Guidance Sought on Notification Requirements Related to the Change Healthcare Data Breach

By Daniel Lopez

CHIME and several healthcare provider organizations wrote to Melanie Fontes Rainer, Director of the Office for Civil Rights (OCR), seeking clarity and information for physicians and healthcare providers about the reporting requirements arising from the Change Healthcare data breach.

HHS replied promptly to CHIME’s letter, stating that, for the breach response, affected HIPAA-covered entities may delegate the task of issuing breach notifications to Change Healthcare. According to OCR, impacted covered entities that coordinate with Change Healthcare do not have to fulfill the HIPAA breach notification obligations themselves; they do, however, need to make sure that Change Healthcare delivers on its commitments.

CHIME is seeking clarification of the responsibilities of the impacted covered entities when they outsource notifications, and of what ensuring that Change Healthcare meets its responsibilities actually entails. Once the task is delegated, the notification responsibilities become Change Healthcare/UHG’s, and covered entities need to provide Change Healthcare/UHG with the data necessary to complete the task.

CHIME additionally asked whether a formal process for assigning the responsibility to Change Healthcare is necessary. If no form needs to be filled out, what actions are required of covered entities to delegate the task to Change Healthcare/UHG as a business associate? Guidance is also needed for the case where a covered entity delegates the notification requirements to a business associate, which in turn delegates the task to Change Healthcare/UHG.

CHIME also wants to know the process for providing the names of the impacted individuals to Change Healthcare/UHG, and what guarantee there is that Change Healthcare/UHG will issue the breach notifications on behalf of clinicians and providers and report them to OCR.

OCR has answered some questions on its FAQ page; however, those answers pertain only to the notification requirements of the federal HIPAA Breach Notification Rule. State laws also impose breach reporting requirements, and CHIME wants to know how those apply. Additionally, CHIME would like to know whether OCR and Change Healthcare/UHG are working with state regulators, and whether both will make sure that Change Healthcare/UHG complies with state legislation.

Some doctors and healthcare providers have expressed concern that their patients’ PHI was uploaded to the dark web. They are asking CHIME what OCR will do in their situation, since they currently have no contractual relationship with Change Healthcare/UHG, and some have not had one for years.

One problem that needs to be addressed in a data breach of this size (possibly affecting 1 in 3 Americans) is that many impacted patients may have more than one payer. Therefore, some affected individuals may receive several breach notification letters, one from each impacted payer, causing undue stress and anxiety. CHIME has already asked OCR about the process for notifying such individuals so that they receive only one notification.

CHIME expects to receive responses from OCR regarding all these concerns without delay.

Photo credits: JHVEPhoto, AdobeStock

Posted by

Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA