The 2025 Changes to HIPAA Requirements: What You Need to Know 

The 2025 changes to HIPAA mark a significant evolution in the regulation that has long safeguarded the privacy and security of patient health information. These updates are set to transform how healthcare providers, business associates, and other covered entities manage electronic protected health information (ePHI) and sensitive patient data. By modernizing cybersecurity standards, enhancing privacy safeguards, and aligning data-sharing rules with other healthcare privacy laws, these changes reflect the ongoing effort to adapt HIPAA to the needs of today’s healthcare landscape.

This comprehensive guide from our Director of Operations, Marc Wolfe, breaks down the critical changes, explores how they will impact covered entities, and outlines steps healthcare providers and organizations can take to ensure compliance. 

Stronger Cybersecurity Standards Under the Proposed 2025 Changes to HIPAA Security Rule Updates

Cybersecurity threats in healthcare are on the rise, with ransomware attacks on hospitals and healthcare networks leading to significant data breaches. A striking example of this occurred at Lurie Children’s Hospital, a well-known pediatric healthcare provider. In November 2025, the hospital suffered a cybersecurity breach that forced it to suspend email communications. This disruption hindered the hospital’s ability to communicate effectively with patients, staff, and external partners, showcasing how deeply such attacks can affect healthcare operations. 

The incident at Lurie Children’s reflects a growing pattern of escalating cyber threats across the healthcare sector. Ransomware attacks have become more advanced, often targeting critical hospital systems. When these systems are compromised, healthcare providers are frequently forced to revert to manual, paper-based workflows. This shift not only delays patient care but also increases the risk of medical errors and slows down essential processes like billing. Given the rapid increase in such incidents, it’s no surprise that the U.S. Department of Health and Human Services (HHS) is stepping in with new measures. 

To combat these growing threats, HHS has proposed updates to the HIPAA Security Rule, which is currently under review by the Office of Management and Budget (OMB) as of October 2024. The proposed changes are designed to modernize healthcare cybersecurity practices, ensuring that hospitals, clinics, and their business associates have the necessary tools to prevent, detect, and respond to cyber threats in real time. By requiring stronger technical, administrative, and physical safeguards for electronic protected health information (ePHI), the updated rules aim to reduce the financial and reputational damage caused by incidents like the one at Lurie Children’s. 

These changes underscore the urgency for healthcare providers to strengthen their cybersecurity defenses and adopt more robust protocols for handling sensitive patient information. 

• Stronger Cybersecurity Requirements 
  • New security protocols are expected to better protect against the increasing sophistication of cyber threats. Healthcare providers and their business associates will be required to implement enhanced technical, physical, and administrative safeguards for electronic protected health information (ePHI). 
  • Covered entities will be required to conduct more frequent and thorough risk assessments of their IT infrastructure and cybersecurity frameworks. 
• Updated Technology Standards 
  • The HHS aims to modernize security standards to align with technological advancements. For example, healthcare providers will need to update legacy systems and adopt modern encryption methods, multi-factor authentication (MFA), and continuous network monitoring to detect threats in real time. 
  • Outdated legacy systems are seen as a significant vulnerability. Under the proposed updates, entities may face stricter obligations to retire or upgrade unsupported software. 
• Enhanced ePHI Protections 
  • To reduce the risk of data breaches, the updated rule will likely enforce more stringent controls on data access, use, and sharing. ePHI will require higher levels of encryption both at rest and in transit. 
  • These changes are intended to prevent breaches resulting from employee negligence, insider threats, or third-party vendor failures. 

These 2025 changes to HIPAA mean healthcare organizations and their business associates must begin preparing for the proposed HIPAA Security Rule changes by strengthening their cybersecurity frameworks. Proactive steps may include: 

• Conducting updated risk analyses to identify potential threats. 

• Implementing endpoint detection and response (EDR) solutions. 

• Enhancing employee training on cybersecurity best practices. 

• Working with compliance partners, like MedPro Disposal, to ensure all disposal processes for ePHI-related documents and media align with updated HIPAA security requirements. 

Alignment of 42 CFR Part 2 with HIPAA

Effective February 8, 2024, a new regulation seeks to harmonize 42 CFR Part 2, which governs the confidentiality of Substance Use Disorder (SUD) records, with HIPAA. Historically, 42 CFR Part 2 had stricter privacy rules that made it more difficult to share SUD patient information, often creating operational inefficiencies in healthcare coordination. The 2024 updates address these challenges.

42 CFR Part 2 establishes privacy protections for patient records related to substance use disorder (SUD) treatment. It was designed to encourage people to seek treatment without fear of stigma. However, the strict confidentiality rules often made it difficult for providers to share patient data with others involved in the patient’s care. 

• Simplified Consent Process 
  • Patients will now have a simplified process for granting consent to share their SUD records. In the past, a patient had to provide written consent each time their information was shared. The new rule allows patients to give a one-time consent to allow providers to disclose their SUD records to multiple healthcare entities. 
  • This change is designed to facilitate better care coordination, as patient data can be more easily shared among healthcare providers, payers, and other stakeholders. 

• Permitted Disclosures for Treatment, Payment, and Operations 
  • The new regulations permit providers to share SUD records for treatment, payment, and healthcare operations (TPO) purposes. This aligns with how other health information is handled under HIPAA. 
  • For example, SUD records can be shared with health plans, clearinghouses, and third-party billing entities as long as the appropriate privacy controls are in place. 

• Stronger Penalties for Breaches 
  • The penalties for non-compliance with 42 CFR Part 2 now align with HIPAA’s penalties. This includes the possibility of civil and criminal penalties, with fines reaching up to $1.5 million per violation. 
  • Breach notifications will become more stringent, requiring providers to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media, depending on the number of records involved. 

What This Means for Healthcare Providers

These changes are designed to increase interoperability in the healthcare system and reduce administrative burdens. Providers should update their internal processes to streamline SUD data-sharing in compliance with HIPAA. Key action items for healthcare providers include: 

• Updating consent forms and privacy notices to reflect the new simplified consent process. 

• Reviewing information-sharing agreements with business associates and partners to ensure they are consistent with the new rules. 

Strengthening breach notification protocols and ensuring SUD records are included in data breach assessments. 

Preparing for a Virtual Visit

Preparation is critical to a successful virtual mental health appointment. Patients should:

• Review Instructions: Ensure they understand how to access the video platform and contact the provider if the instructions need clarification.
• Check Compliance: Confirm that the platform is HIPAA-compliant to protect their privacy.
• Inventory Equipment: Use a device with a camera, microphone, and reliable internet connection. A quiet, well-lit space is essential for effective communication.
• Practice Run: Test the platform and equipment beforehand to avoid technical issues during the appointment.

Compliance and Enforcement Implications of the 2025 Changes to HIPAA

The proposed changes to HIPAA, coupled with the alignment of 42 CFR Part 2, will affect every healthcare provider, insurance company, and business associate. Non-compliance could result in severe financial and reputational consequences.

• HIPAA non-compliance penalties already reach up to $1.5 million per incident, but the 2025 updates emphasize stricter penalties for breaches involving SUD records.
• Violations that involve patient data protected under both HIPAA and 42 CFR Part 2 could lead to compounded penalties, further incentivizing compliance.

• The stricter breach notification rules mandate that healthcare providers report breaches involving SUD records, as required by the HITECH Act and HIPAA. 

• Notifications must be sent to individuals affected by the breach, the HHS, and the media if the breach involves 500 or more individuals. 

How Healthcare Providers Can Prepare for the Changes

Healthcare providers, business associates, and other covered entities should start taking steps to comply with the proposed 2025 changes to HIPAA well before they become mandatory. Here’s how to prepare: 

• Perform Risk Assessments 
  • Assess the security of your ePHI and determine areas of vulnerability in your current infrastructure. 
  • Conduct a risk analysis in line with the updated Security Rule standards and consider partnering with compliance experts like MedPro Disposal for secure document destruction. 

• Strengthen Cybersecurity Defenses 
  • Invest in modern security technologies, such as endpoint detection and response (EDR), security information and event management (SIEM) tools, and encryption tools. 
  • Retire legacy systems that are no longer supported or that present a security risk. 

• Update Policies and Procedures 
  • Revise internal policies to reflect the alignment of 42 CFR Part 2 with HIPAA. This includes updating privacy policies and staff training materials. 
  • Streamline workflows for collecting, storing, and sharing patient data to ensure compliance with simplified consent procedures. 

• Train Your Team 
  • Train employees on the revised breach notification process and the enhanced standards for SUD records under 42 CFR Part 2. 

The 2025 HIPAA changes represent a monumental shift in how healthcare providers, insurers, and business associates must handle patient information. From the proposed changes to the HIPAA Security Rule to the alignment of 42 CFR Part 2, the overarching goal is to enhance privacy, reduce administrative burdens, and ensure healthcare systems are prepared to defend against cyber threats. 

Healthcare providers should begin preparing now to avoid costly penalties, data breaches, and reputational damage. By upgrading cybersecurity protocols, simplifying consent processes, and reviewing vendor agreements, providers can ensure compliance and protect patient trust. 

For help navigating the complexities of the 2025 HIPAA changes, turn to trusted compliance partners like MedPro Disposal. With industry-leading expertise in secure document destruction and HIPAA compliance training, MedPro Disposal helps healthcare providers maintain peace of mind as they navigate the ever-evolving regulatory landscape. 

For comprehensive compliance solutions tailored to healthcare providers, consider MedPro Disposal. We ensure that your practice operates smoothly and effectively, enabling you to concentrate on providing high-quality patient care. Contact us today to learn more.