Change Healthcare, a health payment processor hit by a crippling cyberattack in February, is under investigation by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR).

In an open letter intended for hospitals and healthcare offices published Wednesday, OCR Director Melanie Fontes Rainer said the agency was investigating whether Change Healthcare violated Health Insurance Portability and Accountability Act (HIPAA) rules by failing to follow breach notification requirements and to properly safeguard patient information.

Change Healthcare, a unit of Optum, which is owned by insurer UnitedHealth Group (UHG), processes 15 billion financial and other transactions annually for healthcare entities nationwide, from hospitals to pharmacies. The massive attack the company endured on Feb. 21 has meant health entities across the country have not been able to process electronic payments and records.

The attack “poses a direct threat to critically needed patient care and essential operations of the healthcare industry,” Rainer said in the letter. “… Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and healthcare providers, OCR is initiating an investigation into this incident.”

The OCR said it was focusing on Change Healthcare and that its interest in the companies, hospitals, health plans, and providers that have partnered with Change Healthcare was “secondary.”

However, the agency served notice to entities associated with Change Healthcare that they should have business associate agreements in place and need to comply with the HIPAA breach notification rules, which include contacting HHS and any affected individuals, if they were impacted by the cyberattack.

The incident has resulted in hospitals, health plans, and doctors with Medicare and Medicaid patients being unable to send required claims and other information to HHS, the Centers for Medicare and Medicaid Services said in a press release Tuesday.

The federal government, under pressure from some of the biggest healthcare companies and organizations in the nation, has been scrambling.

In a meeting Tuesday with leaders from those companies and groups, the HHS ran through what it has done so far, including setting up payment workarounds for providers, being flexible with deadlines, and offering technical guidance, HHS Secretary Xavier Becerra said.

The leaders were urged to have their hospitals and health plans implement the HHS’s voluntary cybersecurity performance goals.

Guidance for states, which share Medicaid responsibility with the government, will be released by the HHS soon, officials said at the meeting.

UHG has said its Optum network is safe and unaffected by the attack.

The company is working to restore its systems, it said in a March 7 press release.

“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said UHG Chief Executive Andrew Witty in the release. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices and that patients can get their medications. We’re determined to make this right as fast as possible.”