HHS updates FAQs on Change Healthcare cybersecurity incident

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has updated the frequently asked questions (FAQs) webpage regarding the Change Healthcare cybersecurity incident. Initially published on April 19, 2024, the webpage provides information related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the cybersecurity incident affecting Change Healthcare, a unit of UnitedHealth Group (UHG), along with many other healthcare entities.

OCR is responsible for enforcing HIPAA Privacy, Security, and Breach Notification Rules. These rules set forth requirements that HIPAA-covered entities—such as health plans, healthcare clearinghouses, and most healthcare providers—and their business associates must follow to protect the privacy and security of protected health information. They also outline the necessary notifications to HHS and affected individuals following a breach.

“Ensuring patient privacy is one of the pillars of HIPAA. Our updated FAQs webpage on the Change Healthcare breach reiterates that importance by making clear that individuals affected by this breach must be notified that their protected health information was breached,” said OCR Director Melanie Fontes Rainer. “This ensures that potentially millions of Americans, including the elderly, the disabled, those with limited English proficiency, those with limited access to technology, and more will understand the impact of this breach on their private medical records and their healthcare.”

Rainer added, “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that HIPAA breach notifications are prioritized.”

The updates address questions concerning who is responsible for performing breach notification to HHS, affected individuals, and where applicable, the media. Specifically:

- Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing required HIPAA breach notifications on their behalf.

- Only one entity—either the covered entity itself or Change Healthcare—needs to complete breach notifications to affected individuals, HHS, and where applicable, the media.

- If covered entities work with Change Healthcare to perform required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.

The new and updated FAQs on this cybersecurity incident can be viewed at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.

Further information about notifying HHS regarding breaches can be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

OCR remains committed to enforcing HIPAA Rules that protect privacy and security in healthcare information. Guidance about these rules is available on OCR’s website.

Individuals who believe their health information privacy or civil rights have been violated can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.