HIPAA Breach Notice Can Be Delegated to Change Healthcare

Jul 18, 2024 at 11:49 am by kbarrettalley


By Beth Neal Pitman, Eddie Williams III and Shannon Britton Hartsfield

Holland & Knight


After months of uncertainty and multiple letters from industry associations advocating on behalf of the healthcare industry with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), covered entities with protected health information affected by the February 2024 cyberattack on Change Healthcare now have some clarity regarding Health Insurance Portability and Accountability Act (HIPAA) breach notice obligations.

OCR announced on May 31, 2024, that its Change Healthcare FAQs have been updated to indicate that all affected covered entities may delegate HIPAA notice obligations to Change Healthcare. Despite OCR’s updated FAQs establishing UnitedHealth Group’s (UHG) notice obligations and a renewed push by Congress on June 7, 2024, for UHG to acknowledge and assume notification responsibility, as of the third week in June, UHG continued to maintain on its website that it would not announce “an official breach notification at this time” but offered “to make notifications and undertake related administrative requirements on behalf of any provider or customer.” (UHG acquired Change Healthcare in 2022.)

FAQ Highlights

OCR provided a summary of key FAQ updates:

Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.

Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS and, where applicable, the media.

If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the Health Information Technology for Economic and Clinical Health Act (HITECH) and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.

Although the OCR’s position alleviates covered entities’ obligations and costs associated with providing HIPAA breach notice, including notice to OCR, it does not remove all obligations. As noted in the FAQs, covered entities remain obligated to assure that notices issued by Change Healthcare comply with the Breach Notification Rule (45 C.F.R. 164.404 and 408) obligations with regard to timing, content and form. There had been some debate in the industry regarding when the “clock starts ticking” on the 60-day notice deadline. OCR has cleared up that question by stating in its FAQ, in bold, that “OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG.”

Business associates, such as electronic medical record vendors and other companies that contract with Change Healthcare for services that are then provided to a covered entity, also benefit from this OCR FAQ update. OCR has made it clear that only one entity is required to provide notice and that Change Healthcare’s notice, to the extent delegated by covered entities, is sufficient.

What Now?

Covered entities and business associates affected by the Change Healthcare cyberattack should take the steps below following the publication of the updated FAQs:

HIPAA-regulated entities that have relationships with Change Healthcare should contact their account administrators or other contacts to request information from Change Healthcare regarding notices.

Covered entities should assess whether business associates serving the covered entity contracted with Change Healthcare for those services and, if so, contact those business associates to coordinate any breach response.

Business associates that contract with Change Healthcare as HIPAA subcontractors should work with Change Healthcare to help ensure that Change Healthcare is providing any required notices.

Covered entities should determine the dates by which Change Healthcare is required to provide notice beginning on the date that Change Healthcare (or a business associate contracting with Change Healthcare) provides notice of the breach to the covered entity.

Covered entities should request copies of all notice drafts in order to review the timing, content and form, including Change Healthcare’s mailed notice, OCR notice, media notice and substitute notice.

State laws are NOT addressed in the OCR notice. Therefore, all affected organizations, both covered entities and business associates, should work with Change Healthcare to delegate state notice obligations, as applicable and permitted by state laws.

Review business associate agreements with Change Healthcare and other suppliers to assess if amendment is warranted to assure that future breach notice and other obligations are clear.

Privacy officers may consider registering for OCR’s list-serv for email updates.


Beth Neal Pitman is a partner in Holland & Knight’s Birmingham, Alabama, office. Eddie Williams III and Shannon Britton Hartsfield are partners in the firm’s Tallahassee, Florida, office.
