HHS Office of Civil Rights Letter Re: Cyberattack on Change Healthcare (Mar. 13, 2024) Available at https://www.hhs.gov/sites/default/files/cyberattack-change-healthcare.pdf
Following the ransomware cyberattack on Change Healthcare (a unit of United Healthcare Group (UHG) that serves as a HIPAA business associate for health plans and providers nationwide), HHS’s Office for Civil Rights (OCR) has announced in a letter that it is initiating an investigation into the incident, given the “unprecedented magnitude” of the attack. The investigation will focus on whether a breach of protected health information (PHI) has occurred and on Change Healthcare’s and UGH’s compliance with HIPAA’s privacy, security, and breach notification rules without mention that a breach notification report was formally filed. Typically, OCR enters into resolution agreements with business associates after there are allegations of noncompliance to ensure that they are protecting ePHI on behalf of covered entities by having both risk analysis and management plans in place.
According to the letter, “OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary,” but OCR reminds these entities that safeguarding PHI is a “top priority.” The letter also reminds covered entities that engage with business associates of their regulatory responsibilities under HIPAA to ensure that business associate agreements are in place and that timely breach notifications to HHS and affected individuals occur. OCR also provides links to resources to help protect record systems and patients against cyberattacks, such as sample business associate agreement provisions, the OCR HIPAA Security Rule Guidance Material webpage, a video on the HIPAA security rule and cyberattacks, a webinar on HIPAA security rule risk analysis requirements, the HHS Security Risk Assessment tool, and a fact sheet on ransomware.
EBIA Comment: OCR urges covered entities to review cybersecurity measures “with urgency,” and has outlined in its latest report to Congress key areas of improvement for covered entities to focus on. Covered entities should address in their risk analysis and risk management plans their due diligence process in selecting business associates, including ensuring that contracts include appropriate provisions to safeguard ePHI. If a covered entity knows of a pattern of activity or practice of a business associate that constitutes a material breach of the contract, it may be obligated to take certain steps to cure the breach and, if those steps are unsuccessful, to terminate the contract. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX (“Enforcement of Privacy, Security, and EDI Rules”), XXIII (“How the Privacy and Security Rules Affect Group Health Plans and Plan Sponsors”), XXIV (“Business Associate Contracts”), and XXV (“Breach Notification for Unsecured PHI”). See also the manual’s Sample Checklist for Business Associate Contract Provisions, Sample Business Associate Contract Provisions, and Sample Business Associate Security Questionnaire (and the Guides to these sample documents), which may assist covered entities in ensuring that their business associates are complying with HIPAA’s privacy and security rules.
Get all the latest tax, accounting, audit, and corporate finance news with Checkpoint Edge. Sign up for a free 7-day trial today.
