On May 31, 2024, more than four months after the February 2024 Change Healthcare ransomware attack, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) updated its Change Healthcare FAQs. The updates clarify that only one entity—in this case, either the impacted covered entities or Change Healthcare—must notify individuals of the recent breach.
If covered entities delegate to Change Healthcare their obligations to provide the required breach notifications to affected individuals, HHS and, where applicable, media outlets, they will have no additional Health Insurance Portability and Accountability Act (HIPAA) breach notification obligations.
With delegation, covered entities may be absolved of notification costs and obligations; however, OCR specifies that covered entities remain responsible for ensuring all delegated notifications comply with the timing, content, and form requirements of the HIPAA Breach Notification Rule. Specifically, in the case of the Change Healthcare breach, the revised FAQs clarified that “OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG [United Health Group].”