CBC Health News

New HIPAA FAQs Released by HHS in Response to Change Healthcare Cyber Attack

Jun 14, 2024



The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has updated its FAQ webpage following the Change Healthcare cybersecurity incident. First published on April 19, 2024, this page offers important information about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules and the cybersecurity breach that affected Change Healthcare, a part of UnitedHealth Group (UHG), and many other healthcare organizations.

OCR enforces HIPAA's Privacy, Security, and Breach Notification Rules. These rules require covered entities—such as health plans, healthcare clearinghouses, and most healthcare providers—and their business associates to protect Personal Health Information (PHI). They also outline how to notify HHS and affected individuals if a breach happens. The updated FAQs help clarify these rules and offer guidance on handling and reporting cybersecurity incidents.

This post covers the recent HHS updates issued after the Change Healthcare cyber incident. It outlines the HIPAA rules for protecting PHI and summarizes the breach notification guidance for healthcare organizations.

HIPAA Breach Notification: FAQs Addressing Responsibility Updates

The FAQ updates clarify the responsibility for notifying HHS, affected individuals, and, when required, the media about breaches.

The FAQs specifically state that:

  • Covered entities impacted by the Change Healthcare breach can authorize Change Healthcare to manage breach notifications.
  • Only one entity, the covered entity or Change Healthcare, is responsible for issuing breach notifications.
  • Covered entities have no additional HIPAA breach notification obligations if Change Healthcare provides the breach notifications in accordance with the HIPAA Rules.

Fortifying Cybersecurity Protocols after the Change Healthcare Incident

Following the Change Healthcare cybersecurity incident, OCR urges HIPAA-covered entities such as health plans, insurers, healthcare providers, and their business partners to review their cybersecurity measures promptly so that health information remains protected. While many employers may not directly handle PHI from their health plans, those engaging third-party vendors like Third-party Administrators (TPAs) and Pharmacy Benefit Managers (PBMs) should thoroughly assess and confirm these vendors' cybersecurity protocols during the selection process. Employers should also establish comprehensive business associate agreements that incorporate sufficient security safeguards for electronic PHI.


Taking Action in Response to Cybersecurity Concerns

With OCR's emphasis on securing electronic PHI, employers should take the following actions:

  • Review Current Cybersecurity Measures: Employers accessing PHI from their health plans should review their existing cybersecurity protocols and implement any updates needed to strengthen protection.
  • Evaluate Third-party Vendors: Even if they do not directly handle PHI, employers should examine the cybersecurity practices of prospective Third-party Administrators (TPAs) or Pharmacy Benefit Managers (PBMs) during the selection process.
  • Strengthen Business Associate Agreements: Employers must ensure that their agreements with business associates include strong security provisions to safeguard electronic PHI effectively.


Accessible Resources for Every Business

Protecting PHI is a major focus for OCR. To assist covered entities and business associates in defending their systems against cyberattacks, OCR offers a range of resources, including:

Enhancing Healthcare Data Security: Key Insights and Practical Measures for Safeguarding PHI with CBC

The recent updates from HHS and OCR regarding the Change Healthcare cyber incident highlight the importance of HIPAA compliance and cybersecurity in the healthcare sector. The FAQs provide valuable guidance on breach notification responsibilities, while OCR's focus on reviewing and enhancing cybersecurity measures reflects the urgency of protecting Personal Health Information (PHI).

Covered entities and their business associates should take proactive measures to strengthen cybersecurity protocols and ensure compliance with HIPAA rules. This includes reviewing current cybersecurity measures, evaluating third-party vendors' security practices, and enhancing business associate agreements. For additional support and resources, OCR offers various tools and guidance materials to help organizations safeguard electronic PHI and mitigate cyber threats effectively.

Custom Benefit Consultants (CBC), Inc. offers expert solutions and resources to help organizations strengthen cybersecurity and achieve HIPAA compliance. Our team of professionals specializes in providing user-friendly HIPAA compliance programs and guided security assessments. Contact us today to learn more about how we can assist you in safeguarding PHI and mitigating cyber threats effectively.

