256% Increase in Large HIPAA Breaches Reported to OCR

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) enforces the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security, and Breach Notification Rules, which set forth the requirements that HIPAA-covered entities (including health plans) and their business associates must follow to protect the privacy and security of protected health information – and the required notifications to HHS and affected individuals following a breach.

According to a recent “Dear Colleague” letter addressing the “unprecedented” cybersecurity incident impacting Change Healthcare, over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware.  Given the world we live in where cyber attacks seem to be all around us, this is not surprising.  Both the Dear Colleague letter and a subsequent set of OCR frequently asked questions state that OCR only has a “secondary” interest in group health plans and business associates who partnered with Change Healthcare, but that means there is some interest – and at some point, group health plans and their business associates may become the center of attention and need to demonstrate their compliance with the law.

Health plan fiduciaries should take note of this and take action now – not only to ensure compliance with any related notice requirements – but also to ensure updated business associate agreements are in place with all business associates. This is also a really good time for employers and health plan fiduciaries to have conversations with all of their vendors (networks, third-party administrators, PBMs, etc.) about how they protect data, what they are doing to mitigate efforts by criminals to access confidential data, and what their process is to respond to a security incident. Health plan fiduciaries should document this analysis and these conversations to be able to prove that they take their obligations seriously.