On May 31, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) updated its FAQs on HIPAA and the recent cybersecurity incident involving Change Healthcare, part of UnitedHealth Group. OCR enforces the HIPAA Privacy, Security and Breach Notification Rules (HIPAA Rules), which require covered entities and their business associates to protect protected health information (PHI) and to report breaches to HHS and to affected individuals.
FAQ Updates
The updated FAQs address the obligation to notify HHS, impacted individuals and, when applicable, the media about breaches. The FAQs state that:
- Covered entities affected by the Change Healthcare breach may delegate breach notifications to Change Healthcare,
- Only one entity needs to provide the breach notifications, and
- If Change Healthcare provides the required breach notifications in a manner consistent with the HIPAA Rules, covered entities have no additional breach notification obligations.
Cybersecurity Measures
OCR has urged HIPAA-covered entities and their business associates to promptly review their cybersecurity measures for protecting health information. Employers that use third-party vendors such as third-party administrators (TPAs) and pharmacy benefit managers (PBMs) should verify those vendors' cybersecurity practices and confirm that business associate agreements covering electronic PHI are in place.
Compliance Resources
- HIPAA Security Rule Guidance Material
- OCR Webinar on HIPAA Security Rule Risk Analysis Requirement
- HIPAA Security Risk Assessment Tool