Electronic health records (EHRs), telehealth, and cloud-based systems have transformed how healthcare professionals interact with patients and each other. But with progress comes vulnerability: digital systems, while faster and more efficient, are more exposed to cyber threats, technical failures, and human error. In fact, according to the US Department of Health and Human Services, as quoted in The Hacker News, “There's been a 93% increase in large breaches from 2018 to 2022. In that same period, there's been a 278% increase in breaches involving ransomware.” This makes modern healthcare communication more prone to data breaches and compliance risks if it is not properly secured. The recent HIPAA Security Rule updates stress the need for healthcare organizations to modernize their communication systems and strengthen their cybersecurity defenses.
“Recent HIPAA updates signal an urgent need to modernize outdated communication systems and fortify cybersecurity defenses,” says David Chou, Founder of Chou Group Healthcare Technology Advisory Services. “The challenge lies in upgrading 24/7 operational systems without disruption, making it critical for leaders to prioritize multifactor authentication and proactive incident response planning.” Chou’s insights are timely as the healthcare industry continues to face an increase in cyberattacks.
Healthcare is evolving rapidly, and the way information is exchanged must keep up. Outdated communication systems, once standard, are now ill-equipped to handle the demands of a digital, data-driven healthcare environment. The fax machine is a case in point: 70% of healthcare providers were still using fax machines in 2021, yet these machines cannot integrate with EHRs.
From growing cybersecurity threats to rising patient expectations, the pressure to modernize is increasing. In the first half of 2025, U.S. healthcare organizations reported 311 data breaches to the HHS OCR involving 500 or more individuals. These incidents affected approximately 23.1 million individuals, and most of these breaches stemmed from hacking and IT incidents, many of which may involve outdated communication systems.
This is where modern communication tools, like email, come in. They not only support efficiency and continuity of care but also safeguard sensitive patient information. This is supported by the study Methods and Effectiveness of Communication Between Hospital Allied Health and Primary Care Practitioners: A Systematic Narrative Review, which states that “advances in health IT may offer a promising solution to the inconsistency of healthcare communication.”
Legacy systems like fax machines, unsecured email, and siloed databases may only increase the risk of data breaches and hinder collaboration between providers. As regulatory standards, like HIPAA, are updated to reflect today’s digital realities, healthcare organizations must view modernization as a necessity.
Healthcare organizations often operate 24/7, relying on infrastructure that must always be available. Yet many of these systems were designed years ago, before cybersecurity became a central concern. Upgrading them is not as simple as flipping a switch; it involves phasing out the old technology while phasing in the new.
Legacy systems create several problems:
These risks are especially pronounced during transitions. As David Chou points out, "The challenge lies in upgrading 24/7 operational systems without disruption, making it critical for leaders to prioritize multifactor authentication and proactive incident response planning."
In December 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) aimed at modernizing the HIPAA Security Rule, marking the first substantial update since 2013. These updates include:
Previously, “addressable” standards allowed entities to decide whether to implement certain safeguards, and these were often treated as optional. The new proposal removes this distinction, making all implementation specifications mandatory, with only limited exceptions.
Encryption is no longer optional; it is now required for ePHI both at rest and in transit, ensuring that even if data is intercepted or stolen, it remains unreadable and protected.
MFA transitions from “strongly recommended” to mandatory for access to all ePHI systems, with limited exceptions for very specific legacy medical devices (with transition plans).
Organizations must now:
The draft adds mandates for:
The proposal requires documented and tested incident response procedures, including:
Businesses handling ePHI must:
The 2025 HIPAA Security Rule updates reshape healthcare communication by raising the security baseline, enforcing accountability, and closing long-standing compliance loopholes. Here's how:
All digital communication (emails, patient portals, messaging apps, and document exchanges) must use automatic encryption. This forces organizations to upgrade from legacy systems (e.g., unencrypted email, fax machines) to HIPAA-compliant platforms like secure email providers, encrypted messaging apps, and telehealth tools.
This sets a higher standard for user verification in messaging platforms, EHR portals, and collaboration tools. Providers must now integrate MFA into all communication endpoints, adding a layer of defense against phishing, credential theft, and unauthorized access.
Healthcare organizations must now formally track every communication tool in use (e.g., email platforms, texting apps, file-sharing services). Shadow IT (unapproved or informal communication tools) will be treated as a serious compliance risk and must be eliminated or brought under formal governance.
Ongoing penetration tests, vulnerability scans, and staff training become essential parts of system upkeep. This creates a more resilient and proactive communication environment.
Healthcare organizations must re-evaluate their vendor relationships. All email, telehealth, and messaging providers must offer full HIPAA compliance, rapid breach response protocols, and technical safeguards, pushing the industry toward more transparent and secure communication ecosystems.
Healthcare communication tools must now support incident response, including breach notifications, system lockdowns, audit logs, and secure backup channels. Real-time alerts and traceability become standard requirements.
As healthcare providers face new HIPAA mandates in 2025, Paubox emerges as a leading solution that already meets or exceeds many of the proposed standards. Its all-in-one, HIPAA-compliant email platform simplifies secure communication without sacrificing usability, helping organizations transition smoothly into this new regulatory landscape.
With the updated HIPAA Security Rule making encryption of ePHI mandatory, both in transit and at rest, Paubox encrypts every email by default, without requiring patient portals, login credentials, or message retrieval links. This automatic and seamless encryption ensures compliance while maintaining provider-patient communication flow, whether on desktop or mobile.
With MFA now required for system access, Paubox supports two-factor authentication (2FA) and integrates seamlessly with identity management systems like Google Workspace and Microsoft 365. This provides an extra layer of protection against credential theft and phishing.
To meet HIPAA’s updated requirements for activity monitoring, Paubox provides detailed audit logs of sent, received, and encrypted emails. These logs support internal reviews, compliance reporting, and incident response investigations.
Paubox Email Suite includes inbound threat protection, scanning emails for malware, ransomware, and phishing attempts. This aligns with the 2025 requirement for formalized risk management and early incident detection.
Paubox signs a business associate agreement (BAA) with every customer, demonstrating full commitment to HIPAA compliance. With tighter oversight of business associates under the new rule, the contract ensures shared accountability for data protection.
Should a breach occur, Paubox is equipped to support your incident response plan with:
Any communication that involves protected health information (PHI), including emails, text messages, telehealth platforms, EHR messaging, and cloud file sharing, must meet HIPAA compliance standards, including encryption, access control, and audit logging.
Penalties can range from $142 to $71,162 per violation, with an annual maximum of over $2 million for identical provisions. OCR may also impose corrective action plans, audits, or referrals for criminal investigation in cases of willful neglect.
Yes. HIPAA applies to all covered entities and business associates, regardless of size. Small practices must take appropriate steps to meet the new requirements, such as using encrypted email, enabling MFA, and maintaining up-to-date policies and training.
Yes. Business associates, like email providers, cloud platforms, and IT support, must also adhere to the stricter requirements, including encryption, security assessments, and breach notification protocols.