Change Healthcare has responsibility to notify patients of data breach, says OCR

The U.S. Department of Health and Human Services’ Office for Civil Rights updated its Change Healthcare cybersecurity incident frequently asked questions page on Friday to address questions the agency has received about which entities are responsible for performing breach notification to HHS, to affected individuals and, where applicable, to the media.


Published on April 19, the FAQ addresses HIPAA rules as they relate to the February 9 cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group, which had a widespread impact on healthcare organizations across the United States.

“Our updated FAQs webpage on the Change Healthcare breach reiterates that importance by making clear that individuals affected by this breach must be notified that their protected health information was breached,” said OCR Director Melanie Fontes Rainer in a statement.

OCR said that to avoid duplicative letters to patients:

  • Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
  • Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS and, where applicable, the media.

HIPAA-covered entities working with Change Healthcare “to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule” would not be subject to further notification obligations, the agency noted.


In April, the Medical Group Management Association asked HHS by letter to ensure providers would avoid regulatory actions related to the Change Healthcare attack and require UHG to take on the required HIPAA breach notifications.

UHG pledged to “help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack,” and offered to “make notifications and undertake related administrative requirements on behalf of any provider or customer.”

In the future, chain-reaction breaches like the Change Healthcare attack and its subsequent outage, which affected a broad swath of the healthcare ecosystem, could become far more confusing in terms of breach notification responsibilities. The Federal Trade Commission seeks to amend and expand its Health Breach Notification Rule to cover entities, like third-party prescription apps, not previously covered by HIPAA.


“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” Fontes Rainer said in a statement. “All of the required HIPAA breach notifications may be performed by Change Healthcare.”

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.
