May 13, 2024

What HIPAA Security Rule Surprises Await Healthcare Providers for the Second Half of 2024?

OCR in Overdrive: Significant Regulatory Changes for the Healthcare Industry – Part 2
Holland & Knight Alert
Beth Neal Pitman | Eddie Williams III | Shannon Britton Hartsfield


  • U.S. Health and Human Services Office for Civil Rights (OCR) Director Melanie Fontes Rainer speaks at length on the growing threat of ransomware cyberattacks, upcoming rule changes and enforcement priorities.
  • Health Insurance Portability and Accountability Act (HIPAA) risk analysis initiative addresses inadequate security risk analysis and management that are often at the root of data breaches.
  • This Holland & Knight alert is part of our continuing "OCR in Overdrive" series focused on emerging regulatory developments at OCR and the impact on patient privacy and data security requirements for healthcare providers and their business associates.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has, as part of its mandate, the responsibility to enforce the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. For HIPAA covered entities and business associates that have not dusted off their HIPAA Security Rule compliance programs in a while, now is an excellent time to try to make sure that their risk analyses and policies and procedures are up to date.

The Change Healthcare Cyberattack

The massive Change Healthcare cyberattack in February 2024 is just the latest in a long line of significant incidents that potentially compromise the privacy and security of protected health information (PHI). While healthcare providers and plans are still struggling with the aftermath of significant payment disruption caused by the incident experienced by an affiliate of United HealthGroup (UHG), they also must navigate the potential HIPAA ramifications. OCR has published resource information, including FAQs, for providers and plans whose data may be involved. While OCR is investigating the Change Healthcare incident, it has not ruled out investigating other entities, although it has said that "OCR's interest in other entities that have partnered with Change Healthcare and UHG is secondary." OCR has emphasized that covered entities doing business with Change Healthcare have "regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules."

In an interview with the Information Security Media Group on May 7, 2024, OCR Director Melanie Fontes Rainer described the incident as a "breach" that is "unprecedented on many levels in its size and its nature." Ransomware attacks have gone up 275 percent in the last five years, and the number of affected individuals is increasing. Director Rainer reiterated that although investigating Change Healthcare is OCR's main priority right now, a "secondary interest is everybody else." When asked whether the breach notices that Change Healthcare has offered to provide would be sufficient, she said that the law requires Change Healthcare to file its breach notification, and they have not yet done that. Because OCR is in a pending investigation, she could not say much more. She noted, "in some instances, Change Healthcare is a covered entity and in some instances it's the business associate," and breach notifications are important in terms of transparency for consumers.

The incident at Change Healthcare, which was acquired by UHG approximately 18 months prior to the ransomware attack, emphasizes the importance of stringent cybersecurity due diligence, post-closing updating of security risk analysis and management to incorporate acquired systems, and attention to post-acquisition remediation. In 2023, HHS identified supply chain/vendor risk as one of the primary cybersecurity vulnerabilities in the industry, and the National Institute of Standards and Technology (NIST) issued guidance regarding supply chain/vendor risk management processes. The Change Healthcare incident has highlighted this issue.

Website Tracking Tools

Some HIPAA-regulated entities are still scrambling to address OCR guidance regarding website tracking tools and the wave of litigation brought against companies that use pixels and other tracking tools on their healthcare-related websites. Increasingly, vendors are willing to sign HIPAA business associate agreements to enable regulated entities to include certain website features without running afoul of HIPAA. Designing websites that are user friendly and allow easy interaction with the public while avoiding use of certain tracking tools remains challenging.

Security Rule Changes on the Horizon

Director Rainer also indicated in her May 7 interview that the HHS also has proposed regulatory revisions in the works related to the HIPAA Security Rule. She indicated that OCR is working to have the proposed regulations completed by the end of the year. She observed, "I think the beauty of the HIPAA Security Rule is that it's 20 years old, it's technology neutral, and it's scalable, so we're still able to use it and enforce the law vigorously. The downside of the HIPAA Security Rule is that it's 20 years old and doesn't reflect how we receive healthcare today, so that's why we're taking a look at it to make sure we're building into it practices we know like end-to-end encryption, things like that, to think about in the state of healthcare." She noted that breaches are becoming larger and so much of what we do is online, so the Security Rule needs to be updated to reflect changes that have come about in the past two decades.

Risk Analyses

Director Rainer indicated that OCR is making Security Rule compliance an enforcement priority, and a HIPAA risk analysis initiative was announced last year. She noted that covered entities frequently do not have a risk analysis on the front end. OCR has provided extensive technical assistance regarding this requirement. In hacking incidents resulting in OCR enforcement actions, OCR identified the lack of a security risk analysis, implementing and adopting security risk management plans, and appropriately performed analyses as significant deficiencies contributing to cybersecurity incidents and breaches. Director Rainer pointed out that OCR sees both failure to perform an appropriate security risk analysis and failure to implement and follow a security risk management plan based on a risk analysis as frequent occurrences in OCR enforcement actions. She also noted that OCR will focus on enforcement actions that will provide education to regulated entities regarding the security risk analysis and management requirements.

Could a HITECH Audit Be in Your Future?

According to Director Rainer, "OCR's budget has been flatlined for a long time," and there are only two investigators per state. With limited resources, OCR is trying to drive voluntary compliance. OCR has, most recently in 2017, engaged in an auditing process authorized by the Health Information Technology for Economic and Clinical Health Act (HITECH). She said OCR has re-opened the HITECH audit program and plans to "initiate audits of HIPAA-regulated entities later this year." Impending HITECH audits will focus on the Security Rule and specifically, security risk analyses and risk management. 

For additional information, please contact the authors or another member of Holland & Knight's HIPAA and Healthcare Privacy Team.

Earlier in This Series

For more on regulatory developments at OCR, please see Holland & Knight's previous alerts in the OCR in Overdrive series.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.

Related Insights