OCR Clarifies Who is Responsible for Issuing Notifications About the Change Healthcare Cyberattack
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has updated its Change Healthcare Cyberattack Frequently Asked Questions page to clarify the breach reporting requirements for the Change Healthcare cyberattack.
More than 100 industry groups wrote to OCR requesting greater clarity about who will be responsible for issuing individual notifications about the data breach. OCR had previously stated in the FAQs that under the HITECH Act and the HIPAA Breach Notification Rule, the covered entity is ultimately responsible for ensuring that notifications about a data breach are issued, including when the data breach occurs at a business associate. When a business associate suffers a data breach, the covered entity may delegate the responsibility for issuing notifications to the business associate.
UnitedHealth Group (UHG), the parent company of Change Healthcare, said, “To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.” The industry groups wanted OCR to publicly confirm that UHG will be issuing notifications on behalf of all affected covered entities.
OCR’s updated FAQs do not include a declaration that UHG will be issuing notifications; however, they do now confirm that notifications can legally be issued by either UHG or the affected covered entities. OCR also said that the affected covered entities should coordinate with Change Healthcare and UHG on who will be providing breach notifications. Should UHG fail to issue notifications, the burden for issuing notifications would fall on the affected covered entities.
At this time, neither Change Healthcare nor UHG has confirmed which individuals need to be notified. UHG issued a press release confirming the breach and stating that “Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.” UHG CEO Andrew Witty also said that the breach could potentially affect 1 in 3 Americans.
Until the investigation has been completed and the affected individuals have been confirmed, notifications cannot be issued, and the countdown for issuing notifications has not yet started for the affected covered entities. “OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG,” explained OCR.