OCR clarifies Change Healthcare breach reporting requirements for covered entities

OCR updated its FAQ webpage and affirmed that covered entities may delegate breach notification responsibilities to Change Healthcare.

The HHS Office for Civil Rights (OCR) updated its frequently asked questions (FAQ) webpage regarding the Change Healthcare cyberattack, clarifying breach reporting requirements for affected covered entities.

As previously reported, more than 100 industry groups signed a letter to OCR in mid-May seeking clarity about data breach reporting responsibilities related to the Change Healthcare cyberattack, which caused operational and financial difficulties for healthcare providers nationwide.

UnitedHealth Group (UHG) offered to “make notifications and undertake related administrative requirements on behalf of any provider or customer,” which would ease individual reporting requirements for affected entities. However, OCR’s initial FAQ page stressed that it is ultimately the responsibility of each affected covered entity to ensure that notifications occur, even if they delegate those responsibilities to a business associate.  

OCR’s updated FAQ page once again emphasized that covered entities are responsible for ensuring that notifications occur but provided additional information about the process.

“Yes, a covered entity may delegate to its business associate the tasks of providing the required HITECH Act and HIPAA Breach Notification Rule breach notifications on the covered entity’s behalf,” OCR stated.

“Only one entity—which could be the covered entity itself or its business associate—needs to complete notifications to affected individuals, the HHS Secretary, and where applicable the media.”

OCR said that Change Healthcare and UHG have not filed a breach report with HHS yet, though they have 60 days from the date of discovery to do so.

“OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG,” OCR clarified.

OCR’s statements more clearly defined the reporting responsibilities for covered entities, ideally easing concerns about the regulatory implications of this large-scale cyberattack and data breach.