Lessons from the Change Healthcare Incident and the HIPAA Security Rule

May 23, 2024

Lessons from the Change Healthcare Incident and the HIPAA Security Rule
Stethoscope placed on a long electrocardiogram tape

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Security Rule and urges covered entities and business associates to update their compliance programs, risk analyses, and policies. 

According to an article by law firm Holland & Knight, the recent massive cyberattack on Change Healthcare in February 2024 underscores the need for stringent cybersecurity measures. OCR is investigating this incident and has emphasized the necessity for business associate agreements and timely breach notifications.

OCR Director Melanie Fontes Rainer, in a May 2024 interview, called the breach unprecedented, noting a 275% rise in ransomware attacks over five years. While the primary focus is on Change Healthcare, OCR also has a secondary interest in associated entities. The incident highlights the importance of cybersecurity diligence post-acquisition, as identified by HHS and the National Institute of Standards and Technology (NIST) in their 2023 guidance.

Moreover, HIPAA-regulated entities are addressing OCR guidance on website tracking tools, balancing user-friendly design with compliance. Vendors are increasingly signing HIPAA business associate agreements to facilitate this.

Rainer mentioned upcoming revisions to the HIPAA Security Rule, aiming to incorporate modern practices like end-to-end encryption. She acknowledged the rule’s strengths and limitations, given its 20-year history, stressing the need for updates to match contemporary healthcare practices.

OCR prioritizes HIPAA Security Rule compliance, emphasizing the importance of conducting proper risk analyses and implementing security risk management plans. This is a common deficiency in cybersecurity breaches. With limited resources, OCR aims to encourage voluntary compliance and plans to re-initiate HITECH audits later this year, focusing on security risk analyses and management.

Sign up for our weekly newsletters specifically curated to different practice areas: litigation, cybersecurity & data privacy, legal ops, and compliance.

Critical intelligence for general counsel

Stay on top of the latest news, solutions and best practices by reading Daily Updates from Today's General Counsel.

Daily Updates

Sign up for our free daily newsletter for the latest news and business legal developments.

Scroll to Top