The 2025 Top Ten list reflects a regulatory environment in significant transition. Last year’s healthcare privacy and security landscape presented extraordinary challenges for compliance professionals, marked by sweeping regulatory changes on the federal and state level, intensified enforcement activity, and a growing and evolving environment that demanded constant vigilance. The volatile landscape demanded adaptability, careful attention to the regulatory details, and comprehensive compliance programs. The Top Ten list offers a capsulized version of the year’s highlights—and what it all means for healthcare privacy and security professionals moving forward.

1. Major HIPAA Security Rule Changes on the Horizon
Authored by Taylor White and Lisa Luetkemeyer

In December 2024, the U.S. Department of Health and Human Services Office for Civil Rights proposed the first major update to the HIPAA Security Rule since 2013, responding to the sharp rise in cyberattacks that have threatened patient information and disrupted healthcare delivery. The proposed revisions introduce significant structural changes, most notably eliminating the distinction between “required” and “addressable” safeguards in favor of mandatory implementation standards. Key provisions include annual compliance audits, comprehensive asset inventory and network mapping requirements, enhanced risk management protocols, and stricter technical controls such as mandatory multi-factor authentication and encryption. The proposed requirements for business associates are also stricter, mandating annual written proof of compliance and breach notifications within 24 hours. The rule is expected to become effective in July or August 2026, with most provisions requiring implementation within 180 days. Healthcare organizations should begin gap assessments immediately to ensure readiness for these comprehensive new requirements.

2. Reproductive Health Privacy Rule Vacated
Authored by Kasey Ciolfi and Wendy Keegan 

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule, eliminating the additional privacy protections that were established through Executive Order 14076. The vacatur means these enhanced protections for reproductive health information are no longer enforceable or required under federal law. However, a complex patchwork of state-level privacy laws, directives, and guidance remains in effect, with significant variation across jurisdictions. Some state requirements conflict with federal approaches, creating compliance challenges for multi-state healthcare organizations. Legal professionals anticipate that additional states will enact their own reproductive health privacy legislation to address the gaps created by the federal rule’s vacatur, further complicating the compliance landscape for covered entities operating across state lines. 

3. 2025 State Privacy Changes–What Healthcare Leaders Need to Know
Authored by Colleen Pert and Kela Feldman

In 2025, multiple states either issued new privacy laws or tightened their existing regulations: strengthening opt-out rights, creating compliance incentives, offering new protections for minors, expanding coverage to new entities, and increasing enforcement, particularly around consumer-facing technologies and data disclosures. In view of these changes, healthcare leaders will have to reassess their compliance strategies, update consent workflows, and audit technical platforms to stay aligned with evolving requirements and enforcement trends. 

4. Enforcement Ramps Up on Patient Right of Access
Authored by Kelsey Toledo and Wendy Keegan 

The U.S. Department of Health and Human Services Office for Civil Rights has significantly intensified enforcement of the Right of Access rule, with the latest wave of actions in 2025 underscoring the agency’s commitment to protecting patient rights. In March 2025, OCR announced its 53rd Right of Access enforcement action, imposing a $200,000 civil monetary penalty against an academic medical center for failing to provide timely access to a patient’s personal representative. Under HIPAA’s Privacy Rule, covered entities must provide individuals access to their protected health information within 30 days of receiving a request, with a single 30-day extension permitted only when the entity provides a written explanation for the delay. The consistent enforcement pattern demonstrates that OCR views timely patient access as a fundamental right requiring strict compliance. Healthcare organizations should review their access request processes, ensure adequate staff training, and implement tracking systems to monitor compliance with regulatory deadlines. 

5. Shaping the Future: Navigating State-Level AI Legislation in Healthcare
Authored by Ashton Harris and Noreen Vergara

While artificial intelligence offers significant benefits for healthcare delivery, it also presents substantial risks including potential HIPAA and FTC Act violations, malpractice liability, and data breach vulnerabilities. State legislatures have actively pursued AI regulation in response to these concerns, with the White House issuing an executive order on December 11, 2025, titled “Ensuring a National Policy Framework for Artificial Intelligence,” to establish a unified federal strategy. However, the healthcare industry currently faces a fragmented regulatory landscape, with comprehensive AI laws enacted by states like Colorado, Texas, and Utah, while other jurisdictions have passed narrower legislation addressing AI in specific healthcare contexts. Emerging AI legislation consistently prioritizes three key themes: avoiding algorithmic discrimination, preserving clinical decision-making authority with healthcare professionals, and ensuring transparency through disclosure requirements when AI is used in patient care. Healthcare organizations must monitor regulatory developments across all jurisdictions where they operate and implement governance frameworks that address this evolving compliance landscape. 

6. Supply Chain Attacks Expose Vendors and Patient Data
Authored by Kristina Abdalla and Noreen Vergara 

The healthcare sector continues to experience an unprecedented wave of cyberattacks, with a notable shift in 2024 and 2025 toward targeting third-party vendors and business associates entrusted with sensitive protected health information. This trend has led to a surge in data breaches affecting tens of millions of Americans and has prompted heightened regulatory scrutiny of vendor relationship management. While 2024 saw a record 184 million individuals affected by healthcare data breaches, preliminary data from the first half of 2025 indicates over 31 million individuals were affected. Regulators have intensified their focus on provider oversight of business associates, with proposed HIPAA Security Rule updates requiring healthcare organizations to implement multi-factor authentication, data encryption, and proactive security testing across their vendor ecosystem. The regulatory message is unequivocal: healthcare organizations cannot outsource accountability for safeguarding patient data. Organizations must conduct thorough vendor risk assessments, implement robust contractual protections, and maintain ongoing monitoring of business associate security practices.

7. HHS Crackdown on Information Blocking
Authored by Taylor Crossley and Noreen Vergara 

2025 marks a significant turning point in federal enforcement against information blocking in healthcare, with HHS dedicating substantial resources and issuing clear warnings that enforcement is now a top priority. Information blocking refers to practices that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information, unless required by law or justified under a regulatory exception. The September 2025 enforcement alert from HHS-OIG and ASTP/ONC made clear that enforcement is now active, coordinated, and well-resourced, with civil monetary penalties reaching up to $1 million per violation for certain actors. HHS has encouraged patients, providers, and innovators to report suspected information blocking, creating multiple channels for identifying potential violations. The substantial penalty structure is a powerful incentive for organizations to prioritize compliance with information sharing requirements. Healthcare organizations should review their health information exchange practices, ensure proper documentation of any limitations on data sharing, and verify that any restrictions fall within recognized regulatory exceptions. 

8. New DOJ Regulations on Bulk Sensitive Personal Data Transfers
Authored by Neha Khan and Kela Feldman 

Executive Order 14117, implemented through Department of Justice regulations that took effect on April 8, 2025, created sweeping new restrictions on transferring Americans’ health data to certain foreign countries and entities. These regulations add a significant compliance layer beyond HIPAA for healthcare organizations that collaborate with international partners, use offshore vendors, or utilize artificial intelligence systems with international components. Data is considered “bulk” if it exceeds specific volume thresholds within a 12-month period: more than 10,000 U.S. persons for personal health data, more than 100 U.S. persons for human genomic data, and more than 1,000 U.S. persons for biometric identifiers. The regulations identify six “countries of concern”: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. Healthcare organizations must map their data flows, identify potential transfers to these jurisdictions, and implement controls to ensure compliance with the new restrictions, which operate independently of existing HIPAA requirements.

9. What HHS’s Major Restructuring Means for Healthcare Privacy
Authored by Bhargavi Kalaga and Lisa Luetkemeyer 

On March 27, 2025, the U.S. Department of Health and Human Services announced a comprehensive reorganization under the Department of Government Efficiency Workforce Optimization Initiative. The reorganization consolidates 28 divisions into 15, reduces regional offices from 10 to 5, and introduces a new entity called the Administration for a Healthy America. HHS anticipates reducing its workforce from approximately 82,000 to 62,000 full-time employees, generating an estimated $1.8 billion in annual savings. The restructuring may result in slower response times to Office for Civil Rights inquiries and breach investigations, longer appeals cycles, and reduced day-to-day oversight capacity. A significant development for privacy and security practitioners is the creation of a new Assistant Secretary for Enforcement, who will oversee all enforcement and appeals functions across HHS, including OCR. This centralization may lead to increased coordination of civil monetary penalties and more uniform enforcement approaches, while potentially enabling more strategic and targeted enforcement priorities.

10. FTC Settles with Data Brokers Over Unlawful Sale of Sensitive Location Data
Authored by Elizabeth Ignowski and Noreen Vergara 

In December 2024, the FTC announced separate settlements against Mobilewalla, Inc. and Gravy Analytics, Inc., asserting that the companies unlawfully tracked and sold sensitive location data from users without consent, including data related to visits to health centers. Mobilewalla was alleged to have used sensitive location data to develop audience segments including pregnant women by tracking data from pregnancy centers. Gravy Analytics was accused of geofencing around events related to medical conditions and selling that data. Under the settlement terms, both companies are prohibited from selling, disclosing, or using sensitive location data obtained from visits to health clinics, with restrictions also extending to data collected from religious institutions, labor union offices, and other protected locations. These settlements address the sale of health-related geolocation data that falls outside HIPAA’s jurisdiction, recognizing that consumer behaviors, when aggregated and analyzed, can reveal sensitive information about health status. The enforcement actions serve as a reminder that privacy obligations extend beyond traditional protected health information to encompass broader categories of health-related consumer data. 

Contact us 

For further details or additional information, please contact Noreen Vergara or another member of the Husch Blackwell Healthcare Privacy and Security Work Group.

Attorneys Pete Enko and Josi Wergin contributed to the editorial efforts for the series “The Top 2025 Privacy and Security Issues Still Shaping Healthcare.”