- Home
- Advocacy
- Latest News and Practice Data
- HHS Deems Change Healthcare Responsible for Breach Notifications
The CAP, the American Medical Association (AMA) and more than 50 provider groups asked the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) to enforce the Health Insurance Portability and Accountability Act (HIPAA) reporting requirements involving the Change Healthcare cyber incident announced on February 21. Specifically, the groups asked for clarification around reporting responsibilities to assure affected providers that reporting, and notification obligations will be handled by Change Healthcare. On May 29, the HHS announced that covered entities (providers, hospitals, insurance companies) affected by the cyberattack do not have to take on the HIPAA-mandated responsibility of notifying patients that their health data have been breached and can delegate that responsibility to Change Healthcare. As a result of CAP advocacy, pathologists are not responsible for bearing the cost and administrative burden of sending out HIPAA notifications for a cyberattack which negatively affected them. For more information visit: HHS OCR’s recently updated frequently asked questions webpage.
The CAP, the American Medical Association (AMA) and more than 50 provider groups asked the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) to enforce the Health Insurance Portability and Accountability Act (HIPAA) reporting requirements involving the Change Healthcare cyber incident announced on February 21. Specifically, the groups asked for clarification around reporting responsibilities to assure affected providers that reporting, and notification obligations will be handled by Change Healthcare.
On May 29, the HHS announced that covered entities (providers, hospitals, insurance companies) affected by the cyberattack do not have to take on the HIPAA-mandated responsibility of notifying patients that their health data have been breached and can delegate that responsibility to Change Healthcare. As a result of CAP advocacy, pathologists are not responsible for bearing the cost and administrative burden of sending out HIPAA notifications for a cyberattack which negatively affected them.
For more information visit: HHS OCR’s recently updated frequently asked questions webpage.