New HIPAA Rules Explained: Latest Updates, Key Changes, and Compliance Deadlines


Kevin Henry

HIPAA

June 28, 2025

7 minutes read

HIPAA Security Rule Updates

Where things stand now

The HIPAA Security Rule remains in force, and OCR has proposed the first major update since 2013 to strengthen protections for electronic protected health information (ePHI). While not yet final, the proposal signals more prescriptive requirements and tighter expectations for how you safeguard ePHI across your ecosystem and with business associates.

What OCR has proposed

  • Make all implementation specifications effectively mandatory (with limited, clearly defined exceptions), reducing ambiguity about what “addressable” means in practice.
  • Require multi-factor authentication for system and remote access to ePHI, with narrow exceptions and documented compensating controls when MFA cannot be implemented.
  • Mandate encryption of ePHI in transit and at rest, again allowing only limited exceptions with written risk-based justifications.
  • Strengthen access governance (for example, prompt termination of user access on role change or separation) and continuous monitoring of high-risk activities.
  • Require written, tested security policies and contingency plans, including defined recovery time objectives (e.g., restoring critical systems and data within a short, specified window after an incident).
  • Emphasize ongoing risk analysis and risk management, supported by documented reviews, audits, and corrective actions.

How to prepare now

  • Complete a current, enterprise-wide risk analysis, prioritize remediation, and schedule annual compliance audits to verify control effectiveness.
  • Implement MFA everywhere feasible (clinical apps, VPN, email, privileged access, patient portals) and close any encryption gaps for ePHI at rest and in transit.
  • Harden identity and access management: least privilege, rapid deprovisioning, and periodic access recertifications.
  • Test your incident response and disaster recovery plans; verify breach notification workflows and evidence capture.
  • Update business associate agreements to reflect security expectations, monitoring, and rapid incident cooperation.
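The identity-and-access items above (least privilege, rapid deprovisioning, periodic recertification) are the ones most easily turned into a repeatable check. The script below is an added example, not code from the article or from Accountable: it reconciles a constructed HR roster against a constructed list of system accounts and flags enabled accounts for separated workers, accounts whose entitlements were granted for a role the worker no longer holds, accounts with no roster entry at all, and accounts that have not been recertified within the review period. The deprovisioning SLA (1 day) and recertification period (90 days) are assumed values, not figures from the proposed rule.

```python
"""Access-governance reconciliation: HR roster vs. system accounts.

Added example for illustration; every worker, account and threshold below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Worker:
    user_id: str
    current_role: str
    separated_on: Optional[date] = None  # None while still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    enabled: bool
    granted_for_role: str  # role the entitlements were provisioned for
    last_recertified: Optional[date] = None  # None if never recertified


@dataclass(frozen=True)
class Finding:
    system: str
    user_id: str
    issue: str
    detail: str


# Constructed sample roster: one active nurse, one separated billing clerk,
# one pharmacist moved to an administrative role, one active physician.
SAMPLE_WORKERS: List[Worker] = [
    Worker("u001", "nurse"),
    Worker("u002", "billing", separated_on=date(2025, 6, 20)),
    Worker("u003", "admin_assistant"),
    Worker("u004", "physician"),
]

# Constructed sample accounts across three systems.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("u001", "EHR", True, "nurse", date(2025, 5, 1)),
    Account("u002", "EHR", True, "billing", date(2025, 4, 1)),       # separated, still enabled
    Account("u002", "VPN", False, "billing", date(2025, 1, 10)),     # already disabled
    Account("u003", "Pharmacy", True, "pharmacist", date(2025, 3, 1)),  # role changed
    Account("u004", "VPN", True, "physician", None),                 # never recertified
    Account("u999", "EHR", True, "contractor", date(2025, 6, 1)),    # no roster entry
]

REVIEW_DATE = date(2025, 6, 28)  # constructed review date


def review_access(workers: List[Worker], accounts: List[Account], today: date,
                  deprovision_sla_days: int = 1, recert_period_days: int = 90) -> List[Finding]:
    """Return every access-governance finding for the enabled accounts."""
    roster: Dict[str, Worker] = {w.user_id: w for w in workers}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account grants no live access, so nothing to flag
        worker = roster.get(acct.user_id)
        if worker is None:
            findings.append(Finding(acct.system, acct.user_id, "ORPHAN",
                                    "enabled account with no roster entry"))
            continue
        if worker.separated_on is not None:
            days_since = (today - worker.separated_on).days
            if days_since > deprovision_sla_days:
                findings.append(Finding(acct.system, acct.user_id, "DEPROVISION_OVERDUE",
                                        f"separated {days_since} days ago, account still enabled"))
        if acct.granted_for_role != worker.current_role:
            findings.append(Finding(acct.system, acct.user_id, "ROLE_MISMATCH",
                                    f"entitlements granted for {acct.granted_for_role}, "
                                    f"worker now {worker.current_role}"))
        if acct.last_recertified is None:
            findings.append(Finding(acct.system, acct.user_id, "RECERT_OVERDUE",
                                    "access never recertified"))
        elif (today - acct.last_recertified).days > recert_period_days:
            age = (today - acct.last_recertified).days
            findings.append(Finding(acct.system, acct.user_id, "RECERT_OVERDUE",
                                    f"last recertified {age} days ago"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by issue type, useful as audit evidence of the review."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(SAMPLE_WORKERS, SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{f.system:9} {f.user_id:5} {f.issue:20} {f.detail}")
    print(summarize(review_access(SAMPLE_WORKERS, SAMPLE_ACCOUNTS, REVIEW_DATE)))
```

Run on a schedule against real exports, the finding list doubles as the documented evidence the proposal asks for: each row records which account, which rule, and why it failed, and the summary gives the counts an auditor would expect in a periodic access review.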

Reproductive Health Privacy Rule

Current status and what still applies

Most provisions of the 2024 HIPAA Privacy Rule to support reproductive health care privacy were vacated by a federal court in June 2025. However, remaining Notice of Privacy Practices (NPP) updates survived and must still be implemented. You should revise NPPs and internal policies to reflect the surviving changes and train staff on how to handle requests involving potentially sensitive reproductive health information in light of existing HIPAA permissions and prohibitions.

Operational implications

  • Update and redistribute NPPs across intake packets, portals, and care settings; ensure your posted, printable, and electronic versions match.
  • Reinforce standard verification, minimum necessary, and disclosure decisioning for law enforcement, litigation, or oversight requests.
  • Keep a clear record of how you determine whether a request is permissible and how you applied HIPAA’s existing rules.

Substance Use Disorder Records

42 CFR Part 2 now aligned more closely with HIPAA

The 42 CFR Part 2 final rule modernizes protections for SUD records while easing care coordination. With a single patient consent, Part 2 programs, HIPAA covered entities, and business associates may use and disclose SUD records for treatment, payment, and health care operations; recipients may re-disclose in accordance with HIPAA. SUD counseling notes receive heightened protection and still require separate consent.


Key changes you must operationalize

  • Penalties and enforcement align with HIPAA; breaches of Part 2 records now follow the HIPAA breach notification framework.
  • Patient rights expand (for example, accounting of disclosures and certain restriction requests), with timing to align as HIPAA updates roll out.
  • Segregating or segmenting Part 2 data in your systems is not required, but you must be able to honor consent terms and prevent impermissible uses or disclosures.
  • Revise consent forms, patient notices, workflows, and training so frontline staff can process Part 2 authorizations and restrictions correctly.

Patient Access Rights

What remains unchanged—and strictly enforced

Under HIPAA’s Right of Access, you must provide individuals (or their personal representatives) access to PHI in the designated record set within 30 days, with one permissible 30-day extension when documented. Fees must be reasonable and cost-based, and you should provide records in the requested form and format if readily producible, including electronic copies of ePHI.

Interplay with interoperability and information blocking

Information blocking rules set expectations to avoid unnecessary delays in releasing electronic health information. Align your HIPAA access workflows with your portal release policies so patients can get records quickly while you still apply HIPAA’s permitted denials and safeguards (for example, preventing harm or honoring privacy constraints like 42 CFR Part 2 consents).

Information Blocking Compliance

What providers must know now

Information blocking applies to providers, certified health IT developers, and HIEs/HINs. For providers, enforcement occurs through program “disincentives,” which are now in effect. If OIG determines you committed information blocking, you can lose Medicare Promoting Interoperability credit, receive a zero score in the MIPS Promoting Interoperability category for the performance year in which the conduct occurred, and face exclusion from the Medicare Shared Savings Program for at least one year.

Use the information blocking exceptions correctly

Document when an exception applies and why. The recognized information blocking exceptions include: preventing harm; privacy; security; infeasibility; content and manner; health IT performance; licensing; and fees. Build clear SOPs that map these exceptions to your HIPAA processes (for example, applying the privacy exception when a valid 42 CFR Part 2 consent is absent).

Practical steps

  • Adopt a single, enterprise policy that harmonizes HIPAA Right of Access, 42 CFR Part 2, and information blocking exceptions.
  • Train clinicians and HIM teams on when exceptions apply and how to document them.
  • Measure turnaround times and automate routine releases while routing complex requests to privacy/security for rapid review.

Compliance Deadlines

  • February 16, 2026 — 42 CFR Part 2 final rule compliance date. All applicable Part 2 modifications (including alignment with HIPAA breach notification and penalties) are enforceable.
  • February 16, 2026 — Remaining HIPAA NPP modifications from the reproductive health privacy rule are due. Update, publish, and distribute your revised Notices of Privacy Practices (NPPs).
  • August 1, 2024 — Information blocking provider disincentives took effect. Ongoing compliance is required; determinations can affect your Medicare program participation and MIPS scoring.
  • Security Rule modernization — Final rule pending. Expect a 60-day effective date followed by a 180-day compliance period for most provisions once published; begin readiness work now (MFA, encryption, documentation, testing, and annual compliance audits).

Conclusion

The “new HIPAA rules” landscape centers on three action fronts: prepare for a more prescriptive Security Rule, implement the modernized 42 CFR Part 2 framework, and sustain fast, well-documented patient access while applying information blocking exceptions correctly. Updating NPPs, tightening identity and encryption controls, and running annual compliance audits will keep you on track for current obligations and upcoming deadlines.

FAQs

What are the key changes in the new HIPAA Security Rule?

OCR has proposed—though not yet finalized—more prescriptive safeguards: making implementation specifications effectively mandatory, requiring multi-factor authentication and encryption for ePHI (with narrow exceptions), tightening access governance, and requiring written, tested security and contingency plans. The final rule is pending; plan for a short runway (typically 180 days) once it’s issued.

How do the updated rules affect substance use disorder records?

The 42 CFR Part 2 final rule aligns key elements with HIPAA. With a single consent, SUD records can be used and disclosed for treatment, payment, and health care operations, and recipients may re-disclose consistent with HIPAA. Part 2 breaches now follow HIPAA’s breach notification framework, penalties align with HIPAA, SUD counseling notes need separate consent, and segmenting Part 2 data is not required.

What are the new patient access rights under HIPAA?

Your core obligations remain: provide access to the designated record set within 30 days (with one 30-day extension when documented), charge only reasonable, cost-based fees, and deliver records in the requested form and format when readily producible. Information blocking rules raise expectations for timely electronic release, so align portal and HIM workflows to minimize delays while honoring HIPAA and 42 CFR Part 2 limits.

When are the compliance deadlines for the HIPAA updates?

Two dates now drive planning: February 16, 2026 for full compliance with the 42 CFR Part 2 final rule and for the remaining HIPAA NPP updates; and August 1, 2024 for the start of provider disincentives under information blocking (ongoing). The HIPAA Security Rule update is pending; expect a 60-day effective date and a 180-day compliance period after the final rule publishes, so complete readiness work now.
