HHS: Providers can delegate privacy breach reporting to Change Healthcare

June 3, 2024


On the evening of May 31, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) clarified that covered entities can delegate to Change Healthcare the patient notifications required as a result of the Feb. 21 Change Healthcare breach. Last week, the College signed onto a coalition letter that was sent to OCR asking for this exact clarification.

OCR Director Melanie Fontes Rainer says in the announcement, “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”

This is welcome news for allergy practices. Strict interpretation of the HIPAA privacy breach patient notification regulations requires both Change Healthcare and medical practices to notify patients. This interpretation was reasserted in an OCR FAQ document earlier this month. This FAQ prompted College advocacy, as part of a large coalition of specialty societies and state medical associations, to urge HHS to limit the notification burden to Change Healthcare.

During a recent Congressional hearing on the cyberattack, UnitedHealth Group (UHG) CEO Andrew Witty testified that UHG (which owns Change Healthcare) is willing to facilitate all of the patient notifications related to the breach but needed clarification from regulators to allow it to take that burden away from providers. This announcement provides clarification that practices will not need to issue breach notifications to patients if they choose to delegate that responsibility to Change Healthcare.

More specifically:

  • Covered entities affected by the Change Healthcare breach may delegate – to Change Healthcare – the tasks of providing the required HIPAA breach notifications on their behalf.
  • Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable, the media.
  • If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they will not have additional HIPAA breach notification obligations.

View the new and updated FAQs on the Change Healthcare Cybersecurity Incident.

More information is available on the HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.