HIPAA and Compliance Changes in 2025–2026: What Clinicians Need to Know Now

The next two years bring some of the most significant privacy and security updates since the original HIPAA Security Rule. Behavioral-health clinicians should be preparing now to update their Notices of Privacy Practices (NPPs) by February 16, 2026, review the changes to 42 CFR Part 2, and ready their practices for a major overhaul of the Security Rule that is likely to be finalized in 2026. Begin with a risk analysis, an asset inventory, MFA and encryption, vendor reviews, and updated incident-response procedures.

The Most Turbulent Shift in Health Privacy Since 2013

If HIPAA updates usually move slowly, 2025–2026 is the exception. In just 24 months, clinicians will experience changes to federal privacy law that touch nearly every corner of practice: documentation, consent, telehealth, cybersecurity, business-associate oversight, and even the language in your Notice of Privacy Practices.

For behavioral-health practices, especially those working with trauma, substance use, anxiety, and complex clients in outpatient settings, these changes are not theoretical. They directly affect what you must tell your clients, how your systems must function, and what regulators expect you to monitor and document.

Many practices will wait until these rules become urgent. Forward-thinking clinicians can choose to prepare now, smoothing out operational risk and ensuring patient trust while avoiding the frantic regulatory catch-up that often happens in the final months before a compliance deadline.

Here’s what actually changed in 2025, what is on the horizon for 2026, and what your practice needs to begin doing today.

The 42 CFR Part 2 Overhaul: A Quiet but Enormous Shift

The most significant change already locked into law is the long-awaited modernization of 42 CFR Part 2, the federal regulation governing substance use disorder (SUD) records. Historically, Part 2 was more restrictive than HIPAA, requiring separate consent for nearly every disclosure and forcing many practices to silo SUD information in complicated ways.

The final rule published in February 2024, which aligns Part 2 more closely with HIPAA and carries a compliance date of February 16, 2026, is a game-changer for multidisciplinary mental-health practices. Under the new rule:

• A single patient consent can authorize disclosure of SUD information for treatment, payment, and healthcare operations.

• Redisclosure restrictions are simplified.

• Part 2 records now fall under HIPAA’s breach-notification framework.

• Practices must update their Notice of Privacy Practices to reflect expanded patient rights and explanations of SUD-related protections.

The practical takeaway: an NPP written in 2022 or 2023 will no longer be compliant once the February 2026 compliance date arrives. Part 2 applies to federally assisted programs that hold themselves out as providing SUD diagnosis, treatment, or referral, so even if substance use treatment is not your specialty, check whether your practice meets that definition or receives Part 2 records from a program that does; if so, these changes apply to you.

The deadline is firm.

Your updated NPP must be in place by February 16, 2026.

Most clinicians will wait. This is the moment to get ahead.

The Reproductive-Health PHI Rule: Big Ruling, Ongoing Uncertainty

Another major privacy rule landed in 2024, creating new protections for PHI related to seeking or providing lawful reproductive healthcare. The rule restricted disclosures for civil or criminal investigations and required specific attestations before releasing PHI.

But in June 2025, a federal district court in Texas vacated most of this regulation, including its reproductive-health-specific Notice of Privacy Practices language, while leaving in place the NPP changes that concern substance use disorder records. This has created a confusing landscape: some of the rule's requirements still matter; others are no longer enforceable.

What clinicians need to know:

If your practice revised its policies or NPP in 2024–2025 to adopt the reproductive-health PHI language, those revisions should be reviewed and may need to be reverted. More litigation is probable, and states may introduce their own privacy rules.

This is a “stay tuned” situation – but an important one.

HIPAA Security Rule 2.0: A Transformation Is Coming

The biggest shift for 2026 doesn't arrive as a surprise. For years, cybersecurity threats have outpaced the original HIPAA Security Rule, which dates from 2003, when cloud-hosted EHRs did not yet exist.

In January 2025, HHS published a proposed overhaul of the Security Rule, and it is easily the most sweeping modernization since the rule's introduction. Analysts expect the final rule to be published around mid-2026 with a relatively short compliance window.

If the rule becomes final as written, outpatient practices will face requirements that are mandatory across the board; the current rule's distinction between "required" and "addressable" specifications (which practices often misread as optional) would be eliminated. These include:

• Mandatory multi-factor authentication on all systems accessing ePHI

• Mandatory encryption of ePHI both in transit and at rest

• A fully documented technology asset inventory

• A network or data-flow map showing where PHI travels

• Annual security audits

• Enhanced business-associate oversight

• Expanded incident-response and recovery requirements, including restoring critical systems and data within 72 hours of a loss

For small behavioral-health practices, this will require more documentation, more intentional technology oversight, and stronger collaboration with vendors.

It is not an overstatement to say this rule will change how nearly every clinician manages their practice.

So What Should Clinicians Do Now?

The mistake would be assuming you can wait until 2026 to make changes. HIPAA compliance is slow to build, and documentation can’t be retroactively created.

Here’s what forward-thinking practices are already doing in 2025:

1. Updating (or beginning to update) their Notice of Privacy Practices

This is the one requirement that already has a hard deadline. If you have not revised your NPP in the last year, you are almost certainly out of date.

2. Conducting a fresh HIPAA risk analysis

If you’re a small practice, you may not have done one in years. A risk analysis is already required under the current Security Rule, and the proposed rule spells out what it must contain, so skipping it will not be acceptable. A risk analysis is the anchor point for every other compliance requirement.

3. Building a complete asset inventory

This is simply a list of every device, system, app, service, and vendor that touches PHI. If you use a cloud EHR, telehealth platform, email, scheduling software, or backup system, this list is already longer than you think.

4. Enforcing MFA and encryption

If any of your systems lack MFA, now is the time to transition or upgrade. Encryption of ePHI is an "addressable" specification under the current rule and already an industry standard; under the proposed rule it becomes a requirement, at rest and in transit, with only narrow exceptions.

5. Reviewing BAAs and vendor security

Under the proposed rule, you will be required to obtain written verification from each business associate, at least every 12 months, that it has deployed the technical safeguards the rule demands. Start building that process now.

6. Strengthening incident-response planning

Few small practices have a formalized plan. By 2026, you will need one that is written, documented, trainable, and reviewable.

7. Updating internal policies

Your privacy and security policies should reflect reality, not your ideal workflow. If you haven’t revised them in years, this is the time.

8. Documenting everything

In the new regulatory environment, documentation is not paperwork — it is protection.
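One way to make steps 3 through 6 repeatable rather than a one-time spreadsheet exercise is to keep the asset inventory and the PHI data-flow map as structured records and run a gap check over them before every review. The script below is an added example written for this page; it is not code from the article, from HHS, or from any vendor. The record fields, the sample practice inventory, and the flow map are all constructed and hypothetical, and the 12-month vendor-verification interval simply mirrors the cadence in the proposed rule.

```python
"""Gap check over a small practice's technology asset inventory and PHI flow map.

Added example, not from the original article. Field names and the
sample data are hypothetical; adapt them to your own inventory.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Proposed rule: written verification of each business associate's
# safeguards at least every 12 months (assumption: we treat 365 days as the limit).
VENDOR_REVIEW_MAX_DAYS = 365


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                           # e.g. "cloud EHR", "endpoint", "email"
    vendor: Optional[str]               # None for practice-owned hardware
    handles_phi: bool
    mfa_enforced: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    baa_signed: bool                    # only meaningful when vendor is set
    last_vendor_review: Optional[date]  # date of last written security verification


@dataclass(frozen=True)
class Flow:
    """One edge of the data-flow map: PHI moves from source to dest."""
    source: str
    dest: str
    description: str


def find_gaps(assets: List[Asset], flows: List[Flow], today: date) -> List[Tuple[str, str]]:
    """Return (asset name, problem) pairs for every control the inventory is missing."""
    by_name = {a.name: a for a in assets}
    gaps: List[Tuple[str, str]] = []

    for a in assets:
        if not a.handles_phi:
            continue  # out of scope for the Security Rule checks below
        if not a.mfa_enforced:
            gaps.append((a.name, "MFA not enforced"))
        if not a.encrypted_at_rest:
            gaps.append((a.name, "ePHI not encrypted at rest"))
        if not a.encrypted_in_transit:
            gaps.append((a.name, "ePHI not encrypted in transit"))
        if a.vendor is not None:
            if not a.baa_signed:
                gaps.append((a.name, f"no BAA with {a.vendor}"))
            if a.last_vendor_review is None:
                gaps.append((a.name, "vendor security never verified"))
            elif (today - a.last_vendor_review).days > VENDOR_REVIEW_MAX_DAYS:
                gaps.append((a.name, "vendor security verification older than 12 months"))

    # The flow map must agree with the inventory: every endpoint that PHI
    # touches has to be listed, and listed as handling PHI.
    for f in flows:
        for endpoint in (f.source, f.dest):
            if endpoint not in by_name:
                gaps.append((endpoint, f"in data-flow map but not in inventory ({f.description})"))
            elif not by_name[endpoint].handles_phi:
                gaps.append((endpoint, f"carries PHI per flow map but inventory says it does not ({f.description})"))
    return gaps


def gaps_by_asset(gaps: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    grouped: Dict[str, List[str]] = {}
    for name, problem in gaps:
        grouped.setdefault(name, []).append(problem)
    return grouped


# Constructed sample inventory for a hypothetical outpatient practice.
SAMPLE_ASSETS = [
    Asset("cloud-ehr", "cloud EHR", "EHR Vendor (hypothetical)", True, True, True, True, True, date(2025, 3, 1)),
    Asset("telehealth", "video platform", "Telehealth Vendor (hypothetical)", True, True, True, True, True, date(2024, 6, 15)),
    Asset("practice-email", "email", "Mail Vendor (hypothetical)", True, False, True, True, True, date(2025, 5, 1)),
    Asset("clinician-laptop", "endpoint", None, True, True, False, True, False, None),
    Asset("scheduling-app", "scheduling", "Scheduling Vendor (hypothetical)", True, True, True, True, False, None),
    Asset("waiting-room-tv", "display", None, False, False, False, False, False, None),
]
SAMPLE_FLOWS = [
    Flow("telehealth", "cloud-ehr", "session notes sync"),
    Flow("cloud-ehr", "backup-service", "nightly backup"),   # never added to the inventory
    Flow("scheduling-app", "practice-email", "appointment reminders"),
]


def sample_gaps(today: date = date(2025, 11, 1)) -> Dict[str, List[str]]:
    return gaps_by_asset(find_gaps(SAMPLE_ASSETS, SAMPLE_FLOWS, today))


if __name__ == "__main__":
    for name, problems in sample_gaps().items():
        for p in problems:
            print(f"{name}: {p}")
```

Run against the constructed inventory, the check surfaces the kinds of findings a regulator would ask about: a mailbox without MFA, a laptop with no disk encryption, a scheduling vendor with no BAA and no security verification, a telehealth vendor whose last verification is stale, and a backup service that appears on the flow map but was never inventoried. The point of keeping the data structured is that the same script can be rerun before each annual review and the output filed as evidence.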

Detailed Action Summary for Clinicians

To prepare for 2025–2026 regulatory changes, practitioners should:

• Update their Notice of Privacy Practices by February 16, 2026.

• Reassess reproductive-health PHI policies in light of vacated portions of the 2024 rule.

• Begin aligning with proposed HIPAA Security Rule requirements now, before they finalize.

• Conduct a full HIPAA risk analysis in 2025 and annually thereafter.

• Build and maintain a technology asset inventory.

• Ensure encryption and multi-factor authentication across all systems handling PHI.

• Review and strengthen Business Associate Agreements and create a vendor-audit process.

• Update and document their incident-response plan, including restoration timelines.

• Revise internal security policies so they match current practice and technology.

• Implement annual HIPAA and security training for all workforce members.

• Maintain thorough documentation of all compliance activities.

Preparing early will not only protect your practice but also reduce the administrative burden when deadlines arrive.
