
Breach Notification Clarified for Change Healthcare Incident

After enduring months of uncertainty, patients affected by the massive Change Healthcare ransomware incident in February may soon receive a breach notification explaining what happened. UnitedHealth Group, Change’s parent company, had not yet notified affected individuals, nor had the hospitals and health systems (UHG customers) that had provided those patients health care.

The Change Healthcare cyberattack is the largest known to date, affecting millions of individuals and thousands of providers. The Department of Health and Human Services (HHS) and Congress are investigating the incident because of its devastating impact on the healthcare sector. UnitedHealth Group CEO Andrew Witty testified before Congress in April, answering questions about what happened and the company’s plan to repair the damage.

Confusion About Breach Notification Responsibility

In April, Change said it would send breach notifications, but it had yet to begin. Unraveling the compromised data and the individuals linked to that data is complicated and time-consuming. On April 22, the company explained that its analysis would take several months before it had enough information to notify affected customers and individuals. HIPAA requires that notifications be sent within 60 days after discovering a breach.

Change set up a website and hotline to inform the public about the breach. It is offering two years of free credit monitoring and identity theft protection for anyone affected. The company also said the data stolen likely covers a “substantial proportion of people in America.”

The hospitals and health systems that used Change’s services are all covered entities responsible for patient breach notifications. However, Change is also a covered entity because it is a healthcare clearinghouse that provides health payment processing services to healthcare providers. For weeks, there was uncertainty about who should notify patients, HHS, and the media, per the Breach Notification Rule.

On May 8, the American Hospital Association (AHA) urged UHG to take responsibility for the breach notifications, arguing that requiring hospitals to do so would confuse patients and impose unnecessary costs on providers who have already suffered greatly from the cyberattack.

HHS Answers the Question

Finally, on May 31, HHS announced that hospitals and health systems could require UnitedHealth Group to notify patients if their data was stolen during the Change Healthcare cyberattack on February 22. This announcement clears up uncertainty about who is responsible for complying with the Breach Notification Rule.

From the HHS announcement:

  • Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
  • Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and, where applicable, the media.
  • If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.

HHS Office for Civil Rights Director Melanie Fontes Rainer said:

“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”

Cybersecurity Needs to be Prioritized

The massive repercussions of the Change Healthcare cyber incident underscore the need for the healthcare sector to improve its cybersecurity.

HHS began calling for improvements last year due to the rise in ransomware attacks and other cyber intrusions in healthcare. In December 2023, it issued a concept paper about improving cyber resiliency and protecting patient safety. The concept paper includes cybersecurity performance goals (CPGs), voluntary cybersecurity practices that healthcare organizations can prioritize to strengthen cyber preparedness.

The Change Healthcare incident may spur even more action to enforce existing laws to protect patient privacy and strengthen the healthcare sector’s resiliency. HHS and Congress are still investigating.

The HIPAA Security Rule is a Blueprint

The easiest way to get ahead of cyber attacks is to review the HIPAA Security Rule and be sure your organization follows its guidelines.

You can use the Security Rule Checklist to validate your current policies and procedures and identify areas for improvement. If Change Healthcare had been more careful, it might not have suffered this ransomware attack. The company admitted, for example, that it wasn’t using multi-factor authentication on the compromised server.

Prevent cyber attacks with strong HIPAA compliance to maintain operations and protect patient data.


Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC, she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up-to-date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.
