The healthcare industry is facing significant regulatory updates with the upcoming HIPAA changes. If you work in healthcare or manage sensitive patient data, it’s crucial to understand what these changes mean and how they will impact your business.
These updates aim to strengthen security, reduce vulnerabilities, and improve compliance enforcement.
Here’s everything you need to know.
Why HIPAA is Changing
HIPAA, or the Health Insurance Portability and Accountability Act, establishes legal requirements for handling protected health information (PHI).
Because cyber threats have evolved rapidly while many security policies have not kept pace, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) have proposed updates that bring the regulations in line with today's threat landscape.
Timeline of HIPAA Changes
- January 6, 2025 – Proposed changes were published in the Federal Register.
- March 7, 2025 – End of the public comment period, during which stakeholders (healthcare providers, IT security professionals, legal experts, and managed service providers) submit feedback.
- Mid to Late 2025 – Finalization and publication of new rules.
- Early 2026 – Compliance preparation period begins.
- 2026 Compliance Deadline – Enforcement begins, and non-compliant organizations may face penalties or business restrictions.
Key HIPAA Changes
1. Mandatory Technology Asset Inventory
Organizations must maintain an up-to-date inventory of all devices that handle PHI. This includes:
- Tracking every device (computers, tablets, servers) in real time.
- Logging lost or stolen assets.
- Creating a network diagram to map out PHI access points.
2. Addressable Security Specifications Become Mandatory
Previously, some security measures were “addressable,” meaning organizations could decide whether to implement them. These measures are now required, including:
- Multi-Factor Authentication (MFA) on all PHI-handling systems.
- Encryption of data both at rest (stored) and in transit (being transmitted electronically).
- Implementation of network segmentation to prevent unauthorized access.
3. Regular Security Testing and Risk Assessments
Healthcare organizations must now conduct:
- Vulnerability scans at least every six months.
- Penetration tests at least once a year.
- Formal security risk assessments that evaluate technology infrastructure and identify vulnerabilities.
4. Incident Response Plans Are Now Required
Organizations must develop and maintain:
- A documented incident response plan to handle security breaches.
- A physical copy of the plan in case digital systems are compromised.
- A disaster recovery plan ensuring that PHI can be restored within 72 hours of an outage.
5. Mandatory Internal Security Audits
Annual internal audits, previously only recommended, are now required. Organizations must:
- Conduct documented audits to ensure compliance with HIPAA security rules.
- Implement continuous vulnerability management (monthly or quarterly updates preferred over annual reviews).
6. Encryption and Network Security Measures
Organizations must implement:
- Encryption of PHI both in transit and at rest to prevent unauthorized access.
- MFA across all PHI-accessible systems.
- Segmentation of networks to prevent unauthorized access (e.g., separating guest Wi-Fi from internal systems handling PHI).
How These Changes Impact Healthcare Organizations
The estimated cost of compliance across the healthcare industry is projected at $9 billion in the first year and $6 billion annually thereafter. These increased requirements may pose challenges for smaller healthcare providers with limited resources. However, compliance is not optional—organizations failing to meet these new security standards could face severe penalties or business disruptions.
What You Can Do Now
To stay ahead of these changes, start implementing compliance measures today:
- Create a technology asset inventory – Track all devices handling PHI.
- Implement MFA and encryption – Strengthen security where needed.
- Review and update incident response plans – Ensure documented and actionable procedures are in place.
- Schedule regular security audits and risk assessments – Don’t wait until the last minute.
- Train employees on security best practices – A single phishing attack can compromise your entire system.
Final Thoughts
The upcoming HIPAA changes are not just about compliance—they are about strengthening security in an era of growing cyber threats. While these new rules may seem overwhelming, starting small and addressing key areas step by step will help your organization stay compliant and protect sensitive patient data. If you need assistance in implementing these security measures, reach out to a compliance expert or IT security professional to ensure you’re on the right track.
By taking action now, you can secure your systems, avoid penalties, and ensure a safer future for patient data management.