Change Healthcare Cybersecurity Incident Frequently Asked Questions | HHS.gov
Updated as of May 31, 2024

1. Why did OCR issue the Dear Colleague letter about the Change Healthcare cybersecurity incident?

A: Given the unprecedented magnitude of this cyberattack, its widespread impact on patients and health care providers nationwide, and in the interest of patients and health care providers, OCR issued the Dear Colleague letter addressing the following.

2. Why is OCR initiating an investigation now, and what does it cover?

A: Ensuring continuity of care and patient privacy is the utmost priority. In the interest of patients and health care providers who are reeling from the impact of this cyberattack of unprecedented magnitude, OCR initiated investigations of Change Healthcare and UHG. The investigations are primarily focused on whether a breach of unsecured PHI occurred and on Change Healthcare's and UHG's compliance with the HIPAA Rules.

3. Have Change Healthcare or UHG filed a breach report with HHS?

A: No. Change Healthcare and UHG have not provided breach notification to HHS concerning this breach. Covered entities have up to 60 calendar days from the date of discovery of a breach of unsecured PHI to file breach reports to HHS's breach portal for breaches affecting 500 or more individuals. HHS's breach portal contains a list of all reported breaches of unsecured PHI affecting 500 or more individuals.

See FAQ 6 for more information on when a covered entity's breach notification obligations are triggered after a breach occurs at a covered entity's business associate.

4. Are large breaches (those affecting 500 or more individuals) posted on the HHS Breach Portal on the same day that OCR receives a regulated entity's breach report?

A: No. Before a breach is posted on the HHS Breach Portal, OCR verifies the report it receives. OCR discusses the breach reported with the regulated entity that reported the breach and verifies that the information in the breach report is accurate. Once breach verification is completed, the breach report will be posted on the HHS Breach Portal. The amount of time that the breach verification process takes can vary depending on the circumstances, but generally the verification process is completed within 14 days.

5. Is OCR's 2016 ransomware guidance applicable to the Change Healthcare cyberattack?

A: Yes. OCR's ransomware guidance provides specific information on the steps covered entities and business associates should take to determine if a ransomware incident is a HIPAA breach. A breach under the HIPAA Rules is defined as "the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI." See 45 CFR 164.402. Whether the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination.

6. Are covered entities whose patients' or beneficiaries' protected health information was impermissibly disclosed as a result of the cyberattack involving Change Healthcare and UHG required to perform HIPAA breach notifications?

A: A covered entity that discovers a breach, including when notified of a breach by their business associate, must comply with the applicable breach notification requirements, including notification to affected individuals without unreasonable delay, to the HHS Secretary, and to the media for breaches affecting over 500 individuals. See 45 CFR 164.400-414. A breach of PHI is presumed to have occurred unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised, based on the factors in the Breach Notification Rule.

Under the HITECH Act and Breach Notification Rule, the covered entity is ultimately responsible for ensuring that such notifications occur. See 42 U.S.C. 17932 and 45 CFR 164.404. Affected covered entities should coordinate with Change Healthcare and UHG on who will be providing breach notifications.

The required breach notification to an individual must include, to the extent possible: a brief description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity (or business associate, as applicable).

When a breach of unsecured PHI occurs at a business associate, the business associate must provide notice to affected covered entities without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach by the business associate. To the extent possible, a business associate is required to provide the covered entity with the identification of each individual affected by the breach. Additionally, the business associate must provide the covered entity with any other available information required to be provided by the covered entity in its notification to affected individuals, at the time the business associate notifies the covered entity or promptly thereafter as information becomes available. Because we allow this information to be provided to a covered entity after the initial notification of the breach as it becomes available, a business associate should not delay the initial notification to the covered entity of the breach in order to collect information needed for the notification to the individual.

OCR understands that in this case, business associate notification to affected covered entities has not occurred yet. UHG's website states that they are not announcing an official breach notification at this time: "To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer."[1] OCR will not consider the 60-calendar-day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG.

7. May a covered entity delegate its breach notification obligations to Change Healthcare/UHG?

A: Yes, a covered entity may delegate to its business associate the tasks of providing the required HITECH Act and HIPAA Breach Notification Rule breach notifications on the covered entity's behalf. Only one entity, which could be the covered entity itself or its business associate, needs to complete notifications to affected individuals, the HHS Secretary, and, where applicable, the media.

As such, if covered entities affected by this breach ensure that Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, those covered entities would not have additional HIPAA breach notification obligations.

8. What HIPAA breach notification duties do covered entities have with respect to the Change Healthcare cyberattack?

A: Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the HHS Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate. A covered entity may delegate to its business associate the tasks of providing these required notifications on the covered entity's behalf. Only one entity, which could be the covered entity itself or its business associate, needs to complete notifications to affected individuals, the HHS Secretary, and, where applicable, the media. See FAQ 7 on delegation of this duty.

Please visit the OCR Breach Notification webpage for detailed guidance. Please visit the Breach Reporting webpage for instructions on how to submit a breach notification to the HHS Secretary and to access the electronic breach notification form.

Below is a summary of breach notification requirements and reporting procedures for covered entities.

Breach Notification for Covered Entities (See 45 CFR 164.404 and 164.408)

A covered entity's breach notification obligations differ depending on whether the breach affects 500 or more individuals or fewer than 500 individuals.

Covered Entities Submitting a Notice for a Breach Affecting 500 or More Individuals

If a breach of unsecured PHI affects 500 or more individuals, a covered entity must notify the HHS Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The covered entity must submit the notice electronically by completing all of the required fields of the breach notification form.

Covered Entities Submitting a Notice for a Breach Affecting Fewer than 500 Individuals

If a breach of unsecured PHI affects fewer than 500 individuals, a covered entity must notify the HHS Secretary of the breach within 60 calendar days of the end of the calendar year in which the breach was discovered. A covered entity is not required to wait until the end of the reporting period to report breaches affecting fewer than 500 individuals; a covered entity may report these breaches at the time they are discovered. The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by completing all of the required fields of the breach notification form.

Number Uncertain: If the number of individuals affected by a breach is uncertain at the time of notification submission, the covered entity should provide an estimate and, if it discovers additional information, submit updates in the manner specified below. If only one option is available in a particular submission category, the covered entity should pick the best option and may provide additional details in the free text portion of the submission.

Additional Information Discovered: If a covered entity discovers additional information that supplements, modifies, or clarifies a previously submitted notice to the HHS Secretary, it may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number it received after its submission of the initial breach report.

Covered Entities' Media Notice (See 45 CFR 164.406)

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities may provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and must include the same information required for the individual notice.

Covered Entities' Substitute Notice (See 45 CFR 164.404(d)(2))

The HIPAA Breach Notification Rule allows for the use of substitute notice to affected individuals where there is insufficient or out-of-date contact information that precludes written notification to the individual. In such instances, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice can be provided in the following ways:

(i) In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means.

(ii) In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall:

(A) Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and

(B) Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured PHI may be included in the breach.

9. What HIPAA breach notification duties do business associates have with respect to the Change Healthcare cyberattack?

A: Breach Notification for Business Associates (See 45 CFR 164.410)

If a breach of unsecured PHI occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. This notice must be provided without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. To the extent possible, the business associate must provide the covered entity with the identification of each individual affected by the breach, or each individual reasonably believed to have been affected, as well as any other available information required to be provided by the covered entity in its notification to affected individuals.

Additionally, with respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the task of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may vary depending on the circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual. Only one entity, which could be the covered entity itself or its business associate, needs to complete notifications to affected individuals, the HHS Secretary, and, where applicable, the media.

10. How will Change Healthcare notify affected covered entities and business associates of the breach?

A: HIPAA regulated entities affected by this incident should contact Change Healthcare and UHG with any questions on how HIPAA breach notification will occur.

11. Is Change Healthcare performing breach notification on behalf of affected entities to HHS and affected individuals?

A: Decisions about who will perform breach notification to HHS and affected individuals are up to the covered entities affected by this breach. See FAQ 7 on delegation of this duty.

12. Who is responsible for ensuring that individuals affected by the Change Healthcare breach receive notification?

A: Covered entities are responsible for ensuring that HHS, affected individuals, and, where applicable, the media are timely notified of the breach of unsecured PHI. HIPAA breach notification to affected individuals (patients, beneficiaries, and others) is essential for providing transparency about what caused the breach, when the breach occurred, what PHI was disclosed, what steps affected individuals should take to protect themselves, and information about what the HIPAA regulated entity (health plans, health care clearinghouses, most health care providers, and business associates) is doing to investigate the breach, mitigate harm to affected individuals, and protect against further breaches.

Business associates are responsible for ensuring that HIPAA covered entities are timely notified of the breach of unsecured PHI. To the extent possible, a business associate is required to provide the covered entity with the identification of each individual affected by the breach. Additionally, the business associate must provide the covered entity with any other available information required to be provided by the covered entity in its notification to affected individuals, at the time the business associate notifies the covered entity or promptly thereafter as information becomes available. Because we allow this information to be provided to a covered entity after the initial notification of the breach as it becomes available, a business associate should not delay the initial notification to the covered entity of the breach in order to collect information needed for the notification to the individual.

See FAQ 7 on delegation of this duty.

13. Does OCR plan to update this FAQ page?

A: OCR plans to update this page as needed.

[1] https://www.unitedhealthgroup.com/ns/changehealthcare/faq.html (as of May 31, 2024).

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775