With more and more healthcare companies getting hit by cyberattacks like ransomware, HHS published a proposed update to the HIPAA Security Rule in January 2025 that would overhaul how cybersecurity is handled and how healthcare companies must prepare for and respond to breaches. If the proposed changes go into effect, some of today's more lenient "HIPAA-ready" arrangements could suddenly fall short or be invalidated, putting everyone involved at risk of a HIPAA violation and heavy fines.

Since many of the changes follow standard security best practices, healthcare organizations should consider implementing many of the proposed changes whether or not they become required in HIPAA to protect the data of both users and the organization. Here, we'll cover some of the major changes proposed to the HIPAA Security Rule in 2025 and why they're important for cybersecurity. 

What is the HIPAA Security Rule? 

The HIPAA Security Rule is the set of administrative, physical, and technical safeguards that covered entities and business associates must apply to electronic protected health information (ePHI). (What counts as PHI is defined by the Privacy Rule, and breach response is governed by the Breach Notification Rule; the Security Rule is about the safeguards themselves.) It has seen only a few updates since it took effect in 2005, the most recent being the Omnibus Rule of January 2013, more than a decade ago.

While once seen as comprehensive and even "overprotective" by some, since January 2013 there has been a shift across all industries toward zero trust, encryption by default, MFA, and tested backup strategies that HIPAA hasn't kept up with. Many of these practices have been recommended but not required under HIPAA, and the proposed 2025 changes intend to turn them into requirements that match current security standards.

Why are the changes being proposed now? 

Healthcare companies are increasingly falling victim to cyberattacks and data breaches, and it's becoming clear that the once comprehensive safeguards aren't cutting it anymore. Organizations running old infrastructure, unencrypted transmission protocols, and outdated devices that are remarkably easy to compromise have suffered massive leaks of patient information.

The final straw that led to the big push was the February 2024 ransomware attack on Change Healthcare by the ALPHV/BlackCat group, which is estimated to have affected about 193 million individuals (192.7 million in the count reported to HHS). With the entire US population estimated at about 340 million at the time, that means more than half of the country was part of the breach. It is the largest attack in history against the US healthcare sector; UnitedHealth Group later confirmed paying a ransom, widely reported as about $22 million, and a second group then tried to extort payment again by claiming to still hold the data.

And the Change Healthcare breach wasn't the only cyberattack in 2024. HIPAA Journal counted roughly 730 breaches of 500 or more records reported to OCR for the year, totaling about 277 million healthcare records. Given that HIPAA data is meant to have additional protections, these results were unacceptable, and they led to the biggest proposed changes to the HIPAA Security Rule to date.

What are the major proposed HIPAA 2025 Security Rule changes?

The proposed 2025 Security Rule is a fundamental shift in how healthcare organizations must protect electronic protected health information. If finalized, controls that used to be recommended would become required, and much of the current flexibility would be lost as all involved parties have to meet new, stricter standards.

The 2025 proposal would eliminate "addressable" implementation specifications, mandate encryption of all ePHI, enforce stronger authentication such as MFA, require vulnerability management and contingency plans, expand staff security training, and strengthen risk assessment standards.

Elimination of "Addressable" Requirements

Many security controls are recommended rather than strictly required in the current HIPAA Security Rule. With the proposal, most of these would become required. Today, some implementation specifications are marked "addressable". This doesn't mean they are optional: an organization must either implement the specification, implement an equivalent alternative, or document why neither is reasonable and appropriate.

The problem is that in practice the "addressable" specifications clearly weren't being addressed: the breached record count for 2024 alone was equivalent to roughly 80% of the US population. The proposed changes would cut out most of this flexibility in favor of clear, concrete requirements.

This may be the single biggest adjustment to the HIPAA Security Rule, as it would affect every aspect of HIPAA compliance:

  • Technical safeguards would become uniformly required
  • Administrative procedures would have to follow specific standards
  • Mandatory Physical security measures would need to be put in place
  • Documentation requirements would expand significantly

While these stricter requirements would force a lot of organizations to reevaluate their security strategy, they could ultimately "simplify" HIPAA compliance. HHS does not certify organizations or products as HIPAA compliant, and a uniform set of required controls makes it far easier to verify whether a vendor actually meets the rule rather than relying on a self-described "HIPAA-ready" posture.

Mandatory encryption of all ePHI

One of the "addressable" specifications today is encryption of ePHI. The 2025 proposal would make encryption a required safeguard for ePHI at every stage, with only narrow exceptions (such as an individual requesting their own records in unencrypted form).

  • Data at Rest - All ePHI stored on any system would require encryption using algorithms consistent with prevailing cryptographic standards (in practice, NIST-approved algorithms such as AES).
  • Data in Transit - All ePHI transmissions would require encryption using approved protocols and algorithms (for example, current TLS versions), including when transmitted via mobile devices.
  • Backup and Archive Requirements - The encryption requirement would apply to all copies of the data, including backups, archives, and temporary storage.
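To make "encryption consistent with NIST standards" concrete, here is an added example (not code from the page or from Couchdrop) that seals a single ePHI record at rest with AES-256-GCM, the authenticated mode specified in NIST SP 800-38D. The record identifier is bound as additional authenticated data so an encrypted blob cannot be silently moved onto another patient's record, and any modification of the ciphertext fails closed. The key derivation, record layout, and sample record are all assumptions made for the example; in production the data encryption key would come from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// exampleKey is a stand-in for a KMS/HSM-managed data encryption key.
// It is derived from a fixed string ONLY so the example runs offline;
// never derive production keys this way.
func exampleKey() []byte {
	sum := sha256.Sum256([]byte("example-only-not-a-real-key"))
	return sum[:]
}

// SealRecord encrypts one ePHI record with AES-256-GCM (NIST SP 800-38D).
// recordID is bound as additional authenticated data (AAD), so a blob
// decrypted under a different recordID fails authentication.
// Output layout (assumed for this example): nonce || ciphertext || tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per record. NIST caps random-nonce GCM at
	// 2^32 encryptions per key, so keys must be rotated well before that.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any change to nonce, ciphertext, tag or
// recordID makes aead.Open return an error and no plaintext.
func OpenRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key := exampleKey()
	record := []byte(`{"mrn":"000123","dx":"E11.9"}`) // constructed sample ePHI

	blob, err := SealRecord(key, "patient/000123", record)
	if err != nil {
		panic(err)
	}
	pt, err := OpenRecord(key, "patient/000123", blob)
	fmt.Printf("round trip ok: %v (%s)\n", err == nil, pt)

	// Swapping the blob onto another patient's record is detected via AAD.
	_, err = OpenRecord(key, "patient/000124", blob)
	fmt.Println("record swap detected:", err != nil)

	// A single flipped bit in the stored blob is detected by the GCM tag.
	blob[len(blob)-1] ^= 0x01
	_, err = OpenRecord(key, "patient/000123", blob)
	fmt.Println("tampering detected:", err != nil)
}
```

The same SealRecord/OpenRecord pair applies to backup and archive copies, which the proposal covers too: the backup job encrypts with a backup key before the bytes leave the host, and the restore path verifies the tag before anything is written back.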

Require advanced monitoring and threat detection

Two major concerns with the recent large-scale data breaches are that they took too long to be discovered and that they left companies scrambling to react. Monitoring and threat detection would help address both.

In the case of the Change Healthcare breach, the attackers used compromised credentials to log in to a Citrix remote-access portal that did not have MFA enabled. Because they authenticated with a valid username and password, the intrusion was not flagged as unusual, and the attackers moved through the environment for about nine days before deploying ransomware on February 21, 2024, at which point the disruption to hospitals, health systems, and pharmacies made the attack obvious.

Active monitoring of authentication and account activity could have surfaced that access much sooner and stopped the breach before it ballooned to affect the majority of patients. Combined with other proposals like mandatory encryption and enforced MFA, the Change Healthcare breach could have been a blip instead of a months-long disruption costing billions.

Some of the proposed monitoring and threat detection steps include: 

  • Regular Vulnerability Scanning - Automated scanning of systems containing ePHI at least every six months to identify software vulnerabilities and configuration weaknesses
  • Penetration Testing - Testing at least every 12 months by qualified professionals, simulating real-world attacks against ePHI systems
  • Patch Management - Documented procedures for identifying and applying security patches, with proposed deadlines of 15 calendar days for critical vulnerabilities and 30 calendar days for high-risk ones
  • Third-party Risk Assessment - Vendor security evaluations, including reviews of BAAs, patch status, and incident histories
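The kind of monitoring that would have caught the Change Healthcare logins can be expressed as a few simple rules over gateway authentication logs. The following is an added example, not code from the page or from Couchdrop: it parses constructed key=value log lines (the format, user names, and IP addresses are all made up for the example) and flags three things a SOC would want to see immediately: a successful login on a remote-access gateway without MFA, a successful login from a source IP never seen for that user, and a success that follows a burst of failures.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample gateway log (not real data). Assumed format for the
// example: RFC 3339 timestamp followed by key=value fields.
const sampleLog = `2024-02-12T03:14:07Z gw=vpn-portal user=jdoe result=failure mfa=yes src=198.51.100.20
2024-02-12T03:14:09Z gw=vpn-portal user=jdoe result=failure mfa=yes src=198.51.100.20
2024-02-12T03:14:12Z gw=vpn-portal user=jdoe result=failure mfa=yes src=198.51.100.20
2024-02-12T03:14:15Z gw=vpn-portal user=jdoe result=success mfa=yes src=198.51.100.20
2024-02-12T03:31:40Z gw=vpn-portal user=svc-backup result=success mfa=no src=203.0.113.45
2024-02-12T08:02:11Z gw=vpn-portal user=asmith result=success mfa=yes src=192.0.2.10
2024-02-12T09:15:33Z gw=ehr-web user=asmith result=success mfa=yes src=192.0.2.10`

// knownSources is a constructed per-user baseline of previously seen source IPs.
// In practice this would be built from the last N days of successful logins.
var knownSources = map[string]map[string]bool{
	"jdoe":   {"198.51.100.20": true},
	"asmith": {"192.0.2.10": true},
}

type event struct {
	ts, gw, user, result, mfa, src string
}

// parseLine turns one log line into an event; malformed lines are skipped.
func parseLine(line string) (event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return event{}, false
	}
	e := event{ts: fields[0]}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "gw":
			e.gw = v
		case "user":
			e.user = v
		case "result":
			e.result = v
		case "mfa":
			e.mfa = v
		case "src":
			e.src = v
		}
	}
	return e, e.user != "" && e.result != ""
}

// Detect runs three rules over the log and returns one finding per hit,
// in log order. Failures are counted per user until the next success.
func Detect(log string, baseline map[string]map[string]bool) []string {
	var findings []string
	failStreak := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		e, ok := parseLine(line)
		if !ok {
			continue
		}
		if e.result != "success" {
			failStreak[e.user]++
			continue
		}
		// Rule 1: successful login on a gateway without MFA.
		if e.mfa != "yes" {
			findings = append(findings, fmt.Sprintf("%s NO_MFA user=%s gw=%s src=%s", e.ts, e.user, e.gw, e.src))
		}
		// Rule 2: success from a source IP never seen for this user
		// (a nil inner map reads as "nothing known", so new users also fire).
		if !baseline[e.user][e.src] {
			findings = append(findings, fmt.Sprintf("%s NEW_SOURCE user=%s src=%s", e.ts, e.user, e.src))
		}
		// Rule 3: success right after a burst of failures (spray / stuffing).
		if failStreak[e.user] >= 3 {
			findings = append(findings, fmt.Sprintf("%s SUCCESS_AFTER_%d_FAILURES user=%s src=%s", e.ts, failStreak[e.user], e.user, e.src))
		}
		failStreak[e.user] = 0
	}
	return findings
}

func main() {
	for _, f := range Detect(sampleLog, knownSources) {
		fmt.Println(f)
	}
}
```

Against the sample log this produces three findings: jdoe's success after three failures, and two for the svc-backup login (no MFA and an unknown source IP). The svc-backup case is the Change Healthcare pattern: a valid password on an internet-facing portal with no second factor, which no amount of authentication logging catches unless something is actually evaluating the logs.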

Documented risk level and breach contingency plans

While the proposed updates should stop many attacks from ever starting, there are unfortunately never guarantees in cybersecurity. Social engineering, for instance, will always be a weak point and a way to bypass technical safeguards (which is where better staff training comes in).

Because breaches will always be possible, another requirement would be documented contingency plans. These would include network segmentation, procedures for restoring lost or stolen data, restoration of critical electronic information systems and data within 72 hours of loss, and a requirement that business associates notify covered entities within 24 hours of activating their contingency plan. (The existing Breach Notification Rule's deadlines for notifying individuals and HHS are unchanged by this proposal.)

Threats to data aren't exclusive to hackers, either. There are many other ways that data can be put at risk, and the plan would require documentation of the safeguards and steps put in place to protect it.

Some of the proposals for risk evaluation and breach contingency plans include: 

  • Impact Analysis - A comprehensive analysis of what happens if threats successfully compromise ePHI, including patient harm, financial loss, and regulatory penalties
  • Environmental Factors - External threats such as natural disasters, hardware deprecation, and third-party risks
  • Technology-Specific Risks - How technologies like AI, cloud computing, and IoT devices for ePHI can add additional risks as they evolve
  • Vulnerability assessment - A detailed analysis of potential weaknesses that includes software, hardware, and procedural weak points

Enforce more secure authentication

Data breaches are more likely when access to systems holding patient data isn't locked down. Tightening access and requiring stronger authentication would become mandatory for any system that contains ePHI.

These enforcements would include but not be limited to: 

  • Required multi-factor authentication for all access to systems containing ePHI, including administrative and remote access
  • Unique and verifiable user identification for every account that can reach ePHI, so activity can be attributed to a single person
  • Strong password requirements, aligned with the latest NIST password guidelines (SP 800-63B)

Better staff security training

As technical defenses get more sophisticated, humans become the weakest point, and attackers increasingly target workers to get access to systems, or to have it handed over willingly.

Because of this, the 2025 changes would require better staff security training and cover a number of different areas:

  • Regular, ongoing security training covering security best practices and social engineering tactics
  • Clear, documented PHI disclosure guidelines
  • How to react in case of an emergency and the escalation steps
  • Account management procedures, including timely access termination when a user switches roles or leaves (the proposal calls for removing access within one hour of a workforce member's departure)

Strengthened Risk Assessment Standards

Risk analysis is already required in some form, but the analysis requirements would become much more rigorous:

  Current requirement              2025 proposal
  General risk analysis            Comprehensive threat identification
  Periodic assessment              Mandatory review at least every 12 months
  Basic documentation              Detailed vulnerability analysis
  Informal updates                 Documented plans with regular updates
  Secure devices                   Documented technology asset inventory and network map, updated at least every 12 months
  Breach notification safeguards   Detailed incident response plan and restoration of critical systems within 72 hours

When would the proposed updates take effect?

There is no firm date for when the proposed changes would take effect. The public comment period closed on March 7, 2025, and HHS is now reviewing the comments before issuing a final rule.

Once a final rule is published, it will formalize the compliance requirements, enforcement timelines, and grace periods; the exact timing and final content may change from the proposal.

Because the grace period is unknown and some of the changes will require a significant time and resource investment, it's best to start planning now. With such drastic changes proposed, waiting until the changes are formalized may not leave enough time, and even if they are backtracked for some reason, the policies and safeguards are much more up-to-date and secure than the 2013 suggestions and follow security best practices. 

As mentioned above, part of the preparation should be reevaluating vendor solutions, as some will no longer meet the new requirements.

Use Couchdrop for secure HIPAA file transfers

For the file transfer portion of the 2025 HIPAA updates, Couchdrop can help, as the secure-by-design platform already meets the proposed changes. Transfers employ secure end-to-end encryption and files are streamed directly between your existing storage platforms and never stored by Couchdrop at any point. 

There is also a separate, secure HIPAA infrastructure that employs AWS where data stays exclusively in the United States, and Couchdrop will enter into a BAA to formalize using the platform for HIPAA data transfers. 

For more information on Couchdrop and HIPAA or to find out how the platform can work with PHI data transfers, get in touch at sales@couchdrop.io