This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

What's Trending

Tracking trends critical to life sciences and technology companies. Subscribe to stay up to date.

| less than a minute read

Change Breach Results in Notification Clarity

On May 31, 2024, more than four months after the February 2024 Change Healthcare ransomware attack, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) updated its Change Healthcare FAQs. The updates clarify that only one entity—in this case, either the impacted covered entities or Change Healthcare—must notify individuals of the recent breach. 

If covered entities delegate to Change Healthcare their obligations to provide the required breach notifications to affected individuals, HHS and, where applicable, media outlets, they will have no additional Health Insurance Portability and Accountability Act (HIPAA) breach notification obligations.

With delegation, covered entities may be absolved of notification costs and obligations, however, OCR specifies covered entities remain responsible for ensuring all delegated notifications comply with the HIPAA Breach Notification Rule timing, content, and form requirements. Specifically, in the case of the Change Healthcare breach, the revised FAQs clarified that “OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG [United Health Group]."

“Ensuring patient privacy is one of the pillars of HIPAA. Our updated FAQs webpage on the Change Healthcare breach reiterates that importance by making clear that individuals affected by this breach must be notified that their protected health information was breached. This ensures that the potentially millions of Americans ... will understand the impact of this breach on their private medical records and their health care,” said OCR Director Melanie Fontes Rainer.


healthcare regulatory, privacy & cybersecurity, healthtech, insurtech, life sciences