Hospital Groups Question HHS About Data Breach Reporting After Change Attack

Dive Brief:

• In a Thursday letter to the HHS’ Office for Civil Rights, hospital lobbying organizations sought to clarify who may need to provide data breach notifications to patients following the cyberattack on UnitedHealth’s Change Healthcare: the hospitals that contracted with Change, or the organization directly attacked. 
• The letter, penned by counsels for the American Hospital Association and the Federation of American Hospitals, said the onus should be on UnitedHealth and Change alone to report a breach, should one be found. 
• Requiring hospitals to also issue breach notifications could result in patients receiving duplicate notifications, leading to unnecessary “public confusion, misunderstandings and added stress,” the letter warned.

Dive Insight:

Change has yet to say whether protected health information was compromised during the Feb. 21 cyberattack, which the AHA has called “the most significant and consequential” of its kind against the industry in its history. 

The OCR opened an investigation into the attack on March 13 to determine whether protected health information may have been compromised and if UnitedHealth complied with its legal requirements to safeguard health data. 

Although the OCR said its primary investigative focus was not on health care providers, health plans and business associates, it reminded those parties of their legal obligations to report data breaches — should they be found — to the HHS and affected individuals. 

In the letter, the AHA asked the OCR to clarify that Change and UnitedHealth would be required to send breach notifications, not hospitals or health systems.

The AHA said that Change serves as a clearinghouse for hospitals or as a business associate, and in both capacities is a covered entity under HIPAA’s privacy and security rules with an obligation to report violations of privacy. 

The letter said that while hospitals have “long honored” HIPAA’s privacy objectives, in this instance, health systems are “downstream victims” that have suffered in the wake of the outage. 

Providers have reported a slew of operational problems resulting from the cyberattack, including difficulty receiving payment from patients and insurers, verifying coverage, submitting prior authorization requests and exchanging clinical records. 

Ninety-four percent of 1,000 hospitals recently surveyed by the AHA reported that the cyberattack was impacting them financially. 

“Now is not the time to impose additional costs on America’s health care providers and the patients they serve,” the letter said.

Concern over reporting requirements comes as the HHS considers revamping its cybersecurity reporting requirements to potentially include higher penalties for HIPAA violations. In a December working paper, the HHS cited a need for “greater enforcement and accountability” around cybersecurity as attacks continue to vex the industry.

This month, the Biden administration released its proposed budget for the HHS for fiscal year 2025, which laid out a plan to tie Medicare incentives to hospitals’ adoption of cybersecurity protections. In the future, the HHS could levy fines onto hospitals that fail to comply with cybersecurity standards, according to the proposed budget.

The HHS also released voluntary cybersecurity standards for the healthcare industry in January, which include using multifactor authentication and offering basic cybersecurity training for employees.

The AHA has been outspoken about mandatory cybersecurity requirements for hospitals, particularly if fines are involved. In a December statement the group called possible fines counterproductive, noting that hospitals spend “billions of dollars” and work closely with government agencies to prevent cyberattacks.

“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime,” said Rick Pollack, president of the AHA, in a statement. “Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.