🛡️ 2025 HIPAA Security Rule Overhaul: What You Need to Know

1. Mandatory “Addressable” Controls Become Required

The 2025 NPRM (Notice of Proposed Rulemaking) eliminates the “addressable” vs. “required” distinction—almost every implementation spec becomes mandatory. This includes:

• Multi-Factor Authentication (MFA) across all PHI-access systems dstech.netbimgroup.us+6duo.com+6reuters.com+6blog.rsisecurity.com+6reuters.com+6dstech.net+6

• Encryption for ePHI at rest and in transit hyperproof.io

2. Tech Asset Inventory & Network Mapping

• Required annual inventory of every device, application, and system (servers, tablets, even wearables) interacting with PHI

• Detailed network maps to illustrate data flow and dependencies reuters.com+2dstech.net+2federalregister.gov+2

3. Expanded and Frequent Risk Assessments

• Risk analyses now must include threats across entire supply chains and external vendors

• Penetration testing at least yearly; vulnerability scans every six months reuters.com+2duo.com+2dstech.net+2dstech.net+1reuters.com+1

4. Incident Response, Disaster Recovery & Contingency Planning

• Formal incident response plans, documented and tested annually

• Disaster recovery obligations: restore critical systems within 72 hours of failure reuters.com+2dstech.net+2axios.com+2

• Business associates must notify downstream partners within 24 hours of contingency plan activation reuters.com+1federalregister.gov+1

5. Vendor Oversight & BAAs

• Heightened vendor oversight: due diligence, formal risk verifications, and faster notifications hyperproof.io+1cyera.com+1

6. Annual Compliance Audits

• Required internal or external compliance audits at least once annually, ensuring adherence to standards 

7. Workforce Security & Access Termination

• Role-based access policies with automatic de-provisioning within one hour of employee exit

• Annual testing of access protocols reuters.com

Why This Update? The Context Behind the Changes

• Cyberattacks fuel acceleration: A 264% rise in ransomware in 2024 triggered this overhaul reuters.com+1theverge.com+1

• AI and data sharing methods introduced new risk vectors that needed fresh safeguards 

HHS estimated $9 billion in compliance costs in year one, followed by $6 billion annually from 2026–2029 hhs.gov+4axios.com+4theverge.com+4.

📅 Timeline & Next Steps

• NPRM published: January 6, 2025

• 60-day public comment period ended March 7, 2025 hipaaguide.net+9hipaajournal.com+9reuters.com+9

• Final rule expected: late 2025 to early 2026 cyera.com

• Compliance deadlines: likely 180 days after publication, with phased implementation across 6–24 months reuters.com+3reuters.com+3cyera.com+3

🔮 Future & Ongoing HIPAA Evolutions

• Reproductive health privacy: Stronger Privacy Rule protections enacted June 2024, currently under legal challenge reuters.com

• OCR enforcement expansion: Greater scrutiny on patient access rights and information-blocking, especially as AI tools emerge reuters.com

• HITECH Act updates: Expected changes to align OCR penalties and “recognized security practices,” including patient recovery share provisions hhs.gov+1hipaaguide.net+1

🧭 How TidyView IT Can Help You Navigate & Comply

TidyView IT specializes in preparing small practices for this complex environment—without breaking the bank. We offer:

1. Gap analysis & remediation roadmap aligned with new 2025 controls

2. Tech asset inventories & automated network mapping

3. MFA, encryption, role-based access, backups & incident response frameworks

4. Bi-annual vulnerability scanning, annual penetration testing & compliance audits

5. Vendor assessment support and Business Associate Agreement reviews

6. Employee access training, policy documentation, and policy testing

7. Tailored implementation timelines to match evolving federal deadlines

👩‍⚕️ Bottom line: These updates mark the most significant HIPAA revision since 2013—meaningful, mandatory, and non-negotiable. TidyView IT transforms compliance into a structured, manageable process—keeping your patients safe, your practice secure, and your budget on track.

👉 Ready to stay ahead? Book a no-cost compliance review today at www.tidyviewit.com/book-online