The HHS’ Office for Civil Rights (OCR) has refreshed its Change Healthcare Cyberattack Frequently Asked Questions (FAQs) to give more information regarding the requirements of breach reporting related to the Change Healthcare ransomware attack. OCR has stated that Change Healthcare is authorized to send breach notifications for all impacted HIPAA-covered entities.
At first, OCR stated that each covered entity is responsible for issuing breach notification letters should there be a breach of unsecured protected health information (PHI) at a business associate. A covered entity could assign the business associate to send the breach notifications on its behalf. Change Healthcare is classified as a healthcare clearinghouse, but it is also a business associate providing services to some HIPAA-covered entities. Although UnitedHealth Group (UHG), Change Healthcare’s parent firm, confirmed to the public that it was ready to help its clients handle the breach reporting requirements, numerous Change Healthcare clients were confused about whether UHG would manage the breach notifications. Some company groups wrote to OCR asking if UHG/Change Healthcare could manage all breach notifications.
On May 31, 2024, OCR repeated that the Change Healthcare ransomware attack led to the compromise of electronic protected health information (ePHI), consequently under HIPAA, individual notices should be sent to the impacted people. OCR mentioned in the current FAQs that in case a covered entity impacted by the breach would like UHG/Change Healthcare to send notifications, then they need to speak to Change Healthcare to look at the situation. So far, OCR has confirmed that Change Healthcare can release the notifications for all impacted clients.
OCR Director Melanie Fontes Rainer said that impacted covered entities can contact Change Healthcare to produce breach notifications on their behalf if they want to. All necessary HIPAA breach notifications can be done by Change Healthcare. All parties should take action to prioritize the HIPAA breach notifications. Several industry groups have lauded OCR for giving clear information and confirming the permission for Change Healthcare/UHG to issue breach notifications. The FAQs likewise say that when the impacted covered entities outsource the need to send breach notifications to Change Healthcare or UHG and it fails to issue the notifications, the responsibility of sending notifications will be on the impacted covered entities.
Concerning the time frame for sending notifications, the HIPAA Breach Notification Rule dictates that notifications must be sent within 60 days of discovering a breach. Since the ransomware attack on Change Healthcare was identified on February 21, 2024, breach notifications are already due. Although numerous covered entities and business associates have released notifications within 60 days of discovering a cyberattack, more breached entities equate the date of discovery to the date when the PHI breach was confirmed, or the date when the document review was completed, when the precise types of data affected and the total number of impacted people are confirmed. In these instances, notifications are released months after the cyberattack was first discovered.
UHG stated that around 1 in 3 Americans might have been impacted by the ransomware attack yet UHG has not verified the exact number of people impacted nor the kinds of data affected. No schedule is given for the completion of those processes. Based on the OCR FAQ, OCR won’t accept the 60-calendar day period from the day a covered entity discovered a breach to start until impacted covered entities have gotten the details required from UHG or Change Healthcare.
