Patients who once waited a month for copies of their health records may soon see them in just fifteen days. This change is at the heart of the HIPAA 2025 Privacy Rule and Patient Rights Update. In Part 2 we examined how technical safeguards like encryption and multifactor authentication became mandatory under the Security Rule. Now, in Part 3, the focus shifts from system security to patient experience, covering new standards for record access, transparency in copy fees, data sharing with apps, and updated privacy notices.
The New Standard for Patient Access
Faster Access: The 15-Day Rule
One of the most visible changes in the forthcoming HIPAA 2025 Privacy Rule and Patient Rights Update is the shortened timeline for patient access. Covered entities will be required to respond to record requests within 15 calendar days, down from the current 30. An additional extension of up to 15 days will be allowed, but only once and only with proper notice to the patient.
This timeline is framed around the expectation of fulfilling requests “as soon as practicable.” Providers are expected to act promptly, not simply wait until day 15. Patients requesting their medical information for ongoing treatment, a second opinion, or legal reasons should receive their records without unnecessary delay.
For larger health systems, this proposed change may be manageable with existing release-of-information teams. Smaller practices, however, may feel the strain. Limited staff, outdated technology, and competing priorities could make the 15-day deadline a consistent challenge. To prepare, providers may need to adopt more streamlined record-keeping systems and train staff on handling requests quickly and accurately.
In-Person Inspection Rights
Another significant proposed change is the strengthened right for patients to inspect their records in person. Under the forthcoming rule, individuals will be able to schedule on-site time to review their protected health information (PHI). They will also be permitted to take notes or capture photographs of their records using personal devices.
While this provision enhances patient empowerment, it raises operational concerns. Providers will need to ensure that inspection areas safeguard the privacy of other patients’ information. That may require designating private spaces, implementing appointment systems, and training staff to monitor the process appropriately.
For patients managing chronic conditions or preparing for legal matters, in-person inspection can be invaluable. It provides immediate access to details that might otherwise take weeks to obtain, helping to bridge gaps for individuals without reliable internet access to patient portals.
Why This Matters
Patients have long faced delays in getting their medical records. These delays disrupted treatment and left families waiting for essential information. By requiring faster turnaround and allowing in-person inspection, the forthcoming HIPAA 2025 Privacy Rule and Patient Rights Update gives patients more timely access to their own data. Providers gain clear expectations for compliance, though meeting the 15-day deadline may create new pressures.
Transparency in Copy Fees
Public Fee Schedules
The forthcoming HIPAA 2025 Privacy Rule and Patient Rights Update is expected to require providers to publish their standard fees for copies of protected health information (PHI). Covered entities must make these fee schedules available both online and upon request. The schedules must include:
- Per-page charges for paper records
- Flat rates for digital copies
- Any other routine charges that may apply
By making fee schedules public, the rule aims to eliminate surprises. Patients will have a clearer idea of costs before requesting records, giving them more confidence in choosing how they want to access their health information.
Itemized Estimates and Final Bills
In addition to public schedules, providers will be expected to give individualized estimates upon request. If a patient asks for a copy of their records, the provider must provide an upfront estimate of the likely costs. After completing the request, the provider must also issue a final itemized bill.
This process offers patients predictability and holds providers accountable by requiring fees to be explained in detail.
When Fees Do Not Apply
The proposed rule clarifies that some forms of access must remain free of charge. For example:
- Viewing information in an online patient portal
- Accessing test results through existing secure electronic tools
However, when patients request that copies be transmitted elsewhere — such as mailed paper copies or electronic transfers to apps — reasonable cost-based fees may still apply. Providers will need to clearly explain these distinctions so that patients understand which access options are free and which may incur charges.
Impact on Provider Operations
These requirements will affect healthcare organizations of all sizes. Providers will need to:
- Update websites to display accurate fee schedules
- Train staff to prepare and communicate individualized estimates
- Standardize billing practices to reduce disputes and inconsistencies
Smaller practices may find this process time-consuming, but greater transparency has long been a priority for patients and regulators alike. Clear, upfront information helps reduce billing conflicts and improves overall trust between patients and providers.
Sharing Data with Personal Health Apps
Patient Rights to Third-Party Transfers
The forthcoming HIPAA 2025 Privacy Rule and Patient Rights Update is expected to strengthen patients’ ability to direct providers to send an electronic copy of their records to third-party health applications. This right applies specifically to information maintained in electronic health records (EHRs).
That means:
- Providers will be required to send electronic copies of EHR data when requested.
- They will not be required to scan or digitize paper records for these transfers.
- The process will be treated the same as sending records to another provider, attorney, or other third-party designee chosen by the patient.
This update acknowledges that many patients rely on mobile applications to track medications, monitor lab results, or manage chronic conditions. For these individuals, the right to direct transfers offers greater flexibility in managing their health information.
The Privacy Trade-Off
Once health data leaves a HIPAA-covered entity and enters a personal health app, HIPAA protections no longer apply. Instead, the data is governed by:
- Federal Trade Commission (FTC) rules
- State consumer privacy laws
- The app’s own terms and conditions
This shift carries potential risks. Apps may collect or share information in ways patients do not anticipate, including selling data to advertisers or operating without strong safeguards. Patients should be aware that their information may be less protected once transferred.
Provider Responsibilities
Providers are not required to vet or monitor apps, but they do carry responsibilities in processing patient-directed transfers. They must:
- Receive a clear, patient-directed request specifying the recipient and format.
- Confirm the correct destination before sending records.
- When possible, inform patients that HIPAA protections end once data is transferred outside covered entities.
HHS guidance encourages providers to educate patients about potential risks, but providers cannot refuse a request simply because of concerns about an app’s privacy practices.
To support staff, many organizations may develop scripts that explain:
- What types of data can be transferred
- How quickly the transfer may occur
- What happens once the data is under the app’s control
This helps ensure patients make informed decisions, even if the provider has no authority over the app’s practices.
Modernizing the Notice of Privacy Practices (NPP)
Elimination of Signature Requirement
For years, providers have been required to obtain a patient’s signed acknowledgment of receiving the Notice of Privacy Practices (NPP). In practice, this often became a formality with little benefit for patients or providers.
However, under the forthcoming 2025 HIPAA Privacy Rule and Patient Rights Update, this requirement will be removed entirely. Once finalized, providers will no longer need to collect signatures or store signed forms. This change is expected to:
- Reduce paperwork at check-in and registration
- Save time for staff who previously tracked compliance with these forms
- Simplify patient interactions by removing an unnecessary step
The focus will shift from collecting signatures to making sure the notice itself is useful and understandable.
New Content Requirements
The update will also require NPPs to present patient rights in clearer, more practical language. Expected inclusions are:
- The shortened 15-day access timeframe for records
- The right to inspect and photograph records in person
- The right to direct transfers of EHR data to third-party apps
- How the provider manages sensitive records, including Substance Use Disorder (SUD) information under 42 CFR Part 2
HHS has committed to releasing updated model NPP language that providers can adopt and adapt. This will help ensure consistency across organizations while allowing flexibility to reflect local practices.
It is worth noting that NPP updates for SUD/Part 2 information are already required, as part of the 2024 final rule aligning Part 2 with HIPAA. Providers must already be incorporating those disclosures.
Making NPPs Useful Again
Historically, many patients skimmed or ignored NPPs, viewing them as lengthy legal documents. The forthcoming update aims to change this by requiring notices that:
- Use plain language that patients can understand
- Highlight rights and the steps patients can take to exercise them
- Are readily available online and in physical settings
To support these goals, providers will need to update websites, redistribute notices, and train staff to explain the rights and obligations described in the NPP.
Aligning Substance Use Disorder Records
Historical Divide Between Part 2 and HIPAA
Substance Use Disorder (SUD) records have long carried stricter protections than general medical records. Under 42 CFR Part 2, providers historically had to obtain written consent nearly every time these records were shared. Re-disclosure without explicit consent was prohibited, which often made care coordination difficult.
While these rules helped protect confidentiality, they sometimes limited clinicians’ ability to deliver coordinated care, leaving patients with gaps in their treatment experience.
Key Changes (Finalized 2024; Compliance by February 16, 2026)
In February 2024, HHS issued the Part 2 Final Rule, aligning many elements of SUD privacy protections with HIPAA while keeping certain safeguards intact. The major updates include:
- One-time TPO consent. Patients may now give a single consent allowing future uses and disclosures of Part 2 records for treatment, payment, and healthcare operations (TPO).
- HIPAA-consistent redisclosure. Once disclosed under a patient’s consent, Part 2 records may be used or disclosed by HIPAA-covered entities and business associates in the same way as other HIPAA records for TPO purposes.
- Unified breach notification. Part 2 programs must now follow HIPAA’s Breach Notification Rule, including notifying patients and HHS if records are compromised.
- Civil enforcement. In addition to criminal penalties, Part 2 violations can now trigger civil monetary penalties, consistent with HIPAA enforcement.
- NPP updates. Covered entities that handle Part 2 information must update their Notice of Privacy Practices (NPP) to explain how these records are protected and how patients can exercise their rights.
Ongoing Special Protections
Even with these updates, several protections remain unique to Part 2 records:
- Use in investigations or proceedings. Part 2 records cannot be used to investigate or prosecute a patient without consent or a qualifying court order.
- Anti-retaliation. Part 2 programs may not intimidate, threaten, coerce, or discriminate against a patient for exercising their rights, including filing complaints.
- SUD counseling notes. Notes kept separately by an SUD or mental health professional require distinct consent and cannot be disclosed under a general TPO consent.
Practical Implementation for Providers
To prepare for compliance by February 16, 2026, providers should:
- Update consent forms to reflect the new one-time TPO authorization.
- Reconfigure EHR systems to flag and tag Part 2 data appropriately.
- Train staff to understand which records fall under HIPAA alone and which are subject to both HIPAA and Part 2 rules.
Reproductive Health Privacy: A Rule Enacted, then Vacated
Why the Rule Was Issued (2024)
After the Supreme Court’s Dobbs decision, abortion and reproductive care regulation returned to the states. In April 2024, HHS issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This was a separate final rule designed to limit certain disclosures of protected health information (PHI) related to lawful reproductive health services.
The rule’s core provisions included:
- Prohibition on disclosures for investigations or prosecutions of reproductive health care that was lawful where it was provided.
- Attestation requirements for law enforcement and oversight requests, requiring confirmation that the request was not tied to reproductive care investigations.
- Presumption of lawfulness, unless a provider had substantial evidence to believe otherwise.
The goal was to protect patients and providers from being targeted under restrictive state laws.
The Legal Challenge and Vacatur (June 2025)
The rule quickly faced legal challenges. In Purl v. HHS, the Northern District of Texas reviewed the regulation. On June 18, 2025, the court vacated most of the rule nationwide, holding that HHS had exceeded its statutory authority and that the rule conflicted with HIPAA’s statutory carveouts for state reporting laws, such as those covering child abuse and public health.
The only provision left intact was an unrelated amendment requiring Notices of Privacy Practices (NPPs) to include information on Substance Use Disorder (SUD) records. By September 2025, appeals had been dropped, leaving the vacatur final.
Post-vacatur Reality
After the June 2025 court decision in Purl v. HHS, most of the reproductive health privacy rule was vacated. HIPAA returned to its baseline framework. Disclosures to law enforcement remain permitted but not required when supported by a court order, warrant, subpoena, or state law requiring reporting. No special HIPAA protections remain for reproductive health information. State laws now determine whether providers may or must disclose this type of data. This patchwork leaves providers balancing federal discretion, state mandates, and patient trust.
Why This Matters
The reproductive health privacy rule was short-lived, but its rise and fall highlight how political and legal forces directly shape health privacy protections. Patients and providers remain in a gray area where HIPAA alone does not extend extra safeguards for reproductive care.
The HIPAA 2025 Privacy Rule and Patient Rights Update advances patient rights in other areas, but reproductive health privacy remains unsettled — shaped more by state law and politics than federal regulation.
Compliance Burdens and Operational Implications
For Large Health Systems
Large hospital networks and integrated delivery systems will face significant logistical challenges in applying the new Privacy Rule requirements consistently across multiple locations.
Key considerations include:
- Updating Notices of Privacy Practices (NPPs) across all facilities and ensuring consistency in language and availability.
- Integrating SUD data handling into enterprise EHRs, which may require major configuration changes to flag sensitive records appropriately.
- Managing reputational risk when it comes to reproductive health. Patients may seek reassurance about confidentiality, even though federal protections have been narrowed.
Large systems often have the resources to adapt but must coordinate across multiple departments and geographies, which can increase complexity.
For Smaller Practices and Clinics
Smaller organizations, including community health centers and physician offices, may experience the greatest strain.
Key challenges include:
- Meeting the 15-day deadline for record requests with limited staff.
- Facilitating in-person inspections securely, which may require rearranging physical spaces or creating new processes.
- Posting and maintaining fee schedules online, which can be burdensome for providers without strong IT support.
For many smaller practices, compliance may require hiring or retraining administrative staff, as well as investing in modest technological upgrades.
Technology and Training
Regardless of size, all providers will need to strengthen their compliance infrastructure. Practical steps include:
- Logging systems to track patient-directed transfers to apps and third parties.
- Staff scripts for explaining patient rights around fees, apps, and access.
- Ongoing training to ensure front-line employees understand both the new rights and the limitations (for example, when HIPAA protections no longer apply).
- Documentation updates to align policies and procedures with OCR expectations.
Technology can help with these requirements, but staff training and clear communication remain just as important. Compliance is not only about systems but also about ensuring patients feel heard and supported when exercising their rights.
Legal Uncertainty and Future Outlook
Enforcement Trends
The Office for Civil Rights (OCR), which oversees HIPAA enforcement, has a history of focusing on patient access cases. Delays in providing medical records have led to settlements and civil monetary penalties, even before the 2025 changes.
Once the 15-day deadline takes effect, enforcement will intensify. Regulators may audit or investigate providers who miss timelines. Likewise, they will closely monitor transparency in copy fees, since the rule emphasizes fairness and accountability.
Beyond access rights, OCR is also expected to focus on:
- Compliance with SUD record handling
- Documentation of patient-directed app transfers
- Updated Notices of Privacy Practices that reflect the new rules
Political and Legal Crosscurrents
The HIPAA 2025 Privacy Rule and Patient Rights Update does not exist in isolation. Broader political and legal debates continue to shape its impact.
- Reproductive health privacy remains unsettled. With the vacatur of the 2024 rule, state laws now determine the level of protection or exposure patients face. This creates a patchwork that may shift depending on the political climate.
- Federal vs. state conflicts are likely to continue. Some states may pass laws designed to strengthen reproductive privacy, while others may impose stricter reporting obligations.
- Technology regulation is evolving. As personal health apps gain traction, lawmakers may revisit the boundaries of HIPAA, the FTC Act, and state consumer protection statutes.
These dynamics mean providers must remain attentive not just to HIPAA, but also to other legal frameworks that intersect with patient privacy.
What Providers Should Do Now
Given the uncertainty, healthcare organizations should prepare rather than wait for enforcement actions. Practical steps include:
- Auditing and updating policies to reflect both finalized and forthcoming HIPAA changes
- Training staff regularly so they understand patient rights, fee disclosures, and data transfer risks
- Monitoring state laws to stay aligned with local requirements, particularly in areas such as reproductive health
- Engaging legal counsel for guidance on conflicts between federal and state mandates
- Keeping patients informed about their rights and how the organization protects their information
Frequently Asked Questions (FAQs)
1. What is the biggest change in the HIPAA 2025 Privacy Rule and Patient Rights Update?
The most visible change will be the new 15-day deadline for fulfilling patient record requests, replacing the current 30-day deadline. Patients will also gain the right to inspect records in person and use personal devices to take notes or photos.
2. Do providers still need to get patient signatures for Notices of Privacy Practices (NPPs)?
No. The forthcoming update will remove the requirement for providers to collect signed acknowledgments. Instead, Notices must use clear language and highlight patient rights.
3. Can patients ask providers to send their health records to personal health apps?
Yes. Once finalized, patients will be able to direct providers to send EHR data to apps of their choice. HIPAA protections will not apply once data leaves covered entities. Instead, consumer privacy laws and app policies will govern.
4. How do the updates affect fees for medical records?
Providers will be expected to post fee schedules online, provide individualized estimates on request, and give an itemized bill after requests are completed. Access through patient portals must remain free.
5. What changes were made to Substance Use Disorder (SUD) records?
The February 2024 Part 2 Final Rule allows one-time consent for treatment, payment, and operations. It also brings SUD programs under HIPAA’s breach notification rules and subjects violations to civil penalties. Providers must comply by February 16, 2026.
6. What happened to the reproductive health privacy rule introduced in 2024?
Most of the rule was struck down in June 2025 by a Texas federal court. Providers now follow HIPAA’s baseline framework and look to state law for disclosure rules.
7. When do providers need to be fully compliant with these changes?
The SUD rule is final, with compliance due by February 16, 2026. The Privacy Rule modernization is expected to take effect in 2025 once finalized. The reproductive health rule has been vacated, so no compliance is required.
8. What should healthcare organizations do right now?
Providers should prepare by updating policies, training staff, and adjusting NPPs to reflect the changes in SUD. They should also monitor state laws, especially around reproductive health, and seek legal guidance where federal and state rules differ.
Conclusion
The HIPAA 2025 Privacy Rule and Patient Rights Update is not just another regulatory adjustment. It redefines the relationship between patients and providers by giving individuals faster access, clearer costs, and greater control over where their data flows. For providers, these changes demand more than new policies. They require practical adjustments in staffing, technology, and patient communication.
Substance Use Disorder records highlight the shift. By February 2026, a single consent will cover treatment, payment, and operations, bringing HIPAA and Part 2 closer together. At the same time, the failed reproductive health privacy rule shows how vulnerable regulatory initiatives remain to political and legal challenges. Providers must prepare for compliance with finalized rules while staying alert to the uncertainties of ongoing litigation and state-level mandates.
Large health systems will need to coordinate across dozens of facilities, while smaller practices will feel the burden of shorter deadlines and limited staff. Both face the same reality: OCR is expected to enforce patient access timelines and fee disclosures with greater intensity. That means operational readiness will be as important as legal compliance.
Part 4 turns to the final piece of the HIPAA 2025 update: breach notifications and penalties. If the Privacy Rule is about patient rights, the Breach Notification Rule is about accountability when those rights are violated. The deadlines are shorter, the fines more structured, and the risks wider than ever before.