What does HIPAA stand for? Understanding its Impact in 2025
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a U.S. federal law that came into effect in 1996 to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
Updates to HIPAA were long overdue. Taking into account the evolving landscape of healthcare technology and the areas it intersects with, the Office for Civil Rights (OCR) proposed updates to HIPAA in December 2024.
While most healthcare industry stakeholders have been campaigning for changes to the HIPAA Privacy Rule that remove certain aspects which have consistently disrupted and delayed efficient patient care delivery, most of the proposed changes are geared towards the following key aspects:
Increase Patient Access to PHI
- The proposed updates include provisions allowing patients to inspect their PHI in person and take notes.
- The time allowed to provide access to PHI is reduced from 30 days to 15 days.
- An individual is permitted to send their ePHI to a personal health application.
- The updates also lay out the circumstances in which individuals must be provided with their ePHI free of charge.
Enabling Data Sharing
- The Armed Forces' permission to use or disclose PHI to all other branches of the uniformed services has been provided for in the latest proposed updates.
- A framework has been created for sharing PHI held in an EHR among covered entities.
- Covered healthcare providers will be required to share certain records with other healthcare providers when individuals direct them to do so while exercising their HIPAA rights.
Easing administrative burden on HIPAA covered entities
- Covered entities are not required to obtain a written acknowledgement from individuals that they have received a Notice of Privacy Practices.
- All entities covered under HIPAA are required to post estimated fee schedules for PHI access and disclosure on their websites.
- The proposed updates also redefine healthcare operations to include care management and care coordination.
In addition to these, there are a couple of further updates:
- Updates to the regulations governing the confidentiality of substance use disorder patient records.
- Changes to the conditions under which PHI pertaining to reproductive healthcare can be used or disclosed.
The driving force behind these proposed updates was primarily to reduce the administrative burden on entities covered under HIPAA, but initially they will pose a significant number of challenges for healthcare service providers.
Key Challenges faced by Healthcare Providers:
- Retraining affected employees, which will increase the load on the human resources of healthcare service providers, causing service workflow disruptions and delays in efficient patient care delivery.
- Improved access to records, combined with the shortened window for fulfilling such requests (15 days instead of the earlier 30), will further increase the administrative burden on healthcare service providers.
- In an attempt to improve access, billing records will need to be provided along with medical records. As these are usually stored in two different systems, both will need to be accessed to provide patients with a complete copy of their records.
The technology landscape has been changing at an unprecedented speed, and this creates new attack surfaces for malicious actors probing the vulnerabilities of existing systems and protocols, which in turn can result in the loss of valuable patient healthcare data and service disruptions. This is why the HIPAA Security Rule updates should be implemented alongside the HIPAA Privacy Rule updates, to protect valuable patient data and ensure efficient service delivery.
HIPAA Security Rule Updates
The HIPAA security rule aims to strengthen the cybersecurity of sensitive ePHI data. Some of the key new requirements of the proposed rule are as follows:
- Understanding the complete technological environment, including technology assets and the network map through which they are interconnected: this helps in understanding how ePHI moves through the entity's digital information systems and how it is used at the various endpoints.
- Risk analysis - identification of threats to the confidentiality, integrity and availability of ePHI.
- Emergency planning and incident response plan - there has to be a clear, written plan setting out the guidelines to be followed during and after any security incident. This has to be followed by restoration of data within 72 hours, prioritised by criticality.
- Security Rule compliance audits - these compliance audits are mandatory at least once every 12 months to ensure all systems, processes and protocols adhere to the latest set of requirements laid out by HIPAA.
- Reviews and tests of security measures - these have to be completed once every 12 months to keep all security measures in line with the latest rules and avoid any unpleasant incident.
- Vulnerability scans - these are proposed as a mandatory practice to be carried out once every 6 months, to identify vulnerabilities that might have appeared with changes to the existing network map or the addition of new endpoints with different configurations and permissions.
- Penetration tests - these are essential once every 12 months.
- ePHI encryption - all ePHI has to be encrypted at all times to keep it safe from prying eyes.
- Multi-factor authentication - this is part of good cyber hygiene and makes all endpoints more secure by adding another layer of defence to existing systems.
- Patch management - regularly updating devices with the latest software updates and patches closes the security gaps left by the existing version of the software, making all systems more secure and reliable.
- Disable unused network ports - open ports can be hijacked and might be used to piggyback a full-blown cyberattack on the complete system.
- Cybersecurity readiness of business associates: this has to be verified every 12 months to make sure all systems and data remain protected and safe.
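Several of the requirements above are recurring cadences (vulnerability scans every 6 months; penetration tests, compliance audits, security-measure reviews and business-associate readiness checks every 12 months). The script below is an added example, not from the article or any HIPAA tooling: it tracks constructed evidence of when each control was last completed and flags what is overdue, or has no evidence at all, as of a chosen date.

```python
"""Added example (not part of the original article): flag HIPAA Security Rule
controls that are overdue against the cadences the proposed rule lists.
Control names, scopes and dates below are constructed for illustration."""
from datetime import date, timedelta

# Required cadence per control, in days: 6 months is taken as 182 days,
# 12 months as 365 days (assumption; adjust to your compliance calendar).
CADENCE_DAYS = {
    "vulnerability_scan": 182,
    "penetration_test": 365,
    "compliance_audit": 365,
    "security_measure_review": 365,
    "business_associate_review": 365,
}

# Constructed evidence log: (control, scope, date last completed).
EVIDENCE = [
    ("vulnerability_scan", "ehr-cluster", date(2025, 1, 10)),
    ("vulnerability_scan", "billing-system", date(2024, 6, 1)),
    ("penetration_test", "ehr-cluster", date(2024, 3, 15)),
    ("compliance_audit", "organization", date(2024, 9, 30)),
    ("business_associate_review", "claims-clearinghouse", date(2023, 12, 1)),
]


def overdue_controls(evidence, as_of, cadence=CADENCE_DAYS):
    """Return (control, scope, days_overdue) for every evidence entry whose
    cadence has lapsed by `as_of`. A control with no evidence at all is
    reported once with scope "*" and days_overdue None."""
    seen = set()
    overdue = []
    for control, scope, done in evidence:
        seen.add(control)
        deadline = done + timedelta(days=cadence[control])
        if as_of > deadline:
            overdue.append((control, scope, (as_of - deadline).days))
    for control in cadence:
        if control not in seen:
            overdue.append((control, "*", None))
    return sorted(overdue, key=lambda r: (r[0], r[1]))


if __name__ == "__main__":
    for control, scope, days in overdue_controls(EVIDENCE, date(2025, 6, 30)):
        status = "no evidence" if days is None else f"{days} days overdue"
        print(f"{control:28s} {scope:22s} {status}")
```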
Navigating these latest updates can be overwhelming. If you'd like to understand more, or want us to break them down for you into easy-to-implement, actionable steps, get in touch with us today for a completely free, one-to-one personalised consultation: Contact Us