Health News
Check Out the New HIPAA FAQs by HHS Post CH-Attack
August 12, 2024
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has recently updated its FAQ webpage in light of the recent cybersecurity breach at Change Healthcare. Originally published on April 19, 2024, these updates provide crucial information on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and offer guidance on handling similar cybersecurity incidents. The Change Healthcare breach, which impacted a number of healthcare organizations including those under UnitedHealth Group (UHG), underscores the need for robust cybersecurity measures in the healthcare sector.
Understanding HIPAA Breach Notification Responsibilities
The updated FAQs clarify the responsibilities of covered entities—such as health plans, healthcare providers, and healthcare clearinghouses—in notifying HHS, affected individuals, and, where necessary, the media about breaches of Personal Health Information (PHI). Key points from the FAQs include:
- Delegation of Breach Notifications: Covered entities affected by the Change Healthcare breach have the option to authorize Change Healthcare to handle breach notifications on their behalf. This streamlines the process and ensures that notifications are managed effectively.
- Notification Responsibilities: The updated guidance confirms that either the covered entity or Change Healthcare is responsible for issuing breach notifications. This means that covered entities will not face additional HIPAA breach notification obligations if Change Healthcare complies with the requirements.
Strengthening Cyber Security Protocols
In response to the Change Healthcare incident, OCR urges all HIPAA-covered entities, including health plans, insurers, healthcare providers, and their business associates, to promptly review and enhance their cybersecurity protocols. Even if your organization does not directly handle PHI, it is crucial to assess the security measures of third-party vendors such as Third-party Administrators (TPAs) and Pharmacy Benefit Managers (PBMs). Ensuring these vendors have strong cybersecurity practices is essential to protecting PHI.
Proactive Measures for Enhanced Security
To address cybersecurity concerns and safeguard PHI effectively, consider the following actions:
- Review and Upgrade Cybersecurity Measures: Organizations should evaluate their existing cybersecurity protocols and implement necessary updates to enhance protection against cyber threats.
- Evaluate Third-Party Vendors: When selecting TPAs or PBMs, thoroughly assess their cybersecurity practices to ensure they meet industry standards and protect PHI effectively.
- Strengthen Business Associate Agreements: Ensure that business associate agreements include comprehensive security provisions to protect electronic PHI and mitigate risks associated with cybersecurity breaches.
Compliance Support and Resources
OCR offers a range of resources to assist covered entities and business associates in defending their systems against cyberattacks, including:
- HIPAA Security Rule Guidance Material
- OCR Webinar on HIPAA Security Rule Risk Analysis Requirement
- HIPAA Security Risk Assessment Tool
- Fact Sheet: Ransomware and HIPAA
We Are Prepared
The recent updates from HHS and OCR underscore the critical importance of HIPAA compliance and robust cybersecurity measures in the healthcare sector. The new FAQs provide valuable insights into breach notification responsibilities and reflect the urgency of protecting Personal Health Information (PHI). For organizations navigating these requirements, proactive measures are essential.
At The CBC Health Insurance Marketplace for Costco Members, we are committed to helping organizations strengthen their cybersecurity protocols and achieve HIPAA compliance. Our team of experts offers tailored solutions and resources to assist you in safeguarding PHI and mitigating cyber threats effectively. Contact us today to learn more about how we can support you in enhancing your cybersecurity measures and ensuring compliance with HIPAA regulations.
FAQs
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a federal law that establishes standards for the protection of patient health information.
What are the new HIPAA FAQs released by HHS?
The new FAQs guide HIPAA compliance and security practices in response to recent cyberattacks.
What should covered entities do to enhance security?
Entities are encouraged to assess their current security practices, implement updated protocols, and provide staff training on data protection.
What are the penalties for HIPAA violations?
Penalties for HIPAA violations can range from fines to criminal charges, depending on the severity and nature of the violation.
Brought to you by the insurance professionals at Custom Benefit Consultants, Inc.
Blog Tags:
Employees, Organizational Mission, hybrid work models, remote work models, Connecting with Employees
