These updates represent the first major revision to HIPAA security requirements since 2003. All covered entities and business associates must comply.
Healthcare data breaches increased 93% in 2024, affecting over 133 million patients. These updates mandate modern security controls that were previously "addressable" (optional if documented). MFA, encryption, and faster breach notification are now required specifications with no exceptions.
In December 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) finalized long-anticipated updates to the HIPAA Security Rule. These changes were developed in response to the dramatic increase in healthcare cyberattacks, ransomware incidents, and data breaches affecting millions of patients.
The updates transition several "addressable" specifications to "required" status, meaning organizations can no longer opt out even with documented alternative measures. This marks a fundamental shift in how HIPAA compliance is enforced.
Organizations that fail to implement these new requirements face significantly increased enforcement actions, with OCR specifically targeting these areas in audits and investigations starting in 2025.
Each of these changes is now a required specification under the Security Rule. These requirements apply to all HIPAA covered entities and business associates:
- Hospitals, clinics, medical practices, dental offices, mental health providers: 100% of covered entities must comply.
- IT vendors, cloud providers, billing services, consultants: direct liability for non-compliance.
- EHR vendors, health apps, telemedicine platforms: enhanced technical requirements.
Since the 2013 HIPAA Omnibus Rule, business associates carry the same compliance obligations and face the same penalties as covered entities. If you provide services to healthcare organizations and handle PHI, these updates apply to you with no exceptions.
Follow this roadmap to ensure your organization meets all 2025 requirements