HIPAA 2025: What Providers Must Know About the Proposed New Privacy and Security Rule Overhaul

August 27, 2025

The Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are proposing a sweeping modernization of the HIPAA Privacy and Security Rules, with the updates expected to take effect in 2025. These updates reflect a growing urgency to address cybersecurity threats, strengthen patient rights, and clarify longstanding ambiguities in health data management.

The proposed changes to the Privacy Rule focus on expanding patient access and accountability. Patients would have the right to inspect their records in person, take notes, and receive full documentation more quickly. Covered entities would be required to provide estimated fee schedules for access to protected health information (PHI) and to clearly inform patients when access is free. The proposal also expands protections for records related to Substance Use Disorders (SUD) and reproductive health, with strict limitations on disclosure. In particular, reproductive health records could not be disclosed for civil, criminal, or administrative investigations targeting individuals who seek care, marking a significant shift in privacy protections.

The Security Rule overhaul is centered on cybersecurity. Transfers of electronic PHI (ePHI) would be limited to verified EHR systems, with confirmation required for direct provider-to-provider sharing. Covered entities would need to maintain a network map and IT asset inventory updated annually. New mandatory safeguards would include end-to-end encryption for PHI, multi-factor authentication, network segmentation, and robust anti-malware protection.

OCR is expected to increase both the frequency and scope of audits in 2025. This will include annual Security Rule audits, system-wide security reviews, penetration testing, and vulnerability scanning. Organizations should expect stricter enforcement with broader audit criteria, particularly regarding reproductive health record handling and SUD confidentiality. To help mitigate the financial burden, HHS has proposed assistance initiatives to support smaller providers in adopting and maintaining compliance technologies.

To prepare, providers should update HIPAA policies and standard operating procedures to reflect the new definitions and protections, conduct a full risk assessment and gap analysis, and modernize IT infrastructure to meet updated encryption and access control standards. Training staff on reproductive health and SUD confidentiality will also be essential. Finally, organizations should prepare for OCR audits with documented security reviews and updated asset inventories.

The proposed 2025 HIPAA updates are more than regulatory housekeeping. They represent a recalibration of healthcare privacy in a digital and politically charged era. Providers should act now to align operations with the new standards, not only to avoid penalties but also to maintain the trust patients place in their care.