
Industry groups seek clarity from HHS on Change Healthcare breach reporting

More than 100 industry groups asked OCR to clarify breach reporting obligations and publicly state that its investigation will focus on Change Healthcare, not the affected providers.

The providers affected by the Change Healthcare cyberattack and its aftermath sought answers from the HHS Office for Civil Rights (OCR) in a letter undersigned by more than 100 industry groups, including the American Medical Association, the College of Healthcare Information Management Executives, and state medical associations. Specifically, the groups requested more clarity about data breach reporting responsibilities.

In an April 22 press release, UnitedHealth Group (UHG) offered to “make notifications and undertake related administrative requirements on behalf of any provider or customer” in order to “help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack.”

However, OCR’s frequently asked questions webpage stressed that it is ultimately the responsibility of each affected covered entity to ensure that individuals are notified, even though they may delegate this responsibility to the business associate.

“While we appreciate these statements, we are concerned that without further guidance from OCR, clinicians and providers have not received sufficient confirmation from OCR that HIPAA breach reporting and notification requirements related to this incident are the responsibility of UHG/Change Healthcare as the HIPAA covered entity which experienced the breach of unsecured PHI,” the letter stated.

The authoring groups expressed frustration about the lack of clarity from OCR about breach notification obligations, as it “appears that it would be a quick and straightforward matter for OCR to confirm publicly that the HIPAA breach notification and reporting requirements are applicable to UHG and not to the affected providers.”

“Given the well documented state of chaos in the provider community in the wake of this breach, OCR’s silence on this point is disappointing,” the groups continued.

OCR opened an investigation into the Change Healthcare attack in mid-March, following weeks of disruptions across the healthcare sector. The letter to OCR also sought clarity on the focus of this investigation, asking OCR to affirm that it will focus its investigation efforts on Change Healthcare, rather than the providers affected by the incident.

“For medical providers affected by the UHG ransomware attack, their chief responsibility is patient care. These providers may lack clarity regarding what is required of them under HIPAA in this instance, and so we call upon HHS-OCR to take the simple step of confirming the above publicly, to ease concerns in the provider community,” the letter concluded.

“We appreciate the opportunity to bring this matter to your attention as we navigate the fallout from this assault on patient care and the privacy of their medical information.”
