HIPAA Updates in 2026

The core HIPAA Privacy and Security Rules were written in a very different era, before cloud computing, large-scale data exchange, and ransomware became a systemic risk to healthcare. While there have been updates to address the digital age (namely, HITECH), there are still gaps in HIPAA’s approach to distributed cloud systems.  

The latest round of HIPAA updates, including proposed updates to both the Privacy Rule and the Security Rule, represents the most consequential modernization effort since the launch of HITECH.


Why HIPAA Is Being Updated Now

Over the last several years, healthcare has become one of the most targeted industries for attackers. At the same time, patients expect digital access to their information, and the friction involved in obtaining medical records has become increasingly difficult to justify.

The Department of Health and Human Services has openly acknowledged that HIPAA, as written, no longer reflects modern healthcare delivery or modern security realities. The updates now under consideration aim to close that gap by strengthening safeguards, reducing ambiguity, and modernizing expectations for access and accountability.


The Privacy Rule: Faster Access and Greater Transparency

The proposed updates to the HIPAA Privacy Rule are designed to modernize patient access, reduce administrative friction, and better reflect how healthcare data is actually used today. While the intent is to improve transparency and access, the operational impact for covered entities and business associates is significant.

The most notable proposed changes concern patient rights and efficiency.


Expanded and Accelerated Patient Access Rights

The updated rule shortens the timeframe for responding to patient requests for access to their health information. This change reflects growing expectations that electronic health data should be available quickly and without unnecessary administrative delays. Organizations will need to ensure their workflows, staffing models, and technical systems can support faster turnaround times without compromising security.


Clearer Rules for Directing PHI to Third Parties

Patients would gain greater control over their health information and be able to direct it to third-party applications and services. This includes health apps, care coordination platforms, and other digital tools. Covered entities will need clearer processes for validating these requests while ensuring data is transferred securely and in compliance with HIPAA’s minimum necessary standards.


Limits on Fees and Administrative Barriers

The proposed rule reinforces limits on what organizations can charge for copies of records and discourages practices that effectively block patient access. Excessive fees, unnecessary paperwork, or overly restrictive access processes may be treated as compliance failures.


Clear Definitions and Use Cases

Several long-standing gray areas are addressed through updated definitions and guidance, including:

These clarifications aim to reduce inconsistent interpretations that have historically created compliance risk.


Better Portability

The Privacy Rule changes support broader federal efforts around interoperability and data portability. Regulators are increasingly treating patient access as a right that must be ensured through system design and policy language.


The Security Rule: From High-Level Guidance to Operational Expectations

The proposed updates to the HIPAA Security Rule represent a more fundamental shift. While the Privacy Rule focuses on rights and access, the Security Rule updates focus on how organizations demonstrate that they are actively protecting health data.


Stronger Requirements for Risk Analysis and Risk Management

Organizations will be expected to conduct more thorough, ongoing risk analyses rather than treating them as periodic compliance exercises. Risk assessments must:


Reduced Reliance on “Addressable” Safeguards

Historically, HIPAA allowed organizations to decide for themselves whether certain "addressable" controls were "reasonable and appropriate" for their environment. The proposed updates reduce this flexibility by setting clearer expectations for which safeguards are required.

Controls related to access management, audit logging, encryption, and system monitoring are increasingly treated as baseline requirements rather than optional measures.


Greater Emphasis on Technical Safeguards

The Security Rule updates reinforce the need for technical controls that actively prevent and detect security incidents, including strong access controls and identity management, audit logging and monitoring of system activity, data encryption, and regular vulnerability scans.


Enhanced Incident Response and Recovery Expectations

Organizations will be expected to demonstrate that they have documented response plans and reporting workflows, that they can contain and recover from security events, and that they can perform forensic analysis and produce post-incident improvement reports after an event occurs.


Increased Focus on Vendor and Third-Party Risk

With so much PHI handled by vendors, cloud platforms, and service providers, the updated Security Rule places greater responsibility on organizations to assess and monitor third-party risk. This includes conducting due diligence on vendors, continually reviewing their SOPs, contracts, and deployed security controls, and managing the flow of data into and out of workflows that span multiple vendors.


Alignment With 42 CFR Part 2

Not all HIPAA-related changes are still in proposal form. One of the most significant finalized updates aligns HIPAA more closely with 42 CFR Part 2, which governs substance use disorder treatment records.

Historically, Part 2 imposed stricter privacy requirements than HIPAA, creating barriers to care coordination and operational complexity for providers. The updated rule allows for more consistent data sharing while maintaining strong privacy protections for particularly sensitive information.


What These Changes Mean for Healthcare

Taken together, the HIPAA updates signal a clear shift in regulatory philosophy. Compliance is no longer a matter of having the right paperwork in place; it is a matter of demonstrating that privacy and security are operationalized throughout the organization.

For healthcare providers and business associates, this has several practical implications.


Stay Ahead of HIPAA Changes with Lazarus Alliance

The upcoming HIPAA changes reflect a broader truth about the modern healthcare environment: compliance cannot be static.

To learn more about how Lazarus Alliance can help, contact us.
