What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects patient health information. If you provide cloud hosting services to a healthcare provider, you must ensure your systems adhere to healthcare cybersecurity regulations. HIPAA 2025 changes are coming, and so are increased fines… healthcare professionals must pay attention.
HIPAA was established in 1996 in response to the need for federal standards protecting sensitive health information from disclosure without the patient’s consent. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA’s requirements. The HIPAA Security Rule protects a subset of the information covered by the Privacy Rule.
HIPAA Privacy Rule
The Health Insurance Portability & Accountability Act (HIPAA) includes Privacy Rule standards that address the use and disclosure of individuals’ protected health information (PHI) by entities subject to the rule. These individuals and organizations are called “covered entities.”
The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. It protects individual health information while allowing necessary access to health information, promoting high-quality healthcare, and protecting the public’s health. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.
Covered Entities
The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:
- Healthcare providers: Every healthcare provider, regardless of the size of the practice, who electronically transmits health information in connection with certain transactions. These transactions include:
  - Claims
  - Benefit eligibility inquiries
  - Referral authorization requests
  - Other transactions for which HHS has established standards under the HIPAA Transactions Rule
- Health plans: Health plans include:
  - Health, dental, vision, and prescription drug insurers
  - Health maintenance organizations (HMOs)
  - Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers
  - Long-term care insurers (excluding nursing home fixed-indemnity policies)
  - Employer-sponsored group health plans
  - Government- and church-sponsored health plans
  - Multi-employer health plans
  Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it is not covered.
- Healthcare clearinghouses: Entities that process nonstandard information received from another entity into a standard format, or vice versa. Healthcare clearinghouses receive identifiable health information when providing processing services to a health plan or healthcare provider as a business associate.
- Business associates: A person or organization, other than a member of a covered entity’s workforce, that uses individually identifiable health information to perform functions or services for a covered entity. These functions, activities, or services include:
  - Claims processing
  - Data analysis
  - Utilization review
  - Billing
Permitted Uses and Disclosures
The law permits a covered entity to use and disclose PHI, without an individual’s authorization, for the following situations:
- Disclosure to the individual (if the information is required for access or an accounting of disclosures, the entity MUST disclose it to the individual)
- Treatment, payment, and healthcare operations
- Opportunity to agree or object to the disclosure of PHI
  - An entity can obtain informal permission by asking the individual outright, or through circumstances that clearly give the individual the opportunity to agree, acquiesce, or object
- Incident to an otherwise permitted use and disclosure
- Limited dataset for research, public health, or healthcare operations
- Public interest and benefit activities: the Privacy Rule permits use and disclosure of PHI, without an individual’s authorization or permission, for 12 national priority purposes:
  - When required by law
  - Public health activities
  - Victims of abuse, neglect, or domestic violence
  - Health oversight activities
  - Judicial and administrative proceedings
  - Law enforcement
  - Functions (such as identification) concerning deceased persons
  - Cadaveric organ, eye, or tissue donation
  - Research, under certain conditions
  - To prevent or lessen a serious threat to health or safety
  - Essential government functions
  - Workers’ compensation
HIPAA Security Rule
While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information, or e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing.
To comply with the HIPAA Security Rule, all covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI
- Detect and safeguard against anticipated threats to the security of the information
- Protect against reasonably anticipated impermissible uses or disclosures that are not allowed by the rule
- Ensure compliance by their workforce
Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.
For more information, visit HHS’s HIPAA website.
2025 Changes to HIPAA
The American healthcare system has seen far too many breaches and exposures of data, and a major update to HIPAA is long overdue. Steps were taken in December 2020 to address the need for HIPAA changes and updates, when the HHS Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to make multiple changes to the HIPAA Privacy Rule, and in December 2024 OCR proposed a long-awaited update to the HIPAA Security Rule. The first Trump administration proposed the changes to the HIPAA Privacy Rule, and it is the new Trump administration that will now have to decide whether to release a final rule implementing those changes in 2025. The HHS, under the Biden administration, penned an omnibus rule that will implement multiple changes to the HIPAA Security Rule to incorporate new cybersecurity standards. The NPRM for the HIPAA Security Rule update was added to the Federal Register on January 6, 2025, and comments were accepted for 60 days.
HIPAA Penalties Could Officially Change in 2025
A HIPAA change occurred in 2019 concerning the penalties for HIPAA violations. OCR issued a Notice of Enforcement Discretion as it had adopted a new penalty structure for non-compliance with HIPAA Rules after a re-evaluation of the language of the HITECH Act.
The HITECH Act called for penalties for HIPAA violations to be increased and, in 2013, the HHS implemented a new HIPAA penalty structure with minimum and maximum penalties set for the four penalty tiers based on the level of culpability. In each category, a maximum penalty of $1.5 million, per violation category, per year was set. The HHS reviewed the language of the HITECH Act in 2019 and interpreted the requirements of the HITECH Act differently. “Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits.”
Rather than setting a maximum penalty of $1.5 million per year in all four categories, the maximum fine was reduced in the first three tiers. The current minimum and maximum penalties, adjusted for inflation, can be found here. Currently, OCR is using the new penalty structure, as detailed in the Notice of Enforcement Discretion published in the Federal Register. While that remains in effect indefinitely, the new penalty structure is not legally binding and can be changed at any time. It is likely that this change to HIPAA will be made official in 2025, although first, a Notice of Proposed Rulemaking will need to be issued.
OCR is more likely to continue to use its new interpretation under its Notice of Enforcement Discretion without making it official. OCR has been pushing Congress to increase the maximum penalties for HIPAA violations, as the total funds from OCR’s enforcement actions decreased significantly when the new penalty structure was introduced. OCR’s budget is extremely stretched: funding for the department has remained flat for years despite increasing numbers of hacking incidents and data breaches, which have significantly increased OCR’s workload. While the penalties for HIPAA violations have increased annually in line with inflation, OCR is seeking increased penalties to spur healthcare organizations into compliance and into making cybersecurity improvements.
The HIPAA updates in 2024 have been combined with OCR HIPAA guidance explaining how HIPAA applies in certain situations. While penalties are imposed, OCR often resolves noncompliance by issuing technical assistance, and OCR has indicated it will be increasing outreach to help covered entities proactively improve compliance.
Other HIPAA Rule Changes May Lead to Future Updates
HIPAA rule changes are not exclusive to the Privacy, Security, and Breach Notification Rules. There have been a number of HIPAA rule changes relating to transaction code sets and identifiers (Part 162 of the HIPAA Administrative Simplification Regulations). Usually, these rule changes have a limited impact on covered entities and business associates; however, a proposed HIPAA rule change published in December 2022 could have implications for many day-to-day healthcare operations.
The proposed HIPAA rule change was published by the CMS to resolve an issue concerning healthcare attachment transactions. These transactions occur when a health plan needs further information from a healthcare provider to authorize treatment or pay a bill. Healthcare providers can also provide further information when submitting an authorization request or bill to accelerate treatment and/or payment.
The issue exists because further information cannot be “attached” to an existing transaction and has to be faxed or mailed separately. To resolve the issue, the CMS proposed three new transaction codes. However, in order to authenticate users, ensure the integrity of the attachment, and guarantee nonrepudiation, attachments transmitted using the new codes will have to be digitally signed. To address this issue, the CMS proposed a standard for acceptable e-signatures.
Compliance with the e-signature standard is only necessary when covered entities use the transaction codes to submit attachments electronically. There is no requirement to digitally sign attachments when they are faxed or sent through the mail. It is considered that, like most previous Part 162 HIPAA rule changes, the proposals will have a limited impact on covered entities and business associates.
However, the possibility exists that the proposed standard may be extended to other transactions in the future, and then to day-to-day healthcare operations. As this article discusses, there are a number of ways in which e-signatures are used in day-to-day healthcare operations; and, if the e-signature requirements are rolled out across the rest of the HIPAA Administrative Simplification Regulations, covered entities and business associates may have to make some significant procedural changes.
HIPAA Security Rule Update Proposed
In December 2024, OCR drafted proposed changes to the HIPAA Security Rule. The proposed rule was added to the Federal Register on January 6, 2025, and was opened for comment for 60 days (deadline was March 7, 2025). The HIPAA Security Rule to Strengthen Cybersecurity of Electronic Protected Health Information was released “to improve cybersecurity and better protect the U.S. health care system from a growing number of cyberattacks.”
This is the first major update to the HIPAA Security Rule since the HIPAA Omnibus Rule of 2013 implemented changes mandated by the HITECH Act. The rule proposes some major changes and includes many new cybersecurity requirements for HIPAA-covered entities and their business associates. One of the notable changes is the removal of the distinction between required and addressable implementation specifications. The “addressable” term was something of a misnomer, leading some covered entities to think the addressable implementation specifications were optional when that was not the case. The removal of addressable makes it clearer that none of the requirements of the HIPAA Security Rule are optional, although limited exceptions are included.
Some of the cybersecurity measures included in the Healthcare and Public Health Sector Cybersecurity Performance Goals (HPH CPGs) have been added to the HIPAA Security Rule as required safeguards, such as multifactor authentication and encryption, which are in the Essential CPGs, plus asset inventory from the Enhanced CPGs. The updated HIPAA Security Rule is also more focused on risk analyses, risk assessments, and implementing control measures to manage risks.
Some of the key new requirements of the proposed rule are:
- Technology asset inventory and network map – The development and revision of a technology asset inventory and network map illustrating the movement of ePHI throughout the regulated entity’s electronic information systems on an ongoing basis, but at least every 12 months.
- Risk analysis – More specific requirements for risk analysis, including a review of the technology asset inventory and network map, the identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI, the identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems, and an assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
- Contingency planning and security incident response – Development of written procedures for restoring data within 72 hours including restoration priority based on criticality.
- Security Rule compliance audits – Conducted at least every 12 months
- Reviews and tests of security measures – Conducted at least every 12 months
- Vulnerability scans – Conducted at least every 6 months
- Penetration tests – Conducted at least every 12 months
- Encryption – Encryption of all ePHI at rest and in transit
- Multi-factor authentication
- Network segmentation
- Anti-malware protection
- Technical safeguard for portable devices – Controls required for computer workstations extended to mobiles, tablets, and other portable devices
- Patch management – Timely implementation of patches and software updates
- Unnecessary software removal – Removal of extraneous software from relevant electronic information systems
- Disable unused network ports – In accordance with the regulated entity’s risk analysis.
- Data backups – Separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
- Business associate cybersecurity – Verification of business associates’ and contractors’ security measures at least every 12 months
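The cadences and controls in the list above can be checked mechanically against a technology asset inventory. The following is an added example, not code from the page or from HHS/OCR: a gap checker that walks a constructed inventory and a constructed program record and reports what is missing or overdue as of a given date. The field names, the sample assets and dates, and the approximation of “relevant electronic information systems” as systems that store or transmit ePHI are this example’s own assumptions; the cadences (12 months, 6 months for vulnerability scans, 72 hours for restoration) are the ones listed above.

```python
"""Gap checker for the proposed Security Rule cadences and controls.

All inventory data and dates below are constructed sample values. Field names
such as stores_ephi or mfa_enforced are this example's assumptions, not terms
defined in the proposed rule.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cadences from the proposed-rule summary above.
PROGRAM_CADENCE_MONTHS = 12     # audits, reviews/tests, pentests, BA verification, inventory/map
VULN_SCAN_CADENCE_MONTHS = 6
RESTORE_TARGET_HOURS = 72


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole months, clamping the day to the target month's length."""
    carry, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, month_index + 1
    first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def is_overdue(last_done: Optional[date], months: int, as_of: date) -> bool:
    """True when the activity was never performed or its next due date has passed."""
    return last_done is None or add_months(last_done, months) < as_of


@dataclass
class Asset:
    name: str
    stores_ephi: bool = False
    transmits_ephi: bool = False
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    mfa_enforced: bool = False
    anti_malware: bool = False
    unused_ports_disabled: bool = False
    last_vuln_scan: Optional[date] = None


@dataclass
class ProgramRecord:
    """Entity-level activities that are not tied to a single asset."""
    last_inventory_and_map: Optional[date] = None
    last_compliance_audit: Optional[date] = None
    last_security_review: Optional[date] = None
    last_penetration_test: Optional[date] = None
    last_ba_verification: Optional[date] = None
    separate_backup_controls: bool = False
    restore_procedure_hours: Optional[int] = None


def check_asset(a: Asset, as_of: date) -> list[str]:
    """Return findings for one asset. Only assets touching ePHI are treated as 'relevant'."""
    findings = []
    if a.stores_ephi and not a.encrypted_at_rest:
        findings.append(f"{a.name}: ePHI at rest is not encrypted")
    if a.transmits_ephi and not a.encrypted_in_transit:
        findings.append(f"{a.name}: ePHI in transit is not encrypted")
    if a.stores_ephi or a.transmits_ephi:
        if not a.mfa_enforced:
            findings.append(f"{a.name}: multi-factor authentication not enforced")
        if not a.anti_malware:
            findings.append(f"{a.name}: no anti-malware protection")
        if not a.unused_ports_disabled:
            findings.append(f"{a.name}: unused network ports not disabled")
        if is_overdue(a.last_vuln_scan, VULN_SCAN_CADENCE_MONTHS, as_of):
            findings.append(f"{a.name}: vulnerability scan overdue (6-month cadence)")
    return findings


def check_program(p: ProgramRecord, as_of: date) -> list[str]:
    """Return findings for the entity-level 12-month activities and recovery controls."""
    findings = []
    activities = [
        ("technology asset inventory and network map", p.last_inventory_and_map),
        ("Security Rule compliance audit", p.last_compliance_audit),
        ("review and test of security measures", p.last_security_review),
        ("penetration test", p.last_penetration_test),
        ("business associate verification", p.last_ba_verification),
    ]
    for label, last in activities:
        if is_overdue(last, PROGRAM_CADENCE_MONTHS, as_of):
            findings.append(f"program: {label} overdue (12-month cadence)")
    if not p.separate_backup_controls:
        findings.append("program: no separate technical controls for backup and recovery")
    if p.restore_procedure_hours is None or p.restore_procedure_hours > RESTORE_TARGET_HOURS:
        findings.append("program: written restoration procedure does not meet the 72-hour target")
    return findings


def run_example(as_of: date = date(2025, 6, 1)) -> list[str]:
    """Constructed inventory: one compliant system, one legacy device, one system without ePHI."""
    assets = [
        Asset("ehr-db", stores_ephi=True, transmits_ephi=True, encrypted_at_rest=True,
              encrypted_in_transit=True, mfa_enforced=True, anti_malware=True,
              unused_ports_disabled=True, last_vuln_scan=date(2025, 3, 15)),
        Asset("legacy-imaging", stores_ephi=True, transmits_ephi=True, anti_malware=True,
              last_vuln_scan=date(2024, 10, 1)),
        Asset("hr-intranet"),  # no ePHI, so the ePHI-specific checks do not apply
    ]
    program = ProgramRecord(last_inventory_and_map=date(2024, 5, 1),
                            last_compliance_audit=date(2024, 9, 1),
                            last_security_review=date(2024, 7, 1),
                            last_penetration_test=None,
                            last_ba_verification=date(2024, 8, 10),
                            separate_backup_controls=True,
                            restore_procedure_hours=96)
    findings = [f for a in assets for f in check_asset(a, as_of)]
    findings += check_program(program, as_of)
    return findings


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

The checker deliberately treats a missing date the same as an overdue one, so a system that was never scanned or a program that never ran a penetration test surfaces as a finding rather than being silently skipped.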
The proposed new requirements are all current cybersecurity best practices and will greatly improve healthcare cybersecurity. Most are readily achievable provided the regulated entity has the money to implement the changes, and that could be a major problem for smaller regulated entities and cash-strapped rural hospitals. Measures that may be challenging to implement include the requirement to encrypt all ePHI at rest and in transit, because many legacy systems and devices used in healthcare may not support encryption.
The Centers for Medicare and Medicaid Services (CMS) is also due to propose new cybersecurity requirements for hospitals, compliance with which will be a condition of participation in the Medicare and Medicaid programs. When finalized and implemented, noncompliance with these cybersecurity requirements could result in civil monetary penalties or potentially exclusion from the Medicare and Medicaid programs. No timeframe has been published for when those cybersecurity requirements will be announced.
Expected HIPAA Privacy Rule Changes
OCR issued a Notice of Proposed Rulemaking on December 10, 2020, covering the proposed changes to the HIPAA Privacy Rule. Most changes are minor tweaks to strengthen patient access to PHI, facilitate data sharing, and ease the administrative burden on HIPAA-covered entities. The proposed updates to the HIPAA Privacy Rule are as follows:
- Allowing patients to inspect PHI in person and take notes or photographs of their PHI.
- Changing the maximum time to provide access to PHI from 30 days to 15 days.
- Restricting the right of individuals to transfer ePHI to a third party to only ePHI that is maintained in an EHR.
- Confirming that an individual is permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual.
- Stating when individuals should be provided with ePHI without charge.
- Requiring covered entities to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
- The permission to use or disclose the PHI of Armed Forces personnel has been expanded to cover all uniformed services.
- A definition has been added for electronic health records.
- Wording change to expand the ability of a covered entity to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable” (currently it is when harm is “serious and imminent”).
- A pathway has been created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Covered entities will not be required to obtain a written acknowledgment from an individual that they have received a Notice of Privacy Practices.
- HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
- HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
- The definition of healthcare operations has been broadened to cover care coordination and case management.
- Covered healthcare providers and health plans will be required to respond to certain records requests from other covered healthcare providers and health plans when individuals direct those entities to do so when they exercise the HIPAA right of access.
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
- The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
HIPAA Audit Program Due to Commence in Early 2025
OCR is petitioning Congress to increase the civil monetary penalties for HIPAA violations and to provide further funding so that incentives can be created to help low-resource hospitals improve cybersecurity. This would also support increased HIPAA enforcement and allow OCR to conduct proactive HIPAA compliance audits. There have been no HIPAA audits since 2017, even though the HHS is required under HITECH to conduct regular audits of HIPAA-regulated entities.
The HHS Office of Inspector General (HHS-OIG) recommended an expansion of the program to cover more standards of the HIPAA Rules. HHS-OIG also determined that the audit program was not effective at improving cybersecurity across the healthcare sector because it lacked teeth: no penalties were imposed for identified violations, and the audits did not even trigger compliance reviews. OCR’s Director said HIPAA audits should start by the end of 2024 and focus on the risk analysis and risk management requirements of the HIPAA Security Rule, and that the scope would later be expanded. The audit program has, however, not started, and it remains up to the Trump administration to determine whether audits should be prioritized.
Part 2 and HIPAA Changes in 2024
In November 2022, OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rulemaking (NPRM) detailing Part 2 and HIPAA changes to better align these regulations. On February 8, 2024, a Final Rule was published by the HHS which took effect on April 16, 2024. All persons subject to the regulation must ensure full compliance by February 16, 2025.
Part 2 protects patient privacy but relates to records of treatment for substance use disorder (SUD) whereas HIPAA applies to protected health information. SUD records are treated differently as they are highly sensitive and require greater protection and restrictions on uses and disclosures.
The changes ease the complexity of compliance for entities required to comply with HIPAA and Part 2, break down barriers to information sharing, and improve care coordination without removing patient privacy protections. Patient rights have also been expanded regarding the uses and disclosures of the SUD records.
The key changes are:
- Single patient consent for all future uses and disclosures of SUD records for treatment, payment, and healthcare operations.
- Segregation of Part 2 records is not required.
- HIPAA-regulated entities are permitted to redisclose SUD records received under that consent in accordance with the HIPAA Privacy Rule.
- Disclosure of patient records to public health authorities is permitted, if they have been de-identified in accordance with HIPAA standards.
- Patients will be able to obtain an accounting of disclosures of their SUD records and request restrictions on certain disclosures.
- Part 2 programs must establish a complaints process about Part 2 violations and must not require patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
- The HIPAA Breach Notification Rule requirements will also apply to Part 2 records.
- The Part 2 Patient Notice requirements now align with the HIPAA Privacy Rule Notice of Privacy Practices requirements.
- The HHS will be able to impose civil money penalties for violations of Part 2, in line with HIPAA and the HITECH Act.
- Restriction of the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.
- A safe harbor requires investigative agencies to take steps in the event that they discover they have received Part 2 records without having first obtained the required court order.
2024 HIPAA Privacy Rule Changes: Reproductive Health Care Privacy
The Supreme Court decision in Dobbs v. Jackson Women’s Health Organization in June 2022 and the overturning of Roe v Wade removed the federal right to an abortion and gave states the authority to determine the legality of abortion. Many states implemented restrictions on abortions, with some states implementing near-total bans. That inevitably led to pregnant people traveling across state lines to have pregnancies terminated in states with more permissive laws.
Some states have enacted anti-abortion legislation that criminalizes the facilitation of the termination of a pregnancy regardless of where it takes place. Courts in these states could subpoena PHI from HIPAA-covered entities in other states where abortions can be legally provided in pursuit of a criminal conviction against any person who has had a termination performed or has assisted an individual in obtaining an abortion – including a healthcare provider.
OCR originally confirmed, through guidance, how the HIPAA Privacy Rule applies to disclosures of reproductive health information. §164.512(e) of the HIPAA Privacy Rule permits, but does not require, disclosures of PHI in extraterritorial civil, criminal, or administrative investigations or proceedings. In April 2023, OCR published an NPRM to strengthen reproductive health information privacy, and a final rule was issued in April 2024, which took effect on June 25, 2024, and will be enforced from December 23, 2024.
The HIPAA Privacy Rule to Support Reproductive Health Care adds a new term, “reproductive health care,” which is a subset of “health care,” and places limitations on uses and disclosures of PHI related to reproductive health care. The definition is deliberately broad: it includes terminations, but also other reproductive health care such as the provision of contraceptives (or of contraception advice), fertility treatments, pregnancy screening, miscarriage management, and diagnoses and treatments of conditions related to the reproductive system, even if the recipient of those diagnoses and treatments is not of reproductive age.
The final rule “prohibits a regulated entity from using or disclosing an individual’s PHI for the purpose of conducting a criminal, civil, or administrative investigation into or imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided,” and prohibits the identification of any person for the purpose of conducting such an investigation or imposing such liability. These prohibitions apply to all HIPAA-regulated entities where reproductive health care is lawful in the state it is provided or reproductive health care is protected, required, or authorized by federal law, regardless of the state in which it is provided.
The final rule includes a new category of uses and disclosures – “Attested uses and disclosures.” Under the new category, recipients of PHI will have to attest that it will not be further used or disclosed for prohibited purposes – i.e., in the case of reproductive health care, to support a civil, criminal, or administrative investigation or proceeding. HIPAA-regulated entities will be required to obtain a signed attestation from the requester of the PHI that it will not be used for a prohibited purpose, which will apply to health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. HIPAA-regulated entities will be required to update their HIPAA Notice of Privacy Practices to reflect the changes. The HIPAA Notice of Privacy Practices 2024 update requirement has a different compliance date, matching the compliance deadline for the Part 2 update – February 16, 2025.
Covered entities are already being alerted to the fact that any false attestations will be considered notifiable data breaches, while any person who further discloses attested PHI will be in violation of §1177 of the Social Security Act for the wrongful disclosure of individually identifiable health information. Violations of this section are criminal violations and carry a maximum penalty of up to ten years in jail and a fine of up to $250,000. Texas is suing the HHS to challenge the Reproductive Health Care Final Rule and is seeking to prevent the HHS from enforcing the Final Rule in Texas. If that legal challenge is successful, other anti-abortion states are likely to do likewise.
HITECH Act Updated in 2021 Regarding Recognized Security Practices
Many healthcare industry stakeholders had campaigned for the creation of a safe harbor for HIPAA-covered entities and business associates that have adopted a common security framework and implemented industry-standard security best practices, yet still experienced a data breach. It is not possible to prevent all cyberattacks and data breaches, and it is unfair to punish HIPAA-regulated entities for impermissible disclosures of ePHI when they have made all reasonable efforts to secure their systems.
A bill was proposed in 2020 that called for the HHS, when deciding on financial penalties and other sanctions, to consider the recognized security practices that a HIPAA-regulated entity had in place continuously for the 12 months prior to a data breach. The bill, HR 7898, was signed into law by President Trump on January 5, 2021.
The purpose of the bill is to encourage healthcare organizations to invest in security and adopt a recognized security framework by providing an incentive. The HITECH Act update has not created a safe harbor for HIPAA-regulated entities that have adopted a security framework and implemented industry-standard security best practices, but OCR will consider the efforts made with respect to security when making determinations in its investigations of complaints and data breaches.
HIPAA-regulated entities that demonstrate they have adopted recognized security practices will benefit from a decrease in the length and extent of audits and investigations of data breaches, and OCR will consider recognized security practices as a mitigating factor to reduce any financial penalties that would otherwise have been applied. In 2022, in response to another request for information, OCR published a video that explains what recognized security practices are and the evidence that can be submitted to prove they have been in place. OCR said that when investigations are launched, OCR will write to the HIPAA-regulated entity and provide an opportunity for evidence of recognized security practices to be submitted.
HIPAA Fines and Settlements will be Shared with Victims of HIPAA Violations
In addition to requesting information on recognized security practices in its 2021 RFI, OCR sought comments on how to implement a requirement of the HITECH Act relating to financial penalties for HIPAA violations. Section 13410(c)(1) of the HITECH Act requires OCR to share a portion of the funds it receives from its HIPAA enforcement activities with the victims of HIPAA violations. This is important, as there is no private cause of action in HIPAA, which means individuals cannot sue HIPAA-regulated entities for HIPAA violations when those violations have caused harm.
The problem for OCR – which is why this requirement has not been implemented to date – is the difficulty in implementing a fair method of determining how much victims should receive. In its April 6, 2022, RFI, OCR requested comments to help establish a methodology under which an individual who is harmed by an offense punishable under HIPAA may receive a percentage of any civil money penalty or monetary settlement collected with respect to the offense.
The Government Accountability Office (GAO) has shared a methodology for sharing funds, but OCR is seeking comment on any alternative methodologies. The main problem, however, is identifying the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, as “harm” is not defined by statute.
No timescale has been provided on when a Notice of Proposed Rulemaking will be issued in this regard, or when funds will start to be shared with victims of HIPAA violations. These HIPAA changes could occur in 2025, but it could still be several years before this HITECH Act requirement is implemented.