OCR Opens HIPAA Compliance Investigation of Change Healthcare
The HHS’ Office for Civil Rights has opened an investigation of Change Healthcare following its February 21, 2024, cyberattack, just three weeks after the attack occurred. Typically, OCR’s investigations of cyberattacks and data breaches are initiated several months after the breach is reported, which may even be years after the breach occurred. In this case, the incident has not even been reported to OCR as it is still under investigation. Change Healthcare has only just brought its systems back online – 99% of pharmacy and payment platforms are now up and running according to a recent statement – and there are still 5 weeks before the HIPAA Breach Notification Rule’s deadline for reporting breaches is reached.
The rapidly initiated investigation is in response to the magnitude of the incident, which is disrupting health care and billing information systems nationwide and has been estimated to be costing providers well over a billion in reimbursement losses per day due to Change Healthcare’s systems being unavailable. The disruption caused to providers that use Change Healthcare’s systems is causing extreme financial difficulties and some providers have had to make difficult decisions about whether they can continue to operate. As such, the incident poses a direct threat to critically needed patient care and essential operations of the healthcare industry.
In a “Dear Colleague” letter uploaded to the HHS website, OCR Director Melanie Fontes Rainer said “Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident. OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”
OCR also explained in the letter that its interest in other entities that partner with Change Healthcare and UnitedHealth Group is secondary. While OCR is not prioritizing investigations of healthcare providers, health plans, and business associates that have partnered with Change Healthcare or UnitedHealth Group, OCR has taken the opportunity to remind them that they have regulatory responsibilities under HIPAA and they must ensure that they have business associate agreements in place and that they issue timely notifications to the HHS and any affected individuals. In the letter, the OCR Director shared resources to assist HIPAA-regulated entities with protecting records, systems, and patients from cyberattacks.
“This is an unusual move by OCR but given the far-reaching impact of the cyberattack and the massive effect it is having on healthcare organizations that rely on Change Healthcare’s services and systems, the breach warrants swift investigation to determine if Change Healthcare and its parent company were fully compliant with the HIPAA Rules,” commented Steve Alder, Editor-in-Chief, The HIPAA Journal.
Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance (NCA), offered some advice for readers of The HIPAA Journal and shared some of the lessons that can be learned from this devastating cyberattack.
The cyberattack on UnitedHealth Group and Change Healthcare serves as a stark reminder of the critical need for robust cybersecurity measures within the healthcare sector. Firstly, healthcare organizations must prioritize comprehensive risk assessments and implement stringent security protocols to safeguard sensitive patient data. This includes regular security audits, employee training on cybersecurity best practices, encryption of data both at rest and in transit, and proactive monitoring for suspicious activities. Furthermore, investments in cutting-edge cybersecurity technologies and partnerships with reputable cybersecurity firms can bolster defenses against evolving cyber threats.
Additionally, the incident highlights the indispensable role of government oversight and regulation in safeguarding healthcare data. Government agencies, such as the Department of Health and Human Services’ Office for Civil Rights, play a vital role in enforcing compliance with health privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA). Through rigorous investigations and enforcement actions, regulatory bodies can hold healthcare entities accountable for lapses in data protection and ensure swift responses to cyber incidents. Moreover, collaboration between government agencies, law enforcement, and private sector stakeholders is essential to enhance threat intelligence sharing and coordinate responses to cyber threats, ultimately bolstering the resilience of the healthcare sector against future cyberattacks.
In light of the recent cyberattack on UnitedHealth Group and Change Healthcare, consumers and patients also play a crucial role in protecting their personal health information. One key step is to remain vigilant about sharing sensitive data, both online and offline, only with trusted healthcare providers and entities. Patients should inquire about the security measures implemented by their healthcare providers, including encryption protocols and data breach response plans. Additionally, individuals should regularly review their medical bills and insurance statements for any discrepancies or unauthorized charges, which could indicate fraudulent activity. Furthermore, maintaining strong, unique passwords for healthcare portals and enabling multi-factor authentication can add an extra layer of security to personal health information. By staying informed, vigilant, and proactive, consumers can contribute to safeguarding their own health data and mitigating the risks posed by cyber threats in the healthcare sector.