HIPAA Security Rule Update 2025: Everything you need to know
Virgil
Feb 07, 2025
When HIPAA was first introduced, and even when it received a major overhaul in 2013, the cyber threat landscape was starkly different from what we face today. As a result, earlier versions of HIPAA focused on protecting patients’ privacy during digital transformation and cloud data backup, but did little to mandate security itself.
In 2025, cyber threats will be more complex, faster, and capable of bypassing even the most resilient defenses. The writing on the wall is clear – HIPAA, though the most rigorous healthcare standard, is dated and needs a major revamp.
Enter the new HIPAA rule updates for 2025. Though built on today’s general cybersecurity best practices, they are a steep upgrade from the resilience HIPAA offered before. The new HIPAA 2025 security rule update makes a bold statement – checkbox-style security is out, and resilient, mindful practices with real impact are in. And you — the business associates, covered entities, and sub-contractors — need to giddy up.
Here’s everything new with HIPAA in 2025:
TL;DR
- The 2025 update removes the distinction between “addressable” and “required” security measures, making all specifications mandatory for all entities.
- New mandates include stronger security protocols like multi-factor authentication and regular vulnerability scans, alongside improved documentation and technology inventory requirements.
- The updated rule emphasizes recovery capabilities, with mandatory encryption and faster breach notification deadlines to enable quick and transparent responses.
1) Big or small, HIPAA’s new security rule update in 2025 levels the playing field for all
Historically, HIPAA regulations have been somewhat ambiguous in their language and guidelines, leaving entities across the healthcare sector to interpret them differently. The result was ill-defined security programs and inadequate measures taken by businesses. According to experts, that became HIPAA’s Achilles’ heel.
For context, smaller and larger players face different circumstances and differ in their capacity to implement measures. HIPAA accounted for this in the original Security Rule (§164.306) by distinguishing addressable from required specifications. The caveat? Businesses and organizations were given a free hand in deciding which measures were addressable for them, based on their capacity and resources, and which were mandatory.
In the 2025 update of the HIPAA security rule, HHS mentioned: “We are concerned that some regulated entities proceed as if compliance with an addressable implementation specification is optional,” further adding that “interpretation may weaken the security posture of the industry and the regulated entities.”
Thus, the new security rule eliminates the distinction between required and addressable specifications. Now all regulated entities, their sub-contractors, and their business associates have to abide by the same rules, regardless of their capacity or circumstances.
In short, HHS proposes to unify specifications in the 2025 HIPAA Security Rule.
The new HIPAA Security Rule update for 2025 removes the distinction between “addressable” and “required” implementation specifications, which is a significant change. Here’s how the two compare to each other:
| Previous rule | 2025 update |
| --- | --- |
| Addressable requirements were flexible: entities could implement them if they deemed them appropriate based on a risk assessment. If a measure was not implemented, entities had to document their reasoning and consider alternative measures. Other measures were required, and entities had to implement them without exception. | The new update to HIPAA unifies these specifications and makes every addressable requirement a required specification, mandating them for businesses of all sizes. |
2) Tighter nudge for stronger security, not just privacy
While well-intentioned, HIPAA’s focus has not been where it matters most, particularly with respect to the digital and cloud transformation of the healthcare industry.
In the 2000s, it was all about securely transferring medical records to the cloud while maintaining privacy. Driven by the promise of greater control for individuals about what happens with their data, who keeps it, who gets to access it, and how freely they can access it, it missed the mark on mandating security protocols like MFA, encryption, and vulnerability testing. The new security rule bridges the gap.
Rachna Dutta, Infosec Consultant
Here’s how the HIPAA 2025 update tightens the grip on security:
Mandates MFA
Multi-factor authentication (MFA) is widely touted as the silver bullet in security. It ensures that only authorized personnel get access to information, stopping attacks and breaches in their tracks and thereby safeguarding the confidentiality of ePHI. Under the new security rule, MFA is mandatory: businesses of all sizes will need to protect ePHI and cloud data access with MFA.
Set frequency for vulnerability scans and penetration testing
The new HIPAA Security Rule update for 2025 also sets specific requirements for vulnerability scans and penetration testing. The idea behind these mandates is for entities to review and monitor how their defenses hold up against evolving threats, and to plug any gaps they find.
Documenting and inventorying technology
While most security standards like NIS2 and ISO 27001 already demand an asset inventory, the proposed amendments to HIPAA demand some specific actions. The benefits are manifold:
- The rule’s intent is to make it easy to track how ePHI moves across network and cloud systems, which makes it easier to identify security gaps throughout the data lifecycle.
- A network map helps pinpoint areas where ePHI might be at risk and allows targeted security measures to be implemented.
- In a security breach, a network map can expedite the response by quickly identifying the affected areas and the pathways through which the breach occurred, enabling faster containment and remediation.
- Identifying all assets also enables better risk management and faster mitigation and containment of threats, since assets can be readily isolated, quarantined, or backed up in the event of an incident.
3) Spotlight on better resilience, faster recovery
Cybersecurity is not always about the ability to evade a breach, but it is also about the capability to bounce back and contain the fallout of an incident.
“Every cloud company will face a breach; it’s not a question of if, but when.” – Rachna Dutta, Infosecurity Consultant.
HIPAA’s update emphasizes the organization’s resilience in containing the damage. Here are the measures that HHS proposed in the upcoming update:
Encryption
Encryption is a containment measure that limits the damage even if attackers get their hands on confidential data. Encrypted data is only meaningfully readable with the decryption key, so threat actors cannot use or read it without first defeating the encryption, which preserves the data’s confidentiality.
Encryption ensures that ePHI stored across disparate cloud resources and systems is unreadable to, and secure from, unauthorized access.
In the new upcoming HIPAA security rule update, encryption is mandatory.
Disaster recovery and response planning
The updated HIPAA Security Rule requires entities to have adequate policies outlining the procedures to restore lost data and to ensure that business processes essential to the security of ePHI continue to maintain its confidentiality, integrity, and availability.
Permanent loss of ePHI is not only a risk to the privacy of a person’s records; it also threatens the continued delivery of quality healthcare services. This makes it even more critical to document containment, response, and recovery plans.
Under the proposed guidelines, the plan should outline how ePHI will be protected from theft and how it will be restored in the event of a breach or system failure. This includes documenting backup procedures, enforcing the backup policies, and training staff to carry out backup and recovery procedures properly.
Speed and transparency
Taking a leaf out of the EU’s GDPR playbook, HIPAA follows suit to enhance the speed of response and transparency in notifying incidents.
Here’s how these new HIPAA rules aim to improve speed and transparency:
- Faster Breach Notification Deadlines: Under the updated regulations, covered entities are required to report breaches affecting 500 or more individuals to the U.S. Department of Health & Human Services (HHS), the affected individuals, and, in some cases, the media, within 72 hours of discovering the breach. This is a significant change from the previous 60-day window and aims to speed up the response time to potential data breaches.
- Immediate Notification for Larger Breaches: The notification deadline for breaches that affect a greater number of individuals may vary; however, the proposed rule suggests capping it at 24 hours.
- Enhanced Transparency with Patients: The new rule also proposes prompt responses to affected individuals to ensure transparency. Beyond the initial notification, organizations are mandated to keep individuals updated on containment progress and on any additional measures they might need to take to protect themselves. The affected individuals would also need to be informed when the issue is resolved.
HIPAA Security Rule 2025 also amends privacy rights in parallel
The proposed updates also introduce certain meaningful amendments to the rights of the data subjects, enhancing control and ease of access to the ePHI. Here are some privacy rights amendments for consumers:
- Simplified Consent Processes: HIPAA now simplifies the consent process for sharing Substance Use Disorder records, giving patients the right to give a one-time consent to allow their SUD information to be shared with healthcare entities. This improves quality and eases access to treatment.
- Expanded Rights for Data Access and Control: The updated rules are expected to give patients greater control over accessing their data and governing how other healthcare entities use and share their information.
- Improved Notice of Privacy Practices: Healthcare entities must provide patients with an easily understandable notice of privacy practices to help them exercise their rights and to clarify how their information is protected, stored, and used.
HIPAA 2025 rollout timelines
Tribal Consultation Meeting
- Date: February 6, 2025
- Time: 2:00 PM to 3:30 PM Eastern Time
- Purpose: To solicit input from Tribal officials regarding the modifications to the HIPAA Security Rule.
- Location: The specific location (physical or virtual) is to be confirmed.
Deadline for Submitting Comments
- Date: March 7, 2025
- Action: All comments regarding the proposed modifications to the HIPAA Security Rule must be submitted by this date.
Review and Consideration of Input
- Post-Meeting to Pre-Implementation: After receiving input during the Tribal consultation meeting and through submitted comments by March 7, the Department of Health and Human Services will review all feedback to finalize modifications.
Announcement of Final Rule Changes
- Expected Date: To be determined based on the feedback and internal review timeline.
- Details: After thorough consideration of all inputs, the final details of the modifications to the HIPAA Security Rule will be announced.
Implementation of Modifications
- Start Date: To be determined based on the announcement of final rule changes.
- Compliance Requirement: Affected entities will be expected to comply with any new requirements by a specified deadline, which will be announced along with the final rule changes.
Get everything you need to get HIPAA compliant.
Map and manage all HIPAA requirements from one place with Sprinto. Just plug Sprinto in, and it will automatically map assets – infra, cloud systems, and more – to controls, ensuring continuous monitoring and automatic evidence collection for seamless audits. Sprinto, with its out-of-the-box, ready-to-launch HIPAA programs, adds structure to your HIPAA compliance journey and automates the manual work, saving you the struggle to sift through endless checklists. Be sure to run thorough compliance programs and avoid non-compliance penalties with continuous monitoring and intelligent, automated alerts that keep compliance on track.
Get a wingman for your HIPAA audit
FAQ
What are the key changes in the HIPAA Security Rule for 2025?
The new HIPAA Security Rule in 2025 is set to tighten the grip on cybersecurity measures by incorporating key changes like eliminating the distinction between “required” and “addressable” implementation specifications, mandating risk assessments and certain data-security measures like encryption, access controls, MFA, and continuous control monitoring. The new rule also enforces greater transparency in notifying breaches and timely response to an incident.
What are the implications of the 2025 changes for healthcare providers?
Healthcare providers and their business associates must prepare for increased cybersecurity and data protection obligations. This preparation involves updating technology systems, conducting frequent security assessments, and training staff on new procedures. The updates aim to bolster defenses against cyber threats and enhance the security of electronic protected health information (ePHI).
What changes are made to HIPAA e-signature requirements?
The 2025 HIPAA rules advocate greater use of e-signatures across healthcare transactions, including ones not previously covered under HIPAA, and require healthcare providers to ensure the confidentiality and integrity of e-signatures by implementing stronger access controls and data encryption. This update is set to increase the overall efficiency of processes and speed up the delivery of healthcare services.