The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has, as part of its mandate, the responsibility to enforce the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. For HIPAA covered entities and business associates that have not dusted off their HIPAA Security Rule compliance programs in a while, now is an excellent time to try to make sure that their risk analyses and policies and procedures are up to date.
The Change Healthcare Cyberattack
The massive Change Healthcare cyberattack in February 2024 is just the latest in a long line of significant incidents that potentially compromise the privacy and security of protected health information (PHI). While healthcare providers and plans are still struggling with the aftermath of significant payment disruption caused by the incident experienced by an affiliate of United HealthGroup (UHG), they also must navigate the potential HIPAA ramifications. OCR has published resource information, including FAQs, for providers and plans whose data may be involved. While OCR is investigating the Change Healthcare incident, it has not ruled out investigating other entities, although it has said that "OCR's interest in other entities that have partnered with Change Healthcare and UHG is secondary." OCR has emphasized that covered entities doing business with Change Healthcare have "regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules."
In an interview with the Information Security Media Group on May 7, 2024, OCR Director Melanie Fontes Rainer described the incident as a "breach" that is "unprecedented on many levels in its size and its nature." Ransomware attacks have gone up 275 percent in the last five years, and the number of affected individuals is increasing. Director Rainer reiterated that although investigating Change Healthcare is OCR's main priority right now, a "secondary interest is everybody else." When asked whether the breach notices that Change Healthcare has offered to provide would be sufficient, she said that the law requires Change Healthcare to file its breach notification, and they have not yet done that. Because OCR is in a pending investigation, she could not say much more. She noted, "in some instances, Change Healthcare is a covered entity and in some instances it's the business associate," and breach notifications are important in terms of transparency for consumers.
The incident at Change Healthcare, which was acquired by UHG approximately 18 months prior to the ransomware attack, emphasizes the importance of stringent cybersecurity due diligence, post-closing updating of security risk analysis and management to incorporate acquired systems, and attention to post-acquisition remediation. In 2023, HHS identified supply chain/vendor risk as one of the primary cybersecurity vulnerabilities in the industry, and the National Institute of Standards and Technology (NIST) issued guidance regarding supply chain/vendor risk management processes. The Change Healthcare incident has highlighted this issue.
Website Tracking Tools
Some HIPAA-regulated entities are still scrambling to address OCR guidance regarding website tracking tools and the wave of litigation brought against companies that use pixels and other tracking tools on their healthcare-related websites. Increasingly, vendors are willing to sign HIPAA business associate agreements to enable regulated entities to include certain website features without running afoul of HIPAA. Designing websites that are user friendly and allow easy interaction with the public while avoiding use of certain tracking tools remains challenging.
Security Rule Changes on the Horizon
Director Rainer also indicated in her May 7 interview that the HHS also has proposed regulatory revisions in the works related to the HIPAA Security Rule. She indicated that OCR is working to have the proposed regulations completed by the end of the year. She observed, "I think the beauty of the HIPAA Security Rule is that it's 20 years old, it's technology neutral, and it's scalable, so we're still able to use it and enforce the law vigorously. The downside of the HIPAA Security Rule is that it's 20 years old and doesn't reflect how we receive healthcare today, so that's why we're taking a look at it to make sure we're building into it practices we know like end-to-end encryption, things like that, to think about in the state of healthcare." She noted that breaches are becoming larger and so much of what we do is online, so the Security Rule needs to be updated to reflect changes that have come about in the past two decades.
Risk Analyses
Director Rainer indicated that OCR is making Security Rule compliance an enforcement priority, and a HIPAA risk analysis initiative was announced last year. She noted that covered entities frequently do not have a risk analysis on the front end. OCR has provided extensive technical assistance regarding this requirement. In hacking incidents resulting in OCR enforcement actions, OCR identified the lack of a security risk analysis, implementing and adopting security risk management plans, and appropriately performed analyses as significant deficiencies contributing to cybersecurity incidents and breaches. Director Rainer pointed out that OCR sees both failure to perform an appropriate security risk analysis and failure to implement and follow a security risk management plan based on a risk analysis as frequent occurrences in OCR enforcement actions. She also noted that OCR will focus on enforcement actions that will provide education to regulated entities regarding the security risk analysis and management requirements.
Could a HITECH Audit Be in Your Future?
According to Director Rainer, "OCR's budget has been flatlined for a long time," and there are only two investigators per state. With limited resources, OCR is trying to drive voluntary compliance. OCR has, most recently in 2017, engaged in an auditing process authorized by the Health Information Technology for Economic and Clinical Health Act (HITECH). She said OCR has re-opened the HITECH audit program and plans to "initiate audits of HIPAA-regulated entities later this year." Impending HITECH audits will focus on the Security Rule and specifically, security risk analyses and risk management.
Earlier in This Series
For more on regulatory developments at OCR, please see Holland & Knight's previous alerts in the OCR in Overdrive series.
