  • Washington Highlights

    OCR Issues FAQ on HIPAA Obligations Related to Change Healthcare Incident

    Shahid Zaman, Director, Hospital Payment Policy

    The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued an FAQ document regarding the Change Healthcare cyberattack. The FAQ covers breach notification responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-91) Privacy, Security, and Breach Notification rules. The OCR previously launched an investigation of Change Healthcare and its parent company, UnitedHealth Group [refer to Washington Highlights, March 15, 2024]. In the FAQ, the OCR provides more detail on its investigation of UnitedHealth Group and states that, while it has not yet received any breach reports from Change Healthcare, UnitedHealth Group, or any HIPAA-covered entities, covered entities must report a breach affecting 500 or more individuals within 60 calendar days of the date of discovery of a breach of unsecured protected health information. The OCR provides more information about the breach notification duties of covered entities and business associates, including reporting a breach to affected individuals, the HHS, and — in cases where 500 or more individuals are affected — to the media. The OCR document also includes resources for providers on protecting patients and record systems from cyberattacks.