The Future of HIPAA: What's Going on for 2025 and Beyond

Cyberattacks are evolving at an alarming pace, fueled in part by the rapid rise of artificial intelligence. From deepfakes to fully automated threats, AI has drastically expanded the reach and sophistication of digital breaches. In 2024 alone, the Office of Civil Rights (OCR) received 734 reports of data breaches, a number expected to rise in the coming years.

In response to these growing threats, HIPAA continues to evolve, introducing updates that aim to strengthen data privacy and security in an increasingly digital world. So, what changes are on the horizon? And how will they impact healthcare organizations and patient data? Read on to explore what’s next for HIPAA in 2025 and beyond.

Outline

  1. What's HIPAA?
  2. Privacy and Protected Health Information
  3. Security Provisions and Safeguards
  4. The Final Omnibus Rule
  5. The Costs of HIPAA Noncompliance

Key Takeaways

  • HIPAA is periodically updated to reflect best practices in data security and integrity.
  • HIPAA was initially created to protect patients' data when they switched insurance providers.
  • However, as records became electronic, there was a need for more sophisticated regulations.
  • Over time, these regulations have grown to include the Privacy Rule, the Security Rule, the HITECH Act, and the Final Omnibus Rule.
  • In December 2024, the OCR issued a Notice of Proposed Rulemaking to strengthen the HIPAA Security Rule.

What's HIPAA?

The Health Insurance Portability and Accountability Act of 1996 protects the privacy, security, and integrity of protected health information. At first, HIPAA was used to protect the health information used to process health insurance when employees switched jobs. It was also used to prevent fraud and abuse in healthcare settings.

Later, when patient records became electronic, large organizations were able to store and transfer patient data more easily. But this was not without risks. To mitigate them, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009. In essence, this Act made the reporting of breaches of electronic data mandatory.

Privacy and Protected Health Information

The Privacy Rule came into effect in 2003. This rule protects what HIPAA calls Protected Health Information, or PHI. HIPAA defines Protected Health Information as "any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual." In essence, this is your medical data: treatments, office visits, expenses, and diagnoses. HIPAA ensured that medical practitioners couldn't use this personal information for personal gain. For example, your data could not become part of a research study without your consent, and it could not be used in marketing or fundraising campaigns.

Security Provisions and Safeguards

By 2005, rules surrounding security came into effect. These rules protect electronic data, known as Electronic Protected Health Information or ePHI. They require entities to adhere to three specific safeguards to remain in compliance. The first is the administrative safeguard, which covers the mandatory policies that enforce compliance with the HIPAA Security Rule. The second is the physical safeguard, which requires covered entities, including business associates and subcontractors, to physically store data in a way that restricts access by unauthorized persons. The third is the technical safeguard, which protects electronic communications involving data, i.e., how ePHI is shared or discussed over open networks.

The Final Omnibus Rule

The most recent addition to HIPAA is the Final Omnibus Rule of 2013. This rule defines the encryption standards for ePHI. The goal of these standards is to keep health information safe in the event of a breach by making it inaccessible without the corresponding decryption key. In 1996, and even back in 2009, smartphones still weren't a concern. By 2013, the Final Omnibus Rule had no choice but to address the role of mobile devices in privacy. It recognized that practitioners use their own devices to discuss or transfer ePHI and created provisions to protect that data.

In December 2024, the Office of Civil Rights (OCR) issued a Notice of Proposed Rulemaking. This notice proposes to strengthen the HIPAA Security Rule and enhance the protection of electronic protected health information against sophisticated cybersecurity attacks. The proposed changes are rather extensive, and include:

  1. The distinction between required and addressable implementation specifications is removed, so all implementation specifications apply, with limited exceptions.
  2. Written documentation of Security Rule policies, plans, analyses, and procedures is required.
  3. All implementation specifications have been updated and revised to reflect changes in terminology.
  4. Technical asset inventories and network maps must be developed and revised at least once a year.
  5. Risk analysis must be specific and must identify all reasonably anticipated threats, potential vulnerabilities, and predisposing conditions. In addition, it must include a review of the technology asset inventory, with an assessment of the risk level of each identified threat.
  6. Notification must be given within 24 hours when access to electronic information systems is terminated or changed.
  7. To enable prompt contingency response, regulated entities must prepare written procedures to be carried out within 72 hours of a security incident. These procedures must also set out how workforce members report and respond to such incidents.
  8. Regulated entities must conduct a compliance audit at least yearly. ePHI must be encrypted both at rest and in transit, with limited exceptions.
  9. Business associates must perform at least yearly audits to confirm the correct implementation of technical safeguards.
  10. Multi-factor authentication is mandatory, with a few exceptions.
  11. Vulnerability scanning must be performed at least every 6 months.
  12. Group health plans and their agents must explicitly state their methods for complying with the safeguards of the Security Rule.

The Costs of HIPAA Noncompliance

HIPAA’s Enforcement Rule authorizes its officials to investigate noncompliance claims and impose penalties and sanctions. The consequences can be trivial or devastating, depending on the scope of the noncompliance.

Take Montefiore Medical Center, for instance. In 2024, it was fined $4.74 million for breaching the Security Rule. As it turned out, a staff member had been stealing protected health information and selling it to identity theft rings. The HHS investigation revealed the organization's failure to perform thorough risk assessments, failure to monitor and safeguard its system activity, and, above all, failure to put in place policies for monitoring activity in IT systems that contained PHI.

And it's not just monetary costs we have to think of. Noncompliance can also cost you patient loyalty. For example, do you think patients will remain loyal to Montefiore Medical Center after learning of the incident? Your guess is as good as mine.

Compliance training remains one of the most cost-effective ways to avoid the costs of noncompliance. We offer a range of HIPAA compliance training that fits the unique needs of diverse staff. For example, we have tailor-made training courses for business associates, dental offices, health professionals, and HR. All our courses are accredited by the IACET to provide continuing education units (CEUs). To learn more about our courses, visit our website.