HHS: ‘Who is responsible for ensuring that individuals affected by the Change Healthcare breach receive notification?’

The Department of Health and Human Services Office of Civil Rights (OCR) has updated a FAQ webpage it maintains on the Change Healthcare data breach. The FAQ serves as the OCR’s primary method of disseminating regulatory guidance on the breach and subsequent HIPAA reporting requirements. 

HIPAA-covered entities are required to notify patients and offer identity protection services when data has been stolen by hackers. Given the unique scope of the Change Healthcare breach—which impacted roughly a third of all Americans—more than 100 industry groups signed a letter asking OCR to confirm that sending out the notifications and meeting reporting requirements was ultimately the responsibility of UnitedHealth Group, the parent company of Change Healthcare. 

OCR stopped short of making the declaration but did clarify that the reporting requirement can legally be filed by UnitedHealth, which has previously said it will take on the responsibility. 

“Yes, a covered entity may delegate to its business associate the tasks of providing the required HITECH Act and HIPAA Breach Notification Rule breach notifications on the covered entity’s behalf,” the OCR said. 

However, the OCR added that, should UnitedHealth fail to send out notifications as required under the law, the burden would still fall on covered entities that were impacted—in this case, provider groups.

OCR said they have yet to receive a breach report from Change Healthcare or UnitedHealth, but, once they do, covered entities will have 60 days to send out notifications. UnitedHealth is still investigating the breach and is not sure what data was taken. 

“OCR will not consider the 60-calendar-day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UnitedHealth Group,” the OCR added. 

Whether or not this additional information will assuage the anxiety of provider groups is yet to be seen.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Around the web

The scheme took place over a period of at least seven years, resulting in Medicare being billed for more than $70 million in fraudulent claims for unnecessary scans. 

Compensation for heart specialists continues to climb. What does this say about cardiology as a whole? Could private equity's rising influence bring about change? We spoke to MedAxiom CEO Jerry Blackwell, MD, MBA, a veteran cardiologist himself, to learn more.

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals.