
HIPAA 2025 Updates: What Changed and What You Need to Do


HHS has proposed the most significant updates to the HIPAA Security Rule since it first took effect. The notice of proposed rulemaking, published for comment in January 2025, follows the Change Healthcare breach and a steadily worsening threat landscape. Its central change is structural: it removes the distinction between "required" and "addressable" implementation specifications, so controls that covered entities could previously document their way around become mandatory. The era of compliance flexibility is ending.

Key Proposed Changes

Encryption: No Longer Addressable

Under the current rule, encryption is "addressable": a covered entity can implement an equivalent alternative measure if it documents why encryption isn't reasonable and appropriate. The proposed update makes encryption of ePHI at rest and in transit mandatory, with only narrow, enumerated exceptions (for example, an individual asking to receive their own ePHI unencrypted). The "we assessed it and decided not to" documentation route goes away.

Impact: Practices with unencrypted servers, workstations, laptops, or backup media must implement encryption. Today a lost unencrypted laptop is a reportable breach because it falls outside the Breach Notification Rule's encryption safe harbor; under the proposed rule, the missing encryption would itself be a Security Rule violation, lost or not.

MFA: Mandatory

Multi-factor authentication for all systems that access ePHI is proposed as a mandatory requirement, again with limited exceptions. The Change Healthcare breach, in which attackers logged in to a remote-access portal with stolen credentials because the portal had no MFA, is cited as justification.

Network Segmentation

Networks containing ePHI must be segmented to limit lateral movement during an intrusion. Systems that don't need ePHI access must be isolated from systems that do, and "isolated" means an enforced boundary (firewall or ACL rules between segments), not merely separate VLAN tags on the same flat network.

72-Hour Recovery

Covered entities must be able to restore critical information systems and data within 72 hours of a cybersecurity incident. This requires backups that are actually tested by restoring from them, a documented recovery time objective for each critical system, and evidence that the measured restore time meets it. A backup job that reports success is not a tested recovery.

Annual Penetration Testing

Penetration testing at least annually and vulnerability scanning at least every six months are proposed as mandatory requirements, replacing today's implicit reliance on the risk analysis to decide whether such testing is needed.

Technology Asset Inventory

Covered entities must maintain a complete, current inventory of all technology assets that create, receive, maintain, or transmit ePHI, along with a network map showing how ePHI moves through the environment. This includes medical devices, imaging systems, and IoT devices, which are exactly the assets most practices have never catalogued.

Compliance Timeline

The proposed rules include a compliance timeline of roughly 180 days after the final rule takes effect for most requirements, with longer transition periods for some provisions. Details may shift between proposal and final rule, but the direction will not, and six months is not enough time to start from zero. Practices should begin preparation now.

Action Items

  1. Encrypt everything. Full disk encryption on all workstations and laptops (BitLocker, FileVault, LUKS), with recovery keys escrowed where you can find them. Database encryption for your EHR. Encrypted backup media. Then verify it: an encryption policy that no one has checked against the fleet is not encryption.
  2. Deploy MFA everywhere. Every system that accesses patient data needs MFA. EHR, email, remote access, VPN and any other portal reachable from the internet, cloud storage. All of it, with phishing-resistant factors preferred for administrative and remote access.
  3. Implement network segmentation. Separate clinical systems from guest Wi-Fi, personal devices, and administrative networks, and write down which flows between segments are allowed so the rules can be reviewed.
  4. Test your recovery. Can you restore operations within 72 hours? If you haven't tested, you don't know. Restore a critical system from backup, time it, and record the result against its RTO.
  5. Build your asset inventory. Catalog every device that touches ePHI. Include medical devices, imaging systems, and network equipment, and draw the network map while you're at it.
  6. Budget for penetration testing. Annual pen tests and six-monthly vulnerability scans will be mandatory. Get quotes and budget accordingly.
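The six action items above only become actionable once they are checked against a real asset inventory, so here is an added example of that gap check (not code from the original post). It reads a constructed inventory and reports, per asset, which of the proposed controls is missing: encryption at rest and in transit, MFA, segment sharing between ePHI and non-ePHI systems, a tested restore within the 72-hour target, and the six-month scan and annual pen-test cadences. The record format, field names, and the one-year validity window for a restore drill are assumptions; the 72-hour, six-month, and annual figures are the ones quoted in the post.

```python
"""Gap check of a technology asset inventory against the controls in the
proposed HIPAA Security Rule update. Added example, not from the post.
The inventory schema and RESTORE_TEST_MAX_DAYS are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

RTO_HOURS = 72               # restore critical systems within 72 hours
SCAN_MAX_DAYS = 182          # vulnerability scan at least every six months
PENTEST_MAX_DAYS = 365       # penetration test at least annually
RESTORE_TEST_MAX_DAYS = 365  # assumption: a restore drill counts as current for a year


@dataclass
class Asset:
    name: str
    segment: str                         # network segment, e.g. "clinical", "guest"
    handles_ephi: bool
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    mfa: bool = False
    critical: bool = False               # in scope for the 72-hour recovery target
    last_restore_test: date | None = None
    restore_hours: float | None = None   # wall-clock restore time measured in that drill


@dataclass
class Program:
    last_vuln_scan: date | None = None
    last_pentest: date | None = None


def _stale(last: date | None, max_days: int, today: date) -> bool:
    """True when an activity never happened or is older than its required cadence."""
    return last is None or (today - last).days > max_days


def asset_gaps(a: Asset, ephi_segments: set[str], today: date) -> list[str]:
    """Control gaps for one asset. Non-ePHI assets are only checked for segmentation."""
    gaps: list[str] = []
    if not a.handles_ephi:
        if a.segment in ephi_segments:
            gaps.append(f"non-ePHI system shares segment '{a.segment}' with ePHI systems")
        return gaps
    if not a.encrypted_at_rest:
        gaps.append("ePHI not encrypted at rest")
    if not a.encrypted_in_transit:
        gaps.append("ePHI not encrypted in transit")
    if not a.mfa:
        gaps.append("no MFA on ePHI access")
    if a.critical:
        if _stale(a.last_restore_test, RESTORE_TEST_MAX_DAYS, today):
            gaps.append("no current restore test for critical system")
        elif a.restore_hours is None or a.restore_hours > RTO_HOURS:
            gaps.append(f"measured restore time exceeds {RTO_HOURS}h RTO")
    return gaps


def program_gaps(p: Program, today: date) -> list[str]:
    """Gaps in the practice-wide testing cadence rather than on a single asset."""
    gaps: list[str] = []
    if _stale(p.last_vuln_scan, SCAN_MAX_DAYS, today):
        gaps.append("vulnerability scan older than six months or missing")
    if _stale(p.last_pentest, PENTEST_MAX_DAYS, today):
        gaps.append("penetration test older than one year or missing")
    return gaps


def gap_report(assets: list[Asset], program: Program, today: date) -> dict[str, list[str]]:
    """Map of asset name (or 'program') to its gaps; assets with no gaps are omitted."""
    ephi_segments = {a.segment for a in assets if a.handles_ephi}
    report = {a.name: asset_gaps(a, ephi_segments, today) for a in assets}
    report["program"] = program_gaps(program, today)
    return {name: gaps for name, gaps in report.items() if gaps}


# Constructed sample inventory for the demo; not real systems or dates of any practice.
TODAY = date(2025, 6, 1)
SAMPLE_ASSETS = [
    Asset("ehr-db-01", "clinical", handles_ephi=True, encrypted_at_rest=True,
          encrypted_in_transit=True, mfa=True, critical=True,
          last_restore_test=date(2025, 3, 10), restore_hours=20),
    Asset("pacs-01", "clinical", handles_ephi=True, encrypted_at_rest=False,
          encrypted_in_transit=True, mfa=False, critical=True,
          last_restore_test=date(2025, 1, 15), restore_hours=96),
    Asset("frontdesk-laptop-07", "clinical", handles_ephi=True, encrypted_at_rest=True,
          encrypted_in_transit=True, mfa=True),
    Asset("lobby-smart-tv", "clinical", handles_ephi=False),   # on the wrong segment
    Asset("guest-ap-01", "guest", handles_ephi=False),
]
SAMPLE_PROGRAM = Program(last_vuln_scan=date(2024, 9, 1), last_pentest=date(2024, 11, 20))

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_ASSETS, SAMPLE_PROGRAM, TODAY).items():
        print(name)
        for g in gaps:
            print("  -", g)
```

Run against the sample inventory, the report flags the imaging server (unencrypted at rest, no MFA, and a 96-hour measured restore against a 72-hour target), the smart TV sitting on the clinical segment, and a vulnerability scan that is nine months old; the encrypted, MFA-protected EHR database and laptop produce no findings. The segmentation check is deliberately driven by the non-ePHI side: the inventory of what touches ePHI tells you which segments are sensitive, and anything else living there is the finding.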

These proposed rules reflect lessons learned from years of catastrophic breaches. They're not surprising. They're the same controls we've been recommending for nine years. The difference is they're about to be legally required.