In this post, we break down what the new cybersecurity-related HIPAA expectations mean for your training program and how to build a program that not only meets regulatory standards but actively reduces risk.
Stricter Data Privacy & HIPAA Updates
In January 2025, the Department of Health and Human Services (HHS) published a proposed rule (notice of proposed rulemaking) with sweeping updates to the HIPAA Security Rule. The proposal reflects a growing push to prepare healthcare systems for cyberattacks and data breaches by setting higher expectations for proactive planning and staff readiness. Note that these are proposed, not yet final, requirements; the obligations below describe what the rule would require if finalized.
Under the proposed rules, organizations must:
Enforcement is also tightening. HHS (through its Office for Civil Rights, which enforces HIPAA) and the FTC (which polices health data privacy under its own authority, including the Health Breach Notification Rule for entities outside HIPAA) have both signaled a stricter posture. For organizations, that means HIPAA settlements and civil penalties that can climb into the millions, plus reputational damage that takes far longer to repair than the affected systems.
Training is no longer a compliance formality. Every staff member, from clinical to administrative, needs to understand how cybersecurity intersects with their role.
CMS Quality Reporting & Payment Reforms
While cybersecurity dominates headlines, CMS is making equally consequential updates that impact funding. In 2025, Medicare continues its shift toward value-based care by tightening performance measures across multiple programs:
Failure to meet Hospital Inpatient Quality Reporting (IQR) requirements results in a one-quarter reduction of the hospital's annual Medicare payment update (the yearly rate increase is cut by 25%; it is not a 25% cut to total Medicare payments). That is still a revenue hit few hospitals can afford.
Operationally, these reforms demand more than tech upgrades. They require workforce-wide understanding of what’s being measured, how it’s tracked, and why it matters. Your training programs, especially for quality, safety, and EHR use, must help bridge the gap between care and compliance.
Evolving Telehealth & Licensure Regulations
The pandemic jumpstarted telehealth. Now, 2025 is shaping its long-term rules.
At the federal level, the American Relief Act, 2025 (enacted in December 2024) extended the pandemic-era Medicare telehealth flexibilities, including the waiver of geographic and originating-site restrictions and the expanded list of eligible practitioners. Those provisions were set to expire on March 31, 2025, but the expectation is that more permanent policies will follow.
Meanwhile, states are tightening licensure requirements. Some are reintroducing restrictions on cross-state care, while others are pushing for interstate compacts. For hospitals and health systems operating across state lines, this introduces layers of complexity.
To stay compliant, organizations need to:
Cybersecurity remains part of the conversation too. State Medicaid programs and commercial payers are demanding that virtual care meet the same data privacy standards as in-person services. That means encrypted platforms, protected access, and patient-specific consent, all of which must be covered in training.
The Joint Commission’s 2025 Accreditation Standards
Unlike previous years, the Joint Commission released its 2025 updates later than expected, giving hospitals little time to prepare. The new standards are already in effect and focus on three key areas:
Expectations around infection control, health equity, and medication safety are also being refined. While the Joint Commission does not issue fines, falling short can put accreditation at risk, and with it the deemed status many hospitals rely on to meet Medicare's Conditions of Participation and the accreditation that commercial insurers often require for contracting.
Because updates came late, many organizations are scrambling to close gaps. This means revising policies, ordering equipment, retraining staff, and updating compliance checklists. In some hospitals, facilities teams are working overtime to meet new life safety requirements, while department leads are being tasked with rolling out fast-turnaround training.
To manage this kind of change, some organizations are assigning “standard champions”, designated team members who track Joint Commission updates and ensure local readiness. That effort starts with better awareness and more agile training.
State-Level Compliance Laws: Workforce Safety, Data Security, and Patient Rights
While federal agencies dominate the conversation, state laws are quietly raising the bar across the board.
For multi-state organizations, the patchwork of laws is a full-time challenge. Training must now reflect not only your federal compliance obligations, but also the unique demands of each state in which you operate.
What This Means for Training in 2025
If compliance has moved to the front of the strategic plan, training needs to move with it.
Healthcare leaders need scalable, smart training that supports daily work, keeps pace with change, and proves its value both in learner outcomes and compliance readiness.
How Automation Helps
Modern learning platforms are stepping in to fill the gap. The best solutions do more than deliver content; they integrate with credentialing, issue alerts, track task completion, and update in response to new regulations.
Benefits include:
This isn’t about technology for its own sake—it’s about making compliance achievable in a world where manual oversight isn’t enough.
Key Takeaways
2025 is not the year to get caught off guard. Between HIPAA updates, CMS reforms, telehealth laws, accreditation changes, and state mandates, the compliance landscape is moving fast and healthcare organizations must move faster.
Pivto Better Learning helps healthcare organizations build effective learning programs that can be launched from your platform or ours. Whether you're preparing for HIPAA audits or integrating state-specific mandates, Pivto delivers targeted, proactive, and standards-aligned learning at scale.
Let’s chat about how Pivto can help you unlock the power of digital-first learning for your teams, your customers, and your community.