Until now, Part 2 programs had no duty to report breaches under Part 2—even if disclosures clearly violated the rule. That “free pass” ends in February 2026, when HIPAA’s breach reporting framework will officially be grafted onto Part 2. What does this mean for programs? A new world of reporting obligations, OCR enforcement, and tougher compliance decisions.
What should covered entity healthcare providers be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take in order to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.
The American Hospital Association, joined by a few others, has sued the federal government to enjoin them from enforcing their published Guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.”