After Change, Hospitals Question HHS Data Breach Reporting


In a March 21, 2024 letter to the HHS’ Office for Civil Rights (OCR), hospital lobbying organizations asked the agency to clarify who is required to notify patients of a data breach after the cyberattack on UnitedHealth’s Change Healthcare: the hospitals that contracted with Change, or the organization that was directly attacked?

The letter, penned by counsel for the American Hospital Association (AHA) and the Federation of American Hospitals, argued that the onus should fall on UnitedHealth and Change alone to report a breach, should one be found.

Requiring hospitals to issue breach notifications as well could result in patients receiving duplicate notices, leading to unnecessary public confusion, misunderstandings, and added stress, the letter warned.

Change has yet to say whether protected health information was compromised in the Feb. 21 cyberattack, which the AHA has called the most significant and consequential of its kind in the sector’s history.

OCR opened an investigation into the attack on March 13 to determine whether protected health information was compromised and whether UnitedHealth complied with its legal requirements to safeguard health data.

Although OCR said its primary investigative focus was not on health care providers, health plans, or business associates, it reminded those parties of their own legal obligations to report any data breaches they find to HHS and to the affected individuals.

In the letter, the AHA asked OCR to clarify that Change and UnitedHealth, not the hospitals or health systems, would be required to send breach notifications.

The AHA said that Change serves hospitals either as a clearinghouse or as a business associate, and that in both capacities it is a covered entity under HIPAA’s privacy and security rules with an obligation to report privacy violations.

The letter went on to say that while hospitals have long honored HIPAA’s privacy objectives, in this instance the health systems are the downstream victims that have suffered in the wake of the outage.

Providers have reported a slew of operational problems resulting from the cyberattack, including difficulty receiving payment from patients and insurers, verifying coverage, submitting advance authorization requests, and exchanging clinical records.

Of the 1,000 hospitals recently surveyed by the AHA, 94% reported that the cyberattack was affecting them financially.

The letter said that now is not the time to impose more costs on America’s health care providers and the patients they serve.

Concern over reporting requirements comes as HHS considers revamping its cybersecurity requirements, potentially including higher penalties for HIPAA violations. In a December working paper, HHS cited a need for greater enforcement and accountability around cybersecurity as attacks continue to vex the industry.

In March 2024, the Biden administration released its proposed HHS budget for fiscal year 2025, which laid out a plan to tie Medicare incentives to hospitals’ adoption of cybersecurity protections. Under the proposed budget, HHS could in the future levy fines on hospitals that fail to comply with the cybersecurity standards.

HHS also released voluntary cybersecurity standards for the healthcare industry in January 2024, which include using multifactor authentication and offering basic cybersecurity training for employees.

The AHA has been outspoken against mandatory cybersecurity requirements for hospitals, especially where fines are involved. In a December statement, the group called possible fines counterproductive, noting that hospitals spend billions of dollars and work closely with government agencies to prevent cyberattacks.

According to AHA president Rick Pollack, the AHA cannot support proposals for mandatory cybersecurity requirements to be levied on hospitals as if they were at fault for the success of hackers in perpetrating crime. Imposing fines or cutting Medicare payments would diminish the hospital resources needed to combat cybercrime and would be counterproductive to the shared goal of preventing cyberattacks.