As a result of the cyberattack on Change Healthcare (HIPAA business associate of UnitedHealth Group), OCR (a division of HHS) has issued a letter regarding an investigation into the potential breach of PHI. The letter also reminds covered entities and business associates that safeguarding protected health information (PHI) remains a top priority.
Who this applies to:
- All group health plans
Go Deeper:
According to the letter, OCR’s investigation into the Change Healthcare cyberattack will focus on whether a breach of PHI actually occurred and on UHG’s compliance with HIPAA privacy, security, and breach notification rules.
As a reminder, “covered entities” under HIPAA (group health plans are covered entities) are required to conduct a risk assessment and create policies and procedures, as should any business associates used by the covered entity.
The letter provides several resources to assist in protecting PHI from cyberattacks, including guidance materials, training videos and webinars, the HHS Security Risk Assessment Tool, and other helpful materials.
OCR recommends that all covered entities and business associates, including employers sponsoring group health plans and their vendors, review cybersecurity measures to ensure the protection of health information.