
Change Healthcare has responsibility to tell patients of data breach, says OCR

The U.S. Department of Health and Human Services' Office for Civil Rights updated its Change Healthcare cybersecurity incident frequently asked questions page on Friday to address questions the agency has received asking which entities are responsible for performing breach notification to HHS, affected individuals and, where applicable, the media.

WHY IT MATTERS

Published on April 19, the FAQ addresses HIPAA rules as they pertain to the February 9 cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group, which had a widespread impact on healthcare organizations across the US.

“Our updated FAQs webpage on the Change Healthcare breach reiterates that importance by making sure that individuals affected by this breach should be notified that their protected health information was breached,” said OCR Director Melanie Fontes Rainer in a statement.

OCR said that to help avoid duplicative letters to patients:

  • Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
  • Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS and, where applicable, the media.

HIPAA-covered entities working with Change Healthcare “to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule” would not be subject to additional notification responsibilities, the agency noted.

THE LARGER TREND

In April, the Medical Group Management Association asked HHS by letter to ensure providers would avoid regulatory actions related to the Change Healthcare attack and to require UHG to take on the required HIPAA breach notifications.

UHG pledged to “help ease reporting responsibilities on other stakeholders whose data may have been compromised as part of this cyberattack,” and offered to “make notifications and undertake related administrative requirements on behalf of any provider or customer.”

Ultimately, chain reaction breaches like the Change Healthcare attack and subsequent outage affecting a large swath of the healthcare ecosystem could get much more complex in terms of breach notifications. The Federal Trade Commission seeks to amend and strengthen its Health Breach Notification Rule to cover entities, like third-party prescription apps, not previously covered by HIPAA.

ON THE RECORD

“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” Fontes Rainer said in a statement. “All of the required HIPAA breach notifications may be performed by Change Healthcare.”

Andrea Fox is senior editor of Healthcare IT News.


Email: afox@himss.org


Healthcare IT News is a HIMSS Media publication.
