Revisiting HIPAA: Updates to Know
By Lee Warren
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is the cornerstone of patient privacy and data security in the U.S. healthcare system. It established national standards for the privacy and security of patients’ health information, defining how protected health information (PHI) can be used, shared and stored by healthcare providers and health plans.
HIPAA gives patients the right to access and control their healthcare records, while requiring covered entities to protect patients’ data. Enforcement is overseen by the Health and Human Services (HHS) Office for Civil Rights, with penalties for violations ranging from fines to criminal charges.
Recent updates in 2024 and proposed changes for 2025 reflect evolving healthcare practices, technological advances and societal considerations. In 2024, HHS updated HIPAA rules regarding reproductive health records and substance use disorder (SUD) records, both of which took effect that year, while proposals for 2025 address care coordination, administrative procedures and enhanced cybersecurity safeguards for electronic health information. Together, these updates and proposals represent HHS’s ongoing effort to adapt HIPAA regulations to a changing legal, technological and healthcare environment.
Reproductive Health Privacy
In 2024, HHS issued a final rule titled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” which clarified how reproductive health records must be handled. The rule addressed disclosure requirements, including restrictions on sharing reproductive health information with law enforcement or other third parties, and updated the notice of privacy practices to reflect patients’ rights regarding this sensitive information.[1]
In 2025, a federal court vacated the attestation requirement, which would have required entities requesting reproductive health information to formally state that the request complied with HIPAA. Other parts of the 2024 rule, such as the disclosure restrictions, remain in effect.[1]
In practice, when a patient checks in at a clinic, her reproductive health information (for example, abortion or miscarriage care) cannot be shared for investigations unless required by law. If another provider, insurer or government agency later requests those records, the clinic must follow standard HIPAA Privacy Rule procedures for disclosure. While a signed attestation from the requester is no longer required, covered entities must still ensure that any sharing of reproductive health information complies with HIPAA and applicable federal or state laws.
Substance Use Disorder Records
In 2024, HHS issued major updates regarding the confidentiality of SUD treatment records, revising 42 CFR Part 2 (the set of federal regulations that governs the confidentiality of SUD patient records) to bring consent, disclosure and breach notification requirements into closer alignment with HIPAA, as required by the Coronavirus Aid, Relief and Economic Security (CARES) Act.
Patients may now give a single consent for their records to be used and disclosed for treatment, payment and healthcare operations, with recipients permitted to redisclose information under HIPAA rules. The changes also applied HIPAA’s breach notification standards to SUD programs, expanded patients’ rights to receive an accounting of disclosures and updated notice requirements to mirror HIPAA’s Notice of Privacy Practices. Enforcement was strengthened through new noncriminal fines, and programs gained flexibility by no longer being required to segregate SUD records when shared under broad consent.[2]
In practice, when patients enter a primary care clinic and disclose they are receiving treatment for SUD at a specialty program, they can now sign one broad consent, allowing their SUD records to be shared with the clinic, their insurance company and other treating providers for care coordination and billing. The clinic no longer needs to maintain separate files for those records since redisclosure rules now align with HIPAA. If there’s ever a breach of those records, such as a stolen laptop containing PHI, the SUD program must notify the patient promptly, and regulators need to be informed if the breach meets reporting thresholds.
Additional 2024 Rule Proposals
In addition to the two rules finalized in 2024, HHS issued several proposed updates and guidance that remain under review and have not yet taken effect. These proposals primarily affect covered entities, which include healthcare providers, health plans and healthcare clearinghouses that create, receive or transmit PHI. They also indirectly affect business associates, such as IT vendors, billing companies and cloud service providers, that handle PHI on behalf of covered entities. While not finalized, these proposals provide insight into the future direction of HIPAA regulations.
One major proposal seeks to modernize the HIPAA Security Rule. It would strengthen administrative, technical and physical safeguards for electronic PHI, including more detailed risk analyses, mandatory encryption of data, improved breach response plans and requirements for annual compliance audits.[3]
Another proposal focuses on revising the Notice of Privacy Practices, the document that informs patients about how their health information may be used and shared, as well as their rights under HIPAA. The revisions aim to make patient rights and data-use policies clearer and more transparent.[4]
HHS also released updated guidance to help covered entities and business associates address ongoing cybersecurity risks.[3] This guidance emphasizes practices such as regular risk analyses, employee training, incident response planning and stronger technical safeguards, but it remains advisory rather than regulatory.
In addition, the agency issued fact sheets and educational materials to raise awareness about phishing, ransomware and other common threats to PHI.[5] While these resources do not have the force of law, they indicate HHS’s ongoing concern about cyber threats and encourage healthcare organizations to prepare for stricter requirements that may result from the pending Security Rule changes.
Proposed 2025 HIPAA Security Rule Changes
The following highlights summarize the key elements of the proposed 2025 Security Rule changes healthcare organizations would need to prepare for if the rule is finalized.[3,6]
- All safeguards required: The longstanding distinction between “required” and “addressable” standards would be removed. Every safeguard would become mandatory, with only narrow exceptions.
- Stronger risk management: Covered entities would have to maintain a written, detailed risk assessment, including an up-to-date inventory of all technology assets and a network map showing how electronic PHI flows through their systems.
- Incident response upgrades: Organizations would need written response plans capable of restoring critical systems and data within 72 hours. These plans would also be tested and revised on a regular basis.
- Technical protections: Encryption of electronic PHI would become mandatory, alongside multifactor authentication, anti-malware protections, consistent system configurations (the standardization of computers, servers and devices) and network segmentation (the division of an organization’s computer network into separate sections to limit exposure of sensitive data).
- Ongoing oversight: Entities would have to conduct a compliance audit at least once every 12 months, perform vulnerability scans every six months and run penetration tests annually to prove security measures are effective.
- Faster notifications: Access changes (such as when an employee leaves) and activation of contingency plans would have to be reported to the appropriate parties within 24 hours.
An Evolving Landscape
The evolving landscape of HIPAA regulations underscores the need for proactive healthcare management. As privacy concerns grow and technology advances, healthcare leaders must stay informed. The 2024 updates and 2025 proposals represent a pivotal moment in HIPAA’s history — one that demands renewed attention to compliance, patient rights and data security.
References
1. U.S. Department of Health and Human Services. HIPAA and Reproductive Health. Accessed at www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/index.html.
2. U.S. Department of Health and Human Services. Fact Sheet: 42 CFR Part 2 Final Rule. Accessed at www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html.
3. U.S. Department of Health and Human Services. HIPAA Security Rule Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information. Accessed at www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html.
4. U.S. Department of Health and Human Services. Model Notices of Privacy Practices. Accessed at www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html.
5. U.S. Department of Health and Human Services. Cyber Security Guidance Material. Accessed at www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html.
6. The Center of Excellence for Protected Health Information. HHS HIPAA Security Rule NPRM Fact Sheet. Accessed at coephi.org/resource/hipaa-security-rule-nprm-fact-sheet.