Legal Brief: HHS authorizes UnitedHealth Group to make breach notifications

Posted on: 6/7/24


Last Friday, HHS announced that it will permit UnitedHealth Group to make HIPAA breach notifications on behalf of hospitals and health systems that were impacted by the Change Healthcare cyberattack on Feb. 22, 2024. If an affected covered entity wants Change Healthcare to provide breach notifications on their behalf, they will need to contact Change Healthcare, as they are authorized to perform HIPAA breach notifications on behalf of impacted covered entities. 

HHS Office for Civil Rights has stated that if Change Healthcare performs the breach notifications in compliance with the HIPAA Breach Notification Rules, then hospitals affected by the cyberattack would not be obligated to provide additional HIPAA breach notifications. (Maggie Martin)