Lessons from the Change Healthcare Incident and the HIPAA Security Rule

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Security Rule and urges covered entities and business associates to update their compliance programs, risk analyses, and policies. 

According to an article by law firm Holland & Knight, the recent massive cyberattack on Change Healthcare in February 2024 underscores the need for stringent cybersecurity measures. OCR is investigating this incident and has emphasized the necessity for business associate agreements and timely breach notifications.

OCR Director Melanie Fontes Rainer, in a May 2024 interview, called the breach unprecedented, noting a 275% rise in ransomware attacks over five years. While the primary focus is on Change Healthcare, OCR also has a secondary interest in associated entities. The incident highlights the importance of cybersecurity diligence post-acquisition, as identified by HHS and the National Institute of Standards and Technology (NIST) in their 2023 guidance.

Moreover, HIPAA-regulated entities are addressing OCR guidance on website tracking tools, balancing user-friendly design with compliance. Vendors are increasingly signing HIPAA business associate agreements to facilitate this.

Rainer mentioned upcoming revisions to the HIPAA Security Rule, aiming to incorporate modern practices like end-to-end encryption. She acknowledged the rule’s strengths and limitations, given its 20-year history, stressing the need for updates to match contemporary healthcare practices.

OCR prioritizes HIPAA Security Rule compliance, emphasizing the importance of conducting proper risk analyses and implementing security risk management plans. This is a common deficiency in cybersecurity breaches. With limited resources, OCR aims to encourage voluntary compliance and plans to re-initiate HITECH audits later this year, focusing on security risk analyses and management.