See ONC’s Latest FAQs Addressing the Change Healthcare Cyberattack

The HHS Office of the National Coordinator (ONC) has updated FAQs on the Change Healthcare/UnitedHealth Group cyberattack, effective May 31, 2024. The FAQs address a variety of issues, including OCR’s investigation, breach report filing, ransomware guidance, HIPAA breach notifications by covered entities, and delegation of breach notifications. ONC indicates that under the HITECH Act, covered entities are ultimately responsible for ensuring that breach notifications occur. Of note, OCR says it understands that in this case, business associate notification to affected covered entities has not yet occurred and that UHG’s website states that they “are not announcing an official breach notification at this time. To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UHG has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.” OCR says it will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG. ONC recommends that covered entities coordinate with Change Healthcare and UHG, who will be providing the breach notifications. Review the HHS FAQs on the cyberattack. OCR plans to update the page as needed.