Building Effective HIPAA Training Programs for the New Cybersecurity Requirements

Kelley Robson

Healthcare compliance is in the middle of a transformation, and cybersecurity is at the center of it. In 2025, updates to the HIPAA Security Rule are raising the bar on what it means to protect patient information. Regulators are no longer asking organizations merely to review risks and document safeguards. They expect action, and that starts with training.

In this post, we break down what the new cybersecurity-related HIPAA expectations mean for your training program and how to build a program that not only meets regulatory standards but actively reduces risk.

Stricter Data Privacy & HIPAA Updates

In early 2025, the Department of Health and Human Services (HHS) proposed sweeping updates to the HIPAA Security Rule. These updates reflect a growing push to prepare healthcare systems for cyberattacks and data breaches by setting higher expectations for proactive planning and staff readiness.

Under the proposed rules, organizations must:

  • Complete comprehensive risk analyses that go beyond documentation.
  • Maintain a full inventory of all IT assets handling protected health information (PHI).
  • Develop contingency plans with defined timelines like restoring systems within 72 hours of a breach.

Penalties for HIPAA violations are also being reinforced, with HHS and the FTC signaling a stricter enforcement posture. For organizations, this means HIPAA fines that can climb into the millions, and reputational damage that takes far longer to repair than systems.

Training is no longer a compliance formality. Every staff member, from clinical to administrative, needs to understand how cybersecurity intersects with their role.  

CMS Quality Reporting & Payment Reforms

While cybersecurity dominates headlines, CMS is making equally consequential updates that impact funding. In 2025, Medicare continues its shift toward value-based care by tightening performance measures across multiple programs:

  • The Hospital Inpatient Quality Reporting (IQR) Program now includes new measures like “Patient Safety Culture” and “Age-Friendly Care.”
  • The Value-Based Purchasing Program aligns payment more tightly with performance outcomes.
  • The Medicare Promoting Interoperability (PI) Program raises the minimum score hospitals must achieve to avoid penalties, from 60 to 70 and eventually 90.
  • CMS is also increasing expectations around electronic clinical quality measures (eCQMs) over the next few years.

Failure to meet IQR requirements can lead to a 25% reduction in the annual Medicare payment update. That’s a revenue cut few hospitals can afford.

Operationally, these reforms demand more than tech upgrades. They require workforce-wide understanding of what’s being measured, how it’s tracked, and why it matters. Your training programs, especially for quality, safety, and EHR use, must help bridge the gap between care and compliance.

Evolving Telehealth & Licensure Regulations

The pandemic jumpstarted telehealth. Now, 2025 is shaping its long-term rules.

At the federal level, the American Relief Act of 2025 temporarily removed geographic barriers for Medicare telehealth and expanded provider eligibility. While these provisions are set to expire by March 31, the expectation is that more permanent policies will follow.

Meanwhile, states are tightening licensure requirements. Some are reintroducing restrictions on cross-state care, while others are pushing for interstate compacts. For hospitals and health systems operating across state lines, this introduces layers of complexity.

To stay compliant, organizations need to:

  • Monitor which clinicians are licensed in which states.
  • Track legislative changes and compact participation.
  • Train providers on coding, billing, and consent requirements specific to telehealth.

Cybersecurity remains part of the conversation too. State Medicaid programs and commercial payers are demanding that virtual care meet the same data privacy standards as in-person services. That means encrypted platforms, protected access, and patient-specific consent, all of which must be covered in training.

The Joint Commission’s 2025 Accreditation Standards

Unlike previous years, the Joint Commission released its 2025 updates later than expected, giving hospitals little time to prepare. The new standards are already in effect and focus on three key areas:

  • Environment of Care (EC)
  • Life Safety (LS)
  • Emergency Management (EM)

Expectations around infection control, health equity, and medication safety are also being refined. While the Joint Commission doesn’t issue fines, falling short can risk accreditation and with it, your ability to bill Medicare or commercial insurers.

Because updates came late, many organizations are scrambling to close gaps. This means revising policies, ordering equipment, retraining staff, and updating compliance checklists. In some hospitals, facilities teams are working overtime to meet new life safety requirements, while department leads are being tasked with rolling out fast-turnaround training.

To manage this kind of change, some organizations are assigning “standard champions”: designated team members who track Joint Commission updates and ensure local readiness. That effort starts with better awareness and more agile training.

State-Level Compliance Laws: Workforce Safety, Data Security, and Patient Rights

While federal agencies dominate the conversation, state laws are quietly raising the bar across the board.

  • Workforce Safety: California’s AB 977 upgrades violence against hospital staff from misdemeanor to felony. Washington has expanded its ban on mandatory overtime, now covering smaller facilities by mid-year. These laws require revised staffing models, training programs, and violence prevention policies.
  • State Cybersecurity Regulations: Connecticut’s new law mandates annual cybersecurity audits for hospitals, with findings reported to state authorities. More states may follow. Training must now cover local rules, not just HIPAA, especially in states with layered privacy or breach response laws.
  • Patient Care Mandates: New Jersey requires postpartum care plans for all new mothers. Pennsylvania mandates insurance coverage for biomarker testing. These policies touch everything from discharge planning to test ordering, and require process updates that often depend on frontline staff understanding what’s changed.

For multi-state organizations, the patchwork of laws is a full-time challenge. Training must now reflect not only your federal compliance obligations, but also the unique demands of each state in which you operate.

What This Means for Training in 2025

If compliance has moved to the front of the strategic plan, training needs to move with it.

  • One-size-fits-all courses won’t meet role-specific or state-specific demands.
  • Annual “click-through” modules can’t prepare teams for high-stakes, real-time issues.
  • Paper documentation and spreadsheet tracking won’t survive an audit.

Healthcare leaders need scalable, smart training that supports daily work, keeps pace with change, and proves its value both in learner outcomes and compliance readiness.

How Automation Helps

Modern learning platforms are stepping in to fill the gap. The best solutions do more than deliver content; they integrate with credentialing, issue alerts, track task completion, and update in response to new regulations.

Benefits include:

  • Centralized training records that streamline audits.
  • Role-based content delivery that improves engagement.
  • Automation of license checks, reminders, and escalations.
  • Faster response to regulatory updates with built-in content changes.

This isn’t about technology for its own sake—it’s about making compliance achievable in a world where manual oversight isn’t enough.

Key Takeaways

2025 is not the year to get caught off guard. Between HIPAA updates, CMS reforms, telehealth laws, accreditation changes, and state mandates, the compliance landscape is moving fast and healthcare organizations must move faster.

Pivto Better Learning helps healthcare organizations build great learning that can be launched from your platform or ours. Whether you're preparing for HIPAA audits or integrating state-specific mandates, Pivto will deliver targeted, proactive, and standards-aligned learning at scale.

Ready to Make Learning Your Competitive Edge?

Let’s chat about how Pivto can help you unlock the power of digital-first learning for your teams, your customers, and your community.