HHS Announces Investigation into Change Healthcare Cyberattack

On March 13, 2024, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) issued a "Dear Colleagues" letter announcing its investigation into the Change Healthcare cybersecurity incident last month that disrupted and continues to disrupt health care and billings systems across the U.S. OCR administers and enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, and breach notification rules, which establish privacy and security requirements for protected health information and breach notification requirements that covered entities (healthcare providers, health plans, and clearinghouses) and their business associates must follow. OCR stated in its March 13 letter that "[g]iven the unprecedented magnitude of this cyberattack, and in the best interests of patients and healthcare providers," its investigation of Change Healthcare and its corporate parent, UnitedHealth Group (UHG), "will focus on whether a breach of protected health information occurred and Change Healthcare's and UHG's compliance with the HIPAA Rules."  

OCR goes on to state: 

"OCR's interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules."

A "business associate" under the privacy rules is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A "business associate" also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. The Federal Trade Commission (FTC) enforces similar breach notification rules that apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the Health Information Technology for Economic and Clinical Health Act (HITECH) Act.

OCR's letter contains links to guidance materials and resources related to the HIPAA privacy, security, and breach notification rules. We previously reported on guidance the U.S. Department of Labor (DOL) issued in 2021 related to ERISA retirement plan cybersecurity best practices, which the agency has subsequently said applies in large part to health plan cybersecurity as well.

Multiple Proposed ERISA and Plan Regulations Under Final Review at OMB

We are likely to see multiple federal agency rules impacting employee benefits and ERISA plans released in the coming weeks. Here are some to look out for that have undergone or are currently undergoing review at the Office of Management and Budget (OMB), which is usually the final step before issuance.

Limited-Duration Insurance: Independent, Non-coordinated Excepted Benefits Coverage; Level-Funded Plan Arrangements; and Tax Treatment of Certain Accident and Health Insurance (RIN: 0938-AU67)

OMB completed its review of this multi-faceted rule on March 25, 2024, so its release is expected any day. The proposed rule aimed to amend the definition of short-term, limited duration insurance, which is excluded from the definition of individual health insurance coverage under the Public Health Service Act. It also set forth amendments to the requirements for hospital indemnity or other fixed indemnity insurance to be considered an excepted benefit in the group and individual health insurance markets, as well as amendments to the longstanding tax treatment of certain benefit payments received under employer-provided supplemental health coverage. 

Retirement Security Rule: Definition of an Investment Advice Fiduciary (RIN: 1210-AC02)

This latest version of the DOL "fiduciary rule" was sent to OMB on March 8, 2024. This rulemaking would amend the regulatory definition of the term "fiduciary" set forth at 29 CFR 2510.3-21(c) and expand the persons who qualify as fiduciaries within the meaning of section 3(21) of ERISA and section 4975(e)(3) of the Internal Revenue Code on account of rendering investment advice for a fee to employee benefit plans. In conjunction with this rulemaking, DOL's Employee Benefits Security Administration (EBSA) also proposed amendments to existing prohibited transaction exemptions, which are also pending at OMB and will likely be released with the final rule.

Definition of "Employer" Under Section 3(5) of ERISA-Association Health Plans (RIN: 1210-AC16)

In this rulemaking, sent to OMB on March 22, 2024, DOL will withdraw, or withdraw and replace, its regulation at 29 CFR 2510.3-5, published as a final rule in 2018, which established an alternative set of criteria for determining when an employer association may act indirectly in the interest of an employer under section 3(5) of ERISA for purposes of establishing a multiple employer group health plan. The U.S. District Court for the District of Columbia vacated portions of the 2018 final rule in a 2019 decision in New York v. United States Department of Labor, 363 F. Supp. 3d 109 (D.D.C. 2019). 

We will be reporting on these highly anticipated final rules in upcoming editions of this newsletter. Note that DOL's proposed rule to amend the Abandoned Plan Program (RIN: 1210-AC04), which was reintroduced in 2021 and sent to OMB on July 19, 2023, could also see some movement in the coming months, as may the amendments to the tri-agency Mental Health Parity and Addiction Equity Act (MHPAEA) rules. 

Upcoming Speaking Engagements and Events 

On April 12, Joanne and Anthony will serve as facilitators for the workshop "Case Law Updates" at the 2024 NOPLG Conference in Seattle, WA.

Joanne will speak at the American Bar Association's Joint Committee on Employee Benefits (JCEB) and the American College of Employee Benefits Counsel's "ERISA: Beyond the Basics" CLE program on May 7.

The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.