HIPAA Security Rule 2025 Updates: What San Diego Providers Need to Know
A breakdown of the 2025 HIPAA Security Rule changes and how they affect healthcare practices in San Diego County.
The Department of Health and Human Services (HHS) finalized significant updates to the HIPAA Security Rule in 2025, marking the first major revision since 2013. These changes directly affect every healthcare provider in San Diego County that handles electronic protected health information (ePHI). Here is what changed, what it means for your practice, and what you need to do about it.
The Big Changes
The 2025 update eliminates the old distinction between "required" and "addressable" implementation specifications. Under the previous rule, practices could document why certain security measures were not reasonable or appropriate and implement alternative measures. That flexibility is gone. Every specification is now required, full stop.
For many small practices in neighborhoods like Hillcrest, Normal Heights, and Chula Vista, this is the most disruptive change. A two-physician family medicine clinic that previously documented why full disk encryption was not feasible must now implement it. There are no more workarounds.
Encryption Is No Longer Optional
The updated rule mandates encryption for all ePHI at rest and in transit. Previously, encryption was an addressable specification, which meant practices could use alternative safeguards if they documented the rationale. That loophole closed.
What this means in practical terms: every laptop, workstation, portable device, and server in your practice that stores patient data must use full-disk encryption. Email containing PHI must be encrypted end-to-end. Data backups must be encrypted. If you are using an EHR hosted on a local server in your office, that server's drives need encryption enabled.
Most modern operating systems support this natively. Windows Pro and Enterprise editions include BitLocker. macOS includes FileVault. The cost is minimal, but the configuration and verification take time. If your practice has not enabled these features, start now.
Mandatory Multi-Factor Authentication
Multi-factor authentication (MFA) is now required for all systems that access ePHI. This applies to your EHR system, your patient portal admin access, your email if it ever contains PHI, and any cloud storage where patient records reside.
San Diego has a large population of independent practitioners and small group practices. Many still rely on simple username-and-password access to their systems. The 2025 rule forces a change. Every user who touches ePHI needs a second factor: an authenticator app, a hardware key, or a biometric verification.
Talk to your EHR vendor about enabling MFA if you have not already. Most major platforms (Epic, Athenahealth, eClinicalWorks, DrChrono) support it. If your vendor does not, that is a serious red flag.
Written Risk Analysis and Asset Inventory
The updated rule requires a written technology asset inventory and a network map. You must document every system, device, and application that creates, receives, maintains, or transmits ePHI. This inventory must be reviewed and updated at least annually.
This requirement formalizes what should have been standard practice. But the reality is that many San Diego practices, particularly smaller ones, have never completed a formal asset inventory. You need to know where your data lives before you can protect it.
The risk analysis itself must also be more rigorous. HHS has signaled through recent enforcement actions that a checkbox-style risk assessment is no longer sufficient. The analysis needs to identify specific threats to specific assets, assess the likelihood and impact of each threat, and document the security measures in place to mitigate each risk.
72-Hour Incident Reporting by Business Associates
When a business associate experiences a security incident involving your practice's ePHI, they must now notify you within 72 hours. This is a significant tightening from the previous rule, which did not specify a notification timeline for general security incidents (as opposed to confirmed breaches).
Review your Business Associate Agreements (BAAs) to ensure they reflect this 72-hour requirement. If your BAA still uses older language, update it. This is particularly relevant for San Diego practices that work with IT service providers, billing companies, cloud storage vendors, and answering services.
Annual Compliance Audits
The rule now requires annual compliance audits to verify that security measures are functioning as intended. This goes beyond the risk analysis requirement. You need to test your controls: verify that encryption is actually enabled, confirm that access logs are being generated and reviewed, ensure that terminated employees have had their access revoked, and check that your backup systems actually work.
San Diego's healthcare community learned hard lessons from the Scripps Health ransomware attack in 2021, which disrupted patient care across the county for weeks. That incident demonstrated that having security policies on paper means nothing if the controls are not implemented and tested. The new audit requirement aims to close that gap.
What San Diego Practices Should Do Now
The compliance deadline for existing covered entities is 180 days from the final rule publication. Here is a practical action plan:
First, complete your technology asset inventory. List every device, application, and system that touches ePHI. Include cloud services, mobile devices, and any personal devices staff use for work.
Second, enable encryption everywhere. Turn on BitLocker or FileVault on every workstation. Verify that your EHR vendor encrypts data at rest and in transit. Set up encrypted email for any communications containing PHI.
Third, implement MFA. Start with your EHR system and email, then extend to all systems that access ePHI.
Fourth, update your BAAs. Add the 72-hour notification requirement and ensure all other terms reflect the 2025 changes.
Fifth, schedule your annual audit. Whether you do it internally or hire an outside firm, get it on the calendar.
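As an added example (not from the original article), here is a PowerShell script a practice could run on each Windows workstation to produce evidence for the audit checklist above and for steps two and three of the action plan: BitLocker status on every volume, local accounts that are still enabled (to be matched against the staff roster for departed employees), and whether the Security log is actually recording logon events. It assumes an elevated session on Windows Pro or Enterprise with the BitLocker module present; MFA enforcement is verified at the EHR vendor or identity provider, not on the workstation, so it is not covered here.

```powershell
# Added example: collect HIPAA audit evidence on a Windows Pro/Enterprise workstation.
# Assumes an elevated PowerShell session and the BitLocker module (Windows Pro/Enterprise).
# Each finding is a plain object so the results can be exported to CSV for the audit file.

$findings = @()

# 1. Encryption at rest: every volume should be fully encrypted with protection turned on.
#    A drive that is "FullyEncrypted" but has ProtectionStatus "Off" is still a failure
#    (the key protectors are suspended and the data is effectively readable).
foreach ($vol in Get-BitLockerVolume) {
    $ok = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    $findings += [pscustomobject]@{
        Control = 'FullDiskEncryption'
        Item    = $vol.MountPoint
        Status  = $status
        Detail  = "VolumeStatus=$($vol.VolumeStatus); ProtectionStatus=$($vol.ProtectionStatus); Method=$($vol.EncryptionMethod)"
    }
}

# 2. Access revocation: list every enabled local account so the reviewer can compare it
#    with the current staff roster; any account not on the roster is an audit finding.
foreach ($u in Get-LocalUser | Where-Object Enabled) {
    $findings += [pscustomobject]@{
        Control = 'ActiveAccounts'
        Item    = $u.Name
        Status  = 'REVIEW'
        Detail  = "LastLogon=$($u.LastLogon); PasswordLastSet=$($u.PasswordLastSet)"
    }
}

# 3. Logging: confirm the Security log is capturing successful logons (event ID 4624)
#    within the last 30 days. No result means auditing is off or the log was cleared.
$since  = (Get-Date).AddDays(-30)
$logon  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
$status = if ($logon) { 'PASS' } else { 'FAIL' }
$detail = if ($logon) { "Most recent logon event: $($logon.TimeCreated)" } else { 'No logon events in last 30 days' }
$findings += [pscustomobject]@{
    Control = 'AccessLogging'
    Item    = 'Security log (event 4624)'
    Status  = $status
    Detail  = $detail
}

# Write the evidence file for the audit folder and show a summary on screen.
$stamp = Get-Date -Format 'yyyy-MM-dd'
$findings | Export-Csv -Path "$env:USERPROFILE\hipaa-audit-$env:COMPUTERNAME-$stamp.csv" -NoTypeInformation
$findings | Format-Table Control, Item, Status -AutoSize
```

Keep the dated CSV from each workstation with the audit records; a FAIL row on any volume or on the logging check is a concrete item to remediate before the audit is signed off.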
These changes are substantial, but they reflect the reality of healthcare cybersecurity threats in 2025. The OCR has increased enforcement activity, and penalties for non-compliance have grown. For San Diego practices, getting ahead of these requirements is not just about avoiding fines. It is about protecting your patients and your practice.