By Bev Najarian

The healthcare industry is no stranger to regulatory frameworks, and HIPAA is among the most significant of them. As a Risk Analyst at MorganFranklin Consulting, I’ve seen firsthand how updates to regulatory frameworks, HIPAA in particular, can transform the way organizations approach data security and privacy. Recent changes to HIPAA’s rules, together with the further changes proposed in the HIPAA Security Rule notice of proposed rulemaking (summarized in the HIPAA Security Rule NPRM Factsheet), reflect an increasingly urgent call to bolster cyber defenses, reinforce vendor management, and elevate governance practices.

HIPAA: The Foundation of Healthcare Privacy and Security

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established protections for protected health information (PHI) while allowing for the secure flow of healthcare data. Two critical components, the Privacy Rule and the Security Rule, provide the framework for safeguarding PHI; both are codified in 45 CFR Parts 160 and 164.

  • The Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) governs the use and disclosure of PHI and establishes individuals’ rights over their health information.
  • The Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) sets standards for safeguarding electronic PHI (ePHI) against unauthorized access, ensuring its confidentiality, integrity, and availability.

Why The Changes Matter

For years, the healthcare industry has relied on the foundational aspects of HIPAA to protect patient health information. Now, the stakes are higher than ever. Evolving cyber threats, complex vendor relationships, and heightened patient expectations require organizations to adapt quickly and effectively. In many ways, the “old” HIPAA laid the groundwork, while the new changes—and proposed changes—require a forward-thinking approach.

A Brief Look at Old vs. New (or Proposed) HIPAA Requirements

Below is a concise breakdown of how key HIPAA provisions have evolved, contrasting the former regulations with the latest changes and proposals.

1. Privacy Rule

Old Requirements

  • Use and Disclosure of PHI: Established guidelines on permissible uses, disclosures, and minimum necessary standards.
  • Patient Rights: Patients could request copies of their medical records, ask for amendments, and had to receive a notice of privacy practices.
  • Business Associates: Required business associate agreements (BAAs) to ensure PHI protection by vendors.

New/Updated Requirements (and NPRM Proposals)

  • Accelerated Patient Access: Patients must receive access to their PHI more quickly, and delays can attract regulatory penalties.
  • Refined Minimum Necessary Standards: Heightened clarity on limiting PHI disclosure to the minimum necessary, with stricter repercussions for over-disclosure.
  • Greater Transparency & Consent: Proposed modifications reinforce the importance of transparent data-sharing practices, including clearer notices and potentially shorter turnaround times for fulfilling requests.

2. Security Rule

Old Requirements

  • Risk Analysis: Required a baseline risk assessment and periodic re-evaluations, but enforcement mainly focused on whether a risk analysis existed rather than its depth.
  • Administrative Safeguards: Called for policies, procedures, and workforce training, but offered flexibility on specifics.
  • Technical Safeguards: Required controls like access management and audit logs, yet guidelines were sometimes broad and open to interpretation.

New/Updated Requirements (and NPRM Proposals)

  • Ongoing, In-Depth Risk Analysis: The NPRM would require more rigorous, continually updated risk analyses that go beyond checklists and address the entire IT environment (the proposal calls for a written technology asset inventory and network map as inputs), including emerging threats like ransomware.
  • Proactive Cybersecurity Measures: Stronger emphasis on encryption, data backup, and incident response to demonstrate “reasonable and appropriate” protection. The NPRM proposes making implementation specifications required rather than “addressable,” with explicit, documented controls such as encryption of ePHI at rest and in transit and multi-factor authentication. These remain proposals until a final rule is issued, so track the rulemaking rather than assuming the requirements are already in force.
  • Increased Enforcement: Greater scrutiny in audits and heavier penalties for inadequate or outdated risk analyses, pushing organizations to demonstrate not just compliance but also resilience.

3. Third-Party Risk Management (TPRM)

Old Requirements

  • Business Associate Agreements (BAAs): Ensured vendors understood their security obligations.
  • Limited Oversight: Often, organizations relied on a BAA and a one-time due diligence process without ongoing vendor monitoring.
  • Reactive Approach: Vendor reviews tended to happen post-incident or at contract renewal.

New/Updated Requirements (and NPRM Proposals)

  • Comprehensive Vendor Oversight: The proposed rules emphasize robust, continuous third-party risk management, including deep-dive assessments and ongoing security reviews; the NPRM would have business associates verify their safeguards to covered entities through periodic written analysis rather than a one-time attestation at signing.
  • Stricter Accountability: The covered entity or business associate could face penalties if a third-party vendor breaches PHI and the entity cannot show it exercised adequate oversight.
  • Detailed Contractual Obligations: BAAs increasingly include clauses outlining breach and contingency-plan notification timelines, required safeguards, and financial accountability.

4. Governance, Risk, and Compliance (GRC) Alignment

Old Requirements

  • Isolated Compliance Silos: HIPAA compliance was often managed separately from enterprise risk and governance.
  • Static Policies: Policies were typically reviewed annually or in response to a breach.
  • Limited Metrics & Reporting: Compliance status wasn’t consistently reported to executive leadership.

New/Updated Requirements (and NPRM Proposals)

  • Integrated GRC Frameworks: Entities are encouraged to embed HIPAA into their corporate governance and risk management processes, ensuring a more holistic, proactive approach.
  • Continuous Monitoring & Reporting: Real-time tracking of incidents, vulnerabilities, and regulatory updates is now crucial.
  • Executive Visibility: With enforcement tightening, leadership at the highest levels must be informed of HIPAA-related risks, ensuring accountability for compliance.

5. Enforcement & Penalties

Old Requirements

  • Varied Penalties: Civil monetary penalties on a tiered scale, with corrective action plans for noncompliance.
  • Less Frequent Audits: Although high-profile breaches triggered attention, broad enforcement was inconsistent.
  • Voluntary Compliance: Many organizations avoided severe penalties by showing a “good faith” effort to comply.

New/Updated Requirements (and NPRM Proposals)

  • Steeper Fines & More Aggressive Audits: Regulators conduct more audits and repeat offenses can lead to larger penalties.
  • Stricter Breach Notification Enforcement: Delays or inadequate notifications may immediately trigger enforcement actions.
  • Incident Patterns: The NPRM underscores that repeat or systemic noncompliance can bring harsher consequences, highlighting the importance of ongoing process improvement.

Why These Changes Matter for Risk, TPRM, Privacy, and GRC
Cyber Risk Management

The enhanced emphasis on cybersecurity means organizations must routinely perform in-depth risk analyses that account for evolving threats. Robust incident response plans and threat detection tooling (for example, a SIEM that ingests EHR audit logs alongside infrastructure telemetry) are no longer optional; they are vital for demonstrating ongoing compliance and preparedness.
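As an added example (not code from this article or from MorganFranklin Consulting), the Python below shows what turning the Security Rule’s audit-log safeguard into actual detection content looks like. It parses constructed EHR audit events in a hypothetical line format and flags the patterns a reviewer would expect a covered entity to have noticed on its own: one account browsing many distinct patient records within minutes, ePHI access outside business hours, and export actions. The log format, field names, user IDs, medical record numbers, business-hours window, and thresholds are all assumptions made for illustration.

```python
"""Review of ePHI audit logs for access anomalies.

Added, illustrative example; not code from the original article or from
MorganFranklin Consulting. The log format is hypothetical and the sample
events below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR audit events in an assumed line format:
#   <ISO-8601 timestamp> user=<id> action=<VIEW|EXPORT|LOGIN_FAIL> patient=<MRN or ->
SAMPLE_LOG = """\
2025-03-04T09:02:11 user=nurse01 action=VIEW patient=MRN1001
2025-03-04T09:05:40 user=nurse01 action=VIEW patient=MRN1002
2025-03-04T09:07:03 user=nurse01 action=VIEW patient=MRN1001
2025-03-04T02:14:22 user=clerk07 action=VIEW patient=MRN2001
2025-03-04T02:14:30 user=clerk07 action=VIEW patient=MRN2002
2025-03-04T02:14:41 user=clerk07 action=VIEW patient=MRN2003
2025-03-04T02:14:52 user=clerk07 action=VIEW patient=MRN2004
2025-03-04T02:15:05 user=clerk07 action=VIEW patient=MRN2005
2025-03-04T02:15:19 user=clerk07 action=EXPORT patient=MRN2005
2025-03-04T10:30:00 user=dr_lee action=VIEW patient=MRN3001
2025-03-04T11:00:00 user=dr_lee action=LOGIN_FAIL patient=-
"""

# Actions that touch ePHI; LOGIN_FAIL carries no patient record.
PHI_ACTIONS = {"VIEW", "EXPORT"}


def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = {"ts": datetime.fromisoformat(stamp)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def distinct_patient_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who touch at least `threshold` distinct patient records inside one window.

    This is the classic record-snooping pattern: a clinician works a handful of
    charts, whereas an account paging through many unrelated patients in a short
    span warrants review. Emits one finding per user, at the first window that trips.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["action"] in PHI_ACTIONS and e["patient"] != "-":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] < window]
            distinct = {e["patient"] for e in in_window}
            if len(distinct) >= threshold:
                findings.append({"user": user, "distinct_patients": len(distinct),
                                 "window_start": start["ts"]})
                break
    return findings


def after_hours_access(events, open_hour=7, close_hour=19):
    """Return ePHI accesses outside the assumed business window [open_hour, close_hour)."""
    return [e for e in events
            if e["action"] in PHI_ACTIONS and not (open_hour <= e["ts"].hour < close_hour)]


def export_events(events):
    """Export actions move ePHI out of the system of record; list every one for review."""
    return [e for e in events if e["action"] == "EXPORT"]


def review(text):
    """Run all checks over a log and return the findings grouped by check name."""
    events = parse_log(text)
    return {
        "bursts": distinct_patient_bursts(events),
        "after_hours": after_hours_access(events),
        "exports": export_events(events),
    }


if __name__ == "__main__":
    for name, hits in review(SAMPLE_LOG).items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

In production this logic lives in a SIEM correlation rule over the EHR’s audit feed; the value of writing it out is that each finding is reproducible and tied to a named safeguard, which is the kind of evidence a risk analysis can cite. The thresholds here are arbitrary and must be tuned per role, since an emergency-department clinician legitimately opens many charts per hour.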

Third-Party Risk Management (TPRM)

Under the new or proposed HIPAA updates, a single vendor’s security lapse can have major consequences for covered entities or business associates. Strengthening third-party oversight—via continuous monitoring, frequent vendor questionnaires, and detailed contractual obligations—remains a top priority.

Privacy Programs

Patient-focused provisions demand faster response times and clearer communications around data sharing. As a result, privacy programs must enhance transparency and patient education, all while ensuring internal policies remain aligned with updated regulatory expectations.

Governance, Risk, and Compliance (GRC)

Adopting an integrated GRC approach allows organizations to monitor HIPAA risks alongside other regulatory frameworks, streamline documentation, and provide executive leadership with real-time insights. HIPAA compliance is no longer a siloed endeavor—it should be part of your overarching governance strategy.

A Positive Outlook: Embracing Change as Growth

As a working professional in risk management, I view these HIPAA changes, and their proposed expansions, as a catalyst for transformation. Healthcare organizations can use these stricter rules to refine their processes, invest in better cybersecurity measures, build stronger vendor relationships, and ultimately foster greater trust with patients and partners.

Yes, the changes can be daunting, but they also push us toward a more secure, transparent, and patient-focused healthcare environment. At MorganFranklin Consulting, we stand ready to guide organizations through this next phase—whether by conducting a comprehensive HIPAA risk assessment, implementing advanced TPRM strategies, or helping you integrate HIPAA requirements into a broader GRC framework.

How MorganFranklin Consulting Can Help

1. HIPAA Risk Assessment

  • Conduct thorough, ongoing risk evaluations aligned with the NPRM’s guidance and best practices.
  • Prioritize vulnerabilities and design tailored remediation strategies.

2. Third-Party Risk Management (TPRM) Program Enhancement

  • Implement end-to-end vendor lifecycle oversight, from due diligence to contract termination.
  • Customize TPRM processes to reflect HIPAA’s heightened expectations.

3. Privacy Policy & Procedures

  • Update policies to meet accelerated patient access requirements and refined consent rules.
  • Train staff to be vigilant and proactive in privacy protection.

4. Integrated GRC Solutions

  • Develop frameworks that monitor HIPAA compliance in real time, allowing for swift policy updates and consistent executive reporting.
  • Leverage technology platforms to centralize compliance data, measure risk, and streamline audits.

5. Incident & Breach Response

  • Craft incident response plans that align with the new HIPAA enforcement landscape and emphasize swift breach notification.
  • Establish processes to learn from incidents, ensuring continuous program improvement.

Looking Ahead

In this era of heightened cybersecurity threats and increased enforcement, HIPAA’s new and proposed changes can serve as a blueprint for strengthening all facets of your risk management and compliance initiatives. By embracing these updates as opportunities rather than obstacles, your organization can stand out as a trusted leader in protecting patient data.

If you want to learn more about how MorganFranklin Consulting can help you adapt and thrive under these new HIPAA changes, don’t hesitate to reach out. Let’s turn compliance into a strategic advantage—one that safeguards your organization, partners, and, most importantly, the patients you serve.
