As the ransomware incident that clocked UnitedHealth Group’s subsidiary Change Healthcare continues to evolve, so does the federal HIPAA guidance. Details: On April 19, the HHS Office for Civil Rights (OCR) issued an update to its guidance on Change Healthcare in the form of a frequently asked question (FAQ) set. Question No. 1 is a repeat of OCR’s March 13 “Dear Colleagues” letter release and advice (see Medicare Compliance & Reimbursement, Vol. 50, No. 6). OCR offers more insight into its investigation of Change Healthcare in Questions 2 and 3 while providing covered entities with reminders on the HIPAA regulations, guidance on individual requirements and reporting in relation to the cyberattack, and links to past insight and provisions.
For example, in Questions No. 6 through No. 9, OCR delves into the responsibility of both covered entities and their business associates under the HIPAA Breach Notification Rule. OCR guidance on the intersection of the regulation and the cyber incident includes: