OCR Launches HIPAA Investigation into Change Healthcare Breach

The U.S. Department of Health and Human Services’ Office for Civil Rights announced it has opened an investigation into the cyberattack that targeted UnitedHealthcare Group’s Change Healthcare subsidiary last month and disrupted the healthcare ecosystem.

“The cyberattack disrupts healthcare and billing information across the country and poses a direct threat to critically needed patient care and essential operations of the healthcare industry,” OCR said in announcing its investigation.

As the federal agency charged with enforcing HIPAA, OCR noted that covered entities – including providers, payers and electronic data clearinghouses such as Change Healthcare – are required to maintain the privacy and security of protected health information and to notify HHS and affected individuals after a breach.

“Given the unprecedented scale of this cyberattack, and in the best interests of patients and healthcare providers, OCR is launching an investigation into this incident,” OCR Director Melanie Fontes Rainer said in the statement, a March 13 “Dear Colleague” letter.

“OCR’s investigation into Change Healthcare and UHG will focus on whether there has been a breach of protected health information and whether Change Healthcare and UHG are in compliance with HIPAA rules.”

The Change Healthcare cyberattack – “the most serious incident of its kind against a US healthcare organization,” as the American Hospital Association calls it – is so significant because of the large number of healthcare organizations of all sizes that partner with the company and depend on it for prior authorization, claims processing and payment.

“While OCR is not prioritizing investigations into healthcare providers, health plans, and business associates involved in or affected by this attack,” Fontes Rainer wrote, “we remind entities working with Change Healthcare and UHG of their legal obligations and responsibilities, including ensuring that agreements with business partners are in place and that there will be timely breach notification to HHS and affected individuals as required by HIPAA rules.”

Change Healthcare joins a very long list of reported breach cases under OCR investigation.

The agency notes that over the past five years there has been a dramatic increase – more than 250% – in the number of major breaches reported to OCR involving hacking. There has also been a more than 260% increase in ransomware.

“In 2023, hacking was responsible for 79% of major breaches reported to OCR. Major breaches reported in 2023 affected over 134 million individuals, an increase of 141% from 2022.”

AHA seeks relief as challenges snowball

As the impact of the Change Healthcare breach continues to reverberate through healthcare organizations across the US, healthcare systems are increasingly desperate for more policies and protections to help them weather the dire financial fallout from the February 21 cyberattack.

The American Hospital Association this week wrote to the leaders of the Senate Finance Committee, outlining how serious the situation is for its 5,000 members across the country.

“In response to a recent AHA survey of hospitals with nearly 1,000 responses, 74% reported direct impacts to patient care, including delays in approval of medically necessary care,” AHA President Rick Pollack wrote.

“Additionally, hospitals, health care systems and other providers are experiencing extraordinary declines in cash flow, threatening their ability to meet payroll costs and acquire the medical supplies needed to provide care,” he said, noting that “94% of hospitals reported that the Change Healthcare cyber attack had a financial impact on them, with more than half reporting the impact as ‘significant or severe’.”

“Indeed, a third of respondents said the attack disrupted more than half of their revenue,” Pollack wrote. “The urgency of this matter is growing every day.”

More than once, the consequences of the Change attack on healthcare have been compared to the early days of the coronavirus crisis. The AHA letter acknowledged that the government has limited tools because “unlike COVID-19, the government is not operating under a declared public health emergency.”

While the Centers for Medicare and Medicaid Services has offered accelerated and advance payments, as it did during the pandemic, “the agency only has the authority to do so for limited periods and amounts and at very high interest rates after reimbursements are due,” Pollack wrote.

The AHA appreciates that CMS and HHS are working with stakeholders to find ways to mitigate the impact of the attack on hospitals, physicians and other healthcare providers, he said. “However, we are concerned that the impact of this program is limited due to certain regulatory restrictions, including the repayment schedule and interest rates on AAPs.

“Additionally, we still need to address what will likely be a substantial problem on the back end: excessive denials by payers of claims that either could not be submitted in a timely manner or because the provider could not obtain the necessary authorization.”

Providers “need assurance that they will not face billions in denials for technical reasons beyond their control” as a result of the cyberattack, said Pollack, who called on Congress to do more – and urged lawmakers to “consider all legal constraints that exist for an adequate response” to help healthcare systems minimize further consequences of the attack.

“The staggering loss of revenue means that some hospitals and healthcare systems may be unable to pay the salaries of physicians and other healthcare team members, acquire necessary medications and supplies, and pay for mission-critical contract work in areas such as physical safety, diet and environmental services,” he wrote.

Meanwhile, Pollack has again pushed back on proposed HHS cybersecurity requirements for hospitals.

“Many recent cyberattacks against hospitals and healthcare, including the current Change Healthcare cyberattack, have come from third-party and other vendor technology,” he said. “No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or reducing Medicare payments would reduce hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyber attacks.”

Mike Miliard is editor-in-chief of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.