HIPAA Privacy Rule Update 2025: What Changed and How to Comply
Reproductive Health Care Privacy Rule
In 2024, HHS finalized a HIPAA Privacy Rule amendment intended to restrict certain uses and disclosures of protected health information (PHI) related to lawful reproductive health care and to require signed attestations before disclosing potentially related records for specified purposes. On June 18, 2025, a federal court vacated most of that rule nationwide; only certain Notice of Privacy Practices (NPP) modifications remain, with compliance required by February 16, 2026. As a result, the attestation requirement and prohibitions on specified uses/disclosures are no longer in effect. Covered entities should revert to baseline HIPAA permissions and requirements when responding to requests for PHI. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
Practically, you should: (1) remove workflow checkpoints that depended on the now-vacated attestation; (2) retrain staff on standard HIPAA pathways for disclosures (required by law, law enforcement, judicial processes) and documentation; and (3) track evolving litigation or agency actions that could alter obligations again. Continue to review data-sharing consent practices carefully where state laws may impose separate constraints. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
Notice of Privacy Practices Updates
Despite the vacatur, HHS confirms that remaining NPP updates are still required by February 16, 2026. These updates chiefly align HIPAA notices with the 42 CFR Part 2 final rule for Substance Use Disorder (SUD) records and clarify how PHI that is also Part 2 data may be used and disclosed. Prepare updated, plain-language notices that explain patient rights, breach notification standards, and how SUD information is handled alongside HIPAA. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
Implementation tips: map where SUD records intersect with your HIPAA records; ensure portal and intake workflows surface the new NPP at first service delivery and upon request; and coordinate with business associates so their processes support your posted notice commitments. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))
HIPAA Security Rule Proposed Updates
OCR issued a Notice of Proposed Rulemaking (NPRM) to modernize the Security Rule, emphasizing concrete cybersecurity controls for electronic PHI (ePHI). The proposal would require Multi-Factor Authentication (MFA), encryption of ePHI at rest and in transit, vulnerability scanning and annual penetration tests, network segmentation, tested incident response and disaster recovery (including restoring critical systems within 72 hours), annual compliance audits, and ongoing technology asset inventories with data-flow maps. It would also mandate enhanced vendor oversight, including periodic verification by business associates that required safeguards are in place. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))
While the NPRM is not yet final, OCR links its approach to sector Cybersecurity Performance Goals and to the surge in large health data breaches, underscoring the urgency for entities to adopt these controls now. Begin gap assessments against the NPRM’s specifics, prioritize MFA and encryption, and plan contract updates to reflect new verification duties for Business Associate Agreements. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance Deadlines
- June 18, 2025: Court vacates most of the 2024 reproductive health privacy amendments; no attestation requirement or special prohibitions remain in effect. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
- February 16, 2026: Deadline to implement the remaining NPP modifications, including those aligning HIPAA notices with the SUD Part 2 final rule. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
- Security Rule NPRM: Not final as of November 26, 2025. Monitor for a final rule and phased timelines; early adoption of MFA, encryption, backups/restore, and vendor verification will reduce risk and ease transition. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))
Impact on Covered Entities
Covered entities and business associates should recalibrate privacy operations: remove reproductive-health attestation gates; re-standardize legal-process responses under existing HIPAA permissions; and finalize a workplan to update NPPs by the 2026 deadline. Where PHI overlaps with SUD records, implement clear data-sharing consent pathways that reflect Part 2’s alignment with HIPAA for treatment, payment, and health care operations, and refresh training and forms accordingly. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))
On the security side, treat NPRM elements as a near-term blueprint: enforce role-based access, MFA, and encryption of ePHI; document risk analyses tied to asset inventories and data-flow maps; and expand Business Associate Agreements to include the proposed verification and rapid contingency-plan notifications. Expect continued Office for Civil Rights (OCR) enforcement focus on risk analysis, vendor management, and breach response, especially in the wake of large-scale incidents. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))
Legal Challenges
The June 18, 2025 decision in Purl v. HHS vacated most of the reproductive health privacy amendments nationwide, leaving only specified NPP changes intact. HHS has indicated it is assessing next steps; additional appeals or guidance could follow. Stay adaptable: keep legal counsel engaged, document your decision-making for PHI disclosures, and watch for agency updates that could reinstate, revise, or replace elements of the vacated rule. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
Cybersecurity Enhancements
Prioritize controls that both reduce real-world risk and position you for future compliance: deploy MFA across all ePHI systems, encrypt endpoints and databases, segment networks to isolate critical clinical systems, implement continuous vulnerability management, and test incident response with 72-hour restoration objectives. Build an authoritative asset inventory and ePHI data-flow map, and require business associates to evidence controls on a recurring basis. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))
Conclusion
The 2025 landscape narrows immediate privacy changes to NPP updates while elevating cybersecurity expectations. Focus on NPP revisions (especially for SUD records), re-center disclosure workflows under existing HIPAA standards, and advance toward MFA, encryption, and vendor verification so you are ready when the Security Rule is finalized. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
FAQs
What are the key changes in the 2025 HIPAA Privacy Rule update?
The pivotal change is legal: a federal court vacated most of the 2024 reproductive health privacy amendments on June 18, 2025, eliminating the attestation requirement and special prohibitions on certain uses/disclosures. What remains are specific NPP updates, due by February 16, 2026, largely to align notices with new rules for SUD records. Separately, OCR’s Security Rule NPRM proposes mandatory MFA, encryption, and other safeguards, but it is not yet final. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
How do the reproductive health care privacy provisions affect compliance?
Because the court vacated most of the amendments, you should discontinue reliance on the attestation workflow and manage requests under the existing HIPAA framework (e.g., disclosures required by law, court orders, or other Privacy Rule permissions). Continue preparing your NPP for the 2026 deadline and monitor for appeals or replacement rulemaking that could alter obligations again. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
When must updated Notice of Privacy Practices be implemented?
By February 16, 2026, for the remaining, undisturbed NPP modifications, principally those aligning HIPAA notices with 42 CFR Part 2 confidentiality requirements for SUD records. Plan updates, approvals, posting, and workforce training well in advance of that date. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))