Outgoing OCR Director Melanie Fontes Rainer reflects on a pivotal year for HIPAA compliance and charts a path forward.
Why It’s Crucial
HIPAA compliance is evolving rapidly, and 2024 saw landmark changes. These updates highlight the importance of staying informed and proactive to protect patients and practices alike.
Key Highlights
Substance Use Disorder Confidentiality:
What’s new? Rules were finalized to enhance privacy while improving care coordination for patients with substance use disorders.
Why it matters: Allows providers to better integrate behavioral health data without compromising patient confidentiality.
Reproductive Health Privacy Protections:
What’s new? OCR introduced new rules limiting PHI use in reproductive care investigations and requiring patient notice updates.
Why it matters: Helps ensure patient safety and trust in accessing sensitive care.
Cybersecurity Overhaul on the Horizon:
What’s new? Proposed updates to the HIPAA Security Rule emphasize proactive, regularly tested policies to protect ePHI.
Why it matters: As cyber threats increase, this is a step toward stronger healthcare data protection.
By the Numbers
3 major rulemakings finalized or proposed in 2024—the most in OCR’s history.
22 enforcement actions led to $9.9 million in settlements and penalties.
Big Picture

The proposed cybersecurity updates reflect OCR’s commitment to tackling modern threats. Organizations are being called to adopt robust measures to protect ePHI, such as assessing policies and stronger safeguards against phishing and ransomware attacks.
Enforcement Trends
Top issues: Ransomware, phishing, improper disclosures, and delays in PHI access requests.
What it means: Non-compliance is costly, not just in financial penalties but also in patient trust and practice reputation.
What’s Next
It’s expected that the Trump administration will continue efforts to reinforce the security and resilience of critical infrastructure, including the healthcare sector.
That said, the pace and specifics of these updates remain unclear. Some experts believe the new administration may review prior proposals with scrutiny but are likely to move forward with finalizing updates to the HIPAA Security Rule.
What does this mean for you? Now is the time to take action. Even as we wait for new regulations, you can make meaningful progress by focusing on the basics:
Adopt multi-factor authentication to protect sensitive systems.
Schedule your risk assessment to identify and address vulnerabilities.
Train your team on recognizing and responding to cyber threats.
The takeaway: We’re all navigating a complex and evolving landscape, but you don’t have to face it alone. Together, we can stay proactive, safeguard our practices, and continue building trust with those we serve. Let’s not wait for change to happen—let’s prepare for it.
Comments