In the News

Jan. 24, 2025

New HIPAA Security Rule: Not Just 'Semantic' But a Real Lift for Practices

Part B News

Nelson Mullins partner Brad Moody, Co-Chair of the firm’s Data Breach Response practice, was recently featured in a Q&A interview with Part B News on January 22, 2025. Moody discussed HHS' latest proposed HIPAA Security Rule, published Jan. 6, which would mandate several changes to the way health care providers protect patient information. Below is an excerpt from the interview: 

When asked about what the big lifts for providers would be under this rule, Moody said, “My experience is that it will be a change for a lot of organizations. I think most organizations know what’s in their electronic health records (EHR), but data mapping throughout a network is typically not a priority for organizations.

“[The requirement to recover] electronic systems within 72 hours of a ransomware attack is a big ask,” he continued. “In my experience, safely recovering within 72 hours is not feasible even when viable backups are available. It can take at least 72 hours just to contain an attack and deploy monitoring software to ensure the environment is safe for restoring.”

Another significant change Moody highlighted is the requirement for business associates to report major security incidents to covered entities within 24 hours.

“This change is understandable to mitigate the risk of threats spreading to other environments,” he said. “However, the concern is that OCR [HHS' Office for Civil Rights] may ultimately find that the 24-hour notice triggers the 60-day breach reporting requirement for a covered entity even if a business associate does not know whether PHI has been compromised.” 
