Change Healthcare has responsibility to notify patients of data breach, says OCR

While UnitedHealth has yet to file a data breach report with HHS, covered entities can delegate the job of notifying patients that their healthcare data was exposed in the crippling ransomware attack to the UHG subsidiary.
By Andrea Fox
03:26 PM


The U.S. Department of Health and Human Services’ Office for Civil Rights updated its Change Healthcare cybersecurity incident frequently asked questions page on Friday to address questions the agency has received about which entities are responsible for performing breach notification to HHS, affected individuals and, where applicable, the media.

WHY IT MATTERS

Published on April 19, the FAQ addresses HIPAA rules as they relate to the February 9 cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group, which had a widespread impact on healthcare organizations across the United States.

"Our updated FAQs webpage on the Change Healthcare breach reiterates that importance by making clear that individuals affected by this breach must be notified that their protected health information was breached," said OCR Director Melanie Fontes Rainer in a statement.

OCR said that to avoid duplicative letters to patients:

  • Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
  • Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS and, where applicable, the media.

HIPAA-covered entities working with Change Healthcare "to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule" would not be subject to further notification obligations, the agency noted.

THE LARGER TREND

In April, the Medical Group Management Association asked HHS by letter to ensure providers would avoid regulatory actions related to the Change Healthcare attack and require UHG to take on the required HIPAA breach notifications.

UHG pledged to "help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack," and offered to "make notifications and undertake related administrative requirements on behalf of any provider or customer."

In the future, chain-reaction breaches like the Change Healthcare attack and the subsequent outage affecting a broad swath of the healthcare ecosystem could get a lot more confusing in terms of breach notifications. The Federal Trade Commission seeks to amend and expand its Health Breach Notification Rule to cover entities, such as third-party prescription apps, not previously covered by HIPAA.

ON THE RECORD

"Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare," Fontes Rainer said in a statement. "All of the required HIPAA breach notifications may be performed by Change Healthcare."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
