The Department of Health and Human Services May 31 announced that hospitals and health systems can require UnitedHealth Group to notify patients if their data was stolen during the Change Healthcare cyberattack Feb. 22.
"Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare," said HHS' Office for Civil Rights Director Melanie Fontes Rainer. "All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized."
“The AHA is pleased by the Office for Civil Rights’ announcement that it will permit UnitedHealth Group to make breach notifications on behalf of hospitals and health systems affected by the cyberattack on Change Healthcare,” said Chad Golder, AHA general counsel and secretary. “This is exactly what the AHA asked OCR to do in March. As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack. Today’s decision recognizes this and is a clear example of smart, practical government action.”
OCR posted Friday's update on its FAQ webpage, adding, "… if covered entities affected by this breach ensure that Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, those covered entities would not have additional HIPAA breach notification obligations."
AHA and other hospital groups had urged UHG in a letter May 8 to formally issue breach notifications on behalf of providers or customers following cyberattacks if protected health information or personally identifiable information is stolen. UHG CEO Andrew Witty agreed to do so May 1 during hearings with Senate and House committees.
Cybersecurity
Related News Articles
Headline
AHA discusses impact of Change Healthcare cyberattack at Wall Street Journal event
The AHA June 6 participated in a Wall Street Journal Tech Live Cybersecurity event to discuss the historic Feb. 21 cyberattack on Change Healthcare. Stacey…
Headline
Scripps Health discusses need for cybersecurity standards, federal protections in part 2 of AHA podcast
Hospitals and health systems have their hands full coping with the scary reality of a ransomware attack, but there are also civil liability concerns that arise…
Headline
AHA podcast: How to Survive a Cyberattack with Scripps Health
In response to the alarming rise of ransomware attacks, hospitals and health systems must stay vigilant by playing defense, having a mitigation plan and…
Headline
ARPA-H launches new program to enhance, automate cybersecurity for health care facilities
The Department of Health and Human Services' Advanced Research Projects Agency for Health May 20 announced the launch of a $50 million cybersecurity program…
Headline
Agencies issue guidance on mitigating cyberthreats with limited resources
The Cybersecurity and Infrastructure Security Agency along with international agencies May 14 released guidance for high-risk nonprofit and other resource-…
Headline
Report: Delayed or missing payments increased for hospitals in first quarter
Hospitals and health systems nationwide saw a sizable increase in delayed or missing payments in first quarter 2024, according to a report released May 10 by…