HHS Office for Civil Rights Creates FAQ Webpage in Response to the Change Healthcare Cyberattack

Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a new webpage to share answers to frequently asked questions (FAQs) about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the cybersecurity incident that affected Change Healthcare, a unit of UnitedHealth Group (UHG), and many other healthcare entities. The cyberattack is disrupting healthcare and billing information operations nationwide and represents a direct threat to critically needed patient care and essential operations of the healthcare industry.

OCR enforces the HIPAA Privacy, Security and Breach Notification Rules, which establish the requirements that HIPAA-covered entities (most healthcare providers, health plans, and healthcare clearinghouses) and their business associates must follow to protect the privacy and security of protected health information, and the required notifications to HHS and affected individuals following a breach.

The website answers questions and provides useful information on many topics, including:

  • Why did OCR issue the “Dear Colleague Letter” of March 13, 2024?
  • Why does OCR initiate an investigation and what does it cover?
  • Has OCR received reports of noncompliance from Change Healthcare, UHG, or any affected healthcare providers?
  • Are major breaches (those affecting 500 or more people) posted to the HHS Breaches Portal on the same day that OCR receives the breach report from a regulated entity?
  • Is OCR’s 2016 ransomware guidance applicable to the Change Healthcare cyberattack?
  • Are covered entities that are affected by the cyberattack involving Change Healthcare and UHG required to file breach notices?
  • What HIPAA breach notification obligations do covered entities have regarding the Change Healthcare cyberattack?
  • What HIPAA breach notification obligations do business associates have regarding the Change Healthcare cyberattack?

The new Change Healthcare Cybersecurity Incident FAQ can be found at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html

HHS Breach Portal: The notice to the Secretary of HHS regarding a breach of unsecured protected health information can be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

OCR is committed to enforcing HIPAA rules that protect the privacy and security of individuals’ health information. You can also find guidance on the Privacy Rule, Security Rule, and Breach Notification Rules on the OCR website.

If you believe that the privacy of your health information or your or another person’s civil rights have been violated, you may file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.
