OCR Opens HIPAA Compliance Investigation of Change Healthcare

The HHS Office for Civil Rights (OCR) opened its investigation of Change Healthcare roughly three weeks after the February 21, 2024 cyberattack. OCR typically opens cyberattack and data breach investigations several months after a breach report is submitted, and sometimes years after the breach occurred. In this case, no breach has yet been reported to OCR, because the incident is still being investigated. Change Healthcare has only just brought its pharmacy and payment platforms back online, reporting them at 99% restored, and the 60-day reporting deadline under the HIPAA Breach Notification Rule is still a few weeks away.

The investigation was opened so quickly because of the magnitude of the incident, which disrupted medical care and billing systems across the country; the outage of Change Healthcare’s systems is reported to be costing companies approximately $1 billion a day in delayed payments. The disruption has caused serious financial problems for organizations that rely on Change Healthcare’s systems, and some have had to decide whether they can continue operating. The incident therefore poses a direct risk to critically needed patient care and to essential operations across the healthcare sector.

OCR Director Melanie Fontes Rainer stated in a “Dear Colleague” letter published on the HHS website that, given the unprecedented magnitude of the Change Healthcare cyberattack and in the interest of patients and healthcare organizations, OCR is investigating the incident now rather than waiting for a breach report. The investigation of UnitedHealth Group (UHG) and Change Healthcare will focus on determining whether a breach of protected health information (PHI) occurred and whether Change Healthcare and UHG were compliant with the HIPAA Rules.

OCR also stated in the letter that its interest in other entities that work with UnitedHealth Group and Change Healthcare is secondary. Although OCR is not prioritizing investigations of the healthcare providers, health plans, and business associates that partner with UHG or Change Healthcare, it reminded them of their regulatory obligations under HIPAA: they must have business associate agreements in place, and they must ensure that breach notifications are made promptly to HHS and to affected individuals. The letter also pointed to resources to help HIPAA-regulated entities protect their systems, records, and patients from cyberattacks.

Opening an investigation this early is unusual for OCR, but given the scale of the cyberattack and its impact on the many healthcare organizations that depend on Change Healthcare’s services and systems, the incident warrants a prompt inquiry into whether Change Healthcare and its parent company were fully compliant with HIPAA.

Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance (NCA), offered several lessons that can be drawn from this damaging cyberattack. The attack on UnitedHealth Group and Change Healthcare is a reminder of how important strong cybersecurity measures are in the healthcare industry.

First, healthcare organizations need to prioritize comprehensive risk assessments (the risk analysis the HIPAA Security Rule already requires) and apply strict security practices to protect sensitive patient information. This includes routine security audits, data encryption, employee training on cybersecurity best practices, and proactive monitoring for suspicious activity. Investing in modern security tooling and partnering with reputable cybersecurity firms can further strengthen defenses against evolving threats.

Second, the incident underscores the essential role of government oversight and regulation in protecting healthcare data. Agencies such as the Department of Health and Human Services Office for Civil Rights are responsible for enforcing compliance with health privacy laws, most notably the Health Insurance Portability and Accountability Act (HIPAA). Through thorough audits, investigations, and enforcement actions, regulators can hold healthcare organizations accountable for failing to meet data protection requirements and ensure prompt responses to cyber incidents. Collaboration between law enforcement, government agencies, and private-sector stakeholders is also important for improving threat intelligence sharing and coordinating responses to cyber threats, which ultimately strengthens the resilience of the healthcare industry against future attacks.

In light of the attack on Change Healthcare and UnitedHealth Group, consumers and patients also have a role to play in protecting their health data. One important step is to be cautious about disclosing sensitive information, both online and in person, and to share it only with trusted healthcare providers and organizations. Patients should ask their healthcare providers about the safeguards they have in place, including encryption practices and data breach response plans. Individuals should also routinely review their medical bills and insurance statements for discrepancies or unfamiliar charges, which could indicate fraudulent activity. Using strong, unique passwords for patient portals and other healthcare sites, and enabling multi-factor authentication wherever it is offered, adds a further layer of protection for personal health data. By staying informed, alert, and proactive, individuals can protect their own health information and reduce the risks posed by cyber threats in the healthcare industry.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA