The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) updated an FAQ covering breach notification requirements arising from the Change Healthcare cyberattack. The FAQ covers breach notification responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-191) Privacy, Security, and Breach Notification Rules [refer to Washington Highlights, April 26]. The updated FAQ states that HIPAA-covered entities, such as providers, can request that Change Healthcare perform breach notification on their behalf. The updated FAQ also states that:
- Only one entity — the covered entity itself or Change Healthcare — must complete breach notifications to affected individuals, the HHS, and when applicable, the media.
- If covered entities work with Change Healthcare to perform the required breach notifications, they would not have additional HIPAA breach notification obligations under the HITECH Act of 2009 (P.L. 111-5) and the HIPAA Breach Notification Rule.
Under HIPAA, covered entities must report a breach affecting 500 or more individuals within 60 calendar days of the date of discovery of a breach of unsecured protected health information. Breaches affecting fewer than 500 individuals must be reported within 60 calendar days of the end of the calendar year in which the breach was discovered.