Data Privacy & Security/HIPAA/HITECH

Electronic medical record with patient data and health care information in tablet. Doctor using digital smart device to read report online. Modern technology in hospital.

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

The Health Insurance Portability and Accountability Act (HIPAA) has long been the cornerstone of patient privacy and data protection. Among its most patient-centric provisions is the Right of Access rule, which guarantees individuals timely access to their medical records. This right is not just a regulatory requirement—it’s a fundamental principle of patient empowerment, enabling individuals to make informed decisions about their health.

Healthcare_148231933-300x268.jpg

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

In 2025, eight new U.S. state privacy laws took effect and several states tightened existing regulations, significantly impacting healthcare organizations. Major changes

Doctor writing survey, insurance and claim form for medical paperwork, document and script for patient records, test result and research in a hospital. Physician hands signing and planning healthcare

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

Reproductive health privacy rule vacated.

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated the HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (Privacy Rule). As a result, the additional privacy protections that had been granted to reproductive healthcare information through President Biden’s Executive Order 14076, (“Protecting Access to Reproductive Health Care Services”), are no longer enforceable or required.

HIPAA Regulations

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

Why Now? The Rising Cyber Threats Driving HIPAA Reform 

In December 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) proposed the first significant update to the HIPAA Security Rule since 2013, prompted by a surge in cyberattacks against healthcare organizations that have compromised patient information and disrupted care. 

HC Privacy & Security Top 10 Graphic

The 2025 Top Ten list reflects a regulatory environment in significant transition. Last year’s healthcare privacy and security landscape presented extraordinary challenges for compliance professionals, marked by sweeping regulatory changes on the federal and state level, intensified enforcement activity, and a growing and evolving environment that demanded constant vigilance. The volatile landscape demanded adaptability, careful attention to the regulatory details, and comprehensive compliance programs. The Top Ten list offers a capsulized version of the year’s highlights—and what it all means for healthcare privacy and security professionals moving forward.

The regulatory landscape for substance use disorder (SUD) treatment records is changing—and the impact will extend far beyond traditional addiction treatment programs. With treatment options for SUD limited, some providers are exploring ketamine as a potential therapy due to its effects on glutamatergic neurotransmission.[i] Additionally, psychedelic-assisted therapies involving certain Schedule I substances – such as psilocybin, ibogaine, and MDMA – are currently being studied by researchers as potential treatments for SUDs.[ii] While these investigational therapies are not yet available in clinical practice and the new federal privacy rules do not apply to research records, providers should be aware of the evolving treatment landscape as these therapies move closer to potential approval and clinical use.

Artificial intelligence (AI) continues to dominate headlines—not just for its technological leaps, but also for the policies shaping its future. In a major development, a new Republican-backed tax bill, released by the House Energy and Commerce Committee on May 11, 2025, seeks to preempt states from regulating AI models for the next decade. If passed, this bill would prevent state laws governing AI systems, allowing only limited exceptions for measures that simply facilitate or streamline AI development and deployment. Laws attempting to regulate artificial intelligence models, artificial intelligence systems, or automated decisions systems would be disallowed during the 10 year period.

This proposed federal approach aligns with the current administration’s emphasis on AI innovation over regulation, reflecting a belief that a unified, national policy will spur American competitiveness in this rapidly evolving field.

Healthcare-Data-HIPAA

On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (the Proposed Rule) to strengthen the cybersecurity protections that HIPAA-regulated entities are required to maintain for electronic protected health information (ePHI).

Close up of doctor working on computer in doctor's office. Physician doing paperwork and administration.

Keypoint: With the increased frequency and severity of cyberattacks against healthcare systems, state and federal agencies strive to improve cybersecurity controls with varied success.

In November 2023, New York Governor Kathy Hochul announced proposed regulations that would be the first state regulations for hospitals in New York. The governor described the proposed regulation as a “nation-leading blueprint” that would complement the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule enforced by the U.S. Department of Health and Human Services (HHS).

What Are the Changes?

On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) issued a final rule (the “Final Rule”) along with guidance updating the Health Insurance Portability and Accountability Act (“HIPAA”) regulations at 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”). The Final Rule prohibits the use or disclosure of protected health information (“PHI”) for the purpose of (1) conducting criminal, civil, or administrative investigations into, or (2) imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is legal when provided. The Final Rule also prohibits the use or disclosure of PHI in order to (3) identify any person for any of those purposes (the “Prohibition”).[1]