HHS Shifts Stance on Breach Notifications

The Department of Health and Human Services (HHS) has reversed its previous stance, now allowing Change Healthcare to file breach notifications on behalf of entities affected by the February ransomware attack. Initially, HHS required each impacted organization to individually report breaches, causing frustration among the thousands of affected healthcare providers.

The updated guidance permits Change Healthcare to handle all required HIPAA breach notifications, easing the burden on healthcare entities still recovering from the attack’s financial impact. Change Healthcare, which processes about half of all U.S. medical claims, reported that one-third of Americans had their information accessed during the breach.

The healthcare industry has praised HHS’s decision, highlighting the practicality and legal backing for the move, and noting the reduced confusion and costs for providers.