What you need to know
In 2025 and beyond, many HIPAA updates are taking effect in the healthcare arena. Staff education and patient privacy are front and center for the Office for Civil Rights (OCR). You can be fined for HIPAA violations and be required to implement a corrective action plan that will be monitored by OCR for three years. There are significant changes to both the HIPAA Privacy Rule and the Security Rule.
- Notice of Privacy Practices must be updated to include Health Information Exchanges (HIEs).
- Reproductive healthcare records and how their privacy is protected (this may change).
- Substance Abuse and Mental Health Services Administration updates.
- The time allowed to fulfill a patient’s right-of-access request may be reduced to 15 days, and immediate in some cases. Patient right of access has been a major source of complaints, resulting in fines from $3,500 to over $250K.
- New patient authorization attestation requirements.
- The posting of estimated fee schedules may be required.
- Information blocking guidelines, including a patient’s request for their records in the format of their choice.
- Non-discrimination notices with specific terminology (in 15 languages) on websites and in offices.
- Language assistance notice (and staff training on the tools utilized).
- Conscience rights notice.
- Website accessibility requirements. The ADA requires that people with disabilities have equal access to information. An inaccessible website, mobile app, or kiosk can exclude people just as much as steps at an entrance to a physical location.

The updated HIPAA training requirements for 2025 bring several significant changes. The most notable is the emphasis on cybersecurity.
Cybersecurity awareness is a critical component, and employees must be trained in recognizing and responding to potential cyber threats. This includes:
- understanding how to identify phishing attempts,
- using strong passwords, and
- implementing multi-factor authentication.
Proposed data security changes:
Healthcare providers and their business associates (BAs) may be required to implement enhanced administrative, physical, and technical safeguards for electronic protected health information (ePHI). This includes requiring written procedures for restoring electronic information systems and data within 72 hours, and adding specific compliance time periods for many of the existing requirements. Providers could be required to conduct a compliance audit at least every 12 months and to verify that their BAs have implemented the technical safeguards required under the HIPAA Security Rule. Keep in mind that all entities involved with ePHI, including subcontractors of BAs, must already comply with the HIPAA Security Rule; this enhancement adds the requirement to review and audit that compliance every year.
Healthcare providers may be required to conduct more frequent and thorough risk assessments of their IT infrastructure. They would also need to maintain an asset inventory and a network map that illustrates the movement of ePHI throughout the organization’s environment. This is already a requirement under the HIPAA Security Rule, but the proposed rule would require it to be updated on an ongoing basis, or at least once a year. Providers would also need to review their Security Incident Response Plans and document how employees are to report suspected or known security incidents and how the entity will respond.
Medical practices would need to utilize anti-malware/anti-virus systems, including for remote users. Vulnerability scanning would be required every 6 months, and penetration testing once a year.
Healthcare providers would need to update legacy systems, since outdated legacy systems are seen as a significant vulnerability. Under the proposed updates, entities may face stricter obligations to retire or upgrade unsupported software.
ePHI would require higher levels of encryption both at rest and in transit, multi-factor authentication (MFA) would need to be utilized, and continuous network monitoring would be required to detect threats in real time.
Keep in mind, cyber-security is essential for patient privacy and safety.
The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) is working with the Trump Administration to initiate a one-year consultative process with leaders of the healthcare sector to negotiate sound cybersecurity practices that all healthcare stakeholders can be held accountable to.
HSCC Cybersecurity Working Group Executive Director Greg Garcia said “The healthcare industry is now targeted by more cyber-attacks than any other industry sector. If our healthcare owners and operators are to keep up with the evolution of healthcare delivery, technology innovation, and adversarial cyber threats across our vastly interconnected ecosystem, we need our government as a partner in this mission.”
Those involved in cybersecurity in the healthcare space understand the need for greater protection but also believe there are many moving parts that need to be coordinated in order to be effective.
Although these proposed changes are still being negotiated, the best practice is for all entities involved with patient data to conduct a system-wide risk analysis and review how data flows in and out of your network. Once this has been determined, you can address cybersecurity for your particular network. This is not a one-size-fits-all effort. This is where you need a partner that specializes in data security and not an average IT company. This sounds like a lot of work, but not when you have the right partners in place.

Summary
Our HIPAA Keeper™ online compliance system has everything needed for HIPAA compliance documentation. Plus, we work with business partners that are HIPAA compliant as well. So, whatever your need is, we have you covered!
“Simplifying HIPAA through Automation, Education, and Support”
Feel free to share this blog with your colleagues. We want to educate as many practices as we can since HIPAA violations can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.