HHS Office for Civil Rights Creates FAQ Webpage in Response to the Change Healthcare Cyberattack

U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office for Civil Rights

April 19, 2024

Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) posted a new webpage to share answers to frequently asked questions (FAQs) concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group (UHG), and many other health care entities. The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health care industry.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates must follow to protect the privacy and security of protected health information, as well as the required notifications to HHS and affected individuals following a breach.

The webpage answers questions and provides helpful information on many topics, including:

  • Why did OCR issue the March 13, 2024, “Dear Colleague Letter”?
  • Why is OCR initiating an investigation and what does it cover?
  • Has OCR received breach reports from Change Healthcare, UHG, or any affected health care providers?
  • Are large breaches (those affecting 500 or more individuals) posted on the HHS Breach Portal on the same day that OCR receives a regulated entity’s breach report?
  • Is OCR’s 2016 ransomware guidance applicable to the Change Healthcare cyberattack?
  • Are covered entities that are affected by the cyberattack involving Change Healthcare and UHG required to file breach notifications?
  • What HIPAA breach notification duties do covered entities have with respect to the Change Healthcare cyberattack?
  • What HIPAA breach notification duties do business associates have with respect to the Change Healthcare cyberattack?

The new FAQs on the Change Healthcare Cybersecurity Incident may be viewed at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html

The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of people’s health information. Guidance about the Privacy Rule, Security Rule, and Breach Notification Rules can also be found on OCR’s website.

If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.

Source: OCR Listserv