In December 2023, OCR issued its largest-ever HIPAA settlement — a $4.75 million penalty against Montefiore Medical Center after a workforce member stole protected health information of over 12,000 patients. That case set the tone for what has become one of the most active regulatory periods in HIPAA's history. If your organization hasn't been tracking the latest HIPAA updates, you're already behind on changes that will directly affect your compliance obligations in 2025 and beyond.

The Latest HIPAA Updates You Can't Afford to Miss

The regulatory landscape has shifted more in the past 18 months than in the previous five years combined. HHS has proposed sweeping changes to the HIPAA Security Rule, OCR has sharpened its enforcement priorities, and new guidance on reproductive health information has added complexity for every covered entity and business associate.

Here's what matters most — broken down by the changes that require immediate action.

Proposed HIPAA Security Rule Overhaul: What's Coming

On December 27, 2024, HHS published a Notice of Proposed Rulemaking (NPRM) to modernize the HIPAA Security Rule under 45 CFR Part 164. This is the most significant proposed revision to the Security Rule since the Omnibus Rule of 2013.

Key proposals include:

  • Eliminating the distinction between "required" and "addressable" implementation specifications. Under the proposal, all specifications would become mandatory. Organizations that previously documented why an addressable specification was unreasonable would lose that flexibility.
  • Mandatory encryption of all electronic PHI at rest and in transit. No more treating encryption as addressable — every covered entity and business associate would need full encryption with no exceptions.
  • Written risk analysis requirements with specific methodology. The proposed rule would require a technology asset inventory, a threat identification process, and a vulnerability assessment — documented in writing and updated at least every 12 months.
  • 72-hour system restoration requirements. Organizations would need documented plans to restore critical systems within 72 hours of a disruption.
  • Annual compliance audits. The proposal calls for yearly audits verifying that all Security Rule safeguards are in place and functioning.

The public comment period closed on March 7, 2025. A final rule could arrive later this year, though the timeline remains uncertain. Healthcare organizations should begin gap assessments now — waiting for the final rule to start preparing is a mistake I've seen too many organizations make.

Reproductive Health Privacy Rule: Effective June 2025

The HIPAA Privacy Rule amendment addressing reproductive health information took effect on June 25, 2024, with a compliance deadline of December 23, 2024 for most provisions, including workforce training on the new restrictions.

This rule prohibits covered entities and business associates from using or disclosing PHI to investigate or impose liability on individuals seeking lawful reproductive healthcare. It also requires updates to your Notice of Privacy Practices to reflect these protections.

If your organization hasn't updated its Notice of Privacy Practices and retrained workforce members on these new restrictions, you are already out of compliance. HIPAA training and certification programs that cover the reproductive health amendments are essential for bringing your staff current.

OCR's enforcement activity in 2024 made one thing clear: the agency is not slowing down. Beyond the Montefiore settlement, OCR resolved multiple cases through its HIPAA Right of Access Initiative, collecting penalties from organizations that failed to provide patients with timely access to their records.

Notable 2024 enforcement actions include:

  • Heritage Valley Health System — $950,000 settlement for Security Rule failures exposed during a ransomware attack.
  • Rifkin Medical Associates — $160,000 penalty under the Right of Access Initiative for failing to provide a patient's records within 30 days.
  • Multiple small practices penalized between $30,000 and $100,000 for inadequate risk analysis — a consistent OCR target.

The pattern is unmistakable. OCR investigates breaches and routinely finds the same root causes: incomplete risk analysis, missing workforce training documentation, and insufficient technical safeguards. Your organization's risk analysis is the single most scrutinized document in any OCR investigation.

The Workforce Training Requirement Most Organizations Underestimate

Under 45 CFR § 164.530(b), every covered entity must train all workforce members on HIPAA policies and procedures. The proposed Security Rule changes would add specificity to security awareness training, potentially requiring training within specific timeframes and on defined topics.

In my work with covered entities, I consistently find that training documentation is the weakest link. Organizations conduct training but fail to maintain records proving who was trained, when, and on what content. OCR expects evidence — sign-in sheets, completion certificates, or system-generated reports.

Investing in workforce HIPAA compliance programs that generate auditable completion records solves this problem and positions your organization to demonstrate compliance during an OCR review.

How to Prepare for the Latest HIPAA Updates Right Now

Waiting for final rules to take effect before acting is a compliance failure in progress. Here's what your organization should prioritize today:

  • Conduct a comprehensive risk analysis using the methodology outlined in the proposed Security Rule. Even if the rule isn't finalized, OCR already expects thorough, documented risk analysis under the current rule.
  • Encrypt all electronic PHI at rest and in transit. If you're treating encryption as addressable now, shift to treating it as mandatory — the regulatory direction is clear.
  • Update your Notice of Privacy Practices to include reproductive health information protections.
  • Retrain your entire workforce on current HIPAA requirements, including the reproductive health amendments and the minimum necessary standard for PHI access and disclosure.
  • Review all business associate agreements to ensure they reflect current regulatory expectations and include provisions for the Security Rule changes under consideration.
  • Document everything. OCR enforcement succeeds most often when organizations cannot produce written evidence of their compliance activities.

The Cost of Falling Behind on HIPAA Compliance

HIPAA violations carry penalties ranging from $141 to $2,134,831 per violation category per year, as adjusted for inflation in 2024. But the real cost extends beyond fines — reputational damage, patient trust erosion, and operational disruption from OCR corrective action plans can cripple a healthcare organization.

The latest HIPAA updates signal a regulatory environment that demands proactive, documented compliance. OCR has made clear that ignorance of regulatory changes is not a mitigating factor. Whether you're a large health system or a solo practice, the expectations are the same.

Start with a current risk analysis. Update your policies. Train your workforce. These aren't aspirational goals — they're the baseline OCR expects when it opens your file.