OCR Clarifies Who is Responsible for Issuing Notifications About the Change Healthcare Cyberattack


The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has updated its Change Healthcare Cyberattack Frequently Asked Questions page to clarify the breach reporting requirements for the Change Healthcare cyberattack.

More than 100 industry groups wrote to OCR requesting greater clarity about who will be responsible for issuing individual notifications about the data breach. OCR had previously stated in the FAQs that under the HITECH Act and the HIPAA Breach Notification Rule, the covered entity is ultimately responsible for ensuring that notifications about a data breach are issued, including when the data breach occurs at a business associate. When a business associate suffers a data breach, the covered entity may delegate the responsibility for issuing notifications to the business associate.

UnitedHealth Group (UHG), the parent company of Change Healthcare, said, “To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.” The industry groups wanted OCR to publicly confirm that UHG will be issuing notifications on behalf of all affected covered entities.

OCR’s updated FAQs do not include a declaration that UHG will be issuing notifications; however, they do now confirm that notifications can legally be issued by either UHG or the affected covered entities. OCR also said that the affected covered entities should coordinate with Change Healthcare and UHG on who will be providing breach notifications. Should UHG fail to issue notifications, the burden for issuing notifications would fall on the affected covered entities.

At this moment in time, neither Change Healthcare nor UHG has confirmed which individuals need to be notified. UHG issued a press release confirming a breach, stating that “Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.” UHG CEO Andrew Witty also said that the breach could potentially affect 1 in 3 Americans.

Until the investigation has been completed and the individuals affected have been confirmed, notifications cannot be issued, and the countdown for issuing notifications has not yet started for the affected covered entities. “OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG,” explained OCR.


About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/