Patient Protect

Regulatory intelligence

HIPAA is changing. Here is what it means for your practice.

We track proposed rules, final rules, enforcement guidance, and OCR announcements — and translate them into plain-language analysis with specific action items for independent practices.

Last reviewed April 2026 · Updated when regulations change

Upcoming changes

Rules that will affect your practice.

These proposed or pending rules are not yet in effect but will require action when finalized. Start preparing now.

Proposed

HIPAA Security Rule Amendments

89 FR 980, January 6, 2025 (NPRM)

Proposed: Jan 6, 2025 · Comments: Mar 7, 2025 · Final: Expected 2026

The most significant update to the HIPAA Security Rule since its adoption. Proposes mandatory encryption of all ePHI at rest and in transit, multi-factor authentication for all users accessing ePHI, network segmentation, vulnerability scanning every 6 months, penetration testing annually, and 72-hour incident notification to HHS. Removes the distinction between 'required' and 'addressable' implementation specifications — everything becomes required.

What it means for your practice

  • Encryption becomes mandatory — no more 'addressable' exception. If you're not encrypting ePHI at rest and in transit today, you'll be in violation when this takes effect.
  • MFA required for every user accessing ePHI — shared logins and password-only access will be non-compliant.
  • Network segmentation required — your practice network must separate ePHI systems from general-use devices.
  • Vulnerability scans every 6 months and annual penetration testing — most independent practices have never done either.
  • 72-hour notification to HHS (vs. current 60 days) for breaches — drastically shorter response window.
  • Written technology asset inventory and network map required — you must document every system that touches ePHI.

What to do now

  1. Verify encryption is enabled on all systems storing or transmitting ePHI (EHR, email, backups, cloud storage)
  2. Implement MFA on all accounts with ePHI access — start with EHR and email
  3. Conduct a technology asset inventory — document every device, system, and vendor that touches patient data
  4. Engage an IT provider or MSP to assess network segmentation requirements
  5. Review your incident response plan — update the notification timeline to 72 hours
  6. Schedule your first vulnerability scan if you've never done one

Patient Protect: Patient Protect already enforces encryption (AES-256-CBC), role-based access with MFA, and immutable audit logging. When the final rule takes effect, practices on Patient Protect will already satisfy the majority of new requirements.

Currently in effect

Rules your practice must follow today.

Effective

Reproductive Health Information Privacy Protections

89 FR 32976, April 26, 2024

Strengthens privacy protections for reproductive health information under HIPAA. Prohibits use or disclosure of PHI related to lawful reproductive health care for investigation, prosecution, or identification purposes. Requires updated Notice of Privacy Practices and new attestation requirements before disclosing reproductive health information.

Practice impact & action items

What it means

  • Notice of Privacy Practices must be updated to include new reproductive health privacy protections.
  • New attestation requirement — before disclosing reproductive health information, requestors must attest the information will not be used for prohibited purposes.
  • Staff training must cover the new restrictions on reproductive health information disclosure.
  • Applies to all covered entities regardless of state — even in states without additional reproductive privacy laws.

What to do

  1. Update your Notice of Privacy Practices to include reproductive health privacy language
  2. Train staff on the new attestation requirement for reproductive health information requests
  3. Review and update your policies on responding to law enforcement requests for reproductive health records
  4. Document the updated NPP distribution to patients

Patient Protect: Patient Protect's policy generation templates include the updated NPP language and attestation requirements. Training modules cover the new reproductive health disclosure restrictions.

Effective

HIPAA Right of Access Enforcement Initiative

Ongoing OCR enforcement priority (2019-present)

OCR's sustained enforcement initiative targeting practices that fail to provide patients timely access to their medical records. Over 45 enforcement actions and settlements since 2019, with penalties ranging from $3,500 to $240,000. OCR has made clear that right of access violations are a top enforcement priority regardless of practice size.

Practice impact & action items

What it means

  • Patients must receive their records within 30 days of request (one 30-day extension allowed with written explanation).
  • You cannot charge more than a reasonable, cost-based fee for copies — and electronic copies must be provided at no more than the cost of labor.
  • OCR is actively pursuing small practices — several enforcement actions have been against solo providers and small groups.
  • Failure to respond to a records request at all results in the highest penalties.

What to do

  1. Establish a documented process for receiving and fulfilling patient records requests
  2. Train front desk staff on the 30-day response timeline and fee limitations
  3. Verify your EHR can export records in the format patients request (especially electronic formats)
  4. Log all records requests with dates — the timeline is your defense in an OCR investigation

Patient Protect: Patient Protect's record management module tracks patient access requests with deadline alerts and completion logging. Audit trail documents your response timeline for OCR evidence.

Effective

42 CFR Part 2 — Substance Use Disorder Records Alignment

89 FR 12472, February 16, 2024

Aligns the confidentiality requirements for substance use disorder (SUD) patient records with HIPAA, as required by the CARES Act. SUD records can now be used and disclosed under the same Treatment, Payment, and Health Care Operations (TPO) framework as other PHI, with certain additional protections maintained — including prohibitions on use in criminal proceedings without patient consent.

Practice impact & action items

What it means

  • If your practice treats substance use disorders, you can now share SUD records for TPO purposes under HIPAA rules — previously required separate patient consent for each disclosure.
  • Criminal use prohibition remains — SUD records still cannot be used to investigate or prosecute patients.
  • BAAs now apply to SUD records the same way they apply to other PHI.
  • Behavioral health and primary care practices with SUD patients benefit most from the streamlined disclosure rules.

What to do

  1. Review your consent forms for SUD patients — update to reflect the new TPO disclosure permissions
  2. Update BAAs with vendors who handle SUD records to ensure HIPAA-standard protections apply
  3. Train staff on the distinction: TPO disclosures are now permitted, but the criminal use prohibition remains
  4. Update your Notice of Privacy Practices if it contains SUD-specific language that predates this rule

Patient Protect: Patient Protect's policy templates and training modules cover the updated 42 CFR Part 2 alignment. BAA management tracks vendor compliance across all PHI categories including SUD records.

Effective

Information Blocking Rules (ONC/CMS)

85 FR 25642 (ONC Final Rule, 2020); enforcement active 2024+

Prohibits healthcare providers, health IT developers, and health information exchanges from practices that unreasonably limit the access, exchange, or use of electronic health information (EHI). ONC can refer providers to HHS-OIG for investigation. Penalties of up to $1 million per violation for health IT developers; providers face appropriate disincentives determined by HHS.

Practice impact & action items

What it means

  • You cannot refuse to share electronic health information with patients or other providers unless an exception applies.
  • Switching EHR vendors? Your current vendor cannot block data portability or charge unreasonable fees for data export.
  • Applies to all EHI, not just the USCDI data set — broader than many practices realize.
  • Enforcement is escalating — ONC published its first enforcement actions in 2024.

What to do

  1. Review your EHR vendor's data export capabilities — ensure you can provide complete EHI on request
  2. Don't restrict patient portal access or limit the data patients can view without a valid exception
  3. If switching EHR vendors, ensure your current vendor provides full data export at reasonable cost
  4. Document any instances where you limit information sharing, with the specific exception that applies

Patient Protect: Patient Protect's compliance engine monitors information sharing practices and flags potential blocking behaviors. The platform ensures your record management workflows support full EHI access.

Effective

State-Level Health Privacy Laws (2024-2026)

Multiple state legislatures

Multiple states have enacted health privacy laws that exceed HIPAA in specific areas. These apply to healthcare practices regardless of HIPAA coverage and create additional compliance obligations that federal law does not address.

Practice impact & action items

What it means

  • Washington My Health My Data Act — applies to consumer health data NOT covered by HIPAA. Includes private right of action.
  • California CMIA + CCPA/CPRA — additional patient privacy protections and consumer data rights for California practices.
  • Texas TDPSA — comprehensive consumer data privacy with broad applicability to healthcare marketing data.
  • New York SHIELD Act — expanded security requirements and breach definitions for any entity holding NY residents' data.
  • Illinois BIPA — strict biometric data requirements affecting practices using fingerprint scanners or facial recognition.

What to do

  1. Identify which state laws apply to your practice based on where your patients reside — not just where you're located
  2. Review state-specific breach notification deadlines — some are as short as 30 days (CO, FL, ME, SC, WA)
  3. Check whether your state requires AG notification and at what threshold
  4. Consult the Patient Protect state compliance pages for your specific state requirements

Patient Protect: Patient Protect tracks state-specific compliance requirements for all 50 states. The breach intelligence dashboard includes state-level data with notification deadlines and AG requirements at patient-protect.com/breachdash/state.

Stay ahead

Get regulatory updates in your inbox.

HIPAA Pulse delivers breach alerts, enforcement actions, and regulatory changes to independent practices — weekly, free.

FAQ

Common questions about HIPAA regulations.

How often does HIPAA change?

Major HIPAA rule changes happen infrequently — typically a few times per decade. However, enforcement priorities, guidance documents, and state-level laws change more frequently. The proposed Security Rule amendments (January 2025) are the most significant update in over 10 years. OCR also issues periodic guidance that doesn't change the rules but clarifies how they're enforced.

Who enforces HIPAA?

The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is the primary HIPAA enforcement agency. OCR investigates complaints, conducts compliance reviews, and issues penalties. State Attorneys General can also enforce HIPAA provisions. The Department of Justice (DOJ) handles criminal HIPAA violations.

What happens if I don't comply with new HIPAA rules?

Non-compliance can result in civil monetary penalties ranging from $137 to $2,067,813 per violation, depending on the level of culpability. When new rules take effect, OCR typically provides an implementation period before active enforcement begins. However, OCR has stated that 'lack of awareness' is not a valid defense — covered entities are expected to monitor and implement regulatory changes.

Do state privacy laws override HIPAA?

State laws don't override HIPAA — but they can add requirements on top of it. When a state law provides stronger privacy protections than HIPAA, practices must comply with both. For example, California's CMIA provides a private right of action for patients, and Washington's My Health My Data Act covers consumer health data that HIPAA doesn't address.

Regulations change. Your compliance shouldn't break.

Patient Protect updates as the rules do.

When the Security Rule amendments take effect, practices on Patient Protect will already meet the majority of new requirements. That's the difference between compliance software and a compliance platform.