HIPAA Changes 2024-2025

By Daniel Lopez

HIPAA changes happen more frequently than many people appreciate; but, due to some significant HIPAA changes in 2024 – and more proposed for 2025 – there is a greater awareness of the need to keep up to date with the latest changes to HIPAA in order to avoid increased penalties for non-compliance.

Up until April 2024, there had only been two minor changes to the HIPAA Privacy Rule and none to the HIPAA Security Rule since 2013. Therefore, although changes are frequently made to the HIPAA Part 162 regulations and the HIPAA Enforcement Rule, it is understandable that many people felt HIPAA was consistent in its compliance requirements.

However, in April 2024, HHS’ Office for Civil Rights finalized proposals to protect the privacy of reproductive health information by introducing attestation requirements for uses and disclosures of Protected Health Information now prohibited by a new standard in the HIPAA Privacy Rule (§164.502(a)(5)(iii)). The update to HIPAA is explained in this Fact Sheet.

The timing of the HIPAA update was significant as it came just weeks after an update to 42 CFR Part 2 that more closely aligned the protections for SUD patient records with those for Protected Health Information. The breach notification requirements and penalties for violations of 42 CFR Part 2 were also aligned with HIPAA. The update to 42 CFR Part 2 is explained in this Fact Sheet.

What this meant for HIPAA covered entities who maintain or transmit reproductive health information, and who also participate in Part 2 programs, is that they had two changes to make to policies and procedures and their HIPAA Notices of Privacy Practices. They also had to provide HIPAA training to members of the workforce whose roles were affected by either update.

Further HIPAA Privacy Rule Updates in the Pipeline

To further complicate compliance with the 2024 HIPAA changes, there are further HIPAA Privacy Rule updates in the pipeline. These HIPAA updates originate from a Notice of Proposed Rulemaking published in 2021 (OCR-0945-AAOO) that proposes changes to HIPAA to accommodate HHS’ “Regulatory Sprint to Coordinated Care”. The proposed HIPAA changes include:

  • Strengthening patients’ rights to inspect and obtain copies of their PHI.
  • Reducing the permitted time limit to respond to a patient’s access request.
  • Reducing the identity verification burden when patients exercise their HIPAA rights.
  • Amending the definition of health care operations to clarify the scope of care coordination and case management.
  • Creating an exception to the “minimum necessary” standard for care coordination and case management.
  • Encouraging disclosures of PHI to help individuals experiencing SUDs, serious mental illnesses, and emergencies.
  • Eliminating the requirement to obtain an individual’s written acknowledgment on receipt of a HIPAA Notice of Privacy Practices.
  • Permitting disclosures of PHI to relay services for patients who are hard of hearing, deaf-blind, or who have a speech disability.

Due to the complexity of the proposed HIPAA changes and their interactions with CMS’ Advancing Interoperability initiative and 42 CFR Part 2, the proposed changes to the HIPAA Privacy Rule have not yet been finalized. The change of administration is expected to accelerate the proposals, and it is highly likely they will become new HIPAA regulations in 2025.

With regard to CMS’ Advancing Interoperability initiative, covered entities may also have to adapt their current procedures to accommodate new HIPAA rules designed to streamline prior authorization processes, while new HIPAA Part 162 changes have been proposed with regard to e-signature requirements for attachments to healthcare transactions.

HIPAA Changes in 2025 to the HIPAA Security Rule

In addition to the existing and proposed updates to the HIPAA Privacy Rule, there will be HIPAA changes in 2025 to the HIPAA Security Rule as a result of HHS’ Healthcare Sector Cybersecurity Strategy. The “Strategy” was published in 2023 to map a path forward on cybersecurity improvements that would help reduce the volume of HIPAA data breaches attributable to security incidents.

At the time, HHS noted that CMS would propose new cybersecurity requirements for hospitals in the Medicare and Medicaid programs, and that the Office for Civil Rights would update the HIPAA Security Rule to include new cybersecurity requirements. In January 2024, HHS published its first Cybersecurity Performance Goals, which, although voluntary at the time, would “inform future rulemaking”.

Adoption of the Cybersecurity Performance Goals would help HHS’ Office for Civil Rights resolve the challenge of how to comply with a 2020 amendment to the HITECH Act instructing the agency to consider a breached entity’s 12-month compliance with “recognized security practices” when determining HIPAA penalties, sanctions, and other remedies.

Proposed HIPAA changes were anticipated throughout 2024, but they were only passed to the Office for Management and Budget for review at the end of October 2024. A Notice of Proposed Rulemaking is now expected in the New Year, with the HIPAA changes in 2025 to the HIPAA Security Rule more likely to be finalized in the second half of the year.

Changes to the HIPAA Enforcement Rule

When the HITECH Act was passed in 2009, one of the measures created a four-tier civil monetary penalty structure for violations of HIPAA based on the level of culpability. The maximum penalty for violations of HIPAA was set at $1.5 million; but, since the passage of the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, the penalties have been increased each year to account for inflation.

The current (December 2024) minimum and maximum penalties per violation tier are displayed in the table below. HIPAA changes to account for inflation are due in January 2025; however, recent HIPAA updates to the penalty amounts have been delayed to later in the calendar year.

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation Type | Maximum Penalty per Violation Type | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $141 | $35,581 | $35,581 |
| Tier 2 | Lack of Oversight | $1,424 | $71,162 | $142,355 |
| Tier 3 | Willful Neglect | $14,232 | $71,162 | $355,808 |
| Tier 4 | Willful Neglect not Corrected in 30 days | $71,162 | $2,134,831 | $2,134,831 |

As well as updates to the penalty amounts, a potential HIPAA change in 2025 could result in settlement sharing with individuals who have been harmed as the result of a data breach. This was originally a requirement of the HITECH Act, but due to issues surrounding the definition of harm and how funds should be distributed among harmed individuals, HHS has only reached the stage of publishing a Request for Information.

How to Keep Up to Date with Changes to HIPAA in 2025

The best place to find the latest changes to HIPAA is the HHS website. Covered entities and business associates can sign up for HHS’ Email Updates – particularly the “Weekly News Digest”, which is easier to scan for HIPAA changes than other updates. Organizations can also comment on “open” publications (i.e., Requests for Information) via the HHS Laws and Regulations Home Page.

For organizations whose interests extend beyond proposed HIPAA changes to enforcement actions, guidance, and other press releases, the HHS website hosts a dedicated HIPAA Newsroom web page that covers all HHS activities. It is also worth periodically reviewing the CMS Newsroom to identify proposals that may lead to future new HIPAA regulations – particularly HIPAA changes relating to HIPAA Part 162 and the Promoting Interoperability initiative.



Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA