New HIPAA Rules 2024: Key Updates and How to Stay Compliant


Kevin Henry

HIPAA

June 15, 2025


Healthcare privacy and security shifted significantly in 2024. This guide walks you through the key HIPAA Privacy Rule amendments affecting reproductive health information, the modernization of the Confidentiality of Substance Use Disorder Records under 42 CFR Part 2, and proposed upgrades to Electronic Protected Health Information safeguards under the HIPAA Security Rule—plus what you should do now to stay compliant.

Enhanced Privacy Protections for Reproductive Health Information

In April 2024, HHS issued HIPAA Privacy Rule amendments intended to strengthen protections for reproductive health-related Protected Health Information. The Final Rule prohibited using or disclosing PHI to investigate or impose liability on a person for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances, and required a signed attestation from the requester before certain disclosures (for example, for law enforcement, judicial or administrative proceedings, or health oversight).

However, on June 18, 2025, a federal court vacated most of that Final Rule nationwide. As a result, the prohibition and attestation provisions are no longer in effect. What remains are certain Notice of Privacy Practices updates: providers and plans must still revise their NPPs to reflect the provisions the court left in place, with compliance due February 16, 2026. Until further agency or court action, continue applying the baseline HIPAA Privacy Rule conditions for disclosures and carefully evaluate state law when handling reproductive health information.

What you should do now

  • Plan and implement Notice of Privacy Practices Updates by February 16, 2026, reflecting surviving reproductive health language and the finalized Part 2 changes described below.
  • Refresh procedures for responding to subpoenas and law-enforcement requests involving reproductive health data to ensure disclosures meet existing HIPAA conditions and applicable state law.
  • Review Business Associate Agreement Obligations to confirm BAs handle any reproductive health information strictly under HIPAA-permitted purposes.

Modifications to Substance Use Disorder Patient Records

In February 2024, HHS finalized major updates to 42 CFR Part 2 to better align the Confidentiality of Substance Use Disorder Records with HIPAA. A single patient consent may now authorize future uses and disclosures for treatment, payment, and health care operations. HIPAA covered entities and business associates that receive SUD records under this consent may redisclose in accordance with HIPAA, subject to Part 2’s ongoing limitations (for example, restrictions on using SUD records in legal proceedings without a court order or patient consent).

The rule also aligns penalties with HIPAA, applies HIPAA Breach Notification Requirements to Part 2 records, and adds patient rights (including an accounting of disclosures and the ability to request certain restrictions). Part 2 patient notice requirements are aligned with the HIPAA NPP, and segmentation of SUD data is not required. Compliance for entities subject to Part 2 is required by February 16, 2026.


What you should do now

  • Update consent forms to support a single TPO consent and incorporate redisclosure language consistent with HIPAA.
  • Revise your NPP and Part 2 patient notices so they present a clear, consistent explanation of SUD confidentiality rights and uses/disclosures.
  • Integrate Part 2 into incident response so breaches of SUD records follow HIPAA Breach Notification Requirements.
  • Review Business Associate Agreement Obligations to ensure BAs protect SUD records, support breach reporting, and honor Part 2 limits.

Proposed Updates to the HIPAA Security Rule

In December 2024, OCR issued a Notice of Proposed Rulemaking to strengthen Electronic Protected Health Information safeguards. While not yet final, the NPRM would remove the distinction between “required” and “addressable” implementation specifications, making nearly all of them required, and would add clear, testable cybersecurity expectations.

Key proposals (not yet final)

  • Encryption of ePHI at rest and in transit, with limited exceptions.
  • Mandatory multi-factor authentication and network segmentation.
  • Vulnerability scanning at least every six months and annual penetration testing.
  • Asset inventory and a current network map showing ePHI flows, reviewed at least annually and after material changes.
  • More prescriptive risk analysis and risk management documentation.
  • Contingency planning upgrades, including restoring critical systems and data within defined timeframes (the NPRM proposes 72 hours for critical information systems) and documented incident response procedures.
  • Annual compliance audits; stronger vendor oversight, including periodic verification that business associates maintain required technical safeguards.

Until a final rule is published, the existing HIPAA Security Rule remains in effect. Nonetheless, beginning alignment now will reduce risk and ease future compliance.

Compliance Considerations for Covered Entities

Prioritize near-term deliverables

  • Finalize Notice of Privacy Practices Updates by February 16, 2026, to reflect surviving reproductive health language and Part 2 requirements.
  • Modernize consent, authorization, and redisclosure workflows to incorporate the new Part 2 single TPO consent model.
  • Embed HIPAA Breach Notification Requirements into SUD processes, including documentation, investigation, and timely notifications.

Strengthen governance and documentation

  • Map data flows for PHI and SUD records; confirm minimum necessary access and retention limits.
  • Update policies for subpoenas, court orders, and law-enforcement requests; ensure legal review before any disclosure involving sensitive categories.
  • Reassess Business Associate Agreement Obligations: security controls, breach reporting, subcontractor flow-downs, and cooperation during investigations.

Staff Training and Policy Updates

  • Educate staff on the Part 2 changes: single TPO consent, redisclosure allowances under HIPAA, and ongoing limits on use in legal proceedings.
  • Clarify current status of the 2024 reproductive health rule: prohibition and attestation requirements are vacated; apply baseline HIPAA and state law, and update the NPP by February 16, 2026.
  • Refresh incident response playbooks to incorporate SUD-specific breach steps and escalation paths.
  • Train workforce and business associates on minimum necessary, identity verification, and documentation standards for all disclosures.

Risk Assessment and Cybersecurity Enhancements

A risk-based, defensible security program remains essential. Even before any Security Rule update is finalized, you can reduce exposure and demonstrate diligence by adopting the NPRM’s direction of travel.

Practical actions to take now

  • Complete an enterprise-wide security risk analysis that inventories assets, maps ePHI flows, and ties findings to prioritized risk treatment plans.
  • Implement or validate encryption for ePHI at rest and in transit; deploy multi-factor authentication across remote access, privileged accounts, and clinical systems.
  • Segment networks to isolate high-value assets; ensure tested offline or logically separate backups and defined restoration time objectives.
  • Establish routine vulnerability scanning and annual penetration testing; track remediation to closure.
  • Exercise incident response and disaster recovery plans; document lessons learned and policy updates.
  • Enhance vendor risk management with stronger Business Associate Agreement Obligations, security questionnaires, attestations, and right-to-audit clauses.

Conclusion

The new HIPAA rules of 2024 brought meaningful changes to SUD privacy and set the stage for stronger cybersecurity, while the reproductive health amendments now have a much narrower effect following litigation. Focus on updating notices and consents by February 16, 2026, maturing breach and vendor oversight, and advancing cybersecurity controls so you are ready, legally and operationally, for what comes next.

FAQs

What are the new restrictions on reproductive health information under HIPAA 2024?

The 2024 Final Rule prohibited using or disclosing PHI to investigate or impose liability for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances, and it introduced an attestation requirement for certain requests. On June 18, 2025, most of that rule was vacated by a federal court, leaving in effect only certain Notice of Privacy Practices updates, which must be implemented by February 16, 2026.

What changed for substance use disorder records under 42 CFR Part 2?

Patients may give a single consent for future uses and disclosures of SUD records for treatment, payment, and health care operations. HIPAA covered entities and business associates that receive records under this consent may redisclose consistent with HIPAA, subject to Part 2’s protections (including limits on use in legal proceedings). Part 2 also now aligns penalties with HIPAA, applies HIPAA breach notification requirements to SUD records, and harmonizes patient notices with the NPP. Compliance is required by February 16, 2026.

What cybersecurity measures are proposed in the HIPAA Security Rule update?

The NPRM proposes mandatory encryption of ePHI at rest and in transit, multi-factor authentication, network segmentation, vulnerability scanning at least every six months, annual penetration testing, more prescriptive risk analysis, asset inventories and network maps, stronger contingency/incident response (including defined restoration timelines), annual compliance audits, and tighter business associate verification. These proposals are not yet final; the current Security Rule remains in force.

How should healthcare providers update their privacy policies to stay compliant?

Update the NPP by February 16, 2026, to reflect surviving reproductive health language and Part 2 changes; adopt the new single TPO consent for SUD records; extend HIPAA Breach Notification Requirements to SUD incidents; tighten procedures for subpoenas and law-enforcement requests; and revise Business Associate Agreement Obligations to ensure partners implement appropriate safeguards, incident reporting, and subcontractor flow-downs. Train your workforce and document all updates and decisions.
