For companies in the healthcare industry, and for their partners that work with electronic protected health information (ePHI), it is important to keep up to date with changes to HIPAA (the Health Insurance Portability and Accountability Act). In this article, we give an overview of the key changes to HIPAA in 2025.
HIPAA Background
HIPAA was passed in 1996. Its Administrative Simplification provisions, implemented through the Privacy Rule and the Security Rule, require every organization that creates, receives, stores, or transmits protected health information (PHI) to apply standards-based privacy and security controls.
The main types of organizations that must comply with HIPAA (the "covered entities") are healthcare providers, healthcare clearinghouses, and health plans. In addition, business associates of these organizations that perform functions or activities involving ePHI on their behalf must also comply with HIPAA. Business associates include claims processing companies, billing companies, attorneys, consultants, accountants, and IT support and service companies.
Compliance is overseen by the Department of Health and Human Services (HHS), whose Office for Civil Rights enforces the rules through complaint investigations, compliance reviews, and audits. Civil penalties are tiered by level of culpability and capped at $1.5 million (adjusted annually for inflation) per calendar year for all violations of the same provision; knowing misuse of PHI can also be prosecuted criminally. Notably, ignorance of the requirements is not a valid defense: the lowest penalty tier still applies where an entity did not know, and could not reasonably have known, that it was in violation.
Important Changes to HIPAA in 2025
Significant changes to the two main rules of HIPAA, the Privacy Rule and the Security Rule, are listed below. Note that the Security Rule items come from the notice of proposed rulemaking HHS published in January 2025, and several of the Privacy Rule items come from a still-pending Privacy Rule proposal; proposed requirements do not take effect until HHS publishes a final rule with a compliance date, so treat the deadlines and intervals below as targets to plan against rather than obligations already in force. The sources for this information are RSI Security, Thomson Securities, and HIPAAVault.
Updates to HIPAA Privacy Rule Requirements
-Enhanced individual access to, and transparency of, PHI. Covered entities would have to allow individuals to inspect their health records in person, including taking notes or photographs, and would have 15 calendar days (with one 15-day extension) to fulfill an access request, down from the current 30 days. This change cuts the response deadline in half.
-Notice of fees for PHI access. Entities would have to post estimated fee schedules for access and disclosure requests, provide an individualized estimate on request, and tell individuals how to obtain their PHI at no charge where that option exists.
-More latitude in sharing PHI. To help avert a serious and reasonably foreseeable threat to health or safety (a lower bar than the current "serious and imminent" standard), entities would have more flexibility in deciding when sharing PHI is justified. Individuals would gain more control in directing covered entities to send their electronic health records (EHR) to other providers and partners. The existing permission for the Armed Forces to use and disclose PHI would be extended to all uniformed services.
-Substance use disorder treatment records (42 CFR Part 2) are now handled more closely in line with other PHI, and reproductive health care information is specially protected PHI whose use or disclosure for investigating or penalizing a person for seeking or providing lawful care is prohibited.
-Stricter controls on transferring ePHI. An individual's right to direct a copy of their PHI to a third party would be limited to ePHI held in an EHR, and covered entities would need stronger verification of the request before transferring ePHI to the designated provider.
Updates to HIPAA Security Rule Requirements
-Covered entities must create and maintain a written IT asset inventory and network map showing how ePHI moves through their systems, review them at least every 12 months and whenever the environment changes materially, and base their risk analysis on them.
-Companies will need formalized contingency planning that demonstrates how they will restore critical information systems and data, in priority order, within 72 hours of an outage. Entities are also required to have written security incident response plans and procedures documenting how their workforce will respond to and resolve cybersecurity attacks.
-Covered entities and business associates are required to implement multi-factor authentication (MFA), network segmentation, and anti-malware protection, and to encrypt ePHI at rest and in transit, with only narrow exceptions. Taken together these controls amount to a least-privilege, zero-trust posture, although the rule names the specific safeguards rather than mandating a particular framework.
-Entities must promptly implement software updates and patches (under the proposal, within 15 calendar days for critical-risk vulnerabilities and 30 days for high-risk ones) and remove or disable any unnecessary software and unused network ports.
-Portable devices that handle PHI must implement encryption, remote wipe capability, and access controls to protect against exposure of data to unauthorized personnel.
-Stricter Business Associate Agreements (BAAs) with vendors will be required, bringing more rigorous oversight of vendors and business associates. At least once every 12 months, business associates would have to provide covered entities with written verification, prepared by a subject matter expert, that they have deployed the required technical safeguards, and they would have to notify the covered entity within 24 hours of activating their contingency plan.
-Covered entities are required to conduct annual compliance audits, system-wide security reviews, and penetration tests to verify adherence to the Security Rule's standards. They must also run vulnerability scans at least every six months.
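Several of the Security Rule items above (the asset inventory, MFA, encryption, unused ports, patching, and the six-month scan interval) can be turned into an automated gap check over the inventory the rule already requires you to keep. The following is an added example written for this article, not code from Network Depot, HHS, or any of the sources cited; the inventory format, the per-segment port allowlist, and the 30-day patch window are assumptions chosen for illustration, while the six-month scan interval comes from the text above.

```python
"""Gap check of an IT asset inventory against the Security Rule items above.

Added example, not from Network Depot or HHS. The inventory layout, the
30-day patch window and the allowed-port list are assumptions for
illustration; the six-month vulnerability-scan interval is from the text.
"""
from datetime import date, timedelta

# Constructed sample inventory (not real hosts); one record per asset.
ASSETS = [
    {"host": "ehr-db-01", "segment": "phi", "ports": [5432, 22],
     "mfa": True, "encrypted_at_rest": True,
     "last_patched": "2025-05-20", "last_vuln_scan": "2025-03-01"},
    {"host": "billing-app-02", "segment": "phi", "ports": [443, 22, 8080],
     "mfa": False, "encrypted_at_rest": True,
     "last_patched": "2024-11-02", "last_vuln_scan": "2024-10-15"},
    {"host": "kiosk-laptop-07", "segment": "clinic", "ports": [],
     "mfa": True, "encrypted_at_rest": False,
     "last_patched": "2025-05-28", "last_vuln_scan": "2025-05-01"},
]

# Assumed allowlist: ports with a documented purpose, per network segment.
# Anything else listening is "unnecessary" and should be disabled.
ALLOWED_PORTS = {"phi": {22, 443, 5432}, "clinic": {443}}

PATCH_WINDOW = timedelta(days=30)    # assumed internal patch policy
SCAN_INTERVAL = timedelta(days=182)  # "every six months" from the rule text


def audit_asset(asset, today):
    """Return the list of gaps for one asset, in a fixed order."""
    findings = []
    if not asset["mfa"]:
        findings.append("mfa-missing")
    if not asset["encrypted_at_rest"]:
        findings.append("not-encrypted")
    allowed = ALLOWED_PORTS.get(asset["segment"], set())
    unexpected = sorted(set(asset["ports"]) - allowed)
    if unexpected:
        findings.append("unexpected-ports:" + ",".join(map(str, unexpected)))
    if today - date.fromisoformat(asset["last_patched"]) > PATCH_WINDOW:
        findings.append("patch-overdue")
    if today - date.fromisoformat(asset["last_vuln_scan"]) > SCAN_INTERVAL:
        findings.append("scan-overdue")
    return findings


def audit_inventory(assets, today_iso):
    """Map each host to its findings as of the given ISO date string."""
    today = date.fromisoformat(today_iso)
    return {a["host"]: audit_asset(a, today) for a in assets}


if __name__ == "__main__":
    for host, findings in audit_inventory(ASSETS, "2025-06-01").items():
        print(host, "OK" if not findings else ", ".join(findings))
```

Run against a real inventory, the same function turns the checklist into a report you can hand to the annual compliance audit: every host with an empty finding list is evidence of adherence, and every non-empty one is a tracked remediation item with a date.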
Work with a HIPAA Compliance Expert
We recommend you work with a proven HIPAA compliance expert, like Network Depot, to ensure your organization meets this year's updated HIPAA requirements. For healthcare companies, a HIPAA compliance expert will conduct a HIPAA gap analysis and implement, install, and support your Electronic Medical Records (EMR) system. Your trusted HIPAA partner will help you adjust to the important changes to HIPAA compliance in 2025 and ensure that all private patient information is stored and transmitted securely.
For the business associates of healthcare companies, we can assist you in performing an IT asset and network assessment and advise on and implement any necessary changes to ensure you meet HIPAA requirements.
By understanding these key changes to HIPAA and working closely with a HIPAA expert, your business will have peace of mind knowing you are fully HIPAA-compliant. Secure in this knowledge, your organization will be able to stay focused on achieving your unique mission.