OCR sharpens focus of HIPAA investigation. Even if your reimbursement and other operations have not been affected much by the ransomware incident at UnitedHealth Group’s subsidiary Change Healthcare, it should impact you on another front: HIPAA compliance. The HHS Office for Civil Rights has issued an update to its guidance on Change Healthcare in the form of a frequently asked question set. Question No. 1 is a repeat of OCR’s March 13 “Dear Colleagues” letter release and advice. Reminder: “Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” OCR Acting Director Melanie Fontes Rainer said in the letter. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.” Watch out: “While OCR is not prioritizing investigations of health care providers ... and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities,” Fontes Rainer stressed in the letter. That includes “ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.” In the recent FAQs, OCR offers more insight into its investigation of Change Healthcare in Questions 2 and 3 while providing covered entities with reminders on the HIPAA regulations, guidance on individual requirements and reporting in relation to the cyberattack, and links to past insight and provisions. For example: In Questions No. 6 through No. 9, OCR delves into the responsibility of both covered entities and their business associates under the HIPAA Breach Notification Rule. OCR guidance on the intersection of the regulation and the cyber incident includes: Note: The FAQs are at www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.