
Proposed changes to HIPAA have been requested since 2018, published in the Federal Register since 2021, and are now anticipated in the early part of 2025. Here’s a look at what these updates — seven years in the making — contain, and how they impact covered entities, business associates, and their HIPAA compliance practices.
Cybersecurity in Healthcare Needs an Update
Data breaches are increasing within the healthcare industry, and they were ubiquitous enough before. In 2024, 92% of healthcare organizations surveyed by the Ponemon Institute reported falling victim to at least one cyberattack, up from an already enormous 88% in 2023.
Healthcare data and electronic protected health information (ePHI) are still among the most valuable targets for cybercriminals. According to the Verizon 2024 Data Breach Investigations Report (DBIR), “Personal” data was compromised in 75% of breaches, with threat actors only going after valuable “Internal” data 51% of the time. The primary motive? “Financial” (98%), according to the same source, with “System Intrusion” attacks (unauthorized entry) remaining among the top three attack vectors.
As the DBIR notes, “Interestingly, Personal data has eclipsed Medical data as the preferred target for threat actors.” Regardless, the story is plain: Malicious actors are illicitly hacking into healthcare systems, targeting their stores of sensitive personal (and patient) data, and seeking to extort money from these organizations in return for not deleting the data or exploiting it further. And with attack numbers on the rise, it would seem that business is good enough that attackers have little motivation to stop anytime soon.
Although HIPAA requirements have experienced several minor updates, it has been years since any major changes have been made. Meanwhile, attackers have largely had a head start and seem to be making the most of it. Improvements in technology (especially AI) and increased network complexity (remote, hybrid, cloud environments) are leaving pre-2020 healthcare security policies farther and farther behind.
Proposed HIPAA Updates for 2025 and Beyond
There are several changes proposed for 2025 to keep pace with the evolving threat landscape. These include, but are not limited to:
Stronger Data Encryption | Covered entities will be required to implement stronger encryption protocols for data at rest and in transit.
Third-Party Website Tracking | Website tracking tools analyze visitor behavior on healthcare websites to improve the user experience. However, these tracking tools need to be assessed to ensure they don’t inadvertently share PHI with third parties without proper consent.
Patient Rights to Their PHI | Proposed changes would simplify the process for a patient to view and receive copies of their healthcare information. Under the proposal, covered entities would need to provide patients with access to their records within 15 days (as opposed to 30 days).
Maximum Fines Reduced for Lower Tiers | HIPAA has four penalty tiers for violations, and they all currently bear the same maximum penalty of $1.5 million per infraction. Under the proposed changes, this amount will remain in force for the highest tier but will be reduced for the other three.
HITECH Accountability | Changes to the HITECH Act will require that disclosures of PHI for treatment, operations, and payment be accounted for.
Mandatory PHI Sharing | Updates to the privacy rule propose that sharing PHI with other healthcare providers be mandatory, rather than only permissible. This will require an even greater focus on secure file transfer and storage policies for ePHI documents, which may be in transit to a much greater extent than before.
Steps to Strengthen Your HIPAA Cybersecurity Stance
Navigating HIPAA compliance can be a challenge, especially with so many soon-to-be-moving parts. However, there are several unchanging principles that, if applied, can help you strengthen your HIPAA cybersecurity posture. These include:
Self-Assessment | A comprehensive assessment, informed by the new HIPAA updates (when and if they pass), should be conducted. Consider contracting a third party for an unbiased evaluation. Additionally, a penetration test and adversary simulation should be performed to further test defenses, and findings from the assessment can be used to scope and inform those offensive security exercises.
Employee Training | Implement a security awareness training program to educate employees about changes to HIPAA requirements in 2025. The definition of “covered entity” and “business associate” might be broader than you think, and even financial institutions dealing second-hand with PHI may need to comply (and train their workforce accordingly).
Update Policies | Comb through technical security policies especially, as these will be the safeguards which, if not updated, could expose you in an audit or lead to a fatal breach. Make sure encryption protocols are properly updated and set, and that any new file transfer requirements are securely managed.
Test Incident Response | Tabletop exercises are helpful in assessing the preparedness of your healthcare organization (or business associate) and quickly reveal if your entity will be able to meet the updated breach notification rule (or has more work to do).
Leverage HITRUST | HITRUST is a framework that encompasses not only HIPAA cybersecurity requirements, but other compliance standards and regulations as well (NIST, ISO, PCI DSS). It helps resource-strapped teams prioritize and comply with these standards in a measured, phased approach.
Fortra offers several notable cybersecurity solutions for healthcare to help you comply with potential HIPAA cybersecurity updates in 2025. From vulnerability management to phishing and data protection solutions, our arsenal of comprehensive defenses stands ready to help any covered entity or business associate protect the ePHI within their network and remain HIPAA-compliant, no matter the changes to come.