HIPAA 2025 Proposed Updates: How Healthcare Leaders Can Stay Compliant

The healthcare industry has long been a prime target for cybercriminals, and with the rise of digital records, HIPAA (Health Insurance Portability and Accountability Act) was introduced to protect sensitive patient information. However, as technology advances and threats become more sophisticated, the existing HIPAA framework needs updating.

In our recent CompassMSP Thought Leadership Thursday webinar, cybersecurity expert Jim Ambrosini broke down what’s changing, why it matters, and the steps small and mid-sized businesses must take to stay compliant. Here’s what you need to know.

A Brief History of HIPAA

HIPAA was established in 1996 to protect healthcare data as more organizations began to digitize their records. At the time, there were limited security standards for IT systems, so HIPAA provided a good foundation with guidelines around physical, administrative, and technical controls. Healthcare organizations were shifting from manual processes to online systems, creating the need for a robust regulatory framework.

Back then, HIPAA was more than adequate for the technology of the time, but as the digital world continued to advance, so did the threats. Today, the risks are greater, necessitating a significantly stronger framework to maintain security.

Main Drivers Behind the HIPAA Updates

Several key factors are driving the upcoming HIPAA updates:

• Advancing Technology: As digital systems evolve, healthcare organizations require more comprehensive protections for their IT systems. Advancements such as AI and machine learning are transforming how data is processed and protected, necessitating new security measures.
• Increasing Cybersecurity Threats: Healthcare is one of the most targeted industries, with cybercriminals seeking to exploit healthcare data for financial gain. In fact, healthcare breaches accounted for nearly a quarter of all data breaches in 2024, affecting over 275 million records (Source: HIPAA Journal, Healthcare Data Breach Statistics).
• The Cost of Breaches: The financial impact of a data breach in healthcare can be crippling, with costs extending far beyond just the immediate loss of data. This includes legal fees, regulatory penalties, and reputational damage that can take years to repair.

Key HIPAA Changes for 2025

For small and mid-sized businesses in the healthcare sector, it’s crucial to stay ahead of these changes. While HIPAA was originally designed to be flexible, organizations now face greater scrutiny and more complex compliance requirements. The good news is that these updates offer a more comprehensive and robust framework for securing sensitive healthcare data.

Here are the changes small and mid-sized businesses need to be aware of:

1. Documentation and Policy Audits Are Now Critical

HIPAA compliance has always required documented security policies, but enforcement is tightening. If your organization undergoes an audit, regulators will expect detailed policies and evidence of adherence. Businesses must:

• Maintain up-to-date policies and procedures that align with current security threats and technology.
• Conduct annual internal audits to ensure compliance and address any gaps.
• Provide audit-ready documentation showcasing security measures and risk assessments.

2. Yearly Testing of Security Policies

A major shift in the 2025 updates is the requirement for annual testing of security policies and procedures. This ensures organizations don’t just write policies but actively validate them. Testing includes:

• Walkthroughs and validation exercises for policy relevance.
• Incident response testing, including evaluations of backup and disaster recovery plans.
• Manual policy reviews to confirm security measures align with current technology.

3. Stricter Enforcement

While concerns have been discussed regarding federal staffing shortages potentially slowing down audits, businesses should not assume leniency. The standard of compliance remains, whether or not an audit occurs. Small and mid-sized businesses should prepare as if they will be audited and maintain strict compliance.

How Small and Mid-Sized Businesses Should Prepare for These Changes

1. Conduct an Internal HIPAA Audit

Self-audits are now a formal requirement. Small and mid-sized businesses must document their efforts to assess and improve security practices annually. While third-party audits are an option, self-assessments are explicitly expected as part of compliance validation.

2. Update Security Procedures to Reflect Current Threats

Policies should not remain static. Organizations must ensure:

• Security policies align with modern cyber threats.
• Old risk reports and outdated documentation are replaced with current assessments.
• Employees are trained on current security policies and procedures.

3. Maintain Proper Documentation

Auditors will request evidence of compliance efforts. Your organization should be able to produce:

• Risk assessment reports from the past year.
• Updated security policies and testing documentation.
• Records of employee training and cybersecurity awareness initiatives.

Real-World Example: Achieving HIPAA Compliance

Healthcare organizations often struggle with maintaining HIPAA compliance, especially with shifting regulations. Here’s an example of how our cybersecurity expert, Jim Ambrosini, helped a managed care facility tackle this challenge.

The Challenge

• Organization: A large managed care facility in the South, in operation since the late 1980s.

• Compliance Status: Only 60% compliant with HIPAA.

• Root Cause: The facility’s non-compliance wasn’t due to lack of knowledge or staffing, but a lack of governance, accountability, and visibility within the organization.

The Solution

Jim led the charge to improve compliance through the following steps:

• HIPAA Assessment: Conducted a comprehensive assessment to identify gaps in compliance.
• Governance Structure: Implemented an IT risk and governance committee, which included key stakeholders like the CFO, CEO, and Director of Medical Services.
• Regular Meetings: The committee met monthly to discuss IT security priorities, project funding, and compliance progress.

The Outcome

After eight months of focused effort, the organization achieved full compliance with HIPAA. Not only did they meet the requirements, but they also developed a strong framework for ongoing security management. Just after completing this process, the organization was selected for an audit and passed successfully, demonstrating the effectiveness of their new compliance framework.

This case study emphasizes the importance of governance, collaboration, and persistence in achieving and maintaining HIPAA compliance. It’s a reminder that even if your organization is far from compliant, it’s never too late to start making improvements.

Need Assistance with HIPAA Compliance?

Navigating regulatory changes can be challenging, but you don’t have to do it alone. At CompassMSP, we help small and mid-sized businesses stay compliant by offering security assessments and ongoing support. If you need guidance on implementing these new HIPAA updates, contact us today.