Breach Notification
,
Healthcare
,
HIPAA/HITECH
HHS OCR Advises HIPAA-Covered Entities to Coordinate Notification Duties With UHG
Tens of thousands of hospitals and medical practices can breathe a little easier now. Federal regulators have given the green light for Change Healthcare to handle the breach notification to tens of millions of individuals potentially affected by the company’s February cyberattack. But these entities are still ultimately on the hook to ensure the notification happens.
See Also: Double-Click on Risk-Based Cybersecurity
HIPAA-regulated organizations affected by the hack will not need to notify their patients and regulators about the breach – as long as they’ve properly delegated those duties to Change Healthcare, said the U.S. Department of Health and Human Services’ Office for Civil Rights on Friday in guidance that was updated for at least the third time since it was first issued in April (see: Feds Issue Guide for Change Health Breach Reporting Duties).
But HHS OCR reiterated that under the HITECH Act, covered entities are still ultimately responsible for ensuring that such notifications occur.
So, covered entities affected by the Change Healthcare incident “should coordinate with Change Healthcare and UnitedHealth Group on who will be providing breach notifications” to ensure that all affected individuals are indeed notified,” HHS OCR said.
“All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized,” said Melanie Fontes Rainer, director of HHS OCR, in a statement. “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare.”
HHS OCR said on Friday that so far, neither Change Healthcare nor its parent company, UnitedHealth Group, has reported a breach to the agency.
Until Friday’s latest update, HHS OCR’s guidance about breach notification involving the Change Healthcare attack maintained that despite the company’s offer to handle breach notification for affected customers, covered entities affected by the attack were still required to file breach reports to HHS and to provide individual notifications to their affected patients “without unreasonable delay” upon discovery of a breach.
But in recent weeks, more than 100 healthcare industry groups, medical societies and professional associations have lobbied HHS OCR with letters and public statements calling for the agency to hold Change Healthcare and parent company UHG accountable for breach notification in the aftermath of the massive cyberattack in February (see: 100 Groups Urge Feds to Put UHG on Hook for Breach Notices).
The American Medical Association, which represents thousands of doctors; the American Hospital Association, which represents thousands of hospitals; and the College of Healthcare Information and Management Executive, or CHIME, which represents thousands of healthcare CIOs and CISOs; were among the groups pressuring HHS OCR on clarifying the breach notification and related HIPAA compliance concerns involving the Change Healthcare incident.
But while HHS OCR’s latest update guidance appears to be loosening the noose around covered entities in terms of their duties to notify their patients, the devil is in the details, some experts warn.
“We are pleased that OCR has acknowledged the impact the Change Healthcare cyberattack has had on providers and patients and that they are attempting to ease the impact of the cyberattack on our community,” said Mari Savickis, head of government relations at CHIME. “We do, however, have several questions regarding how this process will work,” she told Information Security Media Group.
For instance, “OCR has said at the end of the day the responsibility lies with the covered entity to make sure the breach can be reported,” she said. So, she asked, will Change Healthcare or UHG require a contract to be “reopened” if a provider – acting as the covered entity – has not already delegated these duties to Change?
Also, Savickis wondered how Change Healthcare will handle the process. “Will the company provide an online request form that providers can complete to make the process seamless? How will Change track all of these requests? Because many healthcare entities will undoubtedly have thousands of patients affected by the breach, she also wondered how Change would provide that information to the affected organizations.
Change Healthcare and UnitedHealth Group did not immediately respond to Information Security Media Group’s request for details on how the company will handle those and other breach notification details.
“We appreciate OCR clarifying that providers and other HIPAA-covered entities can delegate their notice obligations to Change, which reiterates our previously stated preference to ease the reporting obligations of our customers,” UHG said in a statement provided to ISMG.
Read the Fine Print
Regulatory attorney Sara Goldstein of law firm BakerHostetler said covered entities must pay close attention to breach notification in the Change Healthcare situation, even if they delegate those duties to Change Healthcare and UHG.
“If covered entities opt to delegate notifications to Change Healthcare/UHG, they need to make sure the notices comply with HIPAA,” she said.
“For example, HIPAA only permits electronic notification to patients if the covered entity has consent from patients for electronic notice and such consent has not been withdrawn,” she said.
“Most healthcare providers either do not have such consents or do not have a means of tracking if such consent have been withdrawn. Therefore, if Change Healthcare/UHG is only offering to provide electronic notice to patients on behalf of covered entities and the covered entities do not have such consents, then the covered entities may need to mail notices to individuals – as opposed to electronic notice,” she said.
“If the incident involved a Change Healthcare/ UHG customer’s PHI, the customer is ultimately responsible for the notifications – not Change Healthcare/UHG, even if the notifications are handled by the company.”
Regardless of whether Change Healthcare handles the bulk of notification duties on behalf of most affected covered entities, the incident is expected to result in a massive, record-breaking HIPAA breach notification event for the healthcare sector.
UnitedHealth Group CEO Andrew Witty told Congress last month that the breach potentially affects one-third of Americans. The U.S. Census bureau counts the U.S. population at more than 336 million (see: Lawmakers Grill UnitedHealth CEO on Change Healthcare Attack).
UnitedHealth Group has admitted paying a $22 million ransom to BlackCat, also known as Alphv, for a decryptor key and to prevent a data leak. But within a month of the attack and ransom demand, a BlackCat affiliate who took credit for the Change Healthcare attack subsequently claimed BlackCat kept all of the ransom payment, rather than sharing the affiliate’s cut. The cybercrime group RansomHub then tried to extort UHG again, claiming to have possession of 4 terabytes of data stolen by the BlackCat affiliate in the attack (see: A Second Gang Shakes Down UnitedHealth Group for Ransom).