In December 2023, HHS published a Notice of Proposed Rulemaking (NPRM) that would represent the most significant overhaul of the HIPAA Security Rule since its original adoption in 2003. If your organization has been treating compliance as a set-it-and-forget-it exercise, these recent HIPAA updates should be your wake-up call. The regulatory landscape is shifting, and covered entities and business associates that fail to adapt face real enforcement consequences.
Recent HIPAA Updates to the Security Rule: The Proposed 2024 Overhaul
The proposed Security Rule changes, formally published in the Federal Register on January 6, 2025, eliminate the distinction between "required" and "addressable" implementation specifications. Under the current rule, organizations have used the "addressable" label as an excuse to skip controls they deemed too costly or complex. That loophole is closing.
Key proposals include mandatory encryption of all electronic protected health information (ePHI) both at rest and in transit, written technology asset inventories updated at least every 12 months, and network segmentation requirements. Organizations would also need to conduct a risk analysis annually — not just when they feel like it.
Perhaps most notable: the proposal requires covered entities to verify at least once every 12 months that their business associates' security controls are actually in place. Compliance on paper will no longer satisfy OCR.
OCR Enforcement Trends That Signal Where Regulators Are Heading
Even before these proposed changes become final, OCR enforcement actions throughout 2023 and 2024 have telegraphed the agency's priorities. In 2023, OCR settled or imposed penalties in cases totaling over $4 million, with risk analysis failures appearing in nearly every resolution agreement.
The agency's continued use of its HIPAA Right of Access Initiative is another trend your organization cannot ignore. Since launching the initiative in 2019, OCR has settled over 45 cases involving organizations that failed to provide patients timely access to their records. Penalties have ranged from $3,500 to $240,000 — even for small practices.
OCR Director Melanie Fontes Rainer has publicly stated that compliance with the HIPAA Privacy Rule's individual access provisions is a top enforcement priority. If your workforce doesn't understand the 30-day response requirement for access requests, you are exposed.
Reproductive Health Privacy Protections Now in Effect
One of the most consequential recent HIPAA updates took effect on June 25, 2024. The final rule amending the Privacy Rule prohibits covered entities and business associates from disclosing PHI related to lawful reproductive healthcare for certain purposes — including law enforcement investigations or civil litigation in states where that care is legal.
This change added a new layer of complexity to your Notice of Privacy Practices. Every covered entity was required to update their Notice of Privacy Practices by December 23, 2024, to reflect these new reproductive health protections. Organizations that missed this deadline are already in potential violation.
The rule also introduced a new attestation requirement: entities requesting PHI related to reproductive health for certain purposes must provide a signed attestation that the information will not be used to investigate or penalize lawful reproductive care.
The Workforce Training Requirement Most Organizations Underestimate
Each of these regulatory changes triggers an obligation under 45 CFR §164.530(b): workforce training. The Privacy Rule requires that every member of your workforce receive training on the policies and procedures relevant to their job functions, and that this training be updated whenever material changes occur.
With the reproductive health amendments, the proposed Security Rule overhaul, and ongoing enforcement around right of access, your training program from 2022 is already outdated. A comprehensive HIPAA training and certification program ensures your staff understands current requirements, not yesterday's rules.
OCR has specifically cited inadequate workforce training as a contributing factor in multiple enforcement actions. Training isn't a checkbox — it's an ongoing obligation tied directly to every policy change your organization implements.
Action Steps to Address Recent HIPAA Updates Now
Healthcare organizations consistently struggle with translating regulatory changes into operational action. Here's what you should prioritize immediately:
- Conduct a fresh risk analysis. If the proposed Security Rule becomes final, annual risk analyses will be mandatory. Start building the habit now. Document every identified risk and your mitigation plan.
- Audit your business associate agreements. Ensure every BAA is current, includes breach notification timelines consistent with the Breach Notification Rule, and accounts for any new security requirements.
- Update your Notice of Privacy Practices. If you haven't incorporated the reproductive health protections, do it immediately. Distribute the updated notice to patients and post it on your website.
- Implement or verify encryption. The proposed rule makes encryption non-negotiable. Evaluate your current ePHI encryption status across all systems, devices, and transmission methods.
- Retrain your entire workforce. Every material change to HIPAA policy requires updated training. Partner with a dedicated HIPAA compliance platform to ensure your team stays current as rules evolve.
What These Recent HIPAA Updates Mean for Your Compliance Posture
The common thread across every 2024 and 2025 development is accountability. OCR is moving away from vague, flexible standards and toward specific, verifiable, and enforceable requirements. The minimum necessary standard remains in effect, but the bar for demonstrating compliance is rising.
Organizations that proactively adapt — updating policies, retraining staff, and documenting their efforts — will be positioned to weather enforcement scrutiny. Those that wait for final rules before acting will find themselves scrambling to catch up under compressed timelines.
The recent HIPAA updates are not subtle. They reflect an agency that has studied two decades of compliance failures and is closing the gaps. Your organization's response should match that urgency.