
2025 HIPAA Updates: Key Changes Every Organization Must Know


Introduction

In recent years, the healthcare sector has become an increasingly attractive target for cybercriminals, driven by the high value of medical data and often inadequate security measures. In 2024, the United States witnessed 725 significant healthcare data breaches, compromising over 275 million records.

A critical factor contributing to this vulnerability is the disparity in cybersecurity investments. Healthcare organizations typically allocate only 4-7% of their IT budgets to cybersecurity, whereas other industries, such as finance, invest around 15%.

To address these challenges, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) on December 27, 2024, aiming to strengthen the HIPAA (Health Insurance Portability and Accountability Act) Security Rule and enhance the protection of electronic protected health information (ePHI). The NPRM was published in the Federal Register on January 6, 2025, initiating a 60-day public comment period that concluded on March 7, 2025. During this period, HHS received over 4,000 comments from stakeholders across the healthcare industry. Let's explore the proposed updates in detail.

Updates to HIPAA in 2025

  • Mandatory Multi-Factor Authentication (MFA)

    The 2025 HIPAA Security Rule introduces a pivotal mandate requiring the implementation of Multi-Factor Authentication (MFA) across all access points to electronic Protected Health Information (ePHI). This security measure requires users to verify their identities through multiple credentials, such as passwords, biometric data, or security tokens, before gaining access to sensitive systems.

    The rationale behind this mandate is rooted in the escalating complexity of cyber threats targeting healthcare data. By enforcing MFA, healthcare organizations can significantly mitigate the risk of unauthorized access, even in scenarios where one authentication factor is compromised.

  • Enhanced Data Encryption Protocols

    A Ponemon Institute report revealed that 92% of healthcare organizations experienced at least one cyberattack in the past 12 months, with 69% reporting disruptions to patient care as a result.

    The updated regulations mandate encryption for electronic Protected Health Information (ePHI), both at rest and in transit. This shift from optional to compulsory encryption is a robust response to escalating cyber threats targeting the healthcare sector. As a result, healthcare organizations must implement strong encryption methods, ensuring that sensitive patient data remains protected during storage and transmission.

  • Uniform Implementation of Security Controls

    The proposed rule eliminates the previous distinction between "required" and "addressable" security controls. Historically, this differentiation allowed healthcare organizations some leeway, permitting them to tailor certain security measures based on their unique circumstances.

    While this flexibility accommodated diverse operational needs, it also led to inconsistencies in safeguarding ePHI. By calling for the uniform implementation of all security controls, the updated regulations aim to eliminate such disparities, ensuring a consistent defense against the escalating threat of cyberattacks.

  • Technological Asset Inventories and Network Maps

    Organizations need to develop and maintain comprehensive inventories of their technological assets and detailed maps of their electronic systems. This requirement ensures that all devices, applications, and systems interacting with ePHI are accounted for and monitored.

    Regular updates to these inventories and maps, at least annually or following significant operational changes, are essential to maintain an accurate security posture, thereby reinforcing patient trust and compliance with regulatory standards.

  • Annual Audits

    Healthcare organizations must conduct and document comprehensive audits of their administrative, technical, and physical safeguards at least once every 12 months.

    This move signifies a transformative approach to data security, moving beyond reactive measures to a culture of continuous vigilance. By institutionalizing regular audits, healthcare entities are compelled to maintain an ongoing dialogue about their security stance, enabling an environment where complacency is replaced with assertive risk management.

  • Vulnerability Scanning and Penetration Testing

    Covered entities and business associates are now required to perform vulnerability scans at least every six months and conduct penetration tests annually. This requires providers to scrutinize their digital systems more deeply, identifying subtle weaknesses and simulating realistic attack scenarios that reveal how their infrastructures withstand real-world pressures.

    Beyond compliance, this shift encourages a mindset where every security test serves as a diagnostic tool, revealing hidden vulnerabilities that might otherwise be overlooked.

What Do the Proposed HIPAA Rule Changes Mean for Cyber Risk Management?

The proposed updates address a broad range of cyber risk management concerns. The important themes that emerge include:

Enhanced Cyber Hygiene Requirements

The proposed rules emphasize fundamental security measures—such as multifactor authentication, stronger password policies, data encryption, anti-malware protections, and network segmentation—ensuring a more secure healthcare system by formally codifying these best practices.

Stronger, Proactive Risk Management

Regulators are signaling a shift toward more rigorous and frequent risk assessments, encouraging organizations to move away from ad hoc approaches that are no longer considered sufficient.

Rather than addressing risks reactively, healthcare organizations will need to adopt continuous and proactive risk analysis practices.

Greater Standardization and Harmonization

The proposed changes clarify and tighten the definitions around the “addressable” requirements, reducing ambiguity. Additionally, the updates align HIPAA compliance with established frameworks from NIST and CISA, ensuring better harmonization of controls across multiple regulatory standards.

Manu Gopeendran, Senior Vice President, Strategy and Marketing, MetricStream, in his latest article on Cybersecurity Insiders, explores the critical steps healthcare cyber risk teams can take to proactively prepare for the proposed changes.

Read now: How healthcare cyber risk teams can plan ahead for HIPAA’s Security Rule update

How Does MetricStream Help You Comply With HIPAA?

MetricStream's HIPAA compliance capabilities empower healthcare organizations to meet regulatory requirements and protect sensitive patient information efficiently. With a comprehensive view of risks and controls, organizations can confidently demonstrate compliance while fostering a culture of accountability. Our key benefits include:

  • Centralized Compliance Management: Streamline the storage, management, and access of HIPAA compliance evidence, eliminating manual processes.
  • Unified Control Framework: HIPAA rules can easily be aligned with other cybersecurity frameworks, such as NIST and ISO, enhancing the organization's cyber risk posture.
  • Real-Time Compliance Tracking: Make use of user-specific dashboards and graphical snapshots to monitor compliance progress and instantly address gaps.
  • Automated Workflows: Reduce time and effort by replacing manual compliance processes with automated workflows.

Interested to know more? Request a personalized demo.

Pat McParland

Patricia McParland, AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.