Hospitals and medical groups can require Change to notify patients of stolen information

0
Hospitals and medical groups can require Change to notify patients of stolen information

Photo: Erik Isakson/Getty Images

The Department of Health and Human Services Office of Civil Rights has determined that hospitals and other providers can require UnitedHealth Group to notify patients if their data was stolen during the Change Healthcare cyberattack.

“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” said HHS’ Office for Civil Rights Director Melanie Fontes Rainer. “All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”

WHY THIS MATTERS

Hospitals, physician groups and other healthcare organizations have been pushing for such clarification so as not to bear the cost and administrative burden of sending out HIPAA notifications for a cyberattack for which they were not responsible but which affected them. 

Earlier this month, in a letter to HHS, the American Medical Association and more than 100 other medical organizations also asked for official affirmation that providers are not responsible for HIPAA reporting requirements due to the Change Healthcare cyberattack.

The American Hospital Association responded to the HHS OCR clarification with a statement from Chad Golder, AHA general counsel and secretary: “The AHA is pleased by the Office for Civil Rights’ announcement that it will permit UnitedHealth Group to make breach notifications on behalf of hospitals and health systems affected by the cyberattack on Change Healthcare,” Golder said. “This is exactly what the AHA asked OCR to do in March. As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack. Today’s decision recognizes this and is a clear example of smart, practical government action.”  

The OCR posted on Friday, “Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf. Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media. If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.”

THE LARGER TREND

Along with the May 20 letter from medical organizations to HHS, on May 8, the AHA and other hospital groups had urged UnitedHealth Group to formally issue breach notifications on behalf of providers or customers following cyberattacks if protected health information or personally identifiable information is stolen. UHG CEO Andrew Witty agreed to do so May 1 during hearings with Senate and House committees, according to the AHA. 

UnitedHealth Group confirmed that the February 22 cyberattack was ransomware, and Witty told congressional leaders during those committee hearings that $22 million was paid by bitcoin.

The cyberattack affected the majority of health systems in the United States and potentially millions of Americans.

Not clear as yet is the extent of compromised patient information from the cyberattack. Witty has said he paid the ransomware to protect patient information.

OCR enforces the Health Insurance Portability and Accountability Act, or HIPAA, Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities such as health plans, healthcare clearinghouses and most providers and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.

Email the writer: [email protected]

link

Leave a Reply

Your email address will not be published. Required fields are marked *