In an announcement calling the cyberattack that crippled Change Healthcare a “direct threat to critically needed patient care,” the HHS Office for Civil Rights (OCR) said it would open an investigation into the incident focused on Change and its parent company, UnitedHealth Group (UHG).
“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” states a “Dear Colleague” letter from OCR Director Melanie Fontes Rainer. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and [on] Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”
Fontes Rainer adds that, while OCR isn’t prioritizing investigations of any specific Change or UHG partner, providers or health plans should still ensure they are aware of their “regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”
To that end, Fontes Rainer ends the letter by linking to a variety of cybersecurity and HIPAA guidance materials for partners of Change and UHG.