HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

New HIPAA rules signal compliance shifts ahead

Written by Farah Amod | Jul 8, 2025 6:18:24 PM

Federal regulators are preparing extensive HIPAA changes in 2025, with updates already enacted for reproductive health privacy and substance use disorder records, and broader security rule revisions on the horizon.

What happened

New HIPAA regulations introduced in 2024 and proposed for 2025 aim to modernize privacy protections, improve cybersecurity, and address longstanding compliance gaps. A final rule aligning substance use disorder (Part 2) regulations more closely with HIPAA took effect in April 2024, with compliance required by February 2026. Meanwhile, the proposed HIPAA Security Rule update, published in January 2025, outlines extensive new cybersecurity requirements and is now under review.

At the same time, the HIPAA Privacy Rule update to strengthen reproductive healthcare privacy was vacated by a federal judge in Texas in June 2025, creating further uncertainty. The final status of these proposed and existing rules will depend heavily on decisions made by the newly seated Trump-Vance administration.

Going deeper

Notable changes already in effect include expanded patient rights over substance use disorder records, with broader consent options and new safeguards against legal and discriminatory misuse. The final rule also brings Part 2 violations under HIPAA’s breach notification and civil penalty standards and requires updates to entities’ Notices of Privacy Practices.

Separately, the proposed HIPAA Security Rule update represents the first major overhaul since 2013. It eliminates the distinction between ‘addressable’ and ‘required’ implementation specifications, mandates annual internal audits, detailed risk analyses, network mapping, incident response testing, and multi-factor authentication. Many updates reflect current cybersecurity best practices, but implementation could be costly and operationally complex, especially for under-resourced healthcare organizations.

Notably, the Privacy Rule update to protect reproductive health information, finalized in 2024, has been struck down nationwide by court order. The judge ruled that the Department of Health and Human Services exceeded its authority. The rule had been designed to limit the use of PHI in abortion-related legal actions, especially across state lines.

What was said

The Office for Civil Rights (OCR) has acknowledged the challenges ahead and stated the need for improved cyber resilience in healthcare. It continues to push for stronger enforcement of risk analyses, breach response, and access rights. However, final decisions on the proposed rules are now subject to political leadership under the Trump-Vance administration.

In previous statements, OCR noted that the proposed cybersecurity rules are grounded in practices already recommended through the Healthcare Sector Cybersecurity Performance Goals (CPGs), which include email security, endpoint protection, and system patching.

The big picture

HIPAA-regulated entities are navigating a period of regulatory uncertainty. Proposed changes to the Security Rule may expand cybersecurity requirements across the sector, driven in part by the continued rise in ransomware incidents and patient data breaches. At the same time, ongoing legal and political developments, particularly around reproductive health, are adding complexity to compliance planning.

FAQs

How does aligning Part 2 with HIPAA improve care coordination?

It allows providers to access substance use disorder records under broader patient consent, helping them avoid harmful prescription decisions and gain a more complete view of patient history.

What happens if the proposed Security Rule is delayed or withdrawn?

HIPAA-regulated entities would continue operating under outdated standards, though the threat landscape has changed. Voluntary adoption of the proposed practices may still reduce risk and support enforcement leniency.

What are examples of “recognized security practices” under the HIPAA Safe Harbor Law?

Practices include documented risk analyses, endpoint protection, multi-factor authentication, and regular staff training, all implemented consistently over 12 months.

Why was the reproductive health privacy rule struck down?

A federal judge ruled that HHS overstepped its statutory authority by attempting to limit how states enforce their own abortion-related laws through HIPAA.