HHS: ‘Who is responsible for ensuring that individuals affected by the Change Healthcare breach receive notification?’
The Department of Health and Human Services Office for Civil Rights (OCR) has updated a FAQ webpage it maintains on the Change Healthcare data breach. The FAQ serves as OCR’s primary method of disseminating regulatory guidance on the breach and the HIPAA reporting requirements that follow from it.
HIPAA-covered entities are required to notify patients and offer identity protection services when data has been stolen by hackers. Given the unique scope of the Change Healthcare breach—which impacted roughly a third of all Americans—more than 100 industry groups signed a letter asking OCR to confirm that sending out the notifications and meeting reporting requirements was ultimately the responsibility of UnitedHealth Group, the parent company of Change Healthcare.
OCR stopped short of making the declaration but did clarify that the reporting requirement can legally be filed by UnitedHealth, which has previously said it will take on the responsibility.
“Yes, a covered entity may delegate to its business associate the tasks of providing the required HITECH Act and HIPAA Breach Notification Rule breach notifications on the covered entity’s behalf,” the OCR said.
However, the OCR added that, should UnitedHealth fail to send out notifications as required under the law, the burden would still fall on covered entities that were impacted—in this case, provider groups.
OCR said it has yet to receive a breach report from Change Healthcare or UnitedHealth, but once it does, covered entities will have 60 days to send out notifications. UnitedHealth is still investigating the breach and does not yet know what data was taken.
“OCR will not consider the 60-calendar-day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UnitedHealth Group,” the OCR added.
Whether this additional guidance will ease the concerns of provider groups remains to be seen.