT vendors who offer compliance-ready solutions.
  • These experts can help with encryption, multi-factor authentication, security risk assessments, and staff training programs.

By working with specialized vendors, you can streamline your compliance process and ensure you meet the new HIPAA requirements.
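A small readiness check that ties the four preparation steps above together, added here as an illustration and not part of the original post: a constructed asset inventory is tested against the controls the post lists as mandatory (encryption at rest and in transit, MFA, network segmentation), allowing only documented exceptions, and constructed incident records are tested against the 72-hour restoration and 24-hour notification windows. The record schema, field names and sample values are assumptions for illustration only.

```python
"""Readiness gap check against the controls and deadlines described in the post.
Added example: the inventory/incident schema below is assumed, not a real standard."""
from datetime import datetime, timedelta

REQUIRED_CONTROLS = ("encrypted_at_rest", "encrypted_in_transit", "mfa", "segmented")
RESTORE_WINDOW = timedelta(hours=72)   # restore lost data/systems within 72 hours
NOTIFY_WINDOW = timedelta(hours=24)    # notify relevant entities within 24 hours

def control_gaps(asset):
    """Mandatory controls the asset fails. A control may only be skipped when a
    documented exception exists (e.g. technical infeasibility), so an undocumented
    failure is reported as a gap while a documented one is not."""
    documented = asset.get("exceptions", {})
    return [c for c in REQUIRED_CONTROLS
            if not asset.get(c, False) and c not in documented]

def timeline_gaps(event):
    """Deadlines missed for one incident/event record with ISO-8601 timestamps."""
    detected = datetime.fromisoformat(event["detected"])
    gaps = []
    restored = event.get("restored")
    if restored is None or datetime.fromisoformat(restored) - detected > RESTORE_WINDOW:
        gaps.append("restore>72h")
    notified = event.get("notified")
    if event.get("notify_required") and (
            notified is None or datetime.fromisoformat(notified) - detected > NOTIFY_WINDOW):
        gaps.append("notify>24h")
    return gaps

def readiness_report(assets, events):
    """Map each asset/event name to its open gaps; an empty dict means no gaps found."""
    report = {a["name"]: control_gaps(a) for a in assets}
    report.update({e["id"]: timeline_gaps(e) for e in events})
    return {name: gaps for name, gaps in report.items() if gaps}

# Constructed sample data (not real systems or incidents).
ASSETS = [
    {"name": "ehr-db", "encrypted_at_rest": True, "encrypted_in_transit": True,
     "mfa": True, "segmented": True},
    {"name": "imaging-modality", "encrypted_at_rest": False, "encrypted_in_transit": True,
     "mfa": False, "segmented": True,
     "exceptions": {"encrypted_at_rest": "vendor device cannot encrypt its local store"}},
    {"name": "billing-share", "encrypted_at_rest": False, "encrypted_in_transit": False,
     "mfa": True, "segmented": False},
]
EVENTS = [
    {"id": "inc-1", "detected": "2025-03-01T08:00:00", "restored": "2025-03-03T20:00:00"},
    {"id": "inc-2", "detected": "2025-03-05T09:00:00", "restored": "2025-03-09T09:00:00",
     "notify_required": True, "notified": "2025-03-07T09:00:00"},
]
```

Running `readiness_report(ASSETS, EVENTS)` on the sample data flags the undocumented MFA gap on the imaging device, three gaps on the billing share, and both missed deadlines on the second incident, while the documented at-rest exception and the first incident (restored in 60 hours) pass.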

Why Partner with a Healthcare-Specific IT Company?

Navigating HIPAA and healthcare regulations can be tricky. While general IT companies may offer broad services, healthcare-specific IT companies bring essential expertise. Here’s why they’re the better choice:

1. Compliance Expertise

Healthcare IT companies have deep knowledge of regulations like HIPAA and PIPEDA. They ensure your solutions are compliant, avoiding costly penalties and reputational damage.

2. Avoid Costly Mistakes

General IT companies may not understand the nuances of healthcare data protection. Small mistakes can lead to serious consequences. A specialized partner ensures compliance every step of the way.

3. Tailored Healthcare Solutions

Healthcare IT companies specialize in creating solutions designed for healthcare workflows. This means better efficiency, user experience, and functionality.

4. Data Security

Sensitive patient data requires top-tier security. Healthcare IT companies know how to implement robust measures like encryption and multi-factor authentication to keep your data safe.

5. Ongoing Support

Healthcare-focused IT companies offer continuous support and updates, ensuring your systems remain secure and compliant as regulations evolve.