HIPAA Privacy Rule Update 2025 Explained: Examples, Risks, and Enforcement
Federal Court Vacates Reproductive Health Care Privacy Rule
On June 18, 2025, a federal district court in Texas (Purl v. HHS) vacated most of the 2024 “HIPAA Privacy Rule to Support Reproductive Health Care Privacy.” The court concluded that HHS exceeded its authority, eliminating the special federal protections that would have limited certain uses and disclosures of reproductive health information and ending the nationwide attestation requirement for requesters of such data. However, the Notice of Privacy Practices (NPP) changes unrelated to the vacated provisions remain intact and must still be implemented. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))
What this means in practice: if, for example, an out‑of‑state investigator seeks records about a lawful abortion, the pre‑2024 HIPAA framework governs—there is no added federal prohibition triggered solely by the reproductive context and no special attestation to obtain first. Covered entities should update policies and training that were revised for the 2024 rule and remove any reproductive‑health attestations inserted into workflows, while continuing to follow standard HIPAA permissions and stricter state laws where applicable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))
Appeals efforts to revive the 2024 reproductive privacy changes ended on September 10, 2025, when the Fifth Circuit dismissed an intervention appeal, leaving the vacatur in place nationwide. ([haynesboone.com](https://www.haynesboone.com/news/publications/hipaa-reproductive-healthcare-privacy-rule-remains-vacated-after-appeals-closed?utm_source=openai))
Ongoing HIPAA Security Rule Revisions
HHS/OCR has proposed the most significant Security Rule overhaul since 2013 to strengthen safeguards for electronic protected health information (ePHI). The Notice of Proposed Rulemaking (NPRM) would move from flexible “addressable” language to clearer, mandatory cybersecurity controls, reflecting the sector’s escalating threat landscape. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
Key proposals you should plan for
- Multi-factor authentication for ePHI access, encryption at rest and in transit, and required network segmentation. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- A current technology asset inventory and network map showing ePHI flows, reviewed at least annually and after material changes. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- More specific security risk assessments and ongoing risk management tied to identified threats and vulnerabilities. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Vulnerability scanning at least every six months and penetration testing at least annually. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Written incident response and contingency plans with the capability to restore critical ePHI systems within 72 hours, plus separate technical controls for backup and recovery. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Annual HIPAA compliance audits by regulated entities and stronger business associate oversight, including validations of deployed safeguards and 24‑hour notifications upon contingency plan activation. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
Timing and transition (if finalized)
If finalized as proposed, the Security Rule changes would take effect 60 days after publication, with a standard compliance date 180 days after the effective date. A separate transition window would give up to one year after the effective date to update existing business associate agreements, if certain conditions are met. Until a final rule is issued, current Security Rule requirements continue to apply. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Enhanced Notice of Privacy Practices for SUD Records
Separately from the reproductive privacy litigation, HHS finalized major updates to 42 CFR Part 2 (SUD confidentiality) on February 8, 2024, aligning many requirements with HIPAA and triggering required Notice of Privacy Practices modifications. Entities must revise their NPPs to explain how Part 2 records are used, disclosed, and protected, including new rights and breach notification obligations aligned with HIPAA. The compliance deadline is February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))
What changes for your NPP and operations
- Ability to obtain a single patient consent for future treatment, payment, and health care operations (TPO) uses of Part 2 records, with limits on re‑disclosure. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))
- Clear explanation of patients’ rights and Part 2‑specific protections in your NPP, consistent with HIPAA. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))
- Updated breach notification and penalty frameworks that more closely mirror HIPAA. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))
Compliance Deadlines and Enforcement Actions
Key dates
- February 16, 2026: Deadline to implement required Notice of Privacy Practices modifications for Part 2 and remaining NPP updates not vacated by the Purl decision. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))
- Security Rule NPRM: No final rule yet. If finalized, expect an effective date 60 days after publication and a compliance date 180 days later, with a limited extension for certain contract updates. ([federalregister.gov](https://www.federalregister.gov/public-inspection/2024-30983/health-insurance-portability-and-accountability-act-security-rule-to-strengthen-the-cybersecurity-of))
Current OCR enforcement posture
OCR (the HHS Office for Civil Rights) has intensified enforcement around cybersecurity, with multiple 2025 settlements emphasizing foundational security risk assessments and ransomware preparedness. Recent resolution agreements involved a billing vendor (Comstar), an ambulatory surgery center, a CPA firm acting as a business associate, and a small neurology practice, illustrating that organizations of every size and type are in scope. ([hhs.gov](https://www.hhs.gov/press-room/hhs-hipaa-comstar-agreement.html?utm_source=openai))
In addition, OCR launched 2024–2025 HIPAA compliance audits focused on selected Security Rule provisions most relevant to hacking and ransomware, with an industry report to follow after the audit cycle concludes. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/pilot-program/index.html?utm_source=openai))
Impact on Healthcare Providers and Patients
Providers and plans must recalibrate privacy operations post‑Purl: remove reproductive‑health attestations, revert to standard HIPAA permissions, and align with applicable state laws. At the same time, you must prepare for NPP changes tied to SUD records and ensure business associates who handle ePHI meet heightened expectations. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))
For patients, the vacatur means HIPAA no longer includes the 2024 rule’s special federal protections for reproductive health information. However, the 42 CFR Part 2 updates strengthen protections and clarity for substance use disorder records, and the pending Security Rule proposals—if finalized—would materially improve safeguards for electronic protected health information across the ecosystem. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))
Risk Management Strategies
Prioritize core controls now
- Run comprehensive security risk assessments at least annually and after major changes; document threats, vulnerabilities, and prioritized remediation tied to ePHI systems. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Deploy multi‑factor authentication everywhere ePHI can be accessed; enforce least‑privilege, role‑based access, rapid termination, and unique IDs for users and technology assets. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Implement network segmentation between EHR, imaging, labs, and public‑facing services to contain lateral movement during attacks. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Maintain a living technology asset inventory and network map that trace ePHI data flows across on‑prem, cloud, and medical devices. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Encrypt ePHI in transit and at rest; harden configurations, remove extraneous software, and establish regular vulnerability scanning and annual penetration testing. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Strengthen backup and recovery with logically separate, immutable copies and a proven ability to restore critical systems within 72 hours. Conduct frequent tabletop exercises. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Elevate business associate oversight: update BAAs, require evidence of deployed controls, and set 24‑hour notifications for contingency plan activation. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
- Proactively conduct internal HIPAA compliance audits and retain documentation to be audit‑ready during OCR’s 2024–2025 audit cycle. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/pilot-program/index.html?utm_source=openai))
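To make the cadences in this list checkable rather than aspirational, the following added example (not code from the page or from Accountable) runs a gap analysis over a constructed ePHI asset inventory; the field names, sample systems and the six-month, annual and 72-hour thresholds are assumptions chosen to match the NPRM figures quoted above.

```python
from datetime import date, timedelta

# Thresholds taken from the NPRM cadences described on the page (assumed as the check limits).
MAX_SCAN_AGE = timedelta(days=182)     # vulnerability scanning at least every six months
MAX_PENTEST_AGE = timedelta(days=365)  # penetration testing at least annually
MAX_RESTORE_HOURS = 72                 # restore critical ePHI systems within 72 hours
AS_OF = date(2025, 10, 1)              # constructed "today" for the sample run

def assess_asset(asset: dict, today: date) -> list[str]:
    """Return the list of control gaps for one ePHI asset record (empty = no gaps)."""
    findings = []
    if not asset.get("mfa"):
        findings.append("MFA not enforced for ePHI access")
    if not asset.get("encrypted_at_rest"):
        findings.append("ePHI not encrypted at rest")
    if not asset.get("encrypted_in_transit"):
        findings.append("ePHI not encrypted in transit")
    if asset.get("segment") in (None, "flat"):
        findings.append("asset sits on a flat network, not a segmented zone")
    # A missing scan or test date is treated as 'never', which is itself a gap.
    for key, limit, label in (("last_vuln_scan", MAX_SCAN_AGE, "vulnerability scan"),
                              ("last_pentest", MAX_PENTEST_AGE, "penetration test")):
        when = asset.get(key)
        if when is None or today - when > limit:
            findings.append(f"{label} overdue (last: {when or 'never'})")
    if asset.get("critical"):  # only critical systems carry the 72-hour restore expectation
        rto = asset.get("tested_restore_hours")
        if rto is None or rto > MAX_RESTORE_HOURS:
            findings.append(f"no proven restore within {MAX_RESTORE_HOURS}h (tested: {rto})")
    return findings

def gap_report(inventory: list[dict], today: date) -> dict[str, list[str]]:
    """Map each asset name to its findings; assets with [] pass every check."""
    return {a["name"]: assess_asset(a, today) for a in inventory}

# Constructed sample inventory (hypothetical systems, not from the page).
SAMPLE_INVENTORY = [
    {"name": "ehr-db", "critical": True, "mfa": True, "encrypted_at_rest": True,
     "encrypted_in_transit": True, "segment": "clinical", "last_vuln_scan": date(2025, 8, 1),
     "last_pentest": date(2025, 1, 15), "tested_restore_hours": 48},
    {"name": "imaging-pacs", "critical": True, "mfa": False, "encrypted_at_rest": True,
     "encrypted_in_transit": False, "segment": "flat", "last_vuln_scan": date(2024, 11, 1),
     "last_pentest": None, "tested_restore_hours": 96},
]

if __name__ == "__main__":
    for name, issues in gap_report(SAMPLE_INVENTORY, AS_OF).items():
        print(name, issues or ["no gaps against the NPRM-style thresholds"])
```

Feeding the script a real inventory export gives a per-asset list that can be carried straight into the risk assessment documentation OCR looks for.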
Future Regulatory Developments
HHS has stated it will determine next steps following the Purl decision, and the Fifth Circuit’s September 10, 2025 dismissal leaves the vacatur in place. Watch for agency guidance addressing post‑Purl operations, the Security Rule’s finalization timeline, and additional implementation materials for Part 2 and NPP updates as the February 16, 2026 deadline approaches. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))
Conclusion
In 2025, the landscape shifted in two directions at once: the reproductive privacy rule was largely vacated, while cybersecurity and SUD confidentiality moved forward. If you zero in on NPP modifications for Part 2 by February 16, 2026, harden ePHI defenses in line with the NPRM’s thrust (MFA, segmentation, encryption, rigorous risk assessments), and stay alert to OCR audits and enforcement, you will reduce risk and remain prepared for what comes next. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))
FAQs
What are the key changes vacated by the 2025 HIPAA Privacy Rule update?
The court struck down most of the 2024 reproductive health privacy amendments, eliminating special prohibitions on certain uses and disclosures of PHI related to reproductive care and ending the attestation requirement. The ruling did not wipe out unrelated HIPAA provisions; select NPP modifications remained and still require attention. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html?utm_source=openai))
How does the new HIPAA Security Rule proposal affect ePHI protection?
If finalized as proposed, it would mandate concrete safeguards—multi‑factor authentication, encryption at rest and in transit, network segmentation, frequent vulnerability scanning and annual penetration testing, asset inventories and network maps, and stronger incident response and recovery—moving the sector toward consistent baseline cybersecurity for ePHI. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
What enforcement actions can healthcare providers expect for non-compliance?
Expect continued OCR settlements and corrective action plans emphasizing security risk assessments, ransomware readiness, and vendor oversight, alongside targeted HIPAA compliance audits in 2024–2025. Recent cases spanned small practices to large business associates, underscoring that size offers no safe harbor. ([hhs.gov](https://www.hhs.gov/press-room/hhs-hipaa-comstar-agreement.html?utm_source=openai))
How do the updates impact the handling of substance use disorder patient records?
The 42 CFR Part 2 final rule aligns many SUD confidentiality requirements with HIPAA and requires NPP updates that explain patients’ rights and how Part 2 records are used and disclosed. You may use a single consent for TPO purposes (with limits), and you must meet enhanced breach notification and enforcement provisions by February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))