Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published an update to its Frequently Asked Questions (FAQs) webpage regarding the Change Healthcare cybersecurity incident. The webpage, first published on April 19, 2024, provides answers to frequently asked questions about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations and the cybersecurity incident that affected Change Healthcare, a division of UnitedHealth Group (UHG), and many other healthcare organizations.
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that HIPAA-covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates must follow to protect the privacy and security of protected health information and to provide the required notifications to HHS and affected individuals following a breach.
“Ensuring patient privacy is one of the pillars of HIPAA, and our updated FAQ webpage regarding the Change Healthcare breach reemphasizes its importance by clarifying the need to notify individuals affected by this breach that their protected health information has been compromised so that potentially millions of Americans, including seniors, people with disabilities, those with limited English proficiency, and those with limited access to technology, can understand the impact this breach has on their personal medical records and healthcare,” said OCR Director Melanie Fontes Rainer. “Affected covered entities who would like Change Healthcare to serve as their breach notification agent should contact Change Healthcare. All required HIPAA breach notifications can be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure HIPAA breach notifications are prioritized.”
The webpage updates answer questions OCR has received about who is responsible for carrying out breach notifications to HHS, affected individuals, and media, if applicable. Specifically, the FAQs clarify that:
- A covered entity affected by a Change Healthcare breach may delegate to Change Healthcare, by contract, the task of providing the required HIPAA breach notice on its behalf.
- Only one entity, either the covered entity itself or Change Healthcare, is required to complete a breach notification to affected individuals, HHS, and, if applicable, the media.
- If a covered entity works with Change Healthcare to perform the required breach notification in a manner consistent with the HITECH Act and the HIPAA Breach Notification Regulations, it will not incur any additional HIPAA breach notification obligations.
The new and updated FAQs about the Change Healthcare Cybersecurity Incident can be found at https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.
HHS Breach Portal: Notifications to the HHS Secretary of breaches of unsecured protected health information are available at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
OCR works to enforce the HIPAA Rules, which protect the privacy and security of people's health information. Guidance on the Privacy Rule, Security Rule, and Breach Notification Rule is also available on the OCR website.
If you believe that the privacy rights or civil rights relating to your health information, or someone else's health information, have been violated, you may file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.