Abstract

Last week, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) issued a “Dear Colleague” letter addressing the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealthcare Group (UHG), and many other health care entities. The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health care industry. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which require that HIPAA covered entities – virtually all health care providers, clearinghouses, and insurance companies – protect the privacy and security of protected health information. The likelihood that substance use disorder (SUD) treatment information was included in the breach is very likely. However, OCR does not mention 42 CFR Part 2, just HIPAA. HHS views ransomware and hacking as the “primary cyber threats in health care.” There has been a 256% increase in large breaches involving hacking, and a 264% increase in ransomware, over the last 5 years, and this only includes those breaches OCR was notified of. $22 million was reportedly paid to the Change Healthcare hackers, in the form of bitcoin, likely from UHG, according to news reports. HHS OCR says: “If you believe that your or another person's health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.” The one bright side of the new Part 2 rules are that OCR now enforces the regulation.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.