HHS: ‘Who is responsible for ensuring that individuals affected by the Change Healthcare breach receive notification?’

Chad Van Alstin | June 03, 2024 | Health Exec | Policy & Regulations
computer_hacker.jpg
Photo by Max Duzij via Unsplash

The Department of Health and Human Services Office of Civil Rights (OCR) has updated a FAQ webpage it maintains on the Change Healthcare data breach. The FAQ serves as the OCR’s primary method of disseminating regulatory guidance on the breach and subsequent HIPAA reporting requirements. 

HIPAA-covered entities are required to notify patients and offer identity protection services when data has been stolen by hackers. Given the unique scope of the Change Healthcare breach—which impacted roughly a third of all Americans—more than 100 industry groups signed a letter asking OCR to confirm that sending out the notifications and meeting reporting requirements was ultimately the responsibility of UnitedHealth Group, the parent company of Change Healthcare. 

OCR stopped short of making the declaration but did clarify that the reporting requirement can legally be filed by UnitedHealth, which has previously said it will take on the responsibility. 

“Yes, a covered entity may delegate to its business associate the tasks of providing the required HITECH Act and HIPAA Breach Notification Rule breach notifications on the covered entity’s behalf,” the OCR said. 

However, the OCR added that, should UnitedHealth fail to send out notifications as required under the law, the burden would still fall on covered entities that were impacted—in this case, provider groups.

OCR said they have yet to receive a breach report from Change Healthcare or UnitedHealth, but, once they do, covered entities will have 60 days to send out notifications. UnitedHealth is still investigating the breach and is not sure what data was taken. 

“OCR will not consider the 60-calendar-day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UnitedHealth Group,” the OCR added. 

Whether or not this additional information will assuage the anxiety of provider groups is yet to be seen.

Related Articles:

100+ groups ask OCR for clarification on HIPAA requirements after Change Healthcare hack
Breached Change Healthcare server lacked multifactor authentication, UnitedHealth CEO admits
Hackers were inside Change Healthcare’s systems 9 days before attack
Massive data trove from Change Healthcare hack now for sale on dark web
Change Healthcare faces second ransom as cybercriminals leak stolen data
Chad Van Alstin Health Imaging Health Exec
Chad Van Alstin

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Related Content

Research shows hospital mergers contribute to overdoses, suicides
Medical staff must have a say in what AI is adopted for patient care, says AMA
Change Healthcare begins sending breach notifications
Adventist Health settles with DoJ over sharing patient data with police
Novant Health backs out of North Carolina hospital buyout after FTC pressure
Emergency reimbursement for Change Healthcare breach ends in July

Design by Adaptive Theme
Trimed Popup
Trimed Popup