Providers Can Delegate Cyberattack Breach Notification Requirements to Change Healthcare
Last Friday evening, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) clarified that covered entities can delegate to Change Healthcare the patient notification obligations arising from the Change Healthcare breach.
OCR Director Melanie Fontes Rainer says in the announcement, “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”
A strict interpretation of the HIPAA breach patient notification regulations would have required both Change Healthcare and medical practices to notify patients. This interpretation was reaffirmed in an OCR FAQ document earlier this month, prompting physician organizations nationwide to ask CMS to limit the notification burden to Change Healthcare. CMS ultimately updated its guidance accordingly.
During a recent Congressional hearing on the cyberattack, UnitedHealth Group (UHG) CEO Andrew Witty testified that UHG (which owns Change Healthcare) would be willing to facilitate patient notifications related to the breach but needed clarification from regulators to allow it to take that burden away from providers. Last Friday’s announcement provided this clarification.
However, each practice's or business's contract with Change Healthcare is different. Contracts may include terms that allocate responsibility for patient privacy breach notifications between the parties, so each practice should check its own agreement.
The new and updated FAQs on the Change Healthcare Cybersecurity Incident may be viewed at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.