In an effort to crack down on rampant cyber attacks, the Department of Health and Human Services have proposed updates to the HIPAA regulatory framework. Healthcare organizations must now assess their current data protection and security practices and make the necessary adjustments. In this blog post, we summarize the biggest HIPAA changes in 2025 and suggest 7 important next steps.
In 2024, the US healthcare industry experienced one the largest data breaches of all time. Change Healthcare, a payment processing conglomerate that handles around one third of all healthcare transactions in the US, was infiltrated by an infamous ransomware group. The cyber attack affected a staggering 190 million people in America.
This is only one example in what’s become an ongoing, insidious cybersecurity problem.
A problem that has resulted in the Department of Health and Human Services (HHS) proposing amendments to the HIPAA framework.
For healthcare organizations like yours, this means tighter responsibilities surrounding data protection, patient access, and security best practices.
But what exactly are these HIPAA changes, and what do they mean for your business, people, and operations?
The HHS’s proposed amendments to the HIPAA framework are sweeping. If you don’t familiarize yourself with the key changes now, you may find yourself caught up in the regulatory riptide.
The headline updates are as follows:
For more information and updates, we’d advise reading the guidance and fact sheets on the HHS website.
Change is coming, and there’s no escaping it. To fortify your data, protect your patients, and stay compliant, your organization must take action sooner rather than later.
With that in mind, here are 7 next steps that’ll help you comply with the new HIPAA proposals.
First and foremost, parse through the existing and proposed amendments to the HIPAA framework. This will give you a better understanding of the HHS’s expectations and your upcoming responsibilities.
Depending on the size and sophistication of your IT teams, it may be necessary to consult with dedicated security or HIPAA consultants.
Once you have a firm grasp of the updates, conduct a gap analysis for all your documents, procedures, and compliance frameworks. How do they measure up against the HIPAA framework? Are there any inconsistencies or missing pieces?
At this stage, we’d recommend:
Implementing a thorough risk assessment is also necessary. This involves; identifying areas of non-compliance; mapping ePHI data and the systems that store it; and assessing any data protection risks, whether they’re paper-based, digital, or external.
The idea is to find and diagnose problems that need fixing — before hackers exploit them or regulators penalize you for them.
Compliance should never become a siloed effort. To ensure everyone in your organization adheres to these new updates, you must communicate with them from day one.
Of course, this isn’t something you can share via printed pamphlets or email threads. These methods of communication are unreliable, untraceable, and — for many field workers — inaccessible. There’s no way to gauge who has and hasn’t read the updates, never mind whether they’ve understood them or not.
Instead, use a centralized digital workplace to share HIPAA news articles, pinned announcements, and RSS feeds across your workforce.
Some software providers, such as Claromentis, also offer integrated AI-powered policy management applications that enable you to distribute policies, track acceptance rates, and improve understanding with intelligent Q&A chatbots. This ensures every obligation is read, understood, and ingrained in your workplace culture.
The powers that be have expressed a clear need for stronger security controls. As a result, you’ll need to secure every nook and cranny of your digital ecosystem, from your CRM systems to your intranet.
In accordance with HIPAA guidance:
For healthcare organizations that rely on disparate platforms for their day-to-day operations, interoperability may be a considerable hurdle.
Ideally, you must be able to integrate data and platforms across your entire tech stack. Only then can you ensure effective patient data access.
A centralized digital workplace solution like Claromentis enables you to do just this. With the help of native or custom built APIs, you can stitch together all of your key tools and foster greater collaboration, communication, and interoperability. Because our solution is packed full of features, you may even be able to cull some less-important platforms from your ecosystem. This allows you to consolidate your tech stack and rein-in your data.
Under the HHS’s proposed HIPAA changes, your organization will have to act more quickly than ever before. Especially if you plan on meeting the tighter breach notification and patient data access timelines.
A robust no-code business process automation platform offers a brilliant way to handle these tasks efficiently.
Simply build standardized e-forms and workflows for these processes and embed them into your centralized digital workplace. After a form is filled, an automated workflow filters the ticket through the designated next steps and assigns tasks to users — whether that’s locating patient data, contacting the authorities, or taking remedial action. Custom service level agreements (SLAs) allow you to keep track of progress and flag any neglected tickets. Meaning you’ll never knowingly miss an important deadline.
According to a recent survey by HIPAA Journal, over 20% of organizations don’t test employee HIPAA knowledge. Of those that do, only 58.7% of quiz users during the training and certify the results.
Needless to say, a lack of consistent and tested HIPAA training will only increase your chances of non-compliance.
The good news is, implementing effective training pathways doesn’t have to be time-consuming or resource-draining.
With a comprehensive learning management system, you can:
There’s no need to coordinate in-person sessions or continuously repeat the same virtual course three times a week. Once the compulsory training is live, you can notify employees, monitor progress, and tweak your courses as you go.
As it stands, only 21% of organizations are “completely confident” that they could demonstrate full compliance if selected for a HIPAA audit.
Throw the new updates into the mix, and we’re willing to bet this number would reduce significantly.
But now’s not the time to admit defeat or bury your head in the sand. Instead, take this as an opportunity to prepare your teams, fortify your defenses, and secure your data.
This is where Claromentis can help.
Our digital workplace for regulated industries helps you navigate HIPAA changes with ease. Comprising intranet, e-learning, and automation capabilities, Claromentis is your foundation for centralizing knowledge, enforcing policy compliance, streamlining regulatory procedures, and educating employees. Third-party integrations and custom APIs enable you to consolidate your data points, encouraging greater interoperability. Built-in security features keep your sensitive data safe. And our self-hosted, SaaS, and on-premise deployment options give you full control over where your data lives.
As a HIPAA compliant organization ourselves, we’re familiar with the difficulties surrounding regulatory updates. It’s one of the many reasons why heavily regulated industries across the globe trust and depend on our software for their day-to-day operations.
To see how your healthcare organization can overcome HIPAA hurdles with Claromentis, book a quick discussion call with one of our experts. We’ll assess your requirements, share recommendations based on our 25+ years of experience, and build you a bespoke demo environment.