If you work in healthcare, you've probably noticed that HIPAA doesn't sit still. Rules shift, enforcement priorities change, and new guidance keeps coming from the Department of Health and Human Services (HHS). Keeping up with HIPAA news isn't just good practice—it's a compliance requirement that protects your patients and your organization.
This page covers the most important recent developments in HIPAA law, enforcement trends, and what they mean for covered entities and business associates. Whether you're studying for a HIPAA practice test or managing compliance for a healthcare organization, you'll want to bookmark this.
The HHS Office for Civil Rights (OCR) is the agency that investigates HIPAA complaints and enforces the rules. Over the past couple of years, their focus has shifted in some notable ways.
First, right of access enforcement has been a top priority. Patients have a legal right to get copies of their medical records quickly and at low cost—and OCR has been cracking down hard on providers who drag their feet or charge excessive fees. More than 50 enforcement actions related to patient access have been resolved since OCR launched this initiative. Penalties have ranged from a few thousand dollars for small practices to over a million for large health systems.
Second, ransomware and cybersecurity incidents keep driving breach reports. Healthcare remains one of the most targeted sectors for cyberattacks, and OCR expects covered entities to have strong technical safeguards in place. If you're hit by ransomware, OCR presumes it's a reportable breach unless you can prove the data wasn't compromised—that's a high bar to clear.
Third, tracking pixel enforcement is newer territory. OCR issued guidance clarifying that using third-party tracking technologies (like Meta Pixel or Google Analytics) on patient-facing websites or patient portals can violate HIPAA if those tools transmit protected health information to vendors without proper authorization. Several large health systems have faced class-action lawsuits and regulatory scrutiny over this issue.
One of the biggest HIPAA news stories in recent memory is the proposed update to the Security Rule. HHS published a Notice of Proposed Rulemaking (NPRM) in early 2025 that would significantly strengthen cybersecurity requirements for covered entities and business associates.
Here's what the proposed changes would do:
These are proposals, not final rules yet. But healthcare organizations are already starting to assess gaps because the compliance window after a final rule is published is typically 180 days to 2 years—and the gap analysis alone takes months for large organizations.
If you're studying HIPAA for certification purposes, it's worth understanding both the current Security Rule and what's proposed, since exam content often reflects recent regulatory activity.
Following the Supreme Court's 2022 decision on abortion access, HHS issued new HIPAA privacy rules to address concerns about states attempting to access patient reproductive health information for law enforcement purposes.
The final rule—effective in 2024—prohibits covered entities and business associates from disclosing protected health information related to reproductive health care for the purpose of investigating or imposing liability on patients, providers, or others who seek or provide lawful reproductive health care. This applies even when law enforcement officials request that information through legal process.
There's a specific attestation requirement attached to this rule. When someone requests PHI for activities that could potentially relate to reproductive health care, covered entities must obtain a signed attestation that the request isn't for a prohibited purpose. This adds a procedural step that your team needs to be trained on.
Healthcare organizations have had to update their policies, train staff, and in some cases modify their Notice of Privacy Practices to reflect these new protections.
During the COVID-19 public health emergency, HHS issued enforcement discretion policies that let covered entities use non-HIPAA-compliant video platforms for telehealth visits without penalty. That discretion has ended—you're now expected to use HIPAA-compliant telehealth platforms with proper Business Associate Agreements in place.
The rush back to full compliance caught some smaller practices off guard. If you're still using a platform without a BAA, that's a live compliance gap. Common platforms like Zoom for Healthcare, Doxy.me, and Teladoc offer HIPAA-compliant options, but you need the BAA executed before you can legally use them for protected communications.
The telehealth landscape also raises questions about where patients are located during visits. If your provider is licensed in one state but the patient is calling from another, you're dealing with both HIPAA and state law—and state laws on health privacy can be stricter than HIPAA in ways that matter.
Looking at actual OCR settlements gives you a clearer picture of where risk lies. A few recent examples stand out:
A large healthcare system paid $4.75 million after a ransomware attack exposed the PHI of over 2 million patients. OCR found the organization had failed to conduct a thorough risk analysis and hadn't implemented adequate technical safeguards—two foundational Security Rule requirements.
A small medical practice was fined $25,000 for failing to provide a patient with timely access to their records. This was part of OCR's right-of-access initiative. The fine looks modest, but for a solo practice it's significant—and it came with a corrective action plan and two years of monitoring.
A business associate (a medical transcription company) faced a $350,000 settlement after an employee's laptop containing unencrypted PHI was stolen. No encryption on portable devices remains one of the most common—and most avoidable—HIPAA failures.
These cases reinforce some basic compliance priorities: do your risk analysis, train your staff, encrypt your devices, and respond promptly to patient record requests. These aren't exotic requirements—they're HIPAA fundamentals that still trip up organizations every year.
The biggest development is the proposed overhaul of the HIPAA Security Rule, published by HHS in early 2025. The proposed changes would mandate multi-factor authentication, network segmentation, specific system recovery timelines, and annual compliance audits—eliminating the flexibility that currently lets organizations choose whether to implement certain safeguards. This isn't final yet, but organizations should be tracking it closely.
A final rule effective in 2024 prohibits covered entities and business associates from using or disclosing PHI related to reproductive health care for the purpose of investigating or imposing liability on patients or providers. When requests for such information arrive, organizations must obtain a signed attestation that the request isn't for a prohibited purpose. Staff training and updated privacy policies are required.
Tracking pixels and similar analytics tools can violate HIPAA. OCR guidance clarifies that if a tracking technology transmits protected health information—including information that could identify a user as a patient—to a third-party vendor without a BAA or proper authorization, that's a potential HIPAA violation. Several health systems have faced legal action over this. Any patient-facing website or portal that uses analytics tools should be audited for PHI exposure.
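The audit this answer calls for (and the tracking-pixel enforcement trend described earlier on this page), as an added example that is not part of the original article: it scans a captured list of network requests from a patient portal and flags tracker hits that carry a patient-area page URL or a PHI-like parameter, either in the Referer or in the tracker's own query string. The tracker host list, the `dl`/`dr` parameter names, the patient-area path pattern, the PHI parameter names and the sample requests are all assumptions constructed for this example.

```javascript
// Added example (not from the article): audit network requests captured from a
// patient portal (e.g. exported from the browser's network panel) for
// third-party tracking calls that carry patient context. Tracker hosts, the
// patient-area path pattern and parameter names are assumptions to adjust.
const TRACKER_HOSTS = new Set([
  'www.facebook.com', 'connect.facebook.net',         // Meta Pixel
  'www.google-analytics.com', 'analytics.google.com', // Google Analytics
]);
// Paths that only a logged-in patient would see (assumed site layout).
const PATIENT_PATH = /\/(portal|mychart|appointments|results|prescriptions)(\/|$)/i;
// Query parameters that identify a person or reveal health context (assumed).
const PHI_PARAMS = new Set(['email', 'mrn', 'dob', 'provider', 'condition', 'reason']);

function phiParamsIn(url) {
  return [...url.searchParams].filter(([k, v]) => PHI_PARAMS.has(k.toLowerCase()) && v).map(([k]) => k.toLowerCase());
}

// requests: [{ url, referrer }]. Returns one finding per tracker request that
// leaks a patient-area page URL or a PHI-like parameter; an empty array is clean.
function auditTrackingRequests(requests, firstPartyHost) {
  const findings = [];
  for (const req of requests) {
    let u;
    try { u = new URL(req.url); } catch { continue; }
    if (u.hostname === firstPartyHost || !TRACKER_HOSTS.has(u.hostname)) continue;
    const reasons = new Set();
    // Pixels repeat the page URL in their own query (dl/dr, assumed names);
    // the Referer header leaks it as well, so inspect every copy.
    for (const p of [req.referrer, u.searchParams.get('dl'), u.searchParams.get('dr')]) {
      let page;
      try { page = new URL(p); } catch { continue; }
      if (PATIENT_PATH.test(page.pathname)) reasons.add('patient-area page URL sent to tracker');
      for (const k of phiParamsIn(page)) reasons.add(`page parameter "${k}" sent to tracker`);
    }
    for (const k of phiParamsIn(u)) reasons.add(`parameter "${k}" sent directly to tracker`);
    if (reasons.size) findings.push({ host: u.hostname, url: req.url, reasons: [...reasons] });
  }
  return findings;
}

// Constructed sample capture: a first-party API call, a Meta Pixel hit fired from an
// appointment page, a GA hit from a public page, and a GA hit leaking a visit reason.
const APPT_PAGE = 'https://portal.example-health.org/portal/appointments?reason=prenatal';
const SAMPLE_REQUESTS = [
  { url: 'https://portal.example-health.org/api/appointments', referrer: APPT_PAGE },
  { url: 'https://www.facebook.com/tr?id=1234567890&ev=PageView&dl=' + encodeURIComponent(APPT_PAGE), referrer: APPT_PAGE },
  { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-TEST&dl=https%3A%2F%2Fwww.example-health.org%2Flocations', referrer: 'https://www.example-health.org/locations' },
  { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-TEST&reason=oncology-consult', referrer: 'https://www.example-health.org/find-a-doctor' },
];
```

Running `auditTrackingRequests(SAMPLE_REQUESTS, 'portal.example-health.org')` reports the Meta Pixel hit (portal path plus the `reason` parameter in the page URL) and the second GA hit (a `reason` parameter sent directly), while the public-page GA hit passes clean.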
The most frequent violations that lead to enforcement actions include: failure to conduct or document a security risk analysis, failure to provide patients with timely access to their records, insufficient technical safeguards (especially unencrypted devices), lack of employee training, and inadequate business associate agreements. Ransomware incidents have also driven many recent enforcement cases.
Business associates are subject to HIPAA enforcement directly, and have been since the 2013 Omnibus Rule. They are directly liable for HIPAA compliance and can face OCR enforcement independently of the covered entity they serve. They must implement all Security Rule safeguards, follow the Breach Notification Rule, and sign Business Associate Agreements with covered entities. Subcontractors who handle PHI on behalf of business associates are also subject to HIPAA.
After a breach, first contain it and assess its scope. You have 60 days from discovering the breach to notify HHS and affected individuals. For breaches affecting 500 or more individuals in a state, you must also notify prominent media in that state. Your organization should document the breach thoroughly, evaluate what went wrong, and implement corrective measures. Reporting to OCR through their online portal is required—late reporting can result in additional penalties.
The proposed Security Rule update published in 2025 would make MFA mandatory for accessing ePHI in nearly all circumstances. Currently, MFA is an addressable specification—organizations can choose alternatives if they document a reason. The proposed rule would eliminate that flexibility for most situations. This isn't final yet, but many organizations are treating it as inevitable and moving toward MFA implementation now.
HIPAA compliance isn't a one-time project—it's an ongoing process that requires staying informed. Here's how compliance professionals actually keep up:
Subscribe to HHS OCR updates. The OCR website posts new guidance, enforcement actions, and rulemaking notices. Their email list is free and keeps you in the loop without having to check the site manually.
Follow industry associations. Organizations like AHIMA, HIMSS, and the American Medical Association publish HIPAA analysis written specifically for healthcare professionals. Their interpretations of new guidance are often more practical than reading the regulatory text directly.
Build internal review cycles into your compliance program. Annual risk analyses, periodic policy reviews, and regular training updates aren't just HIPAA requirements—they're also how you catch issues before OCR does. Organizations with mature compliance programs tend to self-identify and fix gaps rather than waiting for a complaint to trigger an investigation.
Don't ignore state law. Several states—California, Texas, and Washington among them—have health privacy laws that go beyond HIPAA in certain areas. If you operate across state lines or handle reproductive health data, you need a clear picture of both federal and state obligations.
For anyone building HIPAA knowledge for professional purposes, the best foundation is understanding the core rules thoroughly. That means knowing the Privacy Rule, Security Rule, and Breach Notification Rule well enough to apply them to real scenarios—not just reciting definitions. A solid HIPAA practice test helps you check whether your understanding holds up under pressure, and it's good preparation for compliance roles, certification exams, or organizational training responsibilities.
Healthcare data is valuable—and vulnerable. Cyberattacks on healthcare organizations increased significantly over the past several years, and enforcement activity has followed. Organizations that treat HIPAA as a checkbox exercise rather than a living compliance program are the ones showing up in OCR settlement announcements.
If you're in a healthcare IT, administrative, clinical, or compliance role, understanding HIPAA news and regulatory changes is part of your professional responsibility. It's also, increasingly, a differentiator. Employers value people who can connect regulatory changes to practical workflow adjustments—not just people who know the rules exist.
Whether you're building toward a privacy officer role, a healthcare IT position, or certification in health information management, staying current on HIPAA developments is how you stay relevant in a field where the rules keep moving.