How the 2025 HIPAA changes will impact small medical practices

“In January, the US Department of Health and Human Services (HHS) introduced the first new rule for the Health Insurance Portability and Accountability Act—the law that protects patients’ private healthcare information—in more than 15 years. It came with a plethora of new regulations for how covered entities should go about protecting a patient’s health information,” notes Healthcare Brew in How proposed HIPAA regulations may impact providers’ bottom lines. 

Furthermore, “The proposed regulations would require all covered entities to implement security measures like multi-factor authentication, maintain inventories of all assets that contain or transmit patient data, and conduct annual audits to ensure they’re following the rules.”

According to Steven Teppler, chair of cybersecurity and data privacy at the law firm Mandelbaum Barrett, in an interview with Healthcare Brew, the updates are more in alignment with current best practices in cybersecurity than the original HIPAA rules created in the ’90s and early 2000s.

Overview of major HIPAA changes in 2025

Several HIPAA updates are on the horizon for 2025:

1. HIPAA Privacy Rule Updates: Proposed by the Trump administration in 2020, these changes may finally be implemented in 2025.
2. HIPAA Security Rule Overhaul: A major update focused on cybersecurity standards was proposed in December 2024, with the comment period closing on March 7, 2025.

Additionally, practices need to be aware of recent changes that will be fully enforced in 2025:

• Part 2 and HIPAA Alignment: Finalized in February 2024, with full compliance required by February 16, 2025.
• Reproductive Health Care Privacy Rules: Took effect June 25, 2024, with enforcement beginning December 23, 2024.

Related: The latest HIPAA updates and what's coming in 2025

Patient access changes

For small practices, the proposed Privacy Rule changes modify how quickly and in what ways you must provide patients with their medical information.

Changes and impacts:

1. Reduced response time: The timeframe for providing records would be cut from 30 days to 15 days, with a maximum 15-day extension (30 days total).
   • Small Practice Impact: This compressed timeline means smaller practices need to establish more efficient record retrieval processes with fewer staff members.
2. In-Person inspection rights: Patients would be allowed to inspect PHI in person and take notes or photographs.
   • Small practice impact: Practices need dedicated space and staff supervision for in-person inspections, which may strain limited office space in small practices.
3. Billing records access: The expanded definition of EHRs includes billing records, which must be provided upon request.
   • Small practice impact: Small practices often use separate systems for clinical and billing records, making fulfillment more labor-intensive.
4. Personal health apps: Practices must facilitate sending records to personal health applications.
   • Small practice impact: Small practices may lack technical expertise to ensure secure integration with various health apps.

Small practice strategy:

• Create standardized workflows for record requests with clearly assigned responsibilities
• Consider investing in patient portal technology that can automate much of the access request fulfillment
• Train a backup staff member for record fulfillment to ensure continuity during absences
• Develop a dedicated space where patients can privately view their records

HIPAA security rule cybersecurity requirements

Changes and impacts:

1. Technology asset inventory and network map: Required to be updated at least annually.
   • Small practice impact: Small practices often lack IT staff to catalog all devices and create detailed network maps.
2. Enhanced risk analysis requirements: More specific and technical risk assessment requirements.
   • Small practice impact: These analyses typically require specialized expertise that small practices may not have in-house.
3. Mandatory security measures:
   • Encryption of all ePHI at rest and in transit
   • Multifactor authentication
   • Regular vulnerability scans (every 6 months)
   • Annual penetration testing
   • Network segmentation
   • Regular security audits
   • Small practice impact: These requirements represent significant financial and operational investments for practices with limited budgets and technical expertise.
4. 72-hour recovery capability: Restoration procedures must enable recovery within 72 hours.
   • Small practice impact: Sophisticated backup systems and recovery planning may be beyond the current capabilities of many small practices.
5. Business associate verification: Annual verification of business associates' security measures.
   • Small practice impact: Small practices typically work with numerous vendors but lack leverage to demand security documentation.
     

Small practice strategy:

• Consider outsourcing cybersecurity functions to a managed service provider specializing in healthcare
• Investigate group purchasing arrangements through medical associations
• Prioritize implementation based on risk level – start with encryption and multifactor authentication
• Explore cloud-based security solutions with subscription models to reduce upfront costs
• Investigate potential grant funding or tax incentives for cybersecurity improvements

Related: HIPAA Compliant Email

Part 2 and substance use disorder treatment integration

The alignment of 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records) with HIPAA requirements eases some compliance burdens but adds new responsibilities.

Changes and impacts:

1. Single patient consent: Allows one consent for all future uses and disclosures for treatment, payment, and operations.
   • Small practice impact: Simplifies consent management but requires updated forms and processes.
2. No record segregation requirement: Part 2 records no longer need to be kept separate.
   • Small practice impact: Reduces administrative burden for small practices that treat substance use disorders.
3. New patient rights: Patients can request accounting of disclosures and restrictions on certain disclosures.
   • Small practice impact: Additional tracking requirements for small practices with limited staff.
4. Breach notification requirements: Apply to Part 2 records.
   • Small practice impact: Expands scope of breach response planning and staff training.
     

Small practice strategy:

• Update consent forms and Notice of Privacy Practices by the February 16, 2025 deadline
• Train staff on the new integrated approach to substance use disorder records
• Ensure EHR systems are configured to track disclosures appropriately
• Consider a comprehensive privacy policy review to ensure integration of Part 2 requirements

Reproductive health care privacy protections

New limitations on disclosures of reproductive health information affect all practices, regardless of whether they directly provide reproductive services.

Changes and impacts:

1. Broad definition of "Reproductive Health Care": Includes contraception, fertility treatments, pregnancy screening, and more.
   • Small practice impact: Even primary care providers must implement these protections.
2. Attestation requirements: Recipients of PHI must attest it won't be used for prohibited purposes.
   • Small practice impact: New administrative requirement to obtain attestations for certain disclosures.
3. Notice of privacy practices update: Required by February 16, 2025.
   • Small practice impact: Additional document updates and distribution requirements.
     

Small practice strategy:

• Develop attestation forms and processes for information requests
• Train staff on the broad definition of reproductive health information
• Update Notice of Privacy Practices to reflect changes
• Establish clear protocols for handling subpoenas related to reproductive health information

Learn more: How the updated HIPAA Privacy Rule supports reproductive healthcare privacy

HIPAA enforcement and audit changes

OCR has announced plans to resume HIPAA audits in 2025, with potential changes to enforcement approaches.

Changes and impacts:

1. Focused audits: Initial audits will focus on risk analysis and risk management requirements.
   • Small practice impact: These are areas where small practices typically struggle most due to resource constraints.
2. Recognized security practices: Benefits for practices that have implemented recognized security frameworks.
   • Small practice impact: Opportunity to potentially reduce penalties, but requires investment in documented security practices.
     

Small practice strategy:

• Conduct a gap analysis of current security practices against OCR's focus areas
• Document all security measures implemented and maintain evidence for potential audit
• Consider adopting a recognized security framework like NIST or HITRUST, even if in a limited capacity
• Maintain documentation of security practices for the full 12 months required to receive credit

Practical implementation strategies for small practices

1. Prioritization framework

Not all changes can be implemented simultaneously. Consider this prioritization approach:

1. Immediate compliance needs:
   • Update Notice of Privacy Practices (deadline: February 16, 2025)
   • Implement patient access workflow changes
   • Establish attestation processes for reproductive health information
2. High-risk security measures:
   • Implement multi-factor authentication
   • Ensure data encryption capabilities
   • Establish basic backup and recovery procedures
3. Longer-term implementation:
   • Network segmentation
   • Penetration testing
   • Comprehensive asset inventory
     
     

2. Budget-conscious technology solutions

• Cloud-based solutions: Consider SaaS options with monthly subscriptions rather than large capital expenditures
• Shared services: Explore group purchasing through medical associations or local healthcare coalitions
• Integrated platforms: Prioritize solutions that address multiple requirements simultaneously
  
  

3. Staff training and development

• Designate a HIPAA privacy and security officer with dedicated training
• Develop a "train-the-trainer" approach to maximize internal knowledge
• Consider online training resources specifically designed for small practices
  
  

4. Documentation strategies

• Create simple templates for required policies and procedures
• Establish consistent documentation practices for security measures
• Maintain evidence of compliance efforts to demonstrate good faith

Financial considerations for small practices

These regulatory changes come with financial implications:

Potential costs:

• Technology upgrades for encryption and authentication
• Security assessment and testing services
• Staff training and potential new personnel
• Policy and procedure development
• Documentation systems

The Healthcare Brew article states that, "Small practices would likely be hit hard by such costs because they would be held to the same standards as large healthcare conglomerates like UnitedHealth Group. 'In a small physician practice, the person who answers the phone is often the same person in charge of compliance,' James Madara, CEO and EVP of the American Medical Association, wrote in a March 6 letter responding to the proposed rule."

FAQs

Will there be financial assistance for small practices to comply with these changes?

There are no specific funding programs yet, but practices can explore grants, tax incentives, or group purchasing arrangements to offset costs.

What happens if a small practice cannot comply with the new security requirements?

Non-compliance can lead to penalties, increased audit risks, and potential patient data breaches, which may damage the practice’s reputation and finances.

How will the changes impact telehealth providers?

Telehealth providers must ensure all electronic protected health information (ePHI) is encrypted and implement multifactor authentication for access.

Will business associates, like IT vendors, be subject to stricter HIPAA enforcement?

Yes, practices must conduct annual security reviews of their business associates and ensure they meet HIPAA compliance standards.