The 2025 HIPAA Security Rule Update: What Clinics Need to Know
The biggest HIPAA overhaul in a decade is coming. Here's what the proposed changes mean for small and mid-size clinics — and what to do now before enforcement begins.
In January 2025, HHS published a Notice of Proposed Rulemaking (NPRM) in the Federal Register to modernize the HIPAA Security Rule -- the first major revision since the 2013 Omnibus Rule. The proposed changes are sweeping, and they would apply to every covered entity and business associate that creates, receives, maintains, or transmits electronic protected health information (ePHI), from hospital systems down to solo dental practices.
What Is Actually Changing
The single most important shift: the distinction between "addressable" and "required" implementation specifications would be eliminated. Under the current rule, a clinic can decline an addressable specification such as encryption if it documents why the measure is not reasonable and appropriate and puts an equivalent alternative in place. Under the proposal, every specification is required, with only narrow, explicitly enumerated exceptions.
Here are the five core changes:
| Area | Current Rule (2013) | Proposed Rule (2025 NPRM) |
|---|---|---|
| Encryption | "Addressable" -- may be skipped with documented justification and an alternative measure | Required for all ePHI at rest and in transit, with limited exceptions |
| MFA | Not explicitly required | Required for technology assets that access ePHI, with limited exceptions |
| Risk Analysis | Required; review frequency and content unspecified | Written risk analysis with specified content, reviewed at least every 12 months, plus an annual compliance audit |
| Incident Response and Recovery | Contingency plan required; no restoration deadline | Critical systems and data must be restorable within 72 hours; business associates must notify covered entities within 24 hours of activating their contingency plan (the 60-day breach notification deadline under the Breach Notification Rule is unchanged) |
| Business Associates | BAAs must exist | BAs must verify their technical safeguards to the covered entity at least every 12 months, via a written analysis by a subject matter expert and a written certification |
Timeline Is Tighter Than You Think
The final rule is expected late 2025 or early 2026. As proposed, regulated entities would have 180 days from the final rule's effective date (itself 60 days after publication) to comply. No staggered timeline has been proposed -- small clinics face the same deadline as large health systems. Organizations that wait for the final rule before acting will be scrambling.
What to Do Right Now
Inventory your ePHI touchpoints. Every device, app, and service that stores or transmits patient data -- workstations, EHR, email, cloud storage, intake tablets, third-party tools. The NPRM would make this a formal requirement: a written technology asset inventory and a network map showing how ePHI moves through your systems, both reviewed at least every 12 months, so build the inventory in a form you can keep current rather than as a one-off spreadsheet.
Enable encryption everywhere. Confirm ePHI is encrypted at rest and in transit across every system. If your EHR vendor doesn't encrypt data at rest, start that conversation today.
Turn on MFA. Most EHR platforms and email providers already support it. For systems that don't, begin evaluating replacements.
Build an incident response and recovery plan that meets the 72-hour restoration target. Decide which systems are critical (EHR, scheduling, imaging, email), confirm that backups of those systems exist, are kept separate from production, and can actually be restored within 72 hours, and rehearse the restore at least once. Keep the existing breach notification obligations in the same plan: the 60-day clock starts when any workforce member becomes aware of a breach, not when leadership is notified. Document the escalation path and train everyone on it.
Audit your vendors. Confirm a signed BAA exists with every Business Associate. Prepare a process to collect annual written compliance certifications.
Key Takeaways
- The "addressable" flexibility would be eliminated -- encryption and MFA would be mandatory, with only narrow exceptions.
- Critical systems and data would have to be restorable within 72 hours, and business associates would have 24 hours to tell you they have activated a contingency plan; the 60-day breach notification deadline stays, so the response plan must cover both and every staff member must understand it.
- Clinics must actively verify vendor compliance annually, not just file a BAA and forget it.
- The 180-day compliance window, counted from the final rule's effective date, applies equally to small practices and large systems -- there is no grace period for size.
- None of these requirements are exotic. The challenge is prioritization and follow-through, not technical complexity. Start now.
Sources: HHS OCR Breach Portal | Verizon 2024 DBIR | NIST CSF 2.0 | Federal Register NPRM