HIPAA in 2025: What HIEs Should Actually Care About
- Susan Clark

- Aug 19
- 3 min read
Here’s the thing about HIPAA updates: they tend to arrive in waves of proposals, half-baked headlines, under-the-radar OCR emails, and a whole lot of regulatory noise. As someone who’s spent the better part of two decades translating that noise into action, let me say this clearly—most of what you’ve heard lately isn’t urgent, isn’t final, and doesn’t hit HIEs where we live.
But some of it does. And some of it will.

So let’s talk about what matters for health information exchanges, and what you can safely file under “wait and watch.”
First, a Reality Check on the Security Rule
Yes, earlier this year HHS released a Notice of Proposed Rulemaking to revise the HIPAA Security Rule. And yes, the changes are sweeping—think required asset inventories, mandatory multifactor authentication, detailed risk analysis protocols, and a long-overdue crackdown on “addressable” controls.
But let’s not treat a proposal like it’s gospel.
The rule isn’t final. And even if it never finalizes, or doesn’t finalize in its entirety, it is still a directional signal—HHS is tightening the screws on security hygiene, and it wants covered entities and business associates to modernize their playbooks.
If you haven’t updated your risk analysis and associated action plan since pre-pandemic, this is your warning. (This has been a requirement since the HIPAA Security Rule came out in 2003, after all.)
Meanwhile, CMS Is Quietly Turning Up the Heat on SRAs
Here’s what’s not getting enough airtime: Medicare payment rules are now doing what HIPAA enforcement never quite managed to do—making Security Risk Assessments a financial imperative.
Under the 2026 Inpatient Prospective Payment System (IPPS) and Physician Fee Schedule (PFS) rules, hospitals and providers that don’t complete timely, documented SRAs AND act on their risk management plans are putting reimbursement at risk. That’s not a theoretical penalty—it’s money off the table. (Note: as of this writing the Physician Fee Schedule rule is only in ‘proposed’ status, but history tells us that what becomes final first in IPPS will also become final in PFS.)
For HIEs, this doesn’t mean you’re on the hook. But your participants are. And you’re either part of their solution or part of their risk exposure.
Now is the time to ask:
Are your connections secure enough to withstand a downstream audit?
Do you support your partners with clear documentation, strong technical safeguards, and transparency, if not a recognized accreditation like DirectTrust or HITRUST?
Can you help them meet the rising bar without adding burden?
You don’t need to be responsible for your participants’ full security posture, but if you ignore it, you’re not the kind of partner providers will lean on when the pressure is on.
Reproductive Health Privacy: On Pause, Not Ignored
Let’s clear this one up too. HHS finalized a rule last year to bolster privacy protections for reproductive health data, especially in cases involving law enforcement. Then came the court challenges. The result? Confusion, hesitation, and a general response by the provider community to “stand down” on completing implementation.
Here’s what I’d say:
Watch the courts.
Document your current access policies.
Don’t burn budget on system changes you might have to undo.
It’s smart to stay alert. It’s smarter not to build out ahead of clarity.
And obey the HIPAA Privacy & Security Rules already in place.
Where HIEs Should Focus Now
If you’re leading an HIE—or advising one—here’s your shortlist:
✅ Track the Security Rule proposals. Recognize and plan for the best practice recommendations within them.
✅ Support your partners on security risk management. Their compliance affects your ecosystem.
✅ Monitor reproductive health litigation. Prepare, don’t overreact.
Bottom Line: This Is About Trust, Not Just Compliance
HIPAA and other privacy & security requirements will keep evolving. Enforcement will ebb and flow. But for HIEs, the job hasn’t changed—we are trusted stewards of health data. And that trust is built not just by following the rules, but by staying two steps ahead of them.
So don’t get distracted by the noise. Focus on where the pressure is real, the need is clear, and your role is essential. That’s how we build the future of interoperability—with intention, not impulse.