Home Blog Post


On Friday, May 31, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) published an update to the frequently asked questions (FAQs) webpage concerning the Change Healthcare cybersecurity incident. The webpage, first published on April 19, 2024, provides answers to FAQs concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group (UHG), and many other health care entities.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.

In a statement from the OCR Director Melanie Fontes Rainer, “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”

The webpage updates address questions OCR has received concerning who is responsible for performing breach notification to HHS, affected individuals, and where applicable the media. Specifically, the FAQs make clear that:

  • Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
  • Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media.
  • If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.

The new and updated FAQs on the Change Healthcare Cybersecurity Incident may be viewed here.

What’s you HIPAA IQ?

Did you know that the OCR expects that all covered entities should have a HIPAA compliance program that includes policies and procedures, security and risk assessments, and employee training? If you are missing any of these, the van Halem Group can help! From a user-friendly HIPAA compliance program to guided security and risk assessments, our team can help! Contact us today to learn more!