Unpacking the Change Healthcare cybersecurity incident: FAQs

The Change Healthcare incident refers to a cybersecurity breach within Change Healthcare, a subsidiary of UnitedHealth Group (UHG), one of the largest healthcare companies globally. 

The breach involved unauthorized access to sensitive information, potentially compromising the security and privacy of protected health information (PHI) stored within Change Healthcare's systems. The incident had widespread implications across the healthcare industry, impacting millions of stakeholders, including healthcare providers, patients, and insurance companies. 

Go deeper: The Change Healthcare attack

OCR’s response to Change Healthcare cyberattack

Following the Change Healthcare cyberattack, regulatory bodies like the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) launched investigations to assess the extent of the breach and ensure HIPAA compliance. 

Additionally, the OCR has released an updated version of its frequently asked questions (FAQs) webpage regarding the Change Healthcare cybersecurity incident. According to the OCR’s recent press release, “The webpage updates address questions OCR has received concerning who is responsible for performing breach notification to HHS, affected individuals, and where applicable, the media.”

The OCR Director Melanie Fontes Rainer explains “Ensuring patient privacy is one of the pillars of HIPAA. Our updated FAQs webpage on the Change Healthcare breach reiterates that importance by making clear that individuals affected by this breach must be notified that their protected health information was breached.”

Understanding Change Healthcare cybersecurity FAQs

1. Why did OCR issue the Dear Colleague letter about the Change Healthcare cybersecurity incident?

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” explains the OCR’s Dear Colleague letter.

More specifically, the letter includes:

• OCR's primary investigation into Change Healthcare and UHG.
• Potential PHI breaches and HIPAA compliance.
• Secondary investigations extend to entities partnering with Change Healthcare and UHG.
• HIPAA obligations, including timely breach notification and business associate agreements.
• Resources to assist entities in safeguarding PHI and protecting against cyberattacks.

2. Why is OCR initiating an investigation now and what does it cover?

OCR initiated an investigation to ensure continued care and patient privacy, in the interest of patients and health care providers, where investigations “are primarily focused on whether a breach of unsecured PHI occurred and on Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

3. Has Change Healthcare or UHG filed a breach report with HHS?

No. Change Healthcare and UHG have not filed a breach report with HHS regarding this incident. Covered entities have a 60-calendar day window from the discovery of a breach to report it to HHS, as per breach notification requirements.

4. Are large breaches posted on the HHS Breach Portal on the same day OCR receives a breach report?

No, before a breach is posted on the HHS Breach Portal, OCR verifies the report it receives. Once verification is complete, the breach report will be posted on the portal, typically within 14 days.

5. Is OCR’s 2016 ransomware guidance applicable to the Change Healthcare cyberattack?

Yes, OCR’s ransomware guide applies to the Change Healthcare cyberattack, with “specific information on the steps covered entities and business associates should take to determine if a ransomware incident is a HIPAA breach.”

6. Are covered entities required to perform HIPAA breach notifications?

Yes, covered entities must promptly notify affected individuals, the HHS Secretary, and the media (for breaches affecting over 500 individuals). Business associates must also notify covered entities of breaches promptly.

7. May a covered entity delegate its breach notification obligations?

Yes, covered entities may delegate breach notification tasks to their business associates. However, the covered entity must ensure notifications are done according to HIPAA requirements.

8. What HIPAA breach notification duties do covered entities have?

Covered entities must provide timely notification of breaches to affected individuals, the HHS Secretary, and the media, if necessary. Additionally, “A covered entity may delegate to its business associate the tasks of providing these required notifications on the covered entity’s behalf.”

The HHS’ breach notification requirements can be summarized as follows:

a) Breach affecting 500 or more individuals:

- Must notify the HHS Secretary within 60 days of breach discovery.

- Submission through electronic breach notification form.

b) Breach affecting fewer than 500 individuals:

- Notify the HHS Secretary within 60 days of the end of the calendar year of breach discovery.

- Multiple breaches may be reported on one date, but separate notices are required.

- Submission through electronic breach notification form.

c) Uncertain number of individuals affected:

- Provide an estimate if the number is uncertain.

- Updates are required if additional information is discovered.

d) Media notice for breaches affecting more than 500 residents:

- Notify affected individuals and prominent media outlets within 60 days of breach discovery.

e) Substitute notice:

- Used when contact information for individuals is insufficient or outdated.

- Methods include alternative written notice, telephone, or conspicuous media posting with a toll-free phone number provided.

9. What HIPAA breach notification duties do business associates have?

If a business associate experiences a breach, they must promptly inform the covered entity no later than 60 calendar days after discovering the breach. 

Additionally, the business associate should provide the covered entity with affected individuals’ details so the covered entity can fulfill its notification obligations.

10. How will Change Healthcare notify affected entities of the breach?

Affected entities should contact Change Healthcare and UHG for information on how breach notifications will occur.

11. Is Change Healthcare performing breach notification on behalf of affected entities?

Decisions on breach notification delegation are left to the covered entities affected by the breach.

12. Who is responsible for ensuring individuals affected by the breach receive notification?

- Covered entities (including providers, health plans, and clearinghouses) must promptly notify the HHS, affected individuals, and potentially the media, of PHI breaches.

- Business associates must promptly notify covered entities of breaches, providing them with affected individuals’ information.

Therefore, HIPAA breach notifications must detail breach causes, timing, disclosed PHI, protective measures, and entity actions, to ultimately ensure compliance with federal regulations and protect patient privacy. Additionally, organizations must provide affected individuals with information to mitigate potential harm from the breach and prevent future incidents.

13. Does OCR plan to update the FAQ page?

Yes, OCR intends to update the FAQ page as necessary, providing healthcare entities with ongoing guidance and support.

How HIPAA compliant emails can help

Covered entities can use HIPAA compliant emails to share sensitive patient details after the Change Healthcare cybersecurity incident. These emails use encryption protocols to safeguard protected health information (PHI) transmitted between healthcare entities, including covered entities and business associates. 

Additionally, HIPAA compliant email platforms, like Paubox, implement access controls and authentication mechanisms to restrict PHI access and allow audit trails to monitor and prevent breaches of PHI, safeguarding patient privacy in the aftermath of the cybersecurity incident.

FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPA) is a federal law that protects the privacy and security of individuals' health information.

Go deeper: What is HIPAA? 

Who does HIPAA apply to?

HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI).

What is protected health information (PHI)?

PHI includes any information related to a person's health condition, treatment, or payment for healthcare services that can be used to identify the individual.