Industry News

Change Health Fallout Unknown

Due to the magnitude of the Change Healthcare cyberattack, OCR maintains a FAQ page with updates and investigation status reports. As of May 31, Change Healthcare had not yet officially filed a breach notification with HHS and continued to consider options for when and how it will notify covered entities and business associates of the breach. The responsibility of covered entities and their business associates also remains unclear. An OCR response to an inquiry from the College of Healthcare Information Management Executives (CHIME) stated that covered entities may delegate HIPAA breach notification obligations to Change Healthcare; however, the covered entity must ensure that Change Healthcare fulfills its obligations. CHIME is seeking clarification on this response to better understand individual providers’ responsibilities and requirements.