Home Health & Hospice Week

HIPAA:

United Health-Change Healthcare Attack Underscores Your HIPAA Duties

OCR sharpens focus of HIPAA investigation.

Even if your reimbursement and other operations have not been affected much by the ransomware incident at UnitedHealth Group’s subsidiary Change Healthcare, it should impact you on another front: HIPAA compliance.

The HHS Office for Civil Rights has issued an update to its guidance on Change Healthcare in the form of a frequently asked questions set. Question No. 1 restates the release and advice from OCR’s March 13 “Dear Colleagues” letter.

Reminder: “Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” OCR Acting Director Melanie Fontes Rainer said in the letter. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

Watch out: “While OCR is not prioritizing investigations of health care providers ... and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities,” Fontes Rainer stressed in the letter. That includes “ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”

In the recent FAQs, OCR offers more insight into its investigation of Change Healthcare in Questions 2 and 3. The remaining questions give covered entities reminders on the HIPAA regulations, guidance on individual requirements and reporting in relation to the cyberattack, and links to past guidance and the relevant provisions.

For example: In Questions No. 6 through No. 9, OCR delves into the responsibility of both covered entities and their business associates under the HIPAA Breach Notification Rule. OCR guidance on the intersection of the regulation and the cyber incident includes:

  • Reminders that loss of protected health information (PHI) due to the Change Healthcare ransomware attack is in fact a breach and must be reported to OCR.
  • Links to the regulation and the breach reporting tool.
  • Explanations of how to report, why you must report, and who needs to be notified, both where the evidence that a breach occurred is conclusive and where it is inconclusive.
  • A breakdown of business associates’ liability and of what they must do alongside the covered entity’s duties.
  • Change Healthcare’s responsibility to notify individuals, and the subsequent responsibilities of covered entities and business associates to stay in contact with the payer.

Note: The FAQs are at www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.
