HIPAA & Billing Compliance: 2025 Regulatory Update

  • July 28, 2025

Source: U.S. Department of Health and Human Services (Federal Register, Jan 6, 2025); Reuters; The HIPAA Journal; DoctorsManagement.com; Allzone; Network Depot

In 2025, U.S. healthcare providers face the most sweeping changes to HIPAA and medical billing compliance since 2013. HHS has introduced a Notice of Proposed Rulemaking (NPRM) to strengthen the Security Rule, while updates to the Privacy Rule are also under consideration. Together, these changes carry significant implications for compliance officers, billing teams, and healthcare organizations across the country.

Major Security Rule Overhaul

On January 6, 2025, HHS published its NPRM in the Federal Register, marking the largest Security Rule update in over a decade. The proposal requires annual technical inventories, enhanced risk assessments, mandatory multi-factor authentication (MFA), encryption, disaster recovery planning, vulnerability scanning, vendor oversight, and stricter workforce access controls. More than 4,000 public comments were submitted before the March 7 deadline, reflecting widespread concern and interest in the proposed changes.

Privacy Rule Updates & Patient Access Rights

The Privacy Rule updates, first proposed in 2020, aim to expand patient rights by simplifying medical record access, reducing delays, and formalizing fee disclosures. They also provide more flexibility for sharing PHI in treatment and coordination, particularly for substance use disorder and reproductive health. However, some provisions were struck down in 2024 by a Texas court, leaving the final regulatory direction uncertain.

Compliance & Billing Implications

The proposed changes have direct consequences for medical billing operations. MFA and encryption requirements will increase overhead for billing platforms, while shortened PHI request timelines and stricter fee disclosures will add new administrative burdens. Privacy updates may also force policy revisions, retraining of staff, and updated patient and payer communications. Rising cyber threats, including a 264 percent increase in ransomware attacks in 2024, further underscore the urgency of compliance.

Key Timelines & Next Steps

  • Final Rule expected in late 2025 or early 2026
  • Compliance period likely 180–240 days after publication of the Final Rule

Healthcare organizations are advised to prepare now by updating risk assessments, strengthening access controls, revising policies, and training staff to align with the upcoming requirements.

Conclusion

2025 represents a turning point for HIPAA compliance. With stricter cybersecurity standards and expanded patient rights, providers must act proactively to stay ahead of enforcement deadlines and maintain patient trust.