Skip to Content

Important Office for Civil Rights Headlines: Updated Tracking Technology Guidance; the Change Healthcare Cyberattack; and New HIPAA Privacy Rule

on Wednesday, 24 April 2024 in Health Law Alert: Erin E. Busch, Editor

The Office for Civil Rights (OCR) has been quite busy the last several weeks communicating with HIPAA covered entities through several different formats – updated Guidance, a Dear Colleague Letter and an FAQ webpage – to remind covered entities of their obligations under HIPAA.  In each of these communications, OCR is sending an important message to covered entities.

Updated Guidance on the Use of Tracking Technologies

On March 18, 2024, while the legal battle in the courts continues to wage on, OCR issued updated guidance regarding the use of online tracking technologies by covered entities and business associates.  Unfortunately the provider community did not get the relief they were hoping to receive.  Rather, OCR seems to have doubled down on their commitment to hold covered entities accountable for sharing information with tracking technology vendors.  While OCR acknowledges there can be important services that tracking technology vendors provide, it reaffirms its position that information such as IP address is protected health information when it relates to an individual’s past, present or future health, health care or payment for health care.

OCR identifies scenarios when an individual is visiting a provider’s website that would not be related to the past, present or future health, health care or payment for health care – such as visiting a webpage with general information about the regulated entity like their location, services they provide, visiting hours, employment opportunities, or their policies and procedures. It distinguishes its position with the following examples:

“For example, if a student were writing a term paper on the changes in the availability of oncology services before and after the COVID-19 public health emergency, the collection and transmission of information showing that the student visited a hospital’s webpage listing the oncology services provided by the hospital would not constitute a disclosure of PHI, even if the information could be used to identify the student.

However, if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information showing their visit to that webpage is a disclosure of PHI to the extent that the information is both identifiable and related to the individual’s health or future health care.”

What the updated guidance fails to acknowledge is that a covered entity, in most cases, would have no means or mechanism to distinguish between which visitors to its website are for the purpose outlined in the first example or the second.  The updated guidance provides more specificity in pointing out the opportunity for covered entities to find a vendor that will enter into a business associate agreement with the provider to de-identify information prior to it being disclosed to the tracking technology vendor.  

What may be of even more significance to providers is the discussion of OCR’s enforcement priorities.  OCR has highlighted its intention in investigations to focus on a provider’s security risk assessment to ensure “that regulated entities have identified, assessed, and mitigated the risks to ePHI when using online tracking technologies” and to confirm compliance with the Security Rule.  A covered entity’s failure to conduct an appropriate security risk analysis is frequently the basis for moving an investigation toward a financial resolution or civil monetary penalty.  OCR is sending a message that it will find a way to hold the covered entity community accountable for this (or perhaps another) issue through the review of its security risk analysis requirements.  Providers should take careful note to ensure that it is conducting a thorough risk analysis of all systems that may collect PHI – including your webpages.

Dear Colleague Letter and FAQ Webpage

On March 13, 2024, OCR issued a Dear Colleague letter in the wake of the Change Healthcare cyberattack that crippled the health care industry.  While an important message in the letter was OCR’s acknowledgement that it had opened an investigation into Change Healthcare and United Health Group to determine whether a breach of protected health information occurred, another important message cannot be overlooked.  OCR noted:

“OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”  

This message was reiterated in recently published FAQs.  On April 19, 2024, OCR posted a new webpage to share answers to frequently asked questions (FAQs) concerning the HIPAA Rules and the cybersecurity incident impacting Change Healthcare.  OCR confirms that as of the date of posting the FAQs, OCR has not received any breach notification by Change Healthcare, UHG or any of its affiliates.  OCR also continues to remind covered entities that it is a requirement of the covered entity to provide notice:

  1. Are covered entities that are affected by the cyberattack involving Change Healthcare and UHG required to file breach notifications?

A: Yes, a breach of PHI is presumed to have occurred unless the covered entity can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors in the Breach Notification Rule. The covered entity must comply with the applicable breach notification requirements, including notification to affected individuals without unreasonable delay, to the HHS Secretary, and to the media (for breaches affecting over 500 individuals). See 45 CFR 164.400-414.

The required breach notification to an individual must include to the extent possible: a brief description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity (or business associate, as applicable).  

  1. What HIPAA breach notification duties do covered entities have with respect to the Change Healthcare cyberattack?

A: Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the HHS Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.

OCR also includes a question and answer regarding a business associate’s duty to notify the covered entity of a breach discovered by the business associate and confirms, in bold lettering, that the covered entity may delegate the responsibility of providing individual notices to the business associate.  However, it defers all questions to Change Healthcare as to whether Change Healthcare will be providing breach notification on behalf of affected covered entities.

Beyond all of the steps covered entities have been taking to resume normal operations following the cyberattack, covered entities should be taking a few additional steps in response to these communications by OCR.  First, covered entities should confirm that they have a business associate agreement in place that covers all services/relationships with Change Healthcare, UHG or any affiliate of UHG.  Second, covered entities should review the applicable BAA to determine whether it addresses which entity will provide breach notification in the event of a breach by the business associate.  If the BAA is silent, covered entities should consider whether it would be prudent to be proactive in communicating with Change Healthcare their intent or desire to have Change Healthcare provide breach notification on behalf of the covered entity.  

On April 22, 2024, Change Healthcare made its first substantive public announcement regarding the potential compromise to patient data.  It confirmed that protected health information was compromised, and noted that the compromised data could “cover a substantial proportion of people in America.” However, they noted that it is “likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.”  Importantly, the press release states:

“While this comprehensive data analysis is conducted, the company is in communication with law enforcement and regulators and will provide appropriate notifications when the company can confirm the information involved. This is not an official breach notification. The company will reach out to stakeholders when there is sufficient information for notifications and will be transparent with the process.

To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.” 

What is unclear at the time of publishing this article is what mechanism UHG has used to make this offer.  Covered entities should have all points of communication with or from Change Healthcare and UHG on alert for any formal notification of its discovery of the breach and its offer to provide notification so that next steps can be evaluated, decided and communicated quickly.

The statement that the press release is not formal breach notification is important from a covered entity notification timeline.  Because the ability to do an appropriate breach notification is out of a covered entity’s hands until Change Healthcare provides the necessary information, a covered entity will be forced to argue that until Change Healthcare or UHG has formally notified it of the breach, the covered entity’s sixty (60) day notification timeline has not begun.  It is too early to speculate whether OCR will accept that argument or not in light of the information confirming a breach was provided publicly in this recent press release.  OCR has committed to updating its FAQ webpage so we recommend you continue to monitor for important updates as the issue is evolving rapidly.

Bonus OCR News:  The Reproductive Health Care Privacy Final Rule

In more late breaking news from OCR, the anticipated HIPAA Privacy Rule to Support Reproductive Health Care Privacy was issued on April 22, 2024.  Watch for more analysis and information from Baird Holm to come soon on this new final rule that changes the HIPAA Privacy Rule for the first time in over ten years.  We will also cover this new final rule at the May Compliance & Privacy Network meeting.

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design