New HIPAA Rule mandates 72-hour data restoration

On December 27, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to enhance electronic protected health information (ePHI) protections. 

What happened  

The proposed modifications to the HIPAA Security Rule introduce updates to improve ePHI protection. Major changes include removing the distinction between 'required' and 'addressable' specifications, mandating ePHI encryption at rest and in transit, requiring multi-factor authentication, and implementing annual compliance audits.  

The NPRM also calls for:  

• A written technology asset inventory and network map updated annually or after major changes.  
• Specific risk analysis processes to assess threats, vulnerabilities, and risk levels.  
• Procedures for restoring data and systems within 72 hours of disruption.  
• Annual vulnerability scanning and penetration testing.  
• Notification within 24 hours of changes to workforce access or activation of contingency plans.  

Going deeper  

Other NPRM proposals include:  

• Technical safeguards: Anti-malware protection, network segmentation, and separate controls for backup and recovery.  
• Policy updates: Written documentation of all Security Rule policies, procedures, and plans, with specific compliance timeframes.  
• Audit requirements: Annual compliance audits and business associate certifications verifying technical safeguards.  
• Enhanced contingency planning: Detailed restoration and incident response procedures, with regular testing and updates.  

Learn more: Understanding the HHS’s proposed modifications to HIPAA's Security Rule

What was said  

According to the OCR’s fact sheet, released on December 27, 2024, “The proposed rule seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.”

Additionally, the HHS encourages stakeholders to submit comments via regulations.gov by the deadline, 60 days after the NPRM’s publication in the Federal Register.  

Why it matters  

Cyberattacks, especially ransomware, disrupt critical operations, delay patient care, and jeopardize sensitive data like ePHI. The NPRM aims to mitigate these issues and promote faster recovery after a cybersecurity breach. These requirements will help healthcare providers protect patient lives and preserve the integrity of healthcare services.

The bottom line

Healthcare providers must review the NPRM and provide input, upholding the shared responsibility of improving healthcare.

FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access, uses or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

See also: How to respond to a data breach

What is a ransomware attack?

Ransomware attacks are a type of cyberattack where hackers gain unauthorized access to a computer, encrypt its data, and demand the return of this data upon payment.

Hackers often target sensitive information like personal, financial, or healthcare data, crippling their operations until the ransom is paid or recovered by other means. 

Ransomware typically spreads through phishing emails, malicious links, or software vulnerabilities, exploiting weak cybersecurity defenses. Even after paying the ransom, victims are not guaranteed data recovery.

Who needs to comply with HIPAA?

HIPAA compliance is required for covered entities, including healthcare providers, health plans, healthcare clearinghouses, and their business associates, who handle protected health information (PHI).