On May 31, 2024, HHS's Office for Civil Rights (OCR) released updated FAQs addressing its investigation of Change Healthcare, a unit of United Healthcare Group (UHG) that serves as a HIPAA business associate for health plans and providers nationwide.
The updated FAQs emphasized that if a covered entity is aware of a potential business associate breach, it must proactively investigate whether a breach has occurred and timely report the breach as outlined in the HITECH Act and the HIPAA breach notification rule.
Under the HITECH Act and Breach Notification Rule, the covered entity is ultimately responsible for ensuring that such notifications occur[1]. Therefore, the affected covered entities should coordinate with the business associate on who will be providing the required breach notifications.
Covered entities are obligated to assure that notices issued by the business associate comply with the breach notification rule's requirements regarding timing, content, and form.
The FAQs confirm that while a covered entity may delegate the responsibility of providing breach notices to the business associate, it is responsible for ensuring individuals are notified of a breach without unreasonable delay, and in no case later than 60 calendar days from the discovery of the breach.
The updated FAQs were prompted by the Change Healthcare cybersecurity incident. Given the magnitude of the cyberattack, OCR issued the Dear Colleague Letter.
For more information on HIPAA, reach out to ComplianceDashboard regarding our HIPAA10 modules.
[1] See 42 USC 17932 and 45 CFR 164.404