Therapy Comply - OCR Updates Change Healthcare Cybersecurity Incident FAQs

Upcoming Webinars

America/Chicago
Medicare and Tricare Billing and Coverage of Orthotics and Prosthetics

23 Oct 2024 12:00 PM
America/New_York
Medicare and Tricare Billing and Coverage of Orthotics and Prosthetics

24 Oct 2024 12:00 PM

Site Updates

The Ohio Occupational Therapy Compliance Guides have been updated

7 Oct 2024 4:23 PM

Zachary Edgar
The Ohio Physical Therapy Compliance Guides have been updated

7 Oct 2024 4:18 PM

Zachary Edgar
The Georgia Physical Therapy Compliance Guides have been updated

7 Oct 2024 4:17 PM

Zachary Edgar
The Georgia Occupational Therapy Compliance Guides have been updated

7 Oct 2024 4:16 PM

Zachary Edgar
National Correct Coding Initiative (NCCI) has been updated

1 Oct 2024 8:32 AM

Zachary Edgar

Disclaimer

The analysis of any legal or medical billing is dependent on numerous specific facts — including the factual situations present related to the patients, the practice, the professionals and the medical services and advice. Additionally, laws and regulations and insurance and payer policies are subject to change. The information that has been accurate previously can be particularly dependent on changes in time or circumstances. The information contained in this web site is intended as general information only. It is not intended to serve as medical, health, legal or financial advice or as a substitute for professional advice of a medical coding professional, healthcare consultant, physician or medical professional, legal counsel, accountant or financial advisor. If you have a question about a specific matter, you should contact a professional advisor directly. CPT copyright American Medical Association. All rights reserved. CPT is a registered trademark of the American Medical Association.

Home
HIPAA
HIPAA Blog
OCR Updates Change Healthcare Cybersecurity Incident FAQs

Back to list

OCR Updates Change Healthcare Cybersecurity Incident FAQs

31 May 2024 9:17 AM | Zachary Edgar (Administrator)

Today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) published an update to the frequently asked questions (FAQs) webpage concerning the Change Healthcare cybersecurity incident. The webpage, first published on April 19, 2024, provides answers to FAQs concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group (UHG), and many other health care entities.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.

“Ensuring patient privacy is one of the pillars of HIPAA. Our updated FAQs webpage on the Change Healthcare breach reiterates that importance by making clear that individuals affected by this breach must be notified that their protected health information was breached. This ensures that the potentially millions of Americans, including the elderly, the disabled, those with limited English proficiency, those with limited access to technology, and more, will understand the impact of this breach on their private medical records and their health care,” said OCR Director Melanie Fontes Rainer. “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”

The webpage updates address questions OCR has received concerning who is responsible for performing breach notification to HHS, affected individuals, and where applicable the media. Specifically, the FAQs make clear that:

Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media.
If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.

The new and updated FAQs on the Change Healthcare Cybersecurity Incident may be viewed at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.

Reference

HIPAA News Releases & Bulletins

Therapy Comply does not claim copyright over US Federal and State materials

About Us

Therapy Comply is a healthcare compliance firm that seeks to bring high quality web-based compliance guidance and one-on-one consulting services to small and medium size physical, occupational, and speech therapy practices.

Learn More

Join Us

Join today as either a monthly or a yearly member and enjoy full access to the site and a significant discount to our live and recorded webinars. Members also have access to compliance and billing support.

Join Today

Find Us