2024 Privacy Rule Change: Here's What You Need to Know

At the end of 2024, HHS’ Office for Civil Rights (OCR) rolled out major updates to the HIPAA Privacy Rule. Changes focus on reproductive health PHI (Protected Health Information), substance use disorder (SUD) alignment, patient record protections, and proposed sweeping cybersecurity overhauls. 

As a managed IT service provider that serves healthcare businesses, we are providing our deep dive into the 2024 Privacy Rule and the related Security Rule updates. Businesses with HIPAA compliance requirements need to understand these shifts in order to keep their IT frameworks, IT operations, and technical safeguards compliant.

This breakdown will clarify critical IT and cybersecurity implications for your business and guide actionable next steps.

1. Reinforced Protections for Reproductive Health PHI

The most notable changes reinforce the protections for reproductive health PHI. The changes include:

  • Mandatory attestation for disclosure requests: IT systems processing PHI must now support collection and storage of signed attestations when responding to law enforcement, subpoenas, oversight, or coroner requests involving reproductive health PHI. HHS will publish model forms soon.
  • Updated Notice of Privacy Practices (NPP): By February 16, 2026, systems must help display and distribute NPPs that explain the new PHI safeguards. 
  • Court update: In a June 18, 2025 ruling, a court in Texas vacated most of the reproductive health PHI restrictions, but the NPP changes remain enforceable. MSPs must factor in both ongoing rule compliance and the evolving legal status.

IT Impact

Modify document management and EHR/PHI workflows to tag reproductive care records, flag related access events, store attestation files securely, and enable rapid policy updates in NPP presentation layers.

2. SUD Confidentiality Aligns with HIPAA

The Privacy Rule now harmonizes 42 CFR Part 2 SUD consent with HIPAA processes. This means that IT systems must:

  • Accept a single consent form covering treatment, payment, operations, and re-disclosure by BAs (Business Associates).
  • Enable restrictions and patient accountings on SUD records.
  • Configure systems to enforce stricter use/disclosure protections for SUD records (i.e., only court-ordered or authorized disclosures).

IT Implications

Design EHR modules to label SUD PHI, enforce consent-based gating, audit PPE-only record logs, and maintain tagging to support restricted access and accounting features.

3. 2025 Security Rule NPRM: Proactive Cybersecurity Requirements

OCR’s January 2025 Notice of Proposed Rulemaking (NPRM) modernizes the HIPAA Security Rule. As an MSP, our task is to ready our clients’ systems to meet or exceed the following standards:

  1. No more “addressable” controls: every specification is now required.
  2. Encryption mandatory: ePHI must be encrypted at rest and in transit, with annual key rotations.
  3. MFA required for all ePHI access.
  4. Patching deadlines: Critical vulnerabilities fixed within 15 days; high-risk within 30.
  5. Annual risk assessments with documented inventory/network maps, mitigation steps archived for 6 years.
  6. Network segmentation, anti-malware, secure configurations, disabled unnecessary ports.
  7. Vulnerability scans every six months and annual penetration tests.
  8. Incident response & contingency plans: Formalized IR, DR, and backups.
  9. Business Associate/vendor oversight: Written annual attestations of technical safeguards, 24‑hour breach/plan activation notifications.

MSP Action Plan for 2025 Compliance

As an MSP focused on the healthcare industry, this is how we will prepare to help our clients maintain HIPAA compliance. If your business requires HIPAA compliance, your MSP should be providing the following services:

1. Harden Technical Infrastructure

  • Implement multi-factor authentication (MFA) on all services with ePHI.
  • Enforce encryption end-to-end, i.e. file storage, databases, backups, and data in motion.
  • Configure patch management to meet the 15-day (critical) and 30-day (high-risk) SLAs (Service Level Agreements).
  • Deploy network segmentation and remove unused services/ports.

2. Enhance Monitoring & Vetting

  • Maintain a live inventory of devices, ePHI flows, and vendor systems.
  • Schedule semi-annual vulnerability scans and annual pen-tests, with documented results.
  • Develop automated alerting for suspicious activity.

3. Revise Policies & Documentation

  • Shift “addressable” written determinations to fully implemented configurations.
  • Establish formal incident response plans, DR strategies, and recovery SLAs.
  • Maintain logs, risk assessments, and training records, retained for six years.

4. Reinforce Business Associate Relationships

  • Conduct annual reviews and obtain written compliance attestation from each BA.
  • Include 24‑hour notification clauses (e.g. breaches, ePHI exposure incidents).
  • Delegate a security official via contract where appropriate.

5. Align IT with Privacy Workflows

  • Build attestation workflows and storage for reproductive/SUD PHI disclosures.
  • Tag and gate access by PHI type—reproductive, SUD, general.
  • Enable patient request tracking modules for record disclosures, accounting, and NPP updates.
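The tagging, attestation storage and consent gating described in sections 1, 2 and action item 5 can be modelled as a single policy check that runs before any PHI leaves the system. The following is an added example written for this post, not code from the blog or from any EHR vendor: record categories, purpose names, the `Attestation` and `Request` fields and all sample data are constructed assumptions, and the rule that a law enforcement, subpoena, oversight or coroner request for reproductive health PHI must reference a signed attestation on file, while an SUD record needs either the single Part 2 consent or a court order, follows the post's description. Every decision, allowed or denied, is logged so that a patient accounting can be produced later.

```python
"""Added example: PHI-type access gate with attestation and consent checks.
Not the post's or any vendor's code; all names and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

CATEGORIES = {"reproductive", "sud", "general"}          # one tag per record
CONSENT_PURPOSES = {"treatment", "payment", "operations", "ba_redisclosure"}
ATTESTATION_PURPOSES = {"law_enforcement", "subpoena", "oversight", "coroner"}


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    category: str                       # one of CATEGORIES (assumed tag field)


@dataclass(frozen=True)
class Attestation:
    attestation_id: str
    signer: str
    purpose: str                        # purpose the signer attested to
    signed_at: datetime


@dataclass(frozen=True)
class Request:
    requester: str
    purpose: str
    record: Record
    attestation_id: Optional[str] = None
    sud_consent_on_file: bool = False   # the single Part 2 consent form
    court_order: bool = False


@dataclass
class DisclosureGate:
    attestations: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def file_attestation(self, att: Attestation) -> None:
        """Store a signed attestation so later requests can reference it."""
        self.attestations[att.attestation_id] = att

    def evaluate(self, req: Request) -> tuple[bool, str]:
        """Decide allow/deny for one request and log the decision."""
        cat = req.record.category
        if cat not in CATEGORIES:
            decision = (False, "untagged record: classify before release")
        elif cat == "reproductive":
            decision = self._gate_reproductive(req)
        elif cat == "sud":
            decision = self._gate_sud(req)
        else:
            decision = (True, "general PHI")
        self.log.append({"at": datetime.now(timezone.utc),
                         "patient_id": req.record.patient_id,
                         "record_id": req.record.record_id, "category": cat,
                         "requester": req.requester, "purpose": req.purpose,
                         "allowed": decision[0], "reason": decision[1]})
        return decision

    def _gate_reproductive(self, req: Request) -> tuple[bool, str]:
        if req.purpose not in ATTESTATION_PURPOSES:
            return True, "reproductive PHI, routine purpose"
        att = self.attestations.get(req.attestation_id)
        if att is None:
            return False, "attestation required but none on file"
        if att.purpose != req.purpose:        # attestation must match the request
            return False, f"attestation purpose '{att.purpose}' does not match"
        return True, f"attestation {att.attestation_id} on file"

    def _gate_sud(self, req: Request) -> tuple[bool, str]:
        if req.court_order:
            return True, "court-ordered disclosure"
        if req.purpose in CONSENT_PURPOSES:
            if req.sud_consent_on_file:
                return True, "covered by single Part 2 consent"
            return False, "SUD record: no consent on file"
        return False, "SUD record: purpose requires court order"

    def accounting(self, patient_id: str) -> list:
        """Accounting of disclosures: every record actually released for a patient."""
        return [e for e in self.log if e["patient_id"] == patient_id and e["allowed"]]


def demo() -> dict:
    """Run constructed requests through the gate and return the decisions."""
    gate = DisclosureGate()
    gate.file_attestation(Attestation("ATT-1", "clerk@court.example", "subpoena",
                                      datetime(2025, 3, 1, tzinfo=timezone.utc)))
    repro = Record("R-100", "P-1", "reproductive")
    sud = Record("R-200", "P-1", "sud")
    plain = Record("R-300", "P-2", "general")
    ev = gate.evaluate
    return {
        "repro_no_attestation": ev(Request("le@agency.example", "law_enforcement", repro))[0],
        "repro_with_attestation": ev(Request("clerk@court.example", "subpoena", repro, attestation_id="ATT-1"))[0],
        "repro_wrong_purpose": ev(Request("le@agency.example", "law_enforcement", repro, attestation_id="ATT-1"))[0],
        "sud_without_consent": ev(Request("billing@clinic.example", "payment", sud))[0],
        "sud_with_consent": ev(Request("billing@clinic.example", "payment", sud, sud_consent_on_file=True))[0],
        "sud_court_order": ev(Request("clerk@court.example", "subpoena", sud, court_order=True))[0],
        "general": ev(Request("nurse@clinic.example", "treatment", plain))[0],
        "accounting_p1": len(gate.accounting("P-1")),
    }
```

In practice the gate would sit in the EHR's disclosure path or a document-management hook, and the `log` would be written to the same retained audit store as other access events so it can be produced for an audit or a patient's accounting request.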

6. Invest in Ongoing Training & Testing

  • Include MFA, phishing, reproductive/SUD PHI handling, incident protocol training.
  • Run regular tabletop exercises across IT, privacy, clinical staff.

Looking Ahead: AI, Emerging Tech & Enforcement

With the recent changes and the ongoing updates to HIPAA compliance requirements over the years, it’s natural to wonder what’s next. Looking ahead, we’re focused on AI, emerging tech, and shifts in enforcement.

  • AI & tracking tech: OCR warns about unauthorized PHI use in AI tools or trackers. MSPs must vet third-party integrations and audit telemetry.
  • Increased OCR enforcement: With ransomware up 264% in 2024, expect tighter scrutiny of risk analyses. Perfunctory reviews will no longer cut it. 
  • Emerging tech compliance: Prepare for quantum-resistant encryption, VR/AR/telehealth gaps, and AI risk assessments.

Final Thoughts: 2024 Privacy Rule Change

As a managed IT service provider, we think 2025 represents a paradigm shift: Privacy Rule updates mean supporting new PHI workflows (reproductive, SUD), while the Security Rule NPRM demands enterprise‑grade cybersecurity. For our clients subject to HIPAA compliance, we will be focusing on: 

  • IT architecture upgrades (encryption, MFA, segmentation)
  • Robust operations (patching, scanning, Incident Response plans)
  • Privacy-aligned workflows (attestations, consent gates)
  • Documentation & training excellence

Policy language is turning into audit-ready compliance standards. Businesses that embrace these changes early will safeguard themselves and strengthen trust with their patient base.

If your business needs guidance navigating HIPAA compliance and recent policy changes, we are here to help. Schedule a time to chat with our team.
