
The U.S. healthcare sector is facing significant changes with new HIPAA rules boosting privacy protections, particularly for reproductive health. At the same time, the industry is tackling serious cybersecurity issues highlighted by a major ransomware attack on Change Healthcare. This dual focus on strengthening legal compliance and enhancing data security underscores the urgency of protecting patient information and maintaining trust in healthcare systems.
In this episode:
Change is Gonna Make Change Happen – Ep 456
Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.
Thanks to our donors. We appreciate your support!
HIPAA Briefs
[04:11] As expected, another NPRM has moved to final rule status. From the HHS announcement:
OCR administers and enforces the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses, and business associates (collectively, “regulated entities”) to safeguard the privacy of PHI and sets limits and conditions on the uses and disclosures of such information. The HIPAA Privacy Rule also gives individuals certain rights over their PHI. In April 2023, OCR published proposed modifications to the HIPAA Privacy Rule to address changes in the legal landscape affecting reproductive health care privacy that make it more likely than before that PHI may be used and disclosed in ways that HIPAA intended to protect. OCR received almost 30,000 comments on the proposed rule from the public. After carefully considering these comments, the Department is issuing a Final Rule that:
- Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
- Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
- Requires regulated health care providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive health care privacy.
Change is Gonna Make Change Happen
[13:41] The latest on the Change Healthcare attack lets us know that, as expected, it is still not cleared up to the point where they are recovered and getting things fully back to normal. The impact continues, and it is not just a little bit.
Change Healthcare cyberattack fallout continues
“We are committed to providing updates as we progress through the data, not just at the end,” UHG emphasized. “We also know customers are interested in hearing about what data is impacted to determine if they have notification obligations. We will be offering to do the notification work for customers where permitted.”
Re-ransomed:
Change Healthcare Faces Another Ransomware Threat—and It Looks Credible | WIRED
The biggest news is all the testimony about the impact, and the recommendations from leaders in the sector to Congress.
Hearing on Change Healthcare cyberattack yields more questions for UHG
The House Energy and Commerce Committee hearing on healthcare cybersecurity in the wake of the Change Healthcare cyberattack included leadership from our very own HSCC Executive Director Greg Garcia and others in the sector focused on this kind of work. One thing this article pointed out is that nobody from UnitedHealth Group (UHG) has appeared.
Details from the official prepared statement Greg gave were sent out to all of us. Here is the summary they put together in the official announcement:
Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack – Congressional Testimony
Garcia concluded his testimony with a challenge to the Sector: “The health industry must be sensitized to the imperative that cyber safety is patient safety. All healthcare stakeholders – that means providers, payers, medical technology and health IT, pharmaceuticals, public health, and government – are responsible for cyber safety, so that our nation’s clinicians can do their job.”
HSCC Cybersecurity Working Group Recommendations Summary
[26:35]
- Perform a health infrastructure mapping and risk assessment.
- Assess consolidation proposals for mergers and acquisitions against their potential for increased cyber incident and impact risk.
- Hold third party product and service providers and business associates to a higher standard of “secure by design and secure by default” for technology services and capabilities used in critical healthcare infrastructure.
- Invest in a government-industry rapid response capability.
- Invest in a cyber safety net for the nation’s underserved providers, built on accountability and incentives.
- Implement the HSCC 5-year Health Industry Cybersecurity Strategic Plan. We reviewed this 5 year plan in Help Me With HIPAA podcast Critical to Stable Condition in 5 Years – Ep 448.
Other Important Points to Note
Speaking about private practices, I think this point is a very important one included in the mix, with testimony from Dr. Adam Bruggeman, M.D., an orthopedic surgeon at Texas Spine Center. Both he and Riggi point out that we are likely in “too big to fail” territory, emphasizing the risks inherent in how big some of these companies have gotten through M&A.
“My concern that cyber threats will drive further consolidation is not just hypothetical. We are seeing this play out as a direct result of the February attack. For practices whose cash flow was completely cut off and whose cash reserves were spent dry, the financial relief offered by CMS and Optum, the parent company of Change Healthcare and a subsidiary of UnitedHealth Group, was slow to arrive, it was complicated, and it was insufficient,” Bruggeman noted.
Bruggeman also alluded to reports that Optum was leveraging the financial emergency caused by the cyberattack as justification for accelerating its acquisition of physician practices.
Bruggeman urged Congress to examine whether “growing consolidation within the US healthcare market truly serves the best interests of patient care.”
The Q1 earnings report from UHG came out while this hearing was taking place. In their report they included an $872 million expense for “unfavorable cyberattack effects”. Don’t feel too bad for them, though: UHG’s 2024 Q1 revenues grew nearly $8 billion year-over-year to $99.8 billion.
Of course they are spinning it already, claiming they are taking this very seriously. The CEO’s statement in the report says:
“The core story at UnitedHealth Group remains our colleagues delivering improved experiences for the people we serve and driving balanced growth even while swiftly and effectively addressing the attack on Change Healthcare.”
[58:40] OCR did release an FAQ on the Change Healthcare breach because of the “unprecedented magnitude of this cyberattack, its widespread impact on patients and health care providers nationwide, and in the interest of patients and health care providers”. They will update it as there are things to add about the notifications, the investigation, conversations with Change and their lawyers, etc.
Change Healthcare Cybersecurity Incident Frequently Asked Questions | HHS.gov
In the end, the cybersecurity debacle at Change Healthcare has thrown a stark light on just how intertwined healthcare operations and technology have become. As the saga continues, it’s clear that the attack is more than a wake-up call—it’s a clear signal that the healthcare industry needs to seriously beef up its defenses. The broad impact of this breach has shown that securing patient data isn’t just about avoiding inconvenience; it’s about ensuring the fundamental reliability and trustworthiness of our healthcare systems. Moving forward, it’s crucial for healthcare providers and tech partners to work together more closely to shield patient information from cyber threats and keep healthcare safe and dependable for everyone.
HIPAA is not about compliance, it’s about patient care.™


