Skip to content

OCR launches HIPAA investigation into Change Healthcare breach

  • Health

The Office for Civil Rights in the U.S. Department of Health and Human Services announced that it is opening an investigation into the cyberattack that targeted UnitedHealthcare Group’s Change Healthcare subsidiary and has sent ripples of disruption across the healthcare ecosystem for the past month.

“The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the healthcare industry,” said OCR in announcing its investigation.

As the federal agency tasked with enforcing HIPAA, it noted that covered entities – which include providers, payers and electronic data clearinghouses such as Change Healthcare – are required to safeguard the privacy and security of protected health information and to notify HHS and affected individuals after a breach.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” said OCR Director Melanie Fontes Rainer in the March 13 “Dear Colleague” letter.

“OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

The Change Healthcare cyberattack – “the most serious incident of its kind leveled against a U.S. health care organization,” as the American Hospital Association calls it – “is so significant because of the sheer number of healthcare organizations of all sizes and types that work with and depend on the company for prior authorization, claims processing and payment.

“While OCR is not prioritizing investigations of health care providers, health plans and business associates that were tied to or impacted by this attack,” Fontes Rainer wrote, “we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”

Change Healthcare joins a very long list of reported breach cases under OCR investigation.

The agency notes that the past five years have seen a massive increase – more than 250% – in large breaches reported to OCR involving hacking. There’s also been a more than 260% increase in ransomware.

“In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.”

AHA seeks relief as challenges snowball

As the reverberations of the Change Healthcare breach continue to echo at healthcare organizations across the U.S., health systems are increasingly desperate for more policies and protections to help them weather the severe financial aftereffects of the Feb. 21 cyberattack.

The American Hospital Association this week wrote to leaders of the Senate Finance Committee, outlining just how serious the situation is for its 5,000 members nationwide.

“In response to a recent AHA survey of hospitals with nearly 1,000 responses, 74% reported direct patient care impact, including delays in authorizations for medically necessary care,” wrote AHA president Rick Pollack.

“In addition, hospitals, health systems and other providers are experiencing extraordinary reductions in cash flow, threatening their ability to make payroll and to acquire the medical supplies needed to provide care,” he said, noting that “94% of hospitals reported that the Change Healthcare cyberattack was impacting them financially, with more than half reporting the impact as ‘significant or serious.’

“Indeed, a third of the survey respondents indicated that the attack has disrupted more than half of their revenue,” Pollack wrote. “The urgency of this matter grows by the day.”

More than once, the healthcare fallout from the Change attack has been likened to the early days of the coronavirus crisis. The AHA letter acknowledged that the government has limited tools available, because, “unlike with COVID-19, the government is not operating under a declared Public Health Emergency.”

While the Centers for Medicare and Medicaid Services have offered accelerated and advance payments as during the pandemic, “the agency only has authority to do so for limited time periods and amounts and with very high interest rates after repayments are due,” Pollack wrote.

The AHA appreciates that CMS and HHS are working with stakeholders to find ways to ameliorate the attack’s impact on hospitals, physicians and other providers, he said. “However, we are concerned that this program is limited in its impact due to certain statutory constraints, including the repayment timeline and interest rate on AAPs.

“In addition, we still need to address what is likely to be a substantial problem on the backend: excessive denials by payers of claims that either could not be filed timely or because the provider could not obtain the necessary authorization.”

Providers “need certainty that they will not face billions in denials for technical reasons beyond their control” as a result of the cyberattack, said Pollack, who called on Congress to do more – urging lawmakers to “consider any statutory limitations that exist for an adequate response” to help health systems minimize further fallout from the attack.

“The staggering loss of revenue means that some hospitals and health systems may be unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services,” he wrote

Meanwhile, Pollack again pushed back on proposed HHS cybersecurity requirements for hospitals.

“Many recent cyberattacks against hospitals and the health care system, including the current Change Healthcare cyberattack, have originated from third-party technology and other vendors,” he said. “No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”

Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.

Leave a Reply

Your email address will not be published. Required fields are marked *