The healthcare industry has long been a prime target for cybercriminals, and with the rise of digital records, HIPAA (Health Insurance Portability and Accountability Act) was introduced to protect sensitive patient information. However, as technology advances and threats become more sophisticated, the existing HIPAA framework needs updating.
In our recent CompassMSP Thought Leadership Thursday webinar, cybersecurity expert Jim Ambrosini broke down what’s changing, why it matters, and the steps small and mid-sized businesses must take to stay compliant. Here’s what you need to know.
A Brief History of HIPAA
HIPAA was established in 1996 to protect healthcare data as more organizations began to digitize their records. At the time, there were limited security standards for IT systems, so HIPAA provided a good foundation with guidelines around physical, administrative, and technical controls. Healthcare organizations were shifting from manual processes to online systems, creating the need for a robust regulatory framework.
Back then, HIPAA was more than adequate for the technology of the time, but as the digital world continued to advance, so did the threats. Today, the risks are greater, necessitating a significantly stronger framework to maintain security.
Main Drivers Behind the HIPAA Updates
Several key factors are driving the upcoming HIPAA updates:
- Advancing Technology: As digital systems evolve, healthcare organizations require more comprehensive protections for their IT systems. Advancements such as AI and machine learning are transforming how data is processed and protected, necessitating new security measures.
- Increasing Cybersecurity Threats: Healthcare is one of the most targeted industries, with cybercriminals seeking to exploit healthcare data for financial gain. In fact, healthcare breaches accounted for nearly a quarter of all data breaches in 2024, affecting over 275 million records (Source: HIPAA Journal, Healthcare Data Breach Statistics).
- The Cost of Breaches: The financial impact of a data breach in healthcare can be crippling, with costs extending far beyond just the immediate loss of data. This includes legal fees, regulatory penalties, and reputational damage that can take years to repair.
Key HIPAA Changes for 2025
For small and mid-sized businesses in the healthcare sector, it’s crucial to stay ahead of these changes. While HIPAA was originally designed to be flexible, organizations now face greater scrutiny and more complex compliance requirements. The good news is that these updates offer a more comprehensive and robust framework for securing sensitive healthcare data.
Here are the changes small and mid-sized businesses need to be aware of:
1. Documentation and Policy Audits Are Now Critical
HIPAA compliance has always required documented security policies, but enforcement is tightening. If your organization undergoes an audit, regulators will expect detailed policies and evidence of adherence. Businesses must:
- Maintain up-to-date policies and procedures that align with current security threats and technology.
- Conduct annual internal audits to ensure compliance and address any gaps.
- Provide audit-ready documentation showcasing security measures and risk assessments.
2. Yearly Testing of Security Policies
A major shift in the 2025 updates is the requirement for annual testing of security policies and procedures. This ensures organizations don’t just write policies but actively validate them. Testing includes:
- Walkthroughs and validation exercises for policy relevance.
- Incident response testing, including evaluations of backup and disaster recovery plans.
- Manual policy reviews to confirm security measures align with current technology.
3. Stricter Enforcement
While concerns have been discussed regarding federal staffing shortages potentially slowing down audits, businesses should not assume leniency. The standard of compliance remains, whether or not an audit occurs. Small and mid-sized businesses should prepare as if they will be audited and maintain strict compliance.
How Small and Mid-Sized Businesses Should Prepare for These Changes
1. Conduct an Internal HIPAA Audit
Self-audits are now a formal requirement. Small and mid-sized businesses must document their efforts to assess and improve security practices annually. While third-party audits are an option, self-assessments are explicitly expected as part of compliance validation.
2. Update Security Procedures to Reflect Current Threats
Policies should not remain static. Organizations must ensure:
- Security policies align with modern cyber threats.
- Old risk reports and outdated documentation are replaced with current assessments.
- Employees are trained on current security policies and procedures.
3. Maintain Proper Documentation
Auditors will request evidence of compliance efforts. Your organization should be able to produce:
- Risk assessment reports from the past year.
- Updated security policies and testing documentation.
- Records of employee training and cybersecurity awareness initiatives.
Real-World Example: Achieving HIPAA Compliance
Healthcare organizations often struggle with maintaining HIPAA compliance, especially with shifting regulations. Here’s an example of how our cybersecurity expert, Jim Ambrosini, helped a managed care facility tackle this challenge.
The Challenge
-
Organization: A large managed care facility in the South, in operation since the late 1980s.
-
Compliance Status: Only 60% compliant with HIPAA.
-
Root Cause: The facility’s non-compliance wasn’t due to lack of knowledge or staffing, but a lack of governance, accountability, and visibility within the organization.
The Solution
Jim led the charge to improve compliance through the following steps:
- HIPAA Assessment: Conducted a comprehensive assessment to identify gaps in compliance.
- Governance Structure: Implemented an IT risk and governance committee, which included key stakeholders like the CFO, CEO, and Director of Medical Services.
- Regular Meetings: The committee met monthly to discuss IT security priorities, project funding, and compliance progress.
The Outcome
After eight months of focused effort, the organization achieved full compliance with HIPAA. Not only did they meet the requirements, but they also developed a strong framework for ongoing security management. Just after completing this process, the organization was selected for an audit and passed successfully, demonstrating the effectiveness of their new compliance framework.
This case study emphasizes the importance of governance, collaboration, and persistence in achieving and maintaining HIPAA compliance. It’s a reminder that even if your organization is far from compliant, it’s never too late to start making improvements.
Need Assistance with HIPAA Compliance?
Navigating regulatory changes can be challenging, but you don’t have to do it alone. At CompassMSP, we help small and mid-sized businesses stay compliant by offering security assessments and ongoing support. If you need guidance on implementing these new HIPAA updates, contact us today.
Watch our Recent Webinar:
The proposed HIPAA updates for 2025 are expected to impact healthcare compliance strategies in applicable organizations. In this webinar, Jim Ambrosini, CompassMSP's Director of Cyber Advisory, breaks down the key HIPAA changes, including new data protection and privacy requirements, and how healthcare leaders can stay compliant.