Cyberattack on Change Healthcare: HIPAA Breach Notification

Following a major cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG), confusion arose regarding who would handle the Change Healthcare cyberattack HIPAA breach notification for potentially millions of affected individuals. HIPAA regulations govern such notifications, but the situation presented unique challenges.

In May 2024, the Department of Health and Human Services (HHS) issued guidance clarifying that Change Healthcare was the covered entity responsible for the HIPAA breach notification. HHS further clarified that affected covered entities could delegate the notification tasks to Change Healthcare.

HIPAA Guidance Issued by HHS:

To clarify healthcare providers’ obligations under HIPAA, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance on May 31st. This guidance confirmed that Change Healthcare could send breach notifications to affected individuals on behalf of healthcare providers (covered entities) whose patients’ data may have been compromised.

Uncertainties Remain About the Breach Scope:

While the guidance offered some relief, the extent of the data breach remained unclear. The unprecedented nature of the attack prompted OCR to announce an investigation in March, even though Change hadn’t confirmed a HIPAA violation at that point.

Focus on Change and UHG Compliance:

OCR’s investigation focused on Change and UHG’s adherence to HIPAA rules. “Partner entities” such as business associates were considered secondary concerns. However, OCR emphasized the importance of business associate agreements and timely breach notifications for these entities.

Responsibility for Notifications:

While Change could handle notifications for some, covered entities remain ultimately responsible for ensuring timely notification to affected individuals, OCR, and potentially the media, as mandated by HIPAA regulations.

Healthcare Providers Seek Clarity on Breach Notification Duties After Change Incident:

Following the cyberattack on Change Healthcare, confusion persists among some healthcare providers regarding breach notification responsibilities. Despite guidance from the Office for Civil Rights (OCR), uncertainty remains about whether Change handles all notifications.

This ambiguity stems from Change’s dual status under HIPAA. It functions both as a covered entity (a healthcare clearinghouse facilitating information exchange) and as a business associate to other covered entities. Some providers argue that Change’s status as a covered entity makes Change solely responsible for all notifications because of its “ultimate responsibility” for PHI security.

Over 100 provider groups, including the College of Healthcare Information Management Executives and the American Medical Association, echoed this sentiment in a May 22nd letter to HHS Secretary Becerra and OCR Director Rainer. They urged HHS and OCR to confirm that UHG/Change Healthcare, as the covered entity experiencing the unsecured PHI breach, shoulders “the responsibility of all reporting and notification requirements.”

While Change hasn’t officially declared a breach, the provider organizations’ letter anticipates a breach determination. They reference a UHG press release from April 22nd acknowledging initial data sampling revealed files containing PHI for “a substantial proportion of people in America.” While UHG reported no evidence of “exfiltration of materials such as doctors’ charts or full medical histories,” the providers believe “certain data may indeed have been compromised.”

New OCR Guidance Clarifies Breach Notification Responsibilities:

Following concerns from healthcare providers, the Office for Civil Rights (OCR) updated its FAQ on the Change cyberattack.

The update clarifies that only one entity, either Change or the healthcare provider (covered entity) using Change’s services, needs to handle HIPAA breach notifications. The decision depends on factors such as the type of services Change provided and the relationship with the affected patients.

Uncertainties Remain:

The timeframe for notification is still unclear. In April, UnitedHealth Group (UHG), Change’s parent company, estimated it could take several months to determine if a reportable breach occurred.

What’s Next?

If Change and UHG determine that a breach happened, they must notify affected healthcare providers within 60 days after the review. The providers then have 60 days to notify impacted patients. Providers can also delegate HIPAA breach notification to Change or UHG.

The specific notification timelines for OCR and the media depend on the number of patients affected at each healthcare provider.

Change Healthcare Cyberattack: Key Points for Healthcare Providers

The Impact of the Change Cyberattack:

The recent cyberattack on Change Healthcare highlights the confusion surrounding HIPAA breach notification responsibilities when a business associate of a covered entity experiences a potential data breach.

Notification Options for Providers:

As healthcare providers recover from this attack, many may choose to delegate HIPAA breach notification tasks to Change Healthcare and UnitedHealth Group (UHG). If you choose this option, clearly communicate your decision to delegate notification duties to Change and UHG.

Action Steps for Providers:

While Change and UHG continue their investigation, all potentially impacted providers should take the following steps:

  • Review Business Associate Agreements: Carefully examine your agreements with Change, UHG, or any subcontractors associated with them. This will help you understand your rights and potential remedies.
  • Evaluate HIPAA Security Rule Compliance: Assess your adherence to HIPAA Security Rule standards, particularly those related to:
    • Risk analysis and management
    • Information system activity review
    • Audit controls
    • Incident response and reporting
    • User authentication
    A recent report by the Office for Civil Rights (OCR) indicates that many covered entities and business associates fall short in these areas.
  • Stay Informed: Closely monitor updates from Change and UHG regarding their breach assessment. Additionally, keep an eye out for further compliance guidance from OCR.

Reduce Denials, Boost Revenue: How RCM Benefits Physicians

Physicians can benefit greatly from implementing an RCM (Revenue Cycle Management) solution for several reasons:

  • Reduced claim denials: RCM solutions ensure accurate coding and billing, minimizing errors that lead to claim rejections and delays in reimbursement.
  • Improved collections: RCM streamlines the billing and collections process, helping capture missed charges and following up on outstanding payments efficiently.
  • Lower administrative costs: Outsourcing RCM tasks frees up staff time for patient care, reducing the need for additional in-house billing personnel.
  • Streamlined workflows: RCM automates many manual tasks, such as coding, claims submission, and denial management, freeing up staff for higher-value activities.
  • Faster turnaround times: Claims are submitted and processed more quickly, leading to faster reimbursements.
  • Improved data management: RCM systems provide centralized data storage and reporting, allowing for better tracking of key metrics and identification of areas for improvement.
  • Reduced billing errors: Accurate billing leads to fewer patient disputes and improves overall patient satisfaction.
  • Faster patient billing: Patients can receive and understand their bills more quickly, simplifying the payment process.
  • More time for patient care: By reducing administrative burden, physicians can spend more time focusing on patients.

Overall, RCM solutions offer a comprehensive approach to managing the revenue cycle for physicians, resulting in increased revenue, improved efficiency, and a better patient experience.