Posted by Team KMCU on Sep 25, 2025
HIPAA Security Rule Changes Explained — What Chiropractors Really Need to Know
Hot Topics from the KMC University HelpDesk
Don’t Panic — Understand the Process
Recently, talk about “new HIPAA security rules” has created confusion across the chiropractic profession. Articles and social posts often make it sound like major changes are already in place, leaving many practices scrambling. The reality is different: most of these updates refer to a Notice of Proposed Rulemaking (NPRM) — not a final rule. Until the final rule is published, the existing HIPAA Security Rule still applies.
Let’s break down what the NPRM means, how the rulemaking process works, and what actions you should take now to stay compliant without unnecessary stress.
What Is the HIPAA Security Rule NPRM?
The NPRM (Notice of Proposed Rulemaking) is the first step toward updating a regulation. In this case, the proposed changes aim to strengthen cybersecurity requirements for healthcare providers. Once the NPRM appears in the Federal Register, a comment period opens. During this time, doctors, hospitals, and other stakeholders review the proposed rule and submit feedback.
After the comment period closes, regulators analyze the feedback and draft the final rule. Only when the final rule is published do the new requirements become enforceable. Until then, the current HIPAA Security Rule remains in effect.
Common Myths vs. Reality
❌ Myth #1: “You must report breaches within 15 days.”
Some articles claim you must report breaches within 15 days. That’s not accurate. The official Breach Notification Rule states that notifications must be provided “without unreasonable delay and no later than 60 days.” Until the government changes that timeline in a final rule, the 60-day standard stands.
❌ Myth #2: “You’re required to audit your business associates.”
Another widespread misconception is that practices must audit their vendors’ security systems or perform vulnerability scans. While reviewing your vendors’ practices is smart, the current Privacy Rule only requires you to obtain “satisfactory assurances.” Typically, this means having a signed Business Associate Agreement (BAA) that outlines how both parties will protect patient information.
Vendors share equal responsibility for HIPAA compliance, but you don’t have to conduct official audits or collect certifications. Instead, verify that agreements are in place and that vendors understand their obligations.
How to Stay Proactive Without the Panic
Even though the proposed rule isn’t final, you can still prepare for future changes without overreacting.
- ✅ Go to the source: Always verify information directly from the HHS website and the Federal Register.
- ✅ Review your current compliance: Make sure your HIPAA risk assessment is up to date and your security policies reflect current standards.
- ✅ Communicate with vendors: Ensure all BAAs are signed and current. Discuss how they safeguard protected health information (PHI), even if audits aren’t required.
- ✅ Monitor updates: Proposed rules often evolve based on feedback. Keeping an eye on the process helps you anticipate changes early.
Final Thoughts: Compliance Starts With Clarity
It’s easy to feel overwhelmed by headlines about “new security rules.” However, until the final rule is published, the current HIPAA Security Rule still governs your chiropractic practice. By staying informed, maintaining strong compliance practices, and preparing for potential changes, you’ll protect your practice from unnecessary risk.
If you’re unsure about where your practice stands, KMC University can help. We offer tools, courses, and even a FREE HIPAA assessment to help you evaluate your current compliance level and prepare for the future.