HIPAA Compliance · 4 min read

The 2025 HIPAA Security Rule Update: What Clinics Need to Know

The biggest HIPAA overhaul in a decade is coming. Here is what the proposed changes mean for small and mid-size clinics - and what to do now before enforcement begins.

By Prerak Trivedi

In January 2025, HHS published a Notice of Proposed Rulemaking (NPRM) in the Federal Register to modernize the HIPAA Security Rule - the first major revision since the 2013 Omnibus Rule. The proposed changes are sweeping, and they affect every organization handling electronic protected health information (ePHI), from hospital systems down to solo dental practices.

If you run a clinic, this matters. The days of treating certain safeguards as optional are over.

What Is Actually Changing

The single most important shift: the "addressable" vs. "required" distinction is gone. Under the old rule, an "addressable" specification such as encryption could be skipped if the clinic documented why it was not reasonable and appropriate and (where applicable) put an equivalent alternative in place. Under the proposal, every implementation specification is required, with only narrow, explicitly listed exceptions.

Here are the five core changes, side by side:

Encryption
  Old rule (2013): addressable - could be skipped with a documented justification
  New rule (2025 NPRM): required for all ePHI at rest and in transit, with only limited, listed exceptions

MFA
  Old rule (2013): not required - no mandate existed
  New rule (2025 NPRM): required at every point where ePHI is accessed, with only limited, listed exceptions

Risk assessment
  Old rule (2013): frequency not specified
  New rule (2025 NPRM): reviewed at least every 12 months, with documented scope, threat identification, and a remediation plan

Recovery and notification
  Old rule (2013): no restoration deadline; breach notification within 60 days of discovery (Breach Notification Rule)
  New rule (2025 NPRM): written procedures to restore critical systems and ePHI within 72 hours; business associates must notify the covered entity within 24 hours of activating their contingency plan. The 60-day breach notification window comes from the Breach Notification Rule and is not changed by this NPRM.

BA verification
  Old rule (2013): a signed BAA on file - file and forget
  New rule (2025 NPRM): written verification from every business associate at least every 12 months that the required technical safeguards are in place

Context: HHS OCR's breach portal logged 725+ large breaches in 2023 alone. Under the proposal every safeguard is mandatory - no more addressable loopholes.

Timeline Is Tighter Than You Think

The final rule is expected late 2025 or early 2026. The NPRM proposes a compliance date 180 days after the rule's effective date (which is itself 60 days after publication), so clinics would have roughly eight months from publication. No staggered timeline has been proposed - small clinics face the same deadline as large health systems. Organizations that wait for the final rule before acting will be scrambling.

Here is how that 180-day window breaks down in practice:

Days 1-30: gap analysis and ePHI inventory
Days 31-90: encryption and MFA rolled out across all systems
Days 91-150: 72-hour recovery plan written, tested, and staff trained on it
Days 151-180: vendor audit, final internal audit, and compliance sign-off
Day 180: deadline - no extensions, same deadline for all clinic sizes

What to Do Right Now

You do not need to wait for the final rule to start preparing. Every action below is good practice regardless of when enforcement begins.

Inventory your ePHI touchpoints. Every device, app, and service that stores or transmits patient data - workstations, EHR, email, cloud storage, intake tablets, third-party tools.

Enable encryption everywhere. Confirm ePHI is encrypted at rest and in transit across every system, including backups and mobile devices. Ask vendors for written evidence (a security whitepaper, SOC 2 or HITRUST report) rather than a verbal assurance. If your EHR vendor does not encrypt data at rest, start that conversation today.

Turn on MFA. Most EHR platforms and email providers already support it. Prefer app-based or phishing-resistant factors (FIDO2 security keys or passkeys) over SMS codes, which NIST SP 800-63B treats as a restricted authenticator. For systems that do not support MFA at all, begin evaluating replacements.

Build a contingency plan that restores critical systems and ePHI within 72 hours. The proposed rule requires written procedures to restore relevant systems and data within 72 hours of an outage, which in practice means tested, encrypted backups, a prioritized restoration order, and a documented escalation path. Separately, the Breach Notification Rule's 60-day clock starts when any workforce member becomes aware of a breach (or would have by exercising reasonable diligence), not when leadership is notified. Document the escalation path and train everyone on it.

Audit your vendors. Confirm a signed BAA exists with every Business Associate. Prepare a process to collect annual written compliance certifications.

For clinics evaluating AI tools: Any vendor processing ePHI must meet every requirement above - encryption, MFA support, audit logs, a BAA with annual written verification, and prompt incident notification (the proposed rule would require a business associate to notify you within 24 hours of activating its contingency plan). If a vendor cannot clearly demonstrate these capabilities, that is a disqualifying red flag regardless of the product. Learn more about how JustReva approaches this on our Security page.

Your HIPAA Readiness Checklist

Use this checklist to gauge where your clinic stands today. Each item maps directly to the new proposed requirements.

HIPAA Readiness Checklist
ePHI encrypted at rest and in transit across all systems
Check EHR, email, cloud storage, backups, and mobile devices
MFA enabled on every system that accesses ePHI
EHR login, email, cloud drives, remote access portals
Annual risk assessment scheduled with documented methodology
Must include scope, threat identification, and remediation plan
Contingency plan written and rehearsed that restores critical systems and ePHI within 72 hours
Every staff member should know the escalation path by memory
Signed BAA on file with every Business Associate
Includes EHR, billing, AI tools, cloud hosting, IT support
Annual vendor compliance verification process established
Collect written certifications from every BA, every year

If you have more red X items than green checkmarks, now is the time to act. The 180-day clock will not wait for you to catch up.

Key Takeaways

  • The "addressable" loophole is eliminated - encryption and MFA are now mandatory, full stop.
  • Recovery gets a hard deadline: critical systems and ePHI must be restorable within 72 hours, and business associates must report contingency-plan activation within 24 hours. The Breach Notification Rule's 60-day window is unchanged, but its discovery clock starts with any workforce member, so every staff member needs to understand the response plan.
  • Clinics must actively verify vendor compliance annually, not just file a BAA and forget it.
  • The 180-day compliance window (measured from the rule's effective date) applies equally to small practices and large systems - there is no grace period for size.
  • None of these requirements is exotic. The challenge is prioritization and follow-through, not technical complexity. Start now.
  • For a deeper look at how JustReva handles security and compliance, visit our Security page.

Sources: HHS OCR Breach Portal | Verizon 2024 DBIR | NIST CSF 2.0 | Federal Register NPRM
