Sarah Borders, CEBS, April 1, 2024

OCR Reminds Covered Entities that Safeguarding HIPAA PHI is Top Priority

As a result of the cyberattack on Change Healthcare (a HIPAA business associate of UnitedHealth Group), OCR (a division of HHS) has issued a letter regarding an investigation into the potential breach of PHI. The letter also reminds covered entities and business associates that safeguarding protected health information (PHI) remains a top priority.

Who this applies to:

  • All group health plans

Go Deeper:
  • According to the letter, OCR’s investigation into the Change Healthcare cyberattack will focus on whether a breach of PHI actually occurred, and on UHG’s compliance with HIPAA privacy, security, and breach notification rules.
  • As a reminder, “covered entities” under HIPAA (group health plans are covered entities) are required to conduct a risk assessment and create policies and procedures, as should any business associates used by the covered entity.
  • The letter provides several resources to assist in protecting PHI from cyberattacks, including guidance materials, training videos and webinars, the HHS Security Risk Assessment Tool, and other helpful materials.
  • OCR recommends that all covered entities and business associates, including employers sponsoring group health plans and their vendors, review cybersecurity measures to ensure the protection of health information.


Sarah Borders, CEBS

Principal, Benefits Compliance Solutions. Sarah has spent the last 15 years in the employee benefits industry, has numerous designations, serves on NAHU’s Employer Working Group Subcommittee and is an active board member of Austin AHU. She recently stepped down as Vice President of Benefits Compliance at one of the nation's largest brokerage firms to start her own compliance consulting practice. Her designations include an active license with the Texas Department of Insurance, CEBS (Certified Employee Benefits Specialist), Certified Health Care Reform Professional, HIPAA certification and Health Care Service Associate. She holds an MBA from Texas A&M Corpus Christi and a BA from University of Incarnate Word. Her consulting firm, Benefits Compliance Solutions, partners with employers to identify unknown risks and avoid hundreds of thousands of dollars in fines and lawsuits from failure to comply with their health plan obligations.