New Legal Changes Bring Major Updates for HIPAA Compliance in 2025

The healthcare industry is stepping into what could be a landmark year for data privacy and protection. As artificial intelligence becomes more widespread and new technologies continue to evolve, organizations are increasingly depending on data. This growing reliance also raises the stakes, bringing new legal obligations and security threats tied to protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

With data security, responsible data handling, and patient rights taking center stage, HIPAA compliance is undergoing notable changes and facing closer oversight. Here’s what organizations should be ready for in the coming months—and how they can stay prepared.

A Major Shift in Health Data Security Is Underway

Citing a 264% rise in large ransomware-related breaches, the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) stepped up enforcement in 2024. Last year alone, five major ransomware cases were settled. To further strengthen enforcement, OCR rolled out a new Risk Analysis Initiative at the end of 2024, placing greater focus on organizations that fail to conduct regular and thorough Security Risk Analyses (SRAs), as required by the HIPAA Security Rule.

Although HIPAA doesn't mandate a specific format for SRAs, OCR is paying close attention to organizations that either skip these assessments or treat them as a mere formality. In practice, OCR expects an SRA to be enterprise-wide: it should inventory every system and location where electronic PHI is created, received, stored, or transmitted; identify the threats and vulnerabilities affecting that data; rate the likelihood and impact of each; document the findings and the remediation plan; and be repeated periodically and after significant changes to the environment. A checklist that names no specific systems and no specific risks is the kind of assessment OCR treats as inadequate.

Adding to this, HHS published a proposed rule in January 2025 to modernize HIPAA's Security Rule. The proposal would make today's "addressable" specifications mandatory and spells out technical safeguards in far more detail than the current rule: encryption of electronic PHI at rest and in transit, multifactor authentication, a technology asset inventory and network map, regular vulnerability scanning and penetration testing, and fixed timelines for patching known vulnerabilities. The changes also call for improved workforce training and awareness to guard against social engineering attacks, which are a growing cause of data breaches.

While these proposed rules support OCR’s ongoing push for stronger data protection, they also introduce new administrative and technical requirements that may be costly and overwhelming for small healthcare providers, self-funded health plans, and other related businesses.

Regardless of whether the rule changes are implemented as proposed or altered, healthcare organizations must be proactive. That means regularly updating internal security policies and procedures, educating staff about emerging threats, and conducting detailed SRAs, especially since an inadequate SRA is now a compliance risk in its own right, not just a paperwork gap.

Patient Access to Records Remains a Top Enforcement Priority

The patient’s right to access their medical records continues to be a critical enforcement issue for OCR. Between March and November 2024, OCR settled five cases related to patient access violations. Another case was resolved as recently as March 7, 2025.

OCR emphasizes that patients and their authorized representatives must receive timely access to their medical records; under the Privacy Rule that generally means within 30 days of the request, with a single 30-day extension permitted if the patient is told in writing why. These recent enforcement cases show that even a single complaint or access request can result in serious financial and legal consequences for an organization.

This enforcement push also supports the goals behind HHS’ Information Blocking Rule, which is designed to promote the free flow of electronic health data between authorized parties. In December 2024, HHS finalized two new rules to enhance data interoperability and address information blocking concerns. These rules clarify when and how providers can share electronic health information, introduce new privacy and security safeguards, and expand certain exceptions so that providers can better meet patient requests.

Healthcare providers and their business partners should take these developments seriously. This is the time to revisit and update patient access policies—not only for HIPAA compliance but also to align with the latest information blocking regulations.

Responsible Use of PHI Is Becoming a Growing Concern

OCR has been increasing its attention on how emerging technologies, especially AI, may lead to the unauthorized use or sharing of PHI. As a result, HIPAA enforcement is likely to expand in line with growing expectations around responsible data usage—particularly as AI becomes more integrated into healthcare operations.

While HHS hasn’t published specific HIPAA rules related to AI, the agency has released guidance suggesting that AI tools could come under scrutiny if they result in unauthorized access or disclosures.

OCR has previously issued a bulletin warning healthcare organizations about the legal risks of using online tracking technologies, such as those embedded in websites and mobile apps. These tools often collect user data, including potentially sensitive information. In American Hospital Association v. Becerra, a Texas federal court vacated part of this guidance, holding that HHS had overstepped its authority in treating a visitor's IP address combined with a visit to an unauthenticated (no login required) web page about a health condition as PHI. The court's ruling was limited to that point; the guidance remains in effect for authenticated pages (those requiring a user login), where the site already knows who the visitor is. HHS is now reviewing its next steps in response to the court's decision.

Despite the partial court ruling, organizations should continue to be cautious. They need to carefully assess how third-party tools, including AI technologies, access and use PHI. Updated internal policies should reflect responsible data use principles and ensure all tracking technologies are appropriately managed to avoid hidden privacy risks.

Additionally, because AI can piece together seemingly non-sensitive data to uncover PHI, organizations must understand and manage these indirect disclosure risks. A data set that was de-identified under HIPAA's safe harbor or expert determination method stops being protected only as long as it cannot be linked back to an individual; if an AI tool combines it with other data and re-identifies patients, the result is PHI again, and its use or disclosure is subject to the Privacy Rule.

Privacy of Reproductive Health Data Remains a Legal Flashpoint

December 23, 2024, was the compliance deadline for a new final rule that strengthens privacy protections for reproductive health data. This rule prohibits the use or disclosure of PHI for criminal, civil, or administrative investigations or proceedings against a person for seeking, obtaining, providing, or facilitating reproductive health care that was lawful under the circumstances in which it was provided.

The rule also requires that requests for PHI potentially related to reproductive health care made for health oversight, judicial or administrative proceedings, law enforcement, or coroner and medical examiner purposes be accompanied by a signed attestation confirming that the request is not for a prohibited reason. Organizations covered by HIPAA must also update their Notice of Privacy Practices (NPPs) to reflect these new rules.

However, the rule is facing legal challenges. In State of Texas v. U.S. Department of Health and Human Services, Texas argues that the new 2024 rule—and an earlier 2000 HIPAA privacy rule—interfere with the state’s ability to enforce its abortion laws. This case is still under review in federal court.

In the meantime, healthcare providers must comply with the final rule, even as legal proceedings unfold. Organizations should ensure that their NPPs are updated before the February 16, 2026, deadline. They also need to revise internal policies and procedures to reflect the current version of the rule, while staying alert to court decisions or policy changes under a new federal administration that could alter or invalidate parts of the regulation.

Conclusion: How to Stay Ahead in 2025

As 2025 progresses, the healthcare industry’s evolving landscape will continue to influence legal and regulatory changes related to data privacy, patient access, and information security. Healthcare providers, insurers, and business associates can protect themselves and ensure HIPAA compliance by being proactive.

This includes:

Conducting detailed and regular Security Risk Analyses

Evaluating and upgrading technical safeguards

Training staff on current threats and compliance procedures

Reviewing and updating policies to align with the latest laws and guidance

Staying informed and prepared will be key to navigating the complex and shifting HIPAA compliance environment in the year ahead.

source – https://www.reuters.com/legal/litigation/new-legal-developments-herald-big-changes-hipaa-compliance-2025-2025-04-07