Feds Issue Guide for Change Health Breach Reporting Duties
BankInfoSecurity
Contributed by: Drex DeFord
Summary
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued guidance indicating that it has not yet received mandatory HIPAA breach reports from Change Healthcare or its parent company UnitedHealth Group (UHG) following a significant cyberattack. The guidance underscores the requirement for HIPAA-covered entities and their vendors to report breaches of protected health information (PHI) within 60 days of discovery for incidents affecting 500 or more individuals. The notice also discusses the obligations of these entities to notify affected individuals and outlines the unclear timeline for when Change Healthcare and UHG discovered the breach and the extent of their notification responsibilities. Further, HHS has initiated an investigation into the incident due to its broad impact on patient privacy and healthcare provider operations, emphasizing the importance of compliance with HIPAA rules in the wake of the cyberattack.