OCR updates Change Healthcare cybersecurity incident FAQs

June 3, 2024

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) published an update to the frequently asked questions (FAQs) webpage concerning the Change Healthcare cybersecurity incident.  

The webpage, first published on April 19, 2024, provides answers to FAQs concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group (UHG), and many other healthcare entities. 

The webpage updates address questions OCR has received concerning who is responsible for performing breach notification to HHS, affected individuals, and, where applicable, the media. Specifically, the FAQs make clear that:

  • Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf. 

  • Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and, where applicable, the media.

  • If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations. 

The new and updated FAQs on the Change Healthcare Cybersecurity Incident may be viewed at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html. 

The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.