What does HIPAA stand for? Understanding its Impact in 2025
Author: Mike Rotondo Published on: June 16, 2025
HIPAA Privacy and Security Rule Updates for 2025
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a U.S. federal law enacted in 1996 to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
As healthcare technology continues to evolve, updates to HIPAA have become increasingly important. In December 2024, the Office for Civil Rights (OCR) proposed significant updates to the HIPAA Privacy Rule.
While many healthcare stakeholders have advocated for changes to improve patient care, the proposed updates primarily focus on increasing patient access to records, enabling data sharing, and reducing administrative burdens.
Key Proposed HIPAA Privacy Rule Updates
1. Increased Patient Access to PHI
- Patients may inspect their protected health information (PHI) in person and take notes.
- The response time for PHI access requests is reduced from 30 days to 15 days.
- Individuals may direct providers to send electronic PHI (ePHI) to personal health applications.
- Additional guidance clarifies when ePHI must be provided at no cost.
2. Expanded Data Sharing
- Armed Forces personnel may share PHI with all branches of the uniformed services.
- New provisions support sharing PHI through electronic health records (EHRs).
- Covered providers must send records to other healthcare providers when directed by the patient.
3. Reduced Administrative Burden for Covered Entities
- Written acknowledgment of the Notice of Privacy Practices is no longer required.
- Covered entities must post estimated fee schedules for PHI access and disclosure on their websites.
- Healthcare operations are expanded to include care coordination and care management.
Additional Privacy Rule Updates
- Changes to confidentiality protections for substance use disorder records.
- Updated restrictions on disclosure of reproductive healthcare information.
Although these updates are intended to reduce administrative burdens, healthcare providers may face significant implementation challenges.
Key Challenges for Healthcare Providers
- Retraining staff on new procedures may strain resources and disrupt workflows.
- Shortening the PHI response timeframe to 15 days increases administrative demands.
- Billing and medical records often reside in different systems and may need to be combined to fulfill complete patient requests.
At the same time, the rapidly changing technology landscape continues to introduce new attack surfaces for cybercriminals.
To protect valuable electronic protected health information (ePHI), HIPAA Security Rule updates should be implemented alongside Privacy Rule changes.
HIPAA Security Rule Updates
The HIPAA Security Rule focuses on strengthening safeguards for ePHI. Key proposed requirements include:
- Technology Inventory and Network Mapping: Document all technology assets and understand how ePHI flows through the environment.
- Risk Analysis: Identify threats to the confidentiality, integrity, and availability of ePHI.
- Emergency Planning and Incident Response: Maintain written procedures and restore critical data within 72 hours when required.
- Annual Security Rule Compliance Audits: Perform audits at least once every 12 months.
- Annual Reviews and Testing: Evaluate security controls and procedures every year.
- Vulnerability Scans: Conduct scans at least every six months.
- Penetration Testing: Perform penetration tests annually.
- Encryption: Encrypt ePHI at rest and in transit.
- Multi-Factor Authentication (MFA): Add an additional layer of access security.
- Patch Management: Apply software updates and security patches promptly.
- Disable Unused Network Ports: Reduce unnecessary attack surfaces.
- Business Associate Security Reviews: Assess business associates’ cybersecurity readiness annually.
Navigating these updates can be complex. If you would like practical guidance tailored to your organization, Contact Us for a free one-on-one consultation.