HHS Issues Updates on Cybersecurity Incidents
On May 31,2024, HHS’s Office for Civil Rights (OCR) released updated FAQs addressing the investigation of Change Healthcare (a unit of United Healthcare Group (UHG) that serves as a HIPAA business associate for health plans and providers nationwide).
Practically Speaking:
- A covered entity may delegate its notification responsibilities to the business associate in the wake of a business associate breach.
- However, the covered entity is still required to investigate and timely report the breach and ensure that the notification responsibilities meet the standards in the HITECH Act and the HIPAA breach notification rule.
- Only one entity—which could be the covered entity itself or its business associate—needs to complete notifications to affected individuals, the HHS Secretary, and where applicable the media.
The updated FAQs emphasized that if a covered entity is aware of a potential business associate breach, it must proactively investigate whether a breach has occurred and timely report the breach as outlined in the HITECH Act and the HIPAA breach notification rule.
Under the HITECH Act and Breach Notification Rule, the covered entity is ultimately responsible for ensuring that such notifications occur[1]. Therefore, the affected covered entities should coordinate with the business associate on who will be providing the required breach notifications.
Covered entities are obligated to assure that notices issued by the business associate comply with the breach notification rule’s requirements regarding timing, content, and form.
The updated FAQs explain that:
- Covered entities affected by a breach may delegate to the business associate the task of providing the required HIPAA breach notifications on their behalf,
- Only one entity (either the covered entity or the business associate) needs to complete breach notifications to affected individuals, HHS, and the media, and
- If covered entities work with a business associate to perform the required breach notifications, those notifications are required to be consistent with the HITECH Act and HIPAA Breach Notification Rule.
The FAQs confirm that while a covered entity may delegate the responsibility of providing breach notices to the business associate, it is responsible for ensuring individuals are notified of a breach without unreasonable delay, and in no case later than 60 calendar days from the discovery of the breach.
The updated FAQs were prompted by Change Healthcare cybersecurity incident. Given the magnitude of the cyberattack, OCR issued the Dear Colleague Letter.
For more information on HIPAA, reach out to ComplianceDashboard regarding our HIPAA10 modules.
[1] See 42 USC 17932 and 45 CFR 164.404