In late February of this year, Change Healthcare, a unit of UnitedHealthcare Group (UHG), experienced a large-scale cyberattack. With UHG being the largest billing and payment system in the U.S., the attack has affected healthcare organizations across the country, delaying payments and other essential healthcare operations. The Department of Health and Human Services’ Office for Civil Rights (OCR) is still investigating the cause and scope of the attack. OCR published a letter regarding the ongoing investigation.
These wide-reaching cyberattacks serve as reminders to implement appropriate safeguards to protect the EPHI for which each covered entity is responsible. The letter from OCR emphasizes the importance of business associate agreements. Such agreements serve to protect covered entities if a business associate with whom they share EPHI experiences a breach or cyberattack.
In addition to reviewing your organization’s business associate agreements, conducting an annual Security Risk Analysis will help your organization assess both internal and external risks posed to EPHI and implement corrective actions to mitigate those risks.
Subscribers to Eagle Associates’ HIPAA Compliance System have access to templates for a Security Risk Analysis and an Audit Plan/implementation guide.
