HIPAA Compliance in 2025: What’s Changing & Why It Matters
Healthcare privacy is evolving rapidly, and 2025 is poised to be a year of significant developments. From how artificial intelligence is handled to increased scrutiny around reproductive health data, the boundaries of HIPAA compliance are expanding. This blog post highlights the most important updates and what healthcare organizations need to do to stay compliant.
The Health Insurance Portability and Accountability Act (HIPAA) was initially passed in 1996 and later expanded by the HITECH Act. It establishes the ground rules for the use and disclosure of protected health information (PHI), which includes any identifiable health data that a provider or health plan creates or receives in connection with a patient’s care or payment for that care. It applies across all formats, including electronic, paper, and verbal. Notably, HIPAA doesn’t cover employee records or trade secrets.
HIPAA applies to two main types of entities:
- Covered entities, such as healthcare providers, insurers, and clearinghouses, which conduct certain transactions electronically.
- Business associates, such as vendors and contractors that access PHI while delivering services to covered entities.
While HIPAA serves as the federal baseline, state-level privacy laws can go further, so compliance often requires managing a mix of rules and requirements. HIPAA is built around three core rules:
- Privacy Rule: Governs how and when PHI can be shared and requires safeguards, such as policies and Business Associate Agreements (BAAs).
- Security Rule: Emphasizes safeguarding electronic PHI using administrative, technical, and physical measures.
- Breach Notification Rule: Requires the timely disclosure of any breach of unsecured PHI to affected individuals, regulators, and, in some cases, the media.
The Push Toward Stronger HIPAA Safeguards
HIPAA and related privacy regulations have undergone a series of significant changes in recent years, some subtle and others more substantial. While smaller adjustments often pass unnoticed, a broader overhaul has been long overdue. In response, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) in December 2020 to update the HIPAA Privacy Rule. This was followed by a long-anticipated proposal in December 2024 aimed at modernizing the HIPAA Security Rule.
The Security Rule currently requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). One of the most significant proposed changes is the removal of the distinction between “required” and “addressable” safeguards. Under the new approach, all safeguards would become mandatory, with some exceptions, eliminating the flexibility that many organizations previously relied on to delay or bypass certain security measures.
While the proposed rule maintains some flexibility in how safeguards are implemented, it expands the factors that organizations must consider when assessing the adequacy of their safeguards. These include:
- Complexity, size, and capabilities of the organization
- Cost of implementing security measures
- Effectiveness of safeguards in supporting system resilience
- Likelihood and potential impact of threats to ePHI
- State of the organization’s current technical infrastructure
If finalized, these changes would require a thorough reevaluation of security practices. Safeguards that were once optional would need to be properly implemented, increasing both accountability and compliance expectations.
Key Areas of Focus in the Proposed HIPAA Security Rule
The proposed updates introduce several new and expanded requirements designed to address today’s evolving cybersecurity landscape. These include:
- Backup Systems: Organizations must maintain retrievable ePHI backups that are no older than 48 hours. Backup processes must include real-time failure alerts and be tested monthly with full documentation.
- Business Associate Agreements (BAAs): Business associates must notify covered entities within 24 hours of activating a contingency plan. Covered entities are also required to obtain annual written confirmation that vendors have implemented all necessary technical safeguards.
- Contingency Planning: Organizations must document recovery procedures for critical systems and restore data within 72 hours of a disruption. These plans must be tested and updated at least once per year.
- Encryption Requirements: ePHI must be encrypted both in transit and at rest. If systems currently lack encryption capability, a written plan must be in place to migrate to compliant technologies.
- Multi-Factor Authentication (MFA): Any action that alters user access levels must be protected by MFA. These controls must be tested annually or after system changes.
- Network Segmentation: Organizations must implement both technical and policy-based controls to limit access to ePHI by isolating it within secure network segments.
- Technology Inventory and Network Mapping: A written inventory of all technology assets and a detailed network map must be maintained and updated at least annually, or whenever significant changes occur.
- Vulnerability Scanning and Penetration Testing: Automated scans must be conducted at least every six months or as indicated by a risk analysis. Penetration testing must also be performed biannually by qualified cybersecurity professionals.
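The cadences above lend themselves to an automated evidence check. The following is an added example, not code from the original post or from Compass IT Compliance: it evaluates constructed evidence records against the proposal's stated limits (48-hour backups, monthly backup tests, annual contingency-plan and inventory reviews, six-monthly scans, encryption implemented or under a written migration plan). The control names, the evidence format and the "as of" date are assumptions.

```python
"""Check control evidence against the cadences named in the proposed Security Rule.

Added example; the evidence records are constructed. In practice these timestamps
would come from the backup system, the vulnerability scanner and a GRC tool.
"""
from datetime import datetime, timedelta

# Maximum allowed age of the most recent evidence, per control (assumed names).
MAX_AGE = {
    "latest_backup": timedelta(hours=48),        # "no older than 48 hours"
    "backup_test": timedelta(days=31),           # "tested monthly"
    "contingency_plan_test": timedelta(days=365),
    "asset_inventory_review": timedelta(days=365),
    "network_map_review": timedelta(days=365),
    "vulnerability_scan": timedelta(days=183),   # "at least every six months"
    "mfa_control_test": timedelta(days=365),
}

def check_evidence(evidence, now):
    """Return a list of (control, finding) tuples; an empty list means all pass.

    evidence maps a control name to the ISO-8601 timestamp of its latest
    evidence (or None when nothing is recorded). Encryption scopes map to a
    dict with 'implemented' and 'migration_plan' flags.
    """
    findings = []
    for control, max_age in MAX_AGE.items():
        stamp = evidence.get(control)
        if stamp is None:
            findings.append((control, "no evidence recorded"))
            continue
        age = now - datetime.fromisoformat(stamp)
        if age > max_age:
            findings.append((control, f"evidence is {age.days} days old, "
                                      f"limit is {max_age.days} days"))
    # Encryption at rest and in transit: either implemented, or covered by a
    # written plan to migrate to compliant technology, as the proposal allows.
    for scope in ("encryption_at_rest", "encryption_in_transit"):
        state = evidence.get(scope, {})
        if not state.get("implemented") and not state.get("migration_plan"):
            findings.append((scope, "not implemented and no written migration plan"))
    return findings

# Constructed evidence for a hypothetical covered entity, evaluated at a fixed time.
AS_OF = datetime(2025, 7, 1, 9, 0)
SAMPLE_EVIDENCE = {
    "latest_backup": "2025-06-28T02:00:00",         # about 3 days old: fails 48h
    "backup_test": "2025-06-15T00:00:00",
    "contingency_plan_test": "2024-03-10T00:00:00",  # more than a year: fails
    "asset_inventory_review": "2025-01-20T00:00:00",
    "network_map_review": None,                      # never documented: fails
    "vulnerability_scan": "2025-04-02T00:00:00",
    "mfa_control_test": "2025-06-30T00:00:00",
    "encryption_at_rest": {"implemented": True},
    "encryption_in_transit": {"implemented": False, "migration_plan": False},
}

if __name__ == "__main__":
    for control, finding in check_evidence(SAMPLE_EVIDENCE, AS_OF):
        print(f"FAIL {control}: {finding}")
```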
If finalized, these proposed changes will raise the standard for HIPAA compliance, particularly in areas such as technical infrastructure, vendor oversight, and breach prevention and response. While some organizations may already meet aspects of these requirements, others will face considerable operational and financial adjustments to keep up. Now is the time to assess current practices and prepare for what’s ahead.
Core HIPAA Compliance Areas to Consider for 2025
Balancing Innovation with Privacy
Artificial intelligence (AI) is rapidly becoming a powerful tool in healthcare, improving efficiency, supporting clinical decision-making, and helping reduce provider burnout by automating administrative tasks. From interpreting radiology scans to enhancing remote monitoring, AI offers real value to care delivery. However, with these benefits come complex compliance challenges, particularly around data privacy. AI systems require vast amounts of data to function effectively, often utilizing patient information for training purposes. This creates significant risks under HIPAA and other privacy laws, especially when third-party tools use or retain data without clear user awareness.
Healthcare organizations must ensure they have the proper rights, licenses, and patient consents before using or sharing data with AI platforms. They should also carefully review vendor agreements, privacy policies, and terms of use to understand how data may be processed or commercialized. In many cases, the use of PHI for product development or marketing may be restricted without specific notice or anonymization. As AI adoption continues to grow, staying compliant means not just managing data but doing so transparently, lawfully, and ethically.
Reproductive Health Privacy
Following the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which overturned Roe v. Wade, the landscape of reproductive health privacy has become more complex and contentious. In response to growing concerns, the OCR issued a Final Rule in April 2024 aimed at strengthening HIPAA protections for reproductive health information. This rule prohibited the use or disclosure of PHI for investigations or proceedings related to the lawful provision or receipt of reproductive care.
However, the rule quickly faced legal challenges. In June 2025, a federal court in Texas vacated the rule, finding that HHS lacked clear authority to implement special protections for politically sensitive medical procedures. While it remains uncertain whether the decision will be appealed, further federal action appears unlikely in the short term.
In the absence of a federal standard, many states have stepped in. California, for example, amended its Confidentiality of Medical Information Act to block disclosures of abortion-related records to law enforcement or courts enforcing conflicting out-of-state laws. New York voters approved a constitutional amendment protecting reproductive autonomy, and the state has enacted shield laws to prevent enforcement of out-of-state penalties against providers of legal reproductive or gender-affirming care.
As more states adopt their own protections, some expansive and others restrictive, healthcare organizations must navigate a patchwork of overlapping and sometimes conflicting rules. This creates significant compliance challenges, particularly for providers, insurers, and digital health platforms operating across state lines.
To manage these risks, organizations should:
- Review and update privacy policies to reflect current state and federal requirements.
- Limit data sharing related to reproductive care unless legally required.
- Conduct privacy audits and work closely with legal counsel to guide policy and communication strategies.
New Rules for Substance Use Disorder Records
In February 2024, the U.S. Department of Health and Human Services (HHS), in collaboration with the Substance Abuse and Mental Health Services Administration (SAMHSA), released a long-awaited update to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations under 42 C.F.R. Part 2 (“Part 2”). These rules, originally designed to protect individuals from discrimination and legal consequences associated with their SUD treatment, were first implemented in 1975, long before HIPAA was established.
Historically, providers covered by both HIPAA and Part 2 have faced challenges complying with two sets of often conflicting privacy standards. The new “Part 2 Final Rule” aims to streamline compliance by aligning Part 2 more closely with HIPAA, reducing administrative burdens while maintaining strong patient privacy protections.
Key Changes in Part 2 Final Rule
- Breach Notification: Any breach involving Part 2 records must now follow the same notification procedures required under the HIPAA Breach Notification Rule.
- Counseling Notes Protections: Similar to HIPAA’s protections for psychotherapy notes, notes from SUD counseling sessions must be kept separate and require specific consent to disclose, even if a patient has provided general consent for treatment, payment, and healthcare operations (TPO).
- Patient Rights: Patients can file complaints directly with HHS and request a list of all disclosures made with their consent over the past three years.
- Public Health Disclosures: De-identified SUD records may be shared with public health authorities without patient consent, consistent with the HIPAA Privacy Rule.
- Safe Harbor for Investigators: Government investigators who access Part 2 records without proper court orders may be shielded from liability if they can demonstrate that they acted with reasonable diligence in confirming whether Part 2 applies.
- Simplified Redisclosure: Covered entities can redisclose SUD information received under TPO consent without needing to isolate those records from other PHI, making it easier to integrate into standard workflows.
- Stronger Enforcement: Part 2 violations are now subject to the same civil and criminal penalties as HIPAA violations.
- Unified Patient Consent: Patients may now give a single, ongoing consent for the use and disclosure of SUD records for TPO, rather than needing to approve each disclosure individually.
Note: The Final Rule took effect on April 16, 2024. Organizations must be fully compliant by February 16, 2026.
Action items:
- Evaluate whether your organization handles SUD-related records.
- Update internal policies and procedures to reflect the new requirements.
- Revise your Notice of Privacy Practices to address how SUD information is handled under the revised rules.
HIPAA and Tracking Technologies: Legal Challenges and Compliance Considerations
In early 2024, HHS and SAMHSA issued updated guidance on the use of third-party tracking technologies, including cookies, web beacons, session replay scripts, and fingerprinting tools, on healthcare websites. The guidance warned that such technologies might result in unauthorized disclosures of PHI, depending on the context in which they are used and the type of data collected.
Notably, the guidance suggested that PHI could be improperly disclosed not only on authenticated webpages (where users log in or submit identifiable information), but also on public-facing pages if they collect IP addresses and browsing data that could be linked to specific individuals. This expansive interpretation raised concerns across the industry and contributed to a surge in regulatory enforcement and class action litigation focused on tracking technologies.
In response, the American Hospital Association (AHA), along with other plaintiffs, challenged the guidance in court. In June 2024, a federal judge in the Northern District of Texas vacated HHS’s expanded interpretation of PHI, ruling that it exceeded the agency’s authority under HIPAA. The court specifically rejected the notion that an IP address collected on an unauthenticated webpage, without more, qualified as PHI simply because the page referred to a health condition or provider. The court held that this so-called "Proscribed Combination" unlawfully broadened the definition of PHI beyond what HIPAA allows.
As a result, HHS must revise the guidance and can no longer enforce the vacated portions related to unauthenticated webpages. However, the rules and expectations for authenticated areas of a healthcare provider’s website remain in effect. Key takeaways include:
- Business Associate Agreements (BAAs) must be in place with any tracking technology vendors that have access to PHI.
- Disclosures of PHI to third-party vendors must be explicitly permitted under the Privacy Rule.
- Tracking technologies on authenticated webpages must comply with the HIPAA Privacy and Security Rules, ensuring any PHI collected is properly safeguarded.
- Use of tracking technologies must be included in regular security risk assessments, as required by the Security Rule.
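A first step toward the takeaways above is knowing which third-party hosts an authenticated page actually loads and whether each is covered by a BAA. The following is an added example, not code from the original post or from Compass IT Compliance: it inventories externally loaded scripts, images, iframes and stylesheets from a page's HTML and flags third-party hosts without a BAA. The portal HTML, the first-party host and the BAA vendor list are constructed; a real review would fetch each authenticated page and maintain the vendor list from executed agreements.

```python
"""Inventory third-party resources on a page and flag hosts not covered by a BAA.

Added example with constructed input. Uses only the standard library so it
runs offline on saved HTML.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

class ResourceCollector(HTMLParser):
    """Collect absolute src/href values of elements that trigger a request."""
    LOAD_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOAD_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        # Relative paths stay first-party; only absolute or scheme-relative URLs count.
        if value and value.startswith(("http://", "https://", "//")):
            self.urls.append(value)

def third_party_hosts(html, first_party_host):
    """Hosts referenced by the page that are not the site or one of its subdomains."""
    parser = ResourceCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlparse(url if "://" in url else "https:" + url).hostname
        if host and host != first_party_host and not host.endswith("." + first_party_host):
            hosts.add(host)
    return hosts

def audit_page(html, first_party_host, baa_vendors, authenticated):
    """Map each third-party host to 'BAA', 'NO_BAA' (authenticated page, no
    agreement) or 'REVIEW' (unauthenticated page; still assess under the risk analysis)."""
    result = {}
    for host in sorted(third_party_hosts(html, first_party_host)):
        covered = any(host == v or host.endswith("." + v) for v in baa_vendors)
        if covered:
            result[host] = "BAA"
        else:
            result[host] = "NO_BAA" if authenticated else "REVIEW"
    return result

# Constructed HTML for a hypothetical patient-portal page shown after login.
PORTAL_HTML = """
<html><head>
<link rel="stylesheet" href="https://static.example-health.org/portal.css">
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="//replay.session-tool.example/record.js"></script>
</head><body>
<img src="https://ads.pixel-network.example/p.gif?event=appointment_booked">
<img src="/images/logo.png">
</body></html>
"""
# Vendors with which the hypothetical organization has an executed BAA.
BAA_VENDORS = {"analytics-vendor.example"}

if __name__ == "__main__":
    for host, status in audit_page(PORTAL_HTML, "example-health.org", BAA_VENDORS, True).items():
        print(status, host)
```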
Even with the partial legal rollback, HIPAA-regulated entities should continue to carefully assess and manage their use of tracking technologies. These tools are increasingly scrutinized in regulatory audits, due diligence processes, and litigation. Because tracking activity is often visible and easily documented, healthcare organizations must be proactive in identifying potential risks and ensuring compliance with the current legal framework.
Offshore Operations in Healthcare
Offshore service arrangements, such as those for claims processing, call center support, and technical help, can offer significant cost savings and operational efficiencies. These benefits make offshore contracting attractive, especially in competitive markets where pricing models are tightly controlled. However, these arrangements raise serious questions around data privacy and regulatory compliance, particularly when they involve access to large volumes of health information.
Organizations considering offshore vendors must carefully navigate a web of federal, state, and contractual requirements. While offshore arrangements are not strictly prohibited, they are subject to heightened scrutiny and specific compliance obligations:
HIPAA Requirements: HIPAA does not ban the use of offshore vendors, but it does require covered entities and business associates to implement reasonable administrative, physical, and technical safeguards to protect PHI. In addition, appropriate BAAs must be executed. Offshore arrangements introduce unique risks that may require additional controls to ensure HIPAA compliance.
Medicare Guidance: The Centers for Medicare & Medicaid Services (CMS) has issued guidance requiring Medicare Advantage organizations and prescription drug plan sponsors to take “extraordinary measures” to ensure offshore arrangements properly protect patient data. Specifically, organizations must complete an attestation that includes:
- A description of any PHI the subcontractor will access
- The identity and role of the offshore subcontractor
- The security measures in place to protect PHI
In addition to the attestation, organizations are also required to audit their offshore subcontractors. While the guidance does not prohibit the use of offshore vendors, it establishes strict conditions that must be met before such arrangements are permitted.
Medicaid Regulations: Under the Affordable Care Act, states cannot use Medicaid funds to pay for services rendered by financial institutions outside the U.S. However, CMS has clarified that administrative services, such as support functions, may be eligible for offshore outsourcing. Despite this, states may have restrictions. Because Medicaid rules vary by jurisdiction and are often updated through state-issued guidance and manuals, organizations must review applicable state-specific restrictions before engaging offshore vendors.
State Laws: Several states have introduced restrictions on offshore data handling:
- Florida amended its Electronic Health Records Exchange Act in 2023 to restrict where certain providers can store electronic health records. The law now requires qualified records to be stored only within the U.S., its territories, or Canada. Offshore storage is prohibited.
- Ohio issued an executive order that bans the use of state agency funds for services carried out outside the United States.
For providers operating across state lines, these state-level actions create additional compliance requirements to navigate.
Contractual Restrictions: Even if the law permits offshoring, contracts may set stricter limits. Agreements with payers, Medicare Advantage plans, or Medicaid agencies often include specific clauses that restrict the transfer of offshore staff or data. These terms can take precedence over what regulations might otherwise allow.
Ethical Hacking: A Proactive Approach to Cybersecurity
Healthcare organizations continue to face growing cybersecurity threats, with daily headlines reporting data breaches involving highly sensitive personal and health information. These incidents are not only harmful due to the nature of the data concerned, but they’re also expensive, often triggering litigation, regulatory investigations, and long-term reputational damage.
One strategy gaining traction to address these threats is ethical hacking, also known as white hat or good-faith hacking. This involves hiring security professionals to intentionally probe systems, networks, and applications for vulnerabilities before bad actors can exploit them. Ethical hacking can take the form of structured penetration testing or incentive-based programs, such as bug bounties, which reward individuals for responsibly disclosing security flaws.
Many leading technology companies have successfully adopted these programs, recognizing that the cost of identifying a vulnerability early is far less than the cost of responding to a breach. The same logic increasingly applies to the healthcare sector, where the consequences of a security lapse can be particularly severe. However, any ethical hacking initiative must be carried out in compliance with HIPAA. This includes ensuring that:
- BAAs are in place with third-party testers, when necessary,
- Ethical hackers have a legitimate and permitted purpose for accessing systems,
- Only the minimum necessary PHI is accessed or exposed during testing,
- Proper safeguards are used throughout the process.
Without these protections, organizations risk turning a proactive measure into a costly compliance failure. As cyber threats become increasingly sophisticated, ethical hacking provides a practical approach to identifying and mitigating vulnerabilities before they can cause damage. When implemented carefully and lawfully, it can be a powerful part of a healthcare organization’s broader security strategy.
Five Smart Moves to Strengthen HIPAA Compliance Now
The table below outlines practical steps your organization can take now to stay compliant:
Topic | The Concern | Compliance Tip |
AI Usage | AI requires large volumes of data to function effectively, often relying on extensive datasets for training. Your organization must hold the proper rights and licenses to use any data involved, especially patient data sourced from third parties. | Ensure that any use of patient data for AI tools is properly licensed and obtained with consent. Some tools train themselves on your data. Be sure you know how it’s used. |
Communications | HIPAA requires covered entities to protect health information, including when communicating with patients. Using insecure methods, such as text messages or emails, to share this information can lead to violations. In addition to HIPAA concerns, these forms of communication may also trigger compliance issues under other laws, such as the TCPA and the CAN-SPAM Act. | Obtain patient consent before using text or email. Even better, keep sensitive data out of unsecured channels entirely. |
Notice of Privacy Practices (NPP) | Because NPPs are public-facing documents, any inaccuracies in them can lead to claims of deceptive or unfair trade practices, including under the FTC Act. There is an increasing amount of class actions and regulatory enforcement cases citing misleading NPPs, with some resulting in multimillion-dollar settlements and judgments. | Ensure your NPP reflects current operations and regulatory language. Outdated NPPs are a common source of enforcement and litigation. |
Social Media | HIPAA generally bars the use or disclosure of health information on social media without the patient’s consent. Problems can arise when a covered entity shares photos or testimonials that identify patients, or even when responding to online reviews. Something as simple as thanking a patient for their feedback without proper authorization can still be considered a HIPAA violation. | Avoid patient identifiers and responses to reviews unless consent is documented. Even casual acknowledgments can violate HIPAA. |
Website Trackers | Tracking technologies, such as analytics tools and pixels, can provide valuable insights into user traffic, behavior, and engagement. However, their use, especially by third parties on healthcare websites, has triggered a surge in class action lawsuits and regulatory enforcement actions focused on potential privacy violations. | Many healthcare sites still use third-party tracking technology that can inadvertently disclose PHI. Review and adjust usage and align with your posted privacy policies. |
Looking Ahead
Healthcare privacy has evolved beyond simply checking compliance boxes. It’s now about actively managing risk, adapting to regulatory changes, and meeting rising expectations from patients and partners. As we move through 2025, organizations need to tighten security protocols, reexamine their technology infrastructure, and treat data as both a critical asset and a potential liability. Failing to comply can result in substantial financial penalties and lasting reputational damage.
The current HIPAA Security Rule still governs today’s requirements, but proposed changes signal that stricter obligations are likely on the horizon. With cybersecurity threats increasing and regulatory attention intensifying, it’s safe to assume that some form of these updates will be adopted.
While a major overhaul isn't needed right now, this is a good time to reassess. Review your current security practices and identify any areas that require improvement. Staying proactive and making informed updates now can help you prevent more significant issues later and strengthen trust along the way.
Next Steps: Support from Compass IT Compliance
Compass IT Compliance can help your organization navigate this increasingly complex privacy landscape. From HIPAA Risk Assessments to third-party vendor reviews, penetration testing, and policy development, our team provides practical, experienced guidance aligned with the latest regulatory expectations. Whether you're preparing for anticipated rule changes or responding to new privacy challenges, we help healthcare organizations stay secure, compliant, and resilient. Contact us today to learn how we can support your compliance and cybersecurity goals.