HHS: Change Healthcare responsible for cyberattack data breach notifications

Editor's Note

Change Healthcare is responsible for notifying affected parties about privacy breaches resulting from the February cyberattack on the company, The U.S. Department of Health and Human Services (HHS) announced May 31.

The announcement took the form of an update to an FAQ webpage from HHS’ Office for Civil Rights (OCR) dedicated to the incident’s impact on rules associated with hte Health Insurance Portability and Accountability Act of 1996 (HIPAA). The update clarifies that affected entities can delegate breach notifications to Change Healthcare, a unit of UnitedHealth Group, and underscores that only one entity—either the covered entity or Change Healthcare—needs to complete notifications to affected individuals, HHS, and the media. The OCR encourages prioritizing HIPAA breach notifications and provides links to relevant resources and complaint filing options.

“This ensures that the potentially millions of Americans, including the elderly, the disabled, those with limited English proficiency, those with limited access to technology, and more, will understand the impact of this breach on their private medical records and their health care,” said OCR Director Melanie Fontes Rainer. “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”