Providers Urge HHS To Clarify Change Data Breach Reporting Requirements

An article from

Dive Brief:

• Providers are still looking for clarification on whether they’ll have to report or notify patients about data breaches stemming from the cyberattack against Change Healthcare earlier this year.
• In a letter sent to HHS Secretary Xavier Becerra Monday, more than 50 organizations — including the American Medical Association, the College of Healthcare Information Management Executives and the American Health Information Management Association— urged the federal government to publicly confirm that Change could manage data breach reporting and notification requirements, since the technology firm and major claims processor experienced the breach. 
• UnitedHealth Group, Change’s parent company, has previously said it would handle reporting for customers whose data may have been exposed — which could be a huge swath of Americans.

Dive Insight:

Under the HIPAA privacy law, covered entities and their business associates are required to notify affected individuals, the HHS and sometimes the media when unsecured protected health information is breached. 

The attack against Change represents a potentially huge data breach. The company, which was acquired by healthcare conglomerate UnitedHealth two years ago, processes billions of claims each year and touches one in three medical records.

Last month, UnitedHealth said it found files involved in the February ransomware attack containing protected health information or personally identifiable information that “could cover a substantial proportion of people in America.” 

In testimony to Congress earlier this month, UnitedHealth CEO Andrew Witty said the company was still working to determine the extent of the exposure, but the attack may have compromised the data of one-third of individuals in the U.S.

Some hospital groups have already urged the HHS’ Office for Civil Rights to clarify who would need to provide breach notifications after the Change attack. In March, the American Hospital Association and the Federation of American Hospitals argued requiring providers to send the letters could result in duplicate notifications, potentially confusing patients. 

In their latest letter, provider groups said the number of providers who have been affected by the breach are “so numerous that a specific number is not readily available.” 

“Given the well documented state of chaos in the provider community in the wake of this breach, OCR’s silence on this point is disappointing,” the groups wrote.

In a frequently asked questions page, the OCR wrote that covered entities are ultimately responsible for ensuring affected individuals are notified after a breach at a business associate, but they can delegate the process to the business associate.

The OCR added that HIPAA entities should contact Change and UnitedHealth with any questions on how breach notifications will be handled. 

However, provider groups said they needed more clarity from regulators beyond the FAQs and requested confirmation that UnitedHealth would ultimately handle breach reporting.