OCR investigating Change Healthcare compliance with HIPAA rules following cyberattack

The Department of Health and Human Services’ Office for Civil Rights has launched an investigation into the cyberattack on Change Healthcare, as announced in a “Dear Colleague” letter on March 13. The agency has deemed the scale of the cyberattack unprecedented and has decided to investigate to protect the interests of patients and healthcare providers. The focus of OCR’s investigation will be on determining if there was a breach of protected health information and examining Change Healthcare’s and UHG’s compliance with HIPAA Rules.

While OCR’s primary interest lies in investigating Change Healthcare and UHG, the agency has stated that it will also look into other entities that have collaborated with these organizations. Although investigations into healthcare providers, health plans, and business associates linked to the cyberattack are not a priority for OCR, the agency has reminded these entities of their regulatory obligations. These include ensuring that proper business associate agreements are in place and that any breaches are reported in a timely manner to both HHS and affected individuals, as outlined in the HIPAA Rules.
