Navigating the HIPAA 2025 Security Rule Update
In direct response to the increasing sophistication of cyber threats, the growing reliance on electronic health records by healthcare facilities, and identified deficiencies in current HIPAA practices, the US Department of Health and Human Services (HHS) is making a 2025 HIPAA update, specifically to the Security Rule.
What changes can your organization expect to see in the coming months and years as these rule updates roll out? Let’s take a closer look at the HIPAA 2025 Updates to the Security Rule and how the industry is responding to the changes.

Rationale & Motivations for Updates
Like many of us who serve the healthcare industry, we closely follow trends and legal changes, especially when they impact our clients. We have been tracking the long-overdue Security Rule update for some time.
According to the US Department of Health and Human Services Office for Civil Rights (OCR), the rule is intended to “improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.” The initial Security Rule section of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) was meant to apply to electronic protected health information (ePHI) held by “covered entities” and “business associates.” More than 25 years later, the digital world has evolved, causing every stage of modern healthcare to rely on stable and secure computer and network technologies.
According to data published by the HIPAA Journal in March 2025, statistics clearly show an upward trend in data breaches over the past 14 years, with 2021 reporting more data breaches than any other year since OCR began publishing records. Furthermore, in 2022, data breaches increased yet again, with OCR receiving reports of 720 data breaches of 500 or more records. There was no letup in cyberattacks on healthcare organizations in 2023, which set two new records: the most reported data breaches and the most breached records. In 2023, 725 data breaches were reported to OCR, and across those breaches, more than 133 million records were exposed or impermissibly disclosed.
Due to the significant rise in data breaches, particularly those involving hacking and ransomware attacks aimed at the healthcare sector, the HHS has taken steps to address the increasing risk of cybersecurity threats to patient health information and to align with modern cybersecurity practices.
Overview of HIPAA Updates
The 2025 HIPAA Security Rule update focuses on strengthening cybersecurity for electronic protected health information (ePHI) in response to increased threats. Key changes include eliminating the distinction between "required" and "addressable" implementation specifications, mandating multi-factor authentication (MFA), and enhancing requirements for risk assessments and incident response. These security updates aim to address evolving cybersecurity threats and common compliance deficiencies. Let’s dive into the details for clarification.
Key Proposed Changes
While the proposed HIPAA Security Rule changes for 2025 are not yet in effect, they have undergone a public comment period, and the final changes are expected to be implemented soon. Here is a summary of what to expect.
Mandatory Multi-factor Authentication
Multi-factor authentication (MFA) will be required for accessing ePHI, enhancing identity verification and access control.
Encryption of ePHI
The proposed rule mandates encryption of ePHI both at rest and in transit to further protect sensitive data.
Elimination of "Addressable" Specifications
With very few exceptions, most Security Rule implementation specifications will now be mandatory, meaning that all organizations must comply with these requirements. Previously, "addressable" specifications allowed covered entities or business associates to determine if a specification was reasonable for their environment. The HHS's intent with this change is to clarify that implementing these specifications is no longer optional, while still acknowledging the need for flexibility in the Security Rule in light of rapid technological advancements.
Risk Assessment
Risk assessments are the systematic process of identifying hazards, evaluating the likelihood and severity of potential harm, and determining appropriate control measures to mitigate or eliminate those risks. The updated Security Rule for 2025 also addresses them: regular and thorough risk assessments will now be emphasized to identify and address vulnerabilities.
Training
Workforce training will be crucial in preventing social engineering attacks. The Proposed Rule includes specifications related to sanctioning workforce members who fail to comply with a regulated entity’s security policies and procedures and documentation of such sanctions.
Compliance Audits
The Security Rule update requires entities to perform and document an annual audit of their compliance with each standard and implementation specification of the Security Rule. This audit is in addition to the risk assessment required by the Security Rule.
Industry Response
There is a mix of reactions within the healthcare industry to the 2025 updates to the HIPAA Security Rule. Some segments of the industry have expressed support for enhanced cybersecurity and patient access, while others voice concerns about the cost, complexity, and potential impact on patient care.
Healthcare organizations with legacy systems face the challenge of upgrading them. Others are concerned with ensuring vendor compliance and integrating multi-factor authentication into their workflows. This is especially true for smaller practices with outdated technology.
Takeaways
As the healthcare industry continues to adapt to the latest provisions of the 2025 HIPAA Security Rule as they are rolled out, it is crucial to stay informed about the evolving features. Our team at Spectra Networks will continue to follow updates and remain proactive in understanding and implementing compliance requirements. Stay tuned in the coming months. If you have any questions, please don't hesitate to contact us online or call us at 978-219-9752.
© 2026 Spectra Networks