The Clock Is Ticking on HIPAA Compliance. Step Up Before Enforcement Escalates.

Healthcare regulations are shifting fast, and behavioral health leaders can no longer afford to treat HIPAA updates as backend technical details. The latest round of rule changes (and those still on the horizon) reframes HIPAA not just as a legal mandate, but as a leadership responsibility.

In 2024, the Department of Health and Human Services introduced sweeping updates: new protections for reproductive health data, stricter breach notification timelines, and measures to improve continuity of care. Now, in mid-2025, even more significant proposals are under review, including updates that could connect cybersecurity compliance to Medicare and Medicaid participation.

The window for action is closing. Many of these updates are already in effect, and others may be finalized before the end of the year. Behavioral health organizations that delay may find themselves rushing to catch up – or worse, exposed when enforcement begins.

HIPAA Is Now an Executive Concern

HIPAA has moved from the compliance desk to the boardroom. Risk, funding, and organizational trust now sit squarely on the executive agenda.

What’s changed is the level of accountability. Behavioral health providers are facing tighter timelines, broader data-sharing obligations, and stronger enforcement. Leaders who once viewed HIPAA as a compliance department task must now acknowledge it as a core element of strategic risk management and organizational trust-building.

Recent rule changes have significantly tightened response expectations. While the federal HIPAA rule for notifying individuals and HHS about large breaches still allows up to 60 calendar days from discovery, the practical window for internal identification, assessment, and readiness to notify has effectively compressed: organizations must be prepared to act within as little as 15 days to satisfy certain internal processes or state-specific requirements. The updates also introduced attestation requirements when disclosing reproductive health data and expanded patient access rights, including the right to transmit health information to third-party apps. These shifts create real operational friction, especially in behavioral health, where clinical nuance and data sensitivity are deeply intertwined.

Equally important are the training requirements triggered by policy changes. HIPAA’s Privacy Rule (§164.530) mandates that any material change to privacy practices be accompanied by workforce refresher training. If your policies have changed but your teams haven’t been retrained, you’re likely already out of step with federal requirements.

Meanwhile, penalties are increasing. As of December 2024, civil monetary fines for HIPAA violations now range from $141 to more than $2 million per violation. HHS is actively considering new restitution measures, potentially enabling patients harmed by data breaches to seek direct financial compensation from covered entities. This development dramatically increases the financial, personal, and reputational stakes of compliance lapses, moving beyond regulator fines to individual liability.

Transparency Is Driving a Shift in Culture

Perhaps the most challenging shift for behavioral health executives is the expansion of patient access rights. Patients now have broader authority to view, photograph, and share their own medical records, including directing data to third-party apps that operate outside of HIPAA’s protections. While these changes promote patient empowerment, they also create tension between transparency and therapeutic discretion.

Leaders must recognize this is both a policy change and a cultural change. Your organization needs a coherent access strategy, one that balances regulatory obligations with clinical realities. You’ll also need a clear communication plan to help patients understand what’s being shared, with whom, and under what circumstances.

Complicating matters further, organizations handling substance use disorder (SUD) records governed by 42 CFR Part 2 face a critical duality: while Part 2 is being aligned with HIPAA’s structure for patient access and certain disclosures, its core heightened confidentiality protections for SUD information remain fully intact and legally distinct. Navigating this alignment without diminishing the specific Part 2 safeguards is a key operational challenge unique to behavioral health.

Cybersecurity Is the Next Compliance Frontier

In early 2025, HHS issued a Notice of Proposed Rulemaking that outlines major changes to the HIPAA Security Rule. While still under review, the proposed requirements are extensive, and they reflect a growing expectation that covered entities treat cybersecurity as a core operational priority.

These proposals, which align with HHS’ Cybersecurity Performance Goals, would require organizations to maintain a current asset inventory and network map, conduct vulnerability scans twice per year, complete annual penetration testing, and develop formal disaster recovery plans capable of restoring systems and data within 72 hours of a cyberattack.

Other expected mandates include full encryption of all electronic protected health information (ePHI), enforcement of multi-factor authentication (MFA), use of anti-malware protections, and annual audits of business associate security practices. Critically, the proposal would reclassify numerous ‘addressable’ implementation specifications (like encryption and MFA) as ‘required’. This eliminates the flexibility organizations previously had to justify alternative approaches through internal risk assessments.

If finalized as proposed, these changes could establish compliance as a formal Condition of Participation (CoP) in Medicare and Medicaid, potentially taking effect in phases starting as early as late 2025 or 2026. This link to funding makes cybersecurity readiness non-negotiable for financial viability.

What Leaders Should Be Doing Now

For many behavioral health organizations, the question is not whether to act, but how to act. A strong starting point is to reframe HIPAA as a business resilience issue, not just a regulatory one. Designate a compliance officer or team member responsible for monitoring updates, coordinating policy changes, and reporting directly to leadership.

Executives should begin by reviewing whether their breach response plan can truly deliver within the new 15-day notification window. From there, it’s essential to revisit patient access policies in light of growing interoperability requirements and ensure your organization is prepared to handle third-party app requests without compromising privacy.

Equally important is verifying that foundational security practices are in place: encryption, MFA, current asset inventories, and clear roles in disaster recovery. These are no longer best practices. They have become regulatory expectations.

Training must be part of this conversation. As regulations evolve, your workforce must understand both their obligations and their role in protecting patient data. If your privacy and security training hasn’t been updated in the last year, now is the time to do it.

Finally, conduct an executive-level risk posture review focused on resilience, not just checklists. Behavioral health leaders must be prepared to articulate clearly to boards, regulators, and patients: 1) how current operations align with existing HIPAA mandates (like the 15-day breach rule), 2) what concrete steps are being taken to prepare for the proposed cybersecurity CoP, and 3) the organization’s strategy for balancing transparency (e.g., third-party apps) with therapeutic and privacy imperatives.

The Strategic Opportunity Behind the Compliance Push

What’s unfolding now is bigger than an update to the HIPAA rulebook. It’s a reframing of how trust is built, how risk is managed, and how health data is handled in a world of growing digital complexity.

For behavioral health leaders, this is an opportunity to lead. By treating HIPAA as a strategic lever rather than a legal hurdle, organizations can strengthen their security posture, modernize internal culture, and improve patient trust, all while staying ahead of enforcement risk.

This is a pivotal moment, as delays risk both fines and funding. Xpio works with behavioral health executives to turn compliance pressure into strategic clarity. If your leadership team is ready to align on what comes next, let’s talk.