As the healthcare industry deals with the fallout of the Change Healthcare data breach, providers are urgently seeking clarity from the U.S. Department of Health and Human Services (HHS) on their obligations regarding breach reporting and patient notification. 

What happened 

In the wake of the Change Healthcare breach, more than 50 healthcare organizations, including the American Medical Association, the College of Healthcare Information Management Executives, and the American Health Information Management Association, have collectively urged the HHS to provide clear guidance on breach reporting and notification requirements.

One of the primary concerns raised by provider groups is the potential for duplicate notifications, which could confuse and overwhelm patients. They argue that requiring individual healthcare providers to send breach notifications, in addition to any notifications from Change Healthcare or UnitedHealth, could result in a deluge of communications that may ultimately prove more detrimental than beneficial to patients.

The provider organizations have expressed disappointment in the HHS's silence on this issue, stating that the lack of clear guidance has left the healthcare community in a state of chaos. They have requested that the HHS's Office for Civil Rights (OCR) provide definitive confirmation that Change Healthcare and UnitedHealth will handle the breach reporting and notification process, relieving individual providers of this responsibility.

The backstory 

Change Healthcare, a prominent healthcare technology firm, fell victim to a massive ransomware attack in February 2024. This cyberattack had far-reaching implications, as Change Healthcare processes billions of medical claims annually and maintains records for one in three individuals in the United States. The breach potentially exposed a vast trove of protected health information (PHI) and personally identifiable information (PII) belonging to a substantial proportion of the US population.

Going deeper 

The full extent of the data exposure remains uncertain, as UnitedHealth Group, Change Healthcare's parent company, continues to investigate the incident. However, in testimony before Congress, UnitedHealth CEO Andrew Witty acknowledged that the attack may have compromised the data of up to one-third of individuals in the U.S. This statistic proves the magnitude of the breach and the potential far-reaching consequences for patients and healthcare providers alike.

In the know 

The OCR has previously addressed breach reporting requirements in its HIPAA FAQs, stating that covered entities are responsible for ensuring affected individuals are notified after a breach at a business associate. However, the FAQs also indicate that the covered entity can delegate the breach notification process to the business associate.

While the existing HIPAA guidance provides a framework for breach reporting, the sheer scale of the Change Healthcare incident presents unique challenges. The provider groups have noted that the number of affected providers is so numerous that a specific count is not readily available, further complicating the implementation of the HIPAA requirements.

The bottom line

The Change Healthcare data breach has proven the need for clear and decisive guidance from the HHS regarding breach reporting and patient notification requirements. As providers find their way in the aftermath of this major cybersecurity incident, they require unambiguous directives to fulfill their HIPAA obligations while minimizing patient distress and protecting sensitive information. The HHS's response to this call for guidance will have far-reaching implications for the healthcare industry, shaping the way organizations approach cybersecurity preparedness and incident response.