Mid-Year Check-Up: Are You Up-to-Date on Healthcare Compliance?

June 26, 2025

Healthcare compliance is an ever-evolving landscape, with new initiatives and updates announced to better protect patients and staff. As the year progresses to its midpoint, it’s crucial to seize this opportunity to stay informed on the latest developments in the field. 

HIPAA and OSHA both have new significant updates that will directly impact practices. 

New HIPAA Security Rule Legislation

In December 2024, the Office for Civil Rights (OCR) released proposed updates to the HIPAA Security Rule. 

One of the pillars of the Health Information Portability and Accountability Act, the Security Rule focuses on the safeguards that must be deployed to keep Protected Health Information (PHI) secure. 

In response to the rise of large breach ransomware attacks, which have nearly tripled in the last several years, the OCR is increasing cybersecurity requirements when handling patient PHI. 

For instance, new requirements under the proposed rule include an asset log, network segmentation, and multi-factor authentication, all heightened precautions for protecting patient data.

Under this new legislation, the vendors your practice works with will also face increased scrutiny. For example, under the proposed rule, Business Associates (BAs) must have their compliance practices verified by a cybersecurity expert annually. BAs must also alert Covered Entities within 24 hours of a breach and provide a contingency plan.

These soon-to-be added responsibilities demonstrate the vital role BAs play in protecting patients.

The comment period for these updates wrapped up in March, and the OCR is reviewing all 4,000 comments before a final rule is announced. 

Workplace Violence Prevention Legislation 

With healthcare workers five times as likely to experience workplace violence, federal legislation is likely to follow.

While Workplace Violence Prevention currently falls under the General Duty Clause of OSHA, or the basic requirement of providing a safe workplace for employees, state-level legislation focused on this continues to go into effect.

State legislation on this varies widely. Nearly every state has heightened charges for attacking a healthcare worker, classifying it as a felony rather than a misdemeanor, and many now also require specialized training and reporting specifically addressing violence in healthcare workplaces.

For example, California, Texas, and Virginia all have comprehensive healthcare workplace violence plans. California even requires near misses and threats to be logged for the state. 

While federal legislation has not been released yet, a Notice of Proposed Rulemaking (NPRM) will likely be announced this year.

HIPAA Audit Program & Risk Analysis Initiative

The OCR has reintroduced the HIPAA Audit Program, randomly selecting HIPAA-regulated entities and reviewing their current HIPAA programs. The last time this program was in effect was in 2017. 

The last round of audits found that 86% of Covered Entities could not produce a compliant Security Risk Analysis (SRA) when prompted by the OCR. The SRA is a thorough assessment of the safeguards and routines currently in place to secure PHI. 

Practices frequently overlook the Security Risk Analysis (SRA), yet it’s a primary defense, proactively addressing concerns. In fact, the OCR’s October 2024 Risk Analysis Initiative specifically targets practices that fail to complete an SRA, and this initiative has already resulted in nearly a million dollars in fines.

Right of Access Fines

Improper release of patient records continues to be a common pitfall for practices. Records must be provided to patients within 30 days of a request. With over 50 enforcement actions under the Right of Access Initiative, practices have paid millions of dollars in fines.

This easily preventable fine highlights the significant impact of patient complaints (the leading cause for investigations) and the OCR’s diligence in addressing Right of Access violations.

Getting Prepared for the Rest of the Year

While it feels like new initiatives are frequently being announced by the OCR, it is your practice’s responsibility to implement new updates. With the right HIPAA compliance program, smart software can ensure your practice will always be prepared, with new legislation instantly updating in the software. 

To learn more about what’s next in HIPAA, watch our latest webinar regarding current events in HIPAA here.