OCR Clarifies Breach Notification Responsibility for Change Healthcare Cyberattack

June 4, 2024
Faridat Animashaun

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) on May 31 clarified the parties responsible for issuing HIPAA breach notifications for the Change Healthcare cybersecurity incident.

In the wake of a data breach, affected entities must provide breach notifications in accordance with the HIPAA Breach Notification Rule and the HITECH Act. In updates to its FAQ on the Change Healthcare cyberattack, the agency confirmed that affected covered entities may delegate all breach notifications to Change Healthcare. Only one entity (the covered entity or Change Healthcare) is required to complete breach notifications.

Entities that coordinate with Change Healthcare to provide breach notifications will have no additional HIPAA breach notification obligations. Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact the company.

On May 8, America’s Essential Hospitals and other hospital groups urged Change Healthcare and its parent company, UnitedHealth Group, to take responsibility for breach notifications following the cyberattack. The new OCR guidance responds to many concerns the association raised.

Contact Director of Policy Rob Nelb, MPH, at rnelb@essentialhospitals.org or 202.585.0127 with questions.
