New HIPAA FAQs Released by HHS in Response to Change Healthcare Cyber Attack

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has updated its FAQ webpage following the Change Healthcare cybersecurity incident. First published on April 19, 2024, this page offers important information about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules and the cybersecurity breach that affected Change Healthcare, a part of UnitedHealth Group (UHG), and many other healthcare organizations.

OCR enforces HIPAA's Privacy, Security, and Breach Notification Rules. These rules require covered entities—such as health plans, healthcare clearinghouses, and most healthcare providers—and their business associates to protect Personal Health Information (PHI). They also outline how to notify HHS and affected individuals if a breach happens. The updated FAQs help clarify these rules and offer guidance on handling and reporting cybersecurity incidents.

This blog covers recent HHS updates post-Change Healthcare cyber incident. It outlines HIPAA rules for PHI protection and offers breach notification guidance for healthcare.

HIPAA Breach Notification: FAQs Addressing Responsibility Updates

The FAQ updates clarify the responsibility for notifying HHS, affected individuals, and, when required, the media about breaches.

The FAQs specifically state that:

• Covered entities impacted by the Change Healthcare breach can authorize Change Healthcare to manage breach notifications.
• Only one entity, the covered entity or Change Healthcare, is responsible for issuing breach notifications.
• Covered entities have no additional HIPAA breach notification obligations if Change Healthcare notifies breaches according to HIPAA Rules.

Fortifying Cybersecurity Protocols after the Change Healthcare Incident

Following the Change Healthcare cybersecurity incident, OCR urges HIPAA-covered entities such as health plans, insurers, healthcare providers, and their business partners to review their cybersecurity measures promptly. This ensures the protection of health information. While many employers may not directly handle PHI from their health plans, those engaging third-party vendors like Third-party Administrators (TPAs) and Pharmacy Benefit Managers (PBMs) should thoroughly assess and confirm these vendors' cybersecurity protocols during the selection process. Employers should also establish comprehensive business associate agreements that incorporate sufficient security safeguards for electronic PHI.

PROACTIVE MEASURES

Taking Action in Response to Cybersecurity Concerns

With OCR's emphasis on securing electronic PHI, employers should take the following actions:

• Review Current Cybersecurity Measures: Employers accessing PHI from their health plans should consider their existing cybersecurity protocols and implement necessary updates to upgrade protection.
• Evaluate Third-party Vendors: Even if they do not directly handle PHI, employers should examine the cybersecurity practices of prospective Third-party Administrators (TPAs) or Pharmacy Benefit Managers (PBMs) during the selection process.
• Strengthen Business Associate Agreements: Employers must ensure that their agreements with business associates include strong security provisions to safeguard electronic PHI effectively.

COMPLIANCE SUPPORT

Accessible Resources for Every Business

Protecting PHI is a major focus for OCR. To assist covered entities and business associates in defending their systems against cyberattacks, OCR offers a range of resources, including:

• HIPAA Security Rule Guidance Material
• OCR Webinar on HIPAA Security Rule Risk Analysis Requirement
• HIPAA Security Risk Assessment Tool
• Fact Sheet: Ransomware and HIPAA

Enhancing Healthcare Data Security:

Key Insights and Practical Measures for Safeguarding PHI with CBC

The recent updates from HHS and OCR regarding the Change Healthcare cyber incident highlight the importance of HIPAA compliance and cybersecurity in the healthcare sector. The FAQs provide valuable guidance on breach notification responsibilities, while OCR's focus on reviewing and enhancing cybersecurity measures reflects the urgency of protecting Personal Health Information (PHI).

Covered entities and their business associates should take proactive measures to strengthen cybersecurity protocols and ensure compliance with HIPAA rules. This includes reviewing current cybersecurity measures, evaluating third-party vendors' security practices, and enhancing business associate agreements. For additional support and resources, OCR offers various tools and guidance materials to help organizations safeguard electronic PHI and mitigate cyber threats effectively.

Custom Benefit Consultants (CBC), Inc. offers expert solutions and resources to help organizations strengthen cybersecurity and achieve HIPAA compliance. Our team of professionals specializes in providing user-friendly HIPAA compliance programs and guided security assessments. Contact us today to learn more about how we can assist you in safeguarding PHI and mitigating cyber threats effectively.