HIPAA Updates For Healthcare Professionals_Are You Ready is the theme of the image that shows a group of healthcare professionals staring straight at you

How will the new HIPAA updates impact your healthcare firm?

Here are some scenarios.

TLDR

The proposed 2025 HIPAA updates for healthcare professionals and entities are here, and they are expected to increase the burden on healthcare professionals in the short term. Policies and procedures will need to be updated, and changes will be required to HIPAA Notices of Privacy Practices. We have outlined the 15 major changes in this update. To make them easier to understand, we have provided use cases along with the changes that healthcare professionals in practices and organizations will need to roll out after the HIPAA update.

A Quick Primer On The New HIPAA Updates For Healthcare Professionals

The proposed updates to the HIPAA Privacy Rule are as follows:

  • Allowing patients to inspect PHI in person and take notes or photographs of their PHI.
  • Changing the maximum time to provide access to PHI from 30 days to 15 days.
  • Restricting the right of individuals to transfer ePHI to a third party to only ePHI that is maintained in an EHR.
  • Confirming that an individual is permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual.
  • Stating when individuals should be provided with ePHI without charge.
  • Requiring covered entities to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
  • The Armed Forces’ permission to use or disclose PHI to all uniformed services has been expanded.
  • A definition has been added for electronic health records.
  • Wording change to expand the ability of a covered entity to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” (currently it is when harm is “serious and imminent.”)
  • A pathway has been created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
  • Covered entities will not be required to obtain a written acknowledgment from an individual that they have received a Notice of Privacy Practices.
  • HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
  • HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
  • The definition of healthcare operations has been broadened to cover care coordination and case management.
  • Covered healthcare providers and health plans will be required to respond to certain records requests from other covered healthcare providers and health plans when individuals direct those entities to do so when they exercise the HIPAA right of access.
  • Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
  • The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.


HIPAA Updates Impact Scenarios For Healthcare Professionals & Entities

Here is a structured analysis of the proposed HIPAA Privacy Rule changes with real-world examples and organizational impacts:

| Proposed Change | Example/Use Case | Changes for Healthcare Entities |
|---|---|---|
| 1. Patients allowed to inspect PHI in person and take notes/photos | A diabetic patient takes photos of their glucose trends during an in-person chart review to share with a nutritionist. | Training: staff must be trained to supervise inspections and handle device usage. Logistics: designated private spaces for reviews. Departments: front desk, IT (ensure real-time record access). |
| 2. PHI access timeframe reduced from 30 to 15 days | A cancer patient requests records for a second opinion; delays could impact treatment decisions. | Processes: accelerated workflows for record retrieval. Technology: EHR optimization to automate requests. Departments: medical records, IT, compliance. |
| 3. Third-party ePHI transfers limited to EHR data | A patient’s mental health app receives EHR treatment history but not separate billing records. | Policy updates: define EHR boundaries. Compliance: audits to ensure non-EHR data (e.g., billing) isn’t shared. IT: integrate disparate systems. |
| 4. Patients can direct ePHI to personal health apps | A patient sends EHR data to a fitness app to track medication side effects. | Security checks: verify app compliance. Training: staff to process app-bound data requests. IT: API integrations. |
| 5. ePHI provided without charge in certain cases | A low-income patient accesses lab results via a portal without fees. | Fee policies: revise waiver criteria. Training: billing staff on exemptions. Departments: billing, patient services. |
| 6. Informing patients of third-party copy rights when summaries are offered | A clinic offers a visit summary but must notify the patient they can request full records. | Documentation: update consent forms. Training: front-desk communication. Legal: ensure disclosures meet standards. |
| 7. Expanded PHI disclosures to all uniformed services | A soldier’s injury records are shared with VA and Navy hospitals for continuity. | Policy updates: military disclosure protocols. Training: identify valid requests. Legal: coordinate with DoD. |
| 8. EHR definition clarified to include billing records | A patient’s EHR now shows both clinical notes and payment history. | IT: merge billing/treatment systems. Compliance: ensure all EHR data meets access rules. |
| 9. Threat disclosure threshold broadened to “seriously and reasonably foreseeable” harm | A psychiatrist discloses suicidal intent to a family member after assessing risk. | Training: risk assessment protocols. Documentation: justify disclosures. Departments: risk management, behavioral health. |
| 10. Pathway for EHR PHI sharing among covered entities | A PCP shares EHR data directly with a specialist via patient-directed HIE. | Technology: invest in interoperable systems. Legal: data-sharing agreements. IT: secure transmission tools. |
| 11. No written NPP acknowledgment required | Patients receive the NPP via email instead of signing paper forms. | Processes: shift to digital notices. Administrative: reduce paperwork. IT: email tracking systems. |
| 12. Fee schedules posted online | A hospital lists “$0.25 per page” for records on its website. | Transparency: standardize fees. IT: website updates. Departments: finance, web teams. |
| 13. Individualized fee estimates for PHI copies | A patient receives a $30 estimate for 120-page records. | Training: staff to calculate variable costs. Tools: fee calculators. Departments: billing, medical records. |
| 14. Broadened “healthcare operations” to include care coordination | A hospital shares readmission data with a post-acute facility to manage COPD patients. | Policy updates: define care coordination scope. Training: data-sharing limits. Departments: care management, compliance. |
| 15. Good faith PHI disclosures permitted for patient benefit | A nurse shares medication lists with a caregiver for a dementia patient. | Training: judgment-based disclosure guidelines. Documentation: record rationale. Legal: mitigate liability risks. |

Key Cross-Cutting Impacts Of the HIPAA Updates For Healthcare Professionals:

Training: All staff handling PHI require updated HIPAA training, especially on tighter timelines (15-day rule) and app-directed disclosures.

Technology: EHR upgrades for interoperability, automated request processing, and API integrations.

Compliance: Enhanced auditing to avoid penalties like $30k–$125k fines for access delays.

Legal/Policy: Revise BA agreements, fee structures, and threat disclosure protocols.

Operational Costs: Potential investments in IT infrastructure and staff expansion to meet shorter deadlines.


HIPAA Updates Prep Healthcare Professionals Should Start NOW!

With the rollout of the new HIPAA updates, all impacted employees across your organization will require retraining, because any material change in policies and procedures mandates (re)training under HIPAA guidelines. So not only will recently onboarded employees need to go through this training, but so will the existing workforce. This will clearly place a considerable burden on covered entities and could disrupt daily operations. With most healthcare practices and firms struggling to find qualified HIPAA-trained experts internally, it might be wise to reach out to organizations such as Frigg. Subject matter experts like Frigg can help organize training and certifications to ensure that practices and business associates are compliant with the HIPAA update.

This HIPAA update might cause some sleepless nights for healthcare professionals on account of the PHI sharing clauses covered here. Limitations are placed on what can be transferred via third-party ePHI transfers, while the existing timeframes for sharing PHI with patients are also shortened. The HIPAA updates also touch upon billing records, which, as most healthcare practices and entities know, are challenging at best. As billing records are often kept in different systems from healthcare records, there is a potential risk of errors, not to mention that reconciling them is a time-consuming task.

Healthcare professionals and practices will need to plan for and ensure a sufficient (and trained) workforce plus efficient procedures to comply with these requirements. As it stands, healthcare organizations will only have 30 days (including extensions) to provide requested records to patients. Hence it is imperative that healthcare organizations start reviewing their organizational readiness now rather than later. We recommend conducting a gap audit to determine current preparedness and the additional effort needed to comply. This will provide clarity on the time, effort and money needed to get it done.

And as the HIPAA Journal notes, ‘Bear in mind that OCR has been laser-focused on healthcare providers who fail to provide patients with timely access to their medical records and has imposed more than 50 penalties under the HIPAA Right of Access enforcement initiative’.

FAQ: HIPAA Updates For Healthcare Professionals

What is the HIPAA privacy rule?

The HIPAA Privacy Rule establishes nationwide guidelines to safeguard individuals’ medical records and other personally identifiable health information, collectively known as “protected health information.” It applies to health plans, health care clearinghouses, and health care providers that conduct certain electronic transactions. The Rule mandates proper safeguards to ensure the privacy of protected health information and outlines limits on how this information can be used or disclosed without the individual’s consent. Additionally, it grants individuals rights over their health information, including the ability to review and obtain copies of their records, request electronic transmission of their information to a third party, and seek corrections when necessary.

The Privacy Rule can be found in 45 CFR Part 160 and Subparts A and E of Part 164.

When was HIPAA last updated?

In 2024, HIPAA was updated to enhance the HIPAA Privacy Rule, reinforcing privacy protections for reproductive healthcare information. This update prohibits the use or disclosure of reproductive healthcare information for conducting criminal, civil, or administrative investigations, or for imposing liability on individuals who have lawfully sought, received, or facilitated reproductive healthcare that was legal in the location where it occurred.

Where is the best place to find changes to the HIPAA law?

The most reliable source for updates to HIPAA law, or more specifically, changes in the Administrative Simplification Regulations, is the HHS Office for Civil Rights website. Visitors can subscribe to their “Weekly News Digest,” which delivers updates on Proposed Rules, Interim Rules, and Final Rules directly to their email inbox.

How will HHS announce HIPAA updates in 2025?

In 2025, HHS will announce updates to HIPAA through one or more Final Rules published in the Federal Register. After the Final Rule is published, HHS will issue a News Release on its website. These News Releases are typically covered extensively by trade publications and compliance websites, making it unlikely that any significant HIPAA updates in 2025 will go unnoticed.


What are the top changes in the 2025 HIPAA update for healthcare professionals?


Big updates are coming to the HIPAA Privacy Rule… and they’re going to impact EVERY healthcare provider, vendor, insurance plan, and patient. Here are the top updates we believe are important.

  1. Faster Access: Patients will now get access to their health info in 15 days (not 30).
  2. In-Person Access: Patients can now inspect, take notes, or snap photos of their PHI.
  3. PHI Transfers Limited: Sending ePHI to third parties is now restricted to EHR-maintained data only.
  4. Health Apps Included: Patients can request their ePHI be sent directly to their personal health app.
  5. Free ePHI Access: Clear guidelines are now in place for when ePHI should be provided free of charge.
  6. Transparency Boost: Providers must now post fee schedules for PHI access on their websites.
  7. No More Acknowledgments: Providers are no longer required to obtain written proof that patients received their Notice of Privacy Practices.
  8. EHR Sharing Made Easier: New pathways for individuals to direct sharing of their PHI between healthcare entities.
  9. Expanded Definitions: Healthcare operations now explicitly include care coordination and case management.
  10. Safety First: PHI can now be shared if harm is “seriously and reasonably foreseeable” — not just “serious and imminent.”


What changes do healthcare professionals, providers, healthcare practices & vendors need to make under the new HIPAA updates for healthcare professionals?

The changes that healthcare professionals, practices and vendors need to make in their workflow cover:

  1. Process and policy changes in line with the updated HIPAA guidelines.
  2. Technology – EHR optimization to retrieve and share records; invest in interoperable systems.
  3. Training – Staff must be trained to respond to the updated data-sharing guidelines, including those covering billing information.
  4. Compliance – Conduct data audits and enforce the access guidelines.
  5. Documentation – Record disclosures and rationale as per the updated protocols.
  6. Legal – Mitigate liability risks.

If You Need Guidance or Immediate Assistance

Contact us at (+91 733-113-2288), or write to us at (service@friggp2c.com | friggp2c@gmail.com)

Also, check out our services like Vulnerability Assessment, Penetration Testing, Code Review, Testing as a Service, and Risk Management on our website www.friggp2c.com. We are determined to work with and for you and make your organization one of the safest business organizations for you, your customers, and all prospective clients.

About the Authors

Amit Sarkar

Amit Sarkar (amit.sarkar@friggp2c.com) is the Founder of Frigg Business Solutions, based in Sheridan, Wyoming, USA, and Hyderabad, Telangana, India. He is a seasoned writer whose articles have been published by HCCA and SCCE. He is a former CEO of a US healthcare regulatory compliance service organization and a senior global leader in HIPAA Compliance, IT Security, Risk Management, and Compliance Governance.

Ayan Chatterjee

Ayan Chatterjee is a tenured business leader with over two decades of experience leading organizations across multiple domains, including healthcare. He has seen the impact of security breaches first hand and has become a passionate advocate for security and compliance preparedness in organizations.