Lessons learned from the Change Healthcare cybersecurity incident
Caitlin Anthoney August 05, 2024
The Change Healthcare breach impacts covered entities (healthcare providers, health plans, and clearinghouses) and business associates.
Both parties must understand the breach's implications and follow the Office for Civil Rights (OCR) guidance on ensuring the privacy and security of protected health information (PHI).
What is the Change Healthcare incident?
Change Healthcare, a subsidiary of UnitedHealth Group (UHG), one of the world's largest healthcare companies, experienced a significant breach (a ransomware attack disclosed in February 2024) that potentially compromised the privacy and security of protected health information (PHI). The incident affects millions of stakeholders, including healthcare providers, patients, and insurance companies.
In response, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched an investigation, assessing the breach's scope and how well Change Healthcare, UHG, and their partners adhere to HIPAA requirements.
The OCR press release states that “OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.”
Additionally, the OCR updated its frequently asked questions (FAQs), outlining breach notification requirements.
Impact on covered entities and their business associates
Increased regulatory pressure
The Change Healthcare breach has led to increased scrutiny from the OCR, particularly regarding HIPAA breach notification procedures and the protection of PHI. Covered entities now face increased regulatory pressure to evaluate their business associates' security practices and to ensure their business associate agreements (BAAs) are HIPAA compliant.
BAAs should reflect a comprehensive HIPAA compliance strategy, stipulating breach notification protocols (including the timeframe in which the business associate must report a breach), data protection measures, and accountability mechanisms.
Enhanced breach notification responsibilities
Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach. Breaches affecting 500 or more individuals must also be reported to the HHS Secretary within that 60-day window and, when more than 500 residents of a state or jurisdiction are affected, to prominent media outlets; smaller breaches are logged and reported to HHS annually.
Similarly, business associates must promptly inform covered entities of breaches, providing the information the covered entity needs to fulfill its own notification responsibilities.
A covered entity may also delegate the notification duties to the business associate that suffered the breach, but the parties must “consider which entity is in the best position to provide notice to the individual, which may vary depending on the circumstances…”
Shared liability
Covered entities and their business associates face increased legal and financial risks from data breaches. Covered entities must ensure their business associates comply with HIPAA regulations, while business associates must implement their own policies to protect PHI.
Both parties should have guidelines and open communication to address security vulnerabilities and ensure HIPAA compliance.
Additionally, the OCR’s 2016 ransomware guidance outlines the steps covered entities and business associates should take to determine whether a ransomware incident constitutes a HIPAA breach. Under that guidance, ransomware that encrypts PHI is presumed to be a breach unless the organization can demonstrate, through a documented risk assessment, a low probability that the PHI was compromised.
Long-term implications
As cyberattacks evolve, regulatory bodies like the OCR will scrutinize covered entities and their business associates more closely. Both need to stay informed about potential regulatory changes and adapt their practices accordingly.
Breaches like these can also damage patient trust, leading to concerns about the confidentiality of their PHI and the overall security of their care. So, these parties must protect PHI to maintain patient trust and ultimately improve the patient-provider relationship.
Furthermore, covered entities and their business associates should inform affected individuals about what happened, what steps are being taken to protect their information moving forward, and how the breach will be handled to prevent future incidents.
Proactive security measures
According to a study on HIPAA compliance efforts, “most organizations focus on the greatest areas of risk, which include the transmission of electronic data and the security and privacy... To avoid financial penalties and imprisonment, facilities must demonstrate and adhere to the regulations outlined.”
So, covered entities and their business associates must perform regular security audits (including the risk analysis the HIPAA Security Rule requires), train employees on data protection, and use appropriate security technologies to strengthen their defenses.
Moreover, covered entities and business associates should use HIPAA compliant email platforms that offer encryption, multi-factor authentication, and access controls to protect PHI and minimize the risk of data breaches.
Benefits of using HIPAA compliant emails
Security of patient data
HIPAA compliant email platforms, like Paubox, encrypt PHI in transit and at rest, so even if an email is intercepted on the wire or a stored copy is accessed, the contents are unreadable to anyone except the intended recipient. Note that ordinary email transport encryption (TLS) is opportunistic by default; a platform must enforce it, or fall back to a secure delivery method, for the guarantee to hold.
Control and monitoring
Covered entities and business associates can use the audit trails to see when an email was sent, when it was opened, and by whom.
Risk management
HIPAA compliant emails reduce the risk of costly data breaches, potential fines, and reputational damage. Furthermore, compliance builds trust with patients, who are increasingly aware of digital security issues.
Integration with existing systems
HIPAA compliant platforms can be integrated with existing email systems like Microsoft Outlook or Gmail, which simplifies adoption for healthcare organizations.
User-friendly
Although HIPAA compliant email platforms have advanced security features, they remain user-friendly, so covered entities can communicate with patients and business associates without specialized training.
Read also: Top 5 reasons users choose Paubox for HIPAA compliant emails
FAQs
What is HIPAA compliance?
HIPAA compliance refers to adhering to regulations outlined in the Health Insurance Portability and Accountability Act to safeguard patients’ protected health information (PHI).
Furthermore, HIPAA compliance is required for covered entities, like healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle PHI.
What makes an email HIPAA compliant?
Providers must use a HIPAA compliant email solution, like Paubox, to safeguard patients’ protected health information (PHI). HIPAA compliant emails offer encryption, access controls, and other security measures, preventing unauthorized access and potential breaches.
What are the penalties for HIPAA violations?
The penalties for HIPAA violations vary based on the level of negligence and can range from fines to criminal charges. Statutory civil penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category (HHS adjusts these amounts for inflation). Criminal penalties include fines of up to $250,000 and imprisonment for up to ten years.
Go deeper: What are the penalties for HIPAA violations?