Change Healthcare has responsibility to notify patients data breach, says OCR

The US Department of Health and Human Services’ Office for Civil Rights (OCR) has updated its FAQs in response to the Change Healthcare cybersecurity incident from February. The update clarifies that covered entities can delegate the tasks of providing required HIPAA breach notifications to Change Healthcare, limiting duplicative notices. The agency also stated that covered entities adhering to this approach would not be subject to further notification requirements.