Medicare Compliance & Reimbursement

Industry Notes:

OCR Adds FAQs On Change Healthcare Incident

As the ransomware incident that hit UnitedHealth Group’s subsidiary Change Healthcare continues to evolve, so does the federal HIPAA guidance.

Details: On April 19, the HHS Office for Civil Rights (OCR) issued an update to its guidance on Change Healthcare in the form of a frequently asked question (FAQ) set. Question No. 1 is a repeat of OCR’s March 13 “Dear Colleagues” letter release and advice (see Medicare Compliance & Reimbursement, Vol. 50, No. 6).

OCR offers more insight into its investigation of Change Healthcare in Questions 2 and 3 while providing covered entities with reminders on the HIPAA regulations, guidance on individual requirements and reporting in relation to the cyberattack, and links to past insight and provisions.

For example, in Questions No. 6 through No. 9, OCR delves into the responsibilities of both covered entities and their business associates under the HIPAA Breach Notification Rule. OCR guidance on the intersection of the regulation and the cyber incident includes:

  • Reminders that loss of protected health information (PHI) due to the Change Healthcare ransomware attack is in fact a breach and must be reported to OCR.
  • Links to both the regulation and the breach reporting tool.
  • Explanations on how to report, why you must report, and who needs to be notified based on both conclusive and inconclusive evidence that a breach has actually occurred.
  • Breakdown of business associates’ liability and what they must do alongside the covered entity’s duties.
  • Change Healthcare’s responsibility to contact individuals, and CEs’ and BAs’ subsequent responsibilities to be in contact with the payer.