Patient Data Privacy in 2025: Beyond HIPAA Compliance

HIPAA sets the baseline for patient data privacy. But in 2025 the privacy landscape is more complex than HIPAA alone describes.

State privacy laws, rising patient expectations, how AI tools handle the data you give them, vendor security practices: privacy now requires more than checkbox HIPAA compliance.

HIPAA Remains Foundation

Core Requirements

The HIPAA Privacy Rule and Security Rule still apply. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI.

Business Associate Agreements with every vendor that handles PHI. Breach notification procedures. Patients' right to access their records.

But Not Sufficient

HIPAA dates from 1996, with the Privacy Rule taking effect in 2003 and the Security Rule in 2005. The privacy landscape has changed significantly since then.

Meeting HIPAA requirements doesn't address all current privacy concerns, and it says nothing about data that HIPAA never covered.

State Privacy Laws

California CCPA/CPRA

The California Consumer Privacy Act and California Privacy Rights Act apply to some healthcare-related data.

CCPA/CPRA exempt PHI held by HIPAA covered entities and business associates, but that exemption follows the data, not the organization. Data a practice collects outside HIPAA's scope, such as website visitor analytics or marketing lists, can still fall under California law.

Other State Laws

Virginia, Colorado, Connecticut, and other states have enacted comprehensive consumer privacy laws. Most exempt HIPAA-covered PHI, but the exemptions differ in scope (some exempt the covered entity as a whole, others only the PHI itself).

Multi-state practices therefore face a complex compliance landscape.

Healthcare-Specific State Laws

Some states have health-specific privacy laws that reach data HIPAA doesn't. Washington's My Health My Data Act, for example, covers consumer health data collected by entities that are not HIPAA covered entities, such as apps and websites, and carries a private right of action.

AI and Data Privacy

AI Training Concerns

When using AI tools with patient data, the first question is whether the vendor uses submitted data to train or improve its models.

Consumer AI tools often do, and often retain prompts for human review. Neither is appropriate for patient information.

Enterprise AI Commitments

Enterprise AI offerings that will sign a BAA typically commit contractually not to train on customer data and to limit how long it is retained.

Verify those commitments in the signed contract and in the product's configuration, not just in marketing copy, before any PHI goes in.

De-Identification Risks

Re-identification doesn't require AI. The classic finding is that 5-digit ZIP code, date of birth and sex alone uniquely identify roughly 87% of the US population, so a "de-identified" dataset that keeps those fields can be linked back to names using public records. AI tools make that kind of linkage cheaper and let it work on looser patterns.

De-identification isn't foolproof privacy protection, and it is even less so once AI is in the picture.
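Here is an added illustration of the linkage problem, written for this post rather than taken from any particular tool or study. The datasets are constructed: a small "de-identified" release that kept 5-digit ZIP, full date of birth and sex, and a public list with names of the shape a voter roll has. Field names are assumptions. It also shows what coarsening those fields (3-digit ZIP, birth year, the Safe Harbor approach) does and does not buy.

```python
"""Linkage attack against a "de-identified" release (constructed example).

The release strips names and MRNs but keeps 5-digit ZIP, full date of
birth and sex. Those three fields are quasi-identifiers: joined against a
public dataset that carries names (a constructed voter-roll lookalike),
they re-identify most records. Generalising them (3-digit ZIP, birth year)
makes the join ambiguous, but note that it does not guarantee any record
is indistinguishable from another within the release itself.
"""
from collections import Counter, defaultdict

# Constructed "de-identified" clinical release: direct identifiers removed,
# quasi-identifiers left at full precision. Field names are assumed.
RELEASE = [
    {"zip": "85004", "dob": "1974-03-09", "sex": "F", "dx": "E11.9"},
    {"zip": "85004", "dob": "1981-11-22", "sex": "M", "dx": "F32.1"},
    {"zip": "85016", "dob": "1974-03-09", "sex": "F", "dx": "C50.911"},
    {"zip": "85016", "dob": "1990-06-01", "sex": "M", "dx": "J45.20"},
    {"zip": "85016", "dob": "1990-06-01", "sex": "M", "dx": "I10"},
]

# Constructed public dataset with names (the shape of a voter roll).
PUBLIC = [
    {"name": "A. Reyes",     "zip": "85004", "dob": "1974-03-09", "sex": "F"},
    {"name": "B. Okafor",    "zip": "85004", "dob": "1981-11-22", "sex": "M"},
    {"name": "C. Lindqvist", "zip": "85016", "dob": "1974-03-09", "sex": "F"},
    {"name": "D. Park",      "zip": "85016", "dob": "1990-06-01", "sex": "M"},
    {"name": "E. Park",      "zip": "85016", "dob": "1990-06-01", "sex": "M"},
    {"name": "F. Nguyen",    "zip": "85004", "dob": "1981-02-14", "sex": "M"},
    {"name": "G. Alvarez",   "zip": "85004", "dob": "1965-07-30", "sex": "F"},
]

QUASI = ("zip", "dob", "sex")

def key(rec, fields=QUASI):
    return tuple(rec[f] for f in fields)

def k_anonymity(records, fields=QUASI):
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one record is unique on those fields."""
    return min(Counter(key(r, fields) for r in records).values())

def link(release, public, fields=QUASI):
    """Join the release to public data on the quasi-identifiers. Returns
    {index_in_release: [candidate names]}; one candidate is a confident hit."""
    index = defaultdict(list)
    for p in public:
        index[key(p, fields)].append(p["name"])
    return {i: index.get(key(r, fields), []) for i, r in enumerate(release)}

def reidentified(release, public, fields=QUASI):
    """Indices of release records that link to exactly one named person."""
    return sorted(i for i, names in link(release, public, fields).items()
                  if len(names) == 1)

def generalize(rec):
    """Coarsen the quasi-identifiers the way Safe Harbor does:
    first three ZIP digits, year of birth only."""
    g = dict(rec)
    g["zip"] = rec["zip"][:3]
    g["dob"] = rec["dob"][:4]
    return g

if __name__ == "__main__":
    print("k of release:", k_anonymity(RELEASE))
    print("uniquely re-identified:", reidentified(RELEASE, PUBLIC))
    gr = [generalize(r) for r in RELEASE]
    gp = [generalize(p) for p in PUBLIC]
    # The 1981-born male is still unique *within* the release (k stays 1);
    # he escapes linkage only because another 1981-born man happens to live
    # in the same ZIP prefix in the public data. That is luck, not a guarantee.
    print("k after generalisation:", k_anonymity(gr))
    print("uniquely re-identified after generalisation:", reidentified(gr, gp))
```

The two numbers answer different questions: k describes the release on its own, while the linkage result depends on whatever auxiliary data an attacker holds. A release with k = 1 is not automatically re-identifiable, but it is one public dataset away from being so.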

Patient Portal Privacy

Access Logs

Who accessed what patient information, and when. Patients increasingly expect to see this themselves, and the same audit trail is what lets the practice detect snooping.

Sharing Controls

Patients want control over who sees their information: proxy access, family-member access, sharing with other providers.

Data Download

Patients have a right under HIPAA to obtain a copy of their records. Modern portals make downloading them easy.

Vendor Privacy Practices

Beyond BAAs

Business Associate Agreements are required but not sufficient.

Review the vendor's actual privacy practices. Where is data stored? Who can access it? How long is it retained? Is it encrypted, and who holds the keys?

Subprocessors

Vendors often rely on subprocessors (cloud infrastructure providers, support tooling, analytics). Each one that touches PHI is itself a business associate and must be under a BAA with the vendor.

Ask for the subprocessor list and understand the full chain of data handling.

Data Residency

Where is patient data physically stored, and in which jurisdiction? Some patients care about data location, and the answer affects which laws apply to it.

Mobile Apps and Wearables

Patient-Generated Health Data

Data from fitness trackers, health apps and wearables usually falls outside HIPAA while it stays with the app vendor.

Once a covered entity receives it into the EHR, it becomes PHI and is subject to HIPAA.

App Privacy Policies

If you recommend health apps to patients, understand their privacy practices first.

Some apps share health data with advertisers and data brokers, and the patient will assume the practice vetted the app it recommended.

Marketing and Communications

HIPAA Marketing Rules

Using patient data for marketing requires written patient authorization in most cases. The exceptions are narrow: face-to-face communications and promotional gifts of nominal value.

Appointment Reminders

Appointment reminders are treatment communications, not marketing, but they still disclose PHI. Patients may ask to be contacted by a particular channel or at a particular address, and practices must accommodate reasonable requests.

Email and Text Privacy

Standard email and SMS are not encrypted end to end and may sit on carrier or provider servers. Patients can choose to receive PHI that way, but they should be told of the risk first and the choice should be documented.

Breach Prevention

Encryption

Data at rest and in transit should be encrypted. Under the Security Rule, encryption is an "addressable" specification rather than an unconditional mandate, which is sometimes misread as optional. In practice there is rarely a defensible reason to skip it, and PHI encrypted in line with HHS guidance is not "unsecured PHI", so losing an encrypted device does not trigger breach notification.

Access Controls

Role-based access: users see only the information their role needs. Pair it with a break-the-glass path for emergencies, so that legitimate exceptions are logged and reviewed rather than becoming routine.

Monitoring

Audit logs tracking who accessed what, and when. Review them for inappropriate access: charts opened without a treatment relationship, unusual volumes, access to VIP or employee records, access from unexpected locations.
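An added example of the kind of review a privacy officer runs over an access log, written for this post (not any EHR product's code). The log lines, the schedule table and the per-role thresholds are constructed and the field names are assumptions; a real EHR's audit export will look different. The "btg" flag stands for break-the-glass. The third check, a scheduler opening clinical notes, is something role-based access should have prevented outright: if it shows up in the log at all, the access control is misconfigured.

```python
"""Review an EHR access audit log for inappropriate access (constructed example).

Three checks a privacy officer commonly runs over the audit trail:
  NO_RELATIONSHIP  a clinician opened a chart for a patient with no
                   documented care relationship and without break-the-glass
  VOLUME           a user viewed more distinct patients in a short window
                   than their role plausibly needs (scraping, snooping)
  ROLE_VIOLATION   a user reached a resource their role should not have;
                   if this appears at all, the access control is wrong
Log format, field names and thresholds are assumptions for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log in JSON-lines form (field names assumed).
AUDIT_LOG = """\
{"ts": "2025-03-04T09:02:11", "user": "drsmith", "role": "physician", "patient": "P1001", "resource": "notes", "btg": false}
{"ts": "2025-03-04T09:05:40", "user": "drsmith", "role": "physician", "patient": "P1002", "resource": "results", "btg": false}
{"ts": "2025-03-04T12:31:05", "user": "frontdesk2", "role": "scheduler", "patient": "P2001", "resource": "demographics", "btg": false}
{"ts": "2025-03-04T12:31:50", "user": "frontdesk2", "role": "scheduler", "patient": "P2002", "resource": "demographics", "btg": false}
{"ts": "2025-03-04T12:32:10", "user": "frontdesk2", "role": "scheduler", "patient": "P2003", "resource": "demographics", "btg": false}
{"ts": "2025-03-04T12:32:44", "user": "frontdesk2", "role": "scheduler", "patient": "P2004", "resource": "demographics", "btg": false}
{"ts": "2025-03-04T12:33:02", "user": "frontdesk2", "role": "scheduler", "patient": "P2005", "resource": "demographics", "btg": false}
{"ts": "2025-03-04T12:33:30", "user": "frontdesk2", "role": "scheduler", "patient": "P2006", "resource": "notes", "btg": false}
{"ts": "2025-03-04T22:14:09", "user": "rn_jones", "role": "nurse", "patient": "P1002", "resource": "notes", "btg": false}
{"ts": "2025-03-04T22:20:00", "user": "rn_jones", "role": "nurse", "patient": "P3001", "resource": "notes", "btg": true}
"""

# Constructed care-relationship table: (user, patient) pairs with an
# encounter on that user's schedule. Schedulers are exempt from the
# relationship check because touching many charts is their job.
RELATIONSHIPS = {("drsmith", "P1001"), ("drsmith", "P1002"), ("rn_jones", "P1001")}
RELATIONSHIP_EXEMPT_ROLES = {"scheduler"}

# What each role is permitted to open (assumed policy).
ROLE_RESOURCES = {
    "scheduler": {"demographics", "schedule"},
    "nurse": {"demographics", "schedule", "notes", "results"},
    "physician": {"demographics", "schedule", "notes", "results"},
}

# Distinct patients a role may plausibly touch inside the window (assumed).
VOLUME_WINDOW = timedelta(minutes=5)
VOLUME_LIMIT = {"scheduler": 5, "physician": 15, "nurse": 10}

def parse_log(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def no_relationship(events, relationships=RELATIONSHIPS):
    """Chart access without a care relationship and without break-the-glass."""
    return [("NO_RELATIONSHIP", e["user"], e["patient"]) for e in events
            if e["role"] not in RELATIONSHIP_EXEMPT_ROLES and not e["btg"]
            and (e["user"], e["patient"]) not in relationships]

def role_violation(events, policy=ROLE_RESOURCES):
    """Resources opened that the user's role is not permitted to see."""
    return [("ROLE_VIOLATION", e["user"], e["resource"]) for e in events
            if e["resource"] not in policy.get(e["role"], set())]

def volume(events, window=VOLUME_WINDOW, limits=VOLUME_LIMIT):
    """Users who touched more distinct patients than their role's limit in
    any sliding window. One finding per user, carrying the peak count."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        limit = limits.get(evs[0]["role"], 5)
        peak = 0
        for i, start in enumerate(evs):
            in_window = {x["patient"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            peak = max(peak, len(in_window))
        if peak > limit:
            findings.append(("VOLUME", user, peak))
    return findings

def review(text):
    events = parse_log(text)
    return no_relationship(events) + role_violation(events) + volume(events)

if __name__ == "__main__":
    for finding in review(AUDIT_LOG):
        print(*finding)
```

The relationship table is the expensive part in real life: it has to be built from scheduling and encounter data, and it is never complete (covering colleagues, consults, on-call shifts), which is why break-the-glass access exists and why findings go to a human reviewer rather than straight to HR.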

Training

Staff training on privacy policies and procedures. Many breaches begin with a human mistake: a misdirected email, a phished credential, a lost unencrypted laptop.

Patient Privacy Expectations

Transparency

Patients expect clear information about how data is used and protected.

Control

Patients want control over their data. Who can see it, how it's shared, ability to correct errors.

Security

Patients expect strong security protecting their information from breaches.

Limited Use

Patients expect their data to be used for their care, not sold or used for unrelated purposes.

Telehealth Privacy

Platform Selection

Telehealth must run on a platform whose vendor will sign a BAA and that supports encrypted sessions and access controls. Consumer video platforms without a BAA are not appropriate; the COVID-era enforcement discretion that tolerated them ended in 2023.

Provider Location

Providers conducting telehealth from home need a private space. Family members should not be able to overhear, and screens should not be visible to them.

Recording

If telehealth visits are recorded, the recordings are PHI and need secure storage, access controls and a retention policy. Patients should be told they are being recorded and, where state law requires it, consent.

Research and Quality Improvement

De-Identification for Research

Properly de-identified data is no longer PHI and can be used for research without patient authorization.

But de-identification must follow one of the two HIPAA methods: Safe Harbor (removal of the 18 listed identifier types, with no actual knowledge that the remainder could identify anyone) or Expert Determination (a qualified expert documents that the re-identification risk is very small).
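An added example, written for this post, of what the Safe Harbor method actually requires of a record (not vendor code, and not a substitute for legal review). Field names are assumptions. The list of restricted three-digit ZIP prefixes is the one HHS derived from 2000 Census data; check it against current guidance before relying on it.

```python
"""HIPAA Safe Harbor de-identification of a single record (constructed example).

Implements the Safe Harbor method in 45 CFR 164.514(b)(2): strip the listed
direct identifiers, keep at most the first three digits of the ZIP code
(reduced to 000 for sparsely populated prefixes), reduce dates to the year,
and collapse ages of 90 and over into one "90+" bucket.
Field names are assumptions for this example.
"""
import re
from datetime import date

# Direct identifiers removed outright (assumed field names).
DIRECT_IDENTIFIERS = {
    "name", "mrn", "ssn", "phone", "fax", "email", "address", "city", "county",
    "account_no", "health_plan_id", "license_no", "vehicle_id", "device_id",
    "url", "ip", "biometric_id", "photo",
}
# Three-digit ZIP prefixes covering 20,000 people or fewer per HHS guidance
# (derived from 2000 Census data; verify against current guidance before use).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
AS_OF = date(2025, 3, 1)  # reference date for computing ages

def safe_harbor_zip(zip5):
    prefix = (zip5 or "")[:3]
    return "000" if len(prefix) < 3 or prefix in RESTRICTED_ZIP3 else prefix

def safe_harbor_age(dob, as_of):
    """Whole years of age at as_of; 90 and over collapses to "90+"."""
    d = date.fromisoformat(dob)
    age = as_of.year - d.year - ((as_of.month, as_of.day) < (d.month, d.day))
    return "90+" if age >= 90 else age

def safe_harbor(record, as_of=AS_OF):
    out = {}
    age = safe_harbor_age(record["dob"], as_of) if "dob" in record else None
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field in DATE_FIELDS:
            # Year only. A 90+ patient's birth year would itself reveal the
            # age, so for them it is dropped rather than kept.
            if field == "dob" and age == "90+":
                continue
            out[field + "_year"] = value[:4]
        else:
            out[field] = value
    if age is not None:
        out["age"] = age
    return out

def looks_de_identified(record):
    """Cheap check that no direct identifier, full date or 5-digit ZIP survived.
    Passing this is necessary, not sufficient: free-text fields can still leak."""
    if DIRECT_IDENTIFIERS & set(record):
        return False
    for field, value in record.items():
        if isinstance(value, str) and ISO_DATE.match(value):
            return False
        if field.startswith("zip") and len(str(value)) > 3:
            return False
    return True

# Constructed input records.
RECORDS = [
    {"name": "Jane Roe", "mrn": "000123", "email": "jroe@example.org", "zip": "85004",
     "dob": "1974-03-09", "admit_date": "2025-02-11", "sex": "F", "dx": "E11.9"},
    {"name": "John Doe", "mrn": "000456", "zip": "03601",
     "dob": "1930-01-15", "sex": "M", "dx": "I10"},
]

if __name__ == "__main__":
    for r in RECORDS:
        d = safe_harbor(r)
        print(d, looks_de_identified(d))
```

Note what survives: diagnosis codes, sex, year of birth and admission year. Safe Harbor says nothing about those, which is why the linkage risk discussed above remains and why a dataset with rare diagnoses or small populations usually needs Expert Determination instead.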

Quality Improvement

Using patient data for quality improvement is generally permitted under HIPAA as health care operations, but it should still use the minimum necessary data and protect privacy.

Incident Response

Breach Notification

HIPAA requires notifying affected patients without unreasonable delay and no later than 60 days after the breach is discovered, notifying HHS, and notifying the media when a breach affects more than 500 residents of a state or jurisdiction.

Some state laws have shorter deadlines or additional notification requirements.

Documentation

Document privacy incidents and the response, including the risk assessment that decided whether an incident was a reportable breach. Required for HIPAA compliance and useful for improvement.

Privacy Impact Assessments

Conduct a privacy impact assessment before adopting any new technology or process that involves patient data: what data it touches, who can access it, where it flows, and how it will be protected.

Looking Forward

Federal Privacy Law?

A comprehensive federal privacy law could change the landscape. Healthcare would likely be partially exempt, but it is worth monitoring.

AI Regulations

AI-specific regulations are emerging and will affect how AI can be used with patient data.

Patient Expectations Rising

Patients are increasingly aware of data privacy issues, and their expectations will continue to rise.

Practical Steps

  1. Ensure HIPAA compliance (baseline requirement)
  2. Review state privacy law applicability
  3. Assess AI tool data handling practices
  4. Evaluate vendor privacy beyond BAAs
  5. Implement strong access controls and monitoring
  6. Train staff on privacy policies
  7. Be transparent with patients about data practices
  8. Conduct privacy impact assessments for new technologies
  9. Stay current on evolving privacy regulations

Our Services

At Robell Technologies, we help medical practices navigate this privacy complexity.

Fourteen years serving Arizona medical practices means understanding both privacy requirements and operational realities.

If you need help with patient data privacy beyond basic HIPAA compliance, we can help.

Privacy is not just regulatory compliance. It's patient trust. Protect it accordingly.