HHS In US Must Clarify Change Data Breach Reporting Rules


Providers are still waiting for clarity on whether they must report, or notify patients of, data breaches stemming from the cyberattack on Change Healthcare earlier in 2024.

In a letter to HHS Secretary Xavier Becerra, more than 50 organizations, including the American Medical Association, the American Health Information Management Association, and the College of Healthcare Information Management Executives, urged the federal government to publicly confirm that Change can handle the data breach reporting and notification requirements arising from the breach suffered by the technology firm and major claims processor.

Change's parent company, UnitedHealth Group, has previously said it would handle the notification of customers whose data may have been leaked, which could be a large share of Americans. Under the HIPAA privacy rules, covered entities and business associates must notify affected individuals, HHS, and in some cases the media when unsecured protected health information is breached. The attack on Change appears to represent a massive data breach: the company, which UnitedHealth acquired almost two years ago, processes billions of claims every year and touches one in every three medical records.

In April 2024, UnitedHealth said it had found files involved in the February ransomware attack containing protected health information or personally identifiable information that could cover a substantial proportion of the US population.

Andrew Witty, CEO of UnitedHealth, testified to Congress in May 2024 that the company was still working to gauge the extent of the exposure, but that the attack may have compromised the data of one-third of individuals in the US.

Some hospital groups had already urged the HHS Office for Civil Rights (OCR) to clarify who would be required to issue breach notifications after the Change attack. In March 2024, the AHA and the Federation of American Hospitals argued that requiring providers to send the letters could result in duplicate notifications that would confuse patients.

In the latest letter, the provider groups noted that the number of providers affected by the breach is so large that no exact figure is available yet.

The groups called the well-documented chaos within the provider community over this breach, and OCR's silence on the point, disappointing. According to OCR, covered entities are responsible for ensuring that affected individuals are notified after a data breach at a business associate, but they may delegate that notification to the business associate.

OCR added that HIPAA-regulated entities should contact Change and UnitedHealth with any questions on how breach notification will be handled. The provider groups, however, say they need more clarity from regulators than the existing FAQs provide, and they have asked for confirmation that UnitedHealth will be the party handling breach reporting.