HIPAA enforcement has intensified significantly over the past two years, with OCR (the Office for Civil Rights) issuing larger penalties and expanding the scope of investigations triggered by breach notifications. If your organization handles protected health information (PHI), here's what you need to know heading into 2025.
Key Changes to Watch
The most significant recent development is the proposed HIPAA Security Rule update โ the first substantial revision since 2005. The proposed changes would require more specific technical safeguards, including mandatory MFA, network segmentation requirements, and encryption standards that reflect current technology.
What's Still Catching Organizations Off Guard
- Business Associate Agreements (BAAs): Many organizations still have outdated or missing BAAs with vendors who access PHI. Any software vendor, IT company, or cloud service provider that touches PHI needs a current BAA.
- Risk Analysis: OCR's #1 finding in investigations is an inadequate or missing Security Risk Analysis. This needs to be a documented, formal process โ not a checkbox.
- Access Controls: Shared logins, over-privileged accounts, and lack of termination procedures remain persistent problems.
- Encryption: Laptops and mobile devices with PHI that aren't encrypted remain a major liability.
What To Do Right Now
Schedule a formal Security Risk Analysis if you haven't done one in the past 12 months. Review your BAA list and ensure every vendor with PHI access is covered. Enable MFA across your EHR and email systems. Document your policies and train staff annually.
Sentiva offers HIPAA compliance assessments for healthcare organizations. Contact us to get started.