Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) posted a new webpage to share answers to frequently asked questions (FAQs) concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group (UHG), and many other health care entities. The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health care industry.
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.
The webpage answers questions and provides helpful information on many topics, including:
- Why did OCR issue the March 13, 2024, “Dear Colleague Letter”?
- Why is OCR initiating an investigation and what does it cover?
- Has OCR received breach reports from Change Healthcare, UHG, or any affected health care providers?
- Are large breaches (those affecting 500 or more individuals) posted on the HHS Breach Portal on the same day that OCR receives a regulated entity’s breach report?
- Is OCR’s 2016 ransomware guidance applicable to the Change Healthcare cyberattack?
- Are covered entities that are affected by the cyberattack involving Change Healthcare and UHG required to file breach notifications?
- What HIPAA breach notification duties do covered entities have with respect to the Change Healthcare cyberattack?
- What HIPAA breach notification duties do business associates have with respect to the Change Healthcare cyberattack?
The new FAQs on the Change Healthcare Cybersecurity Incident may be viewed at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html
The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. Guidance about the Privacy Rule, Security Rule, and Breach Notification Rules can also be found on OCR’s website.
If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.