The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced May 31 that covered entities – such as health plans, health care clearinghouses, and physicians – affected by privacy breaches stemming from the February cyberattack on Change Healthcare and its parent corporation UnitedHealth Group (UHG) may delegate breach notifications to both companies.
However, this delegation is only allowable if Change Healthcare or UHG is a business associate of the covered entity. OCR made clear that the ultimate responsibility for ensuring such notifications occur remains with the covered entity, meaning physicians may still need to provide breach notifications themselves if the delegation is not available or the delegated notifications are not made.
The update comes after the Texas Medical Association and over 100 health care organizations signed a joint letter May 20 asking OCR to affirm that no entities other than Change Healthcare or UHG are responsible for breach reporting.
Although OCR denied this request, the organization did confirm that covered entities are allowed to delegate their breach notification obligations to business associates, including Change Healthcare and UHG, as applicable.
Since covered entities remain legally responsible for ensuring that proper breach notifications occur, physicians should request information from Change Healthcare or UHG regarding breach notifications to ensure compliance.
If a physician coordinates with Change Healthcare or UHG for those companies to provide breach notifications on the physician’s behalf, TMA experts recommend the physician:
- Determine the date by which the breach notifications must be provided; and
- Request copies of all notices – including Change Healthcare/UHG's mailed notice, OCR’s notice, any media notices, or substitute notices – to review their timing and content.
Moreover, OCR clarified in its Change Healthcare Cybersecurity Incident Frequently Asked Questions that only one entity needs to complete breach notifications to affected individuals, HHS, and where appropriate, the media.
This means that a physician affected by the breach will not need to take additional breach notification actions if the physician ensures that Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and the HIPAA Breach Notification Rule.
Change Healthcare recently announced that, following its data review to identify individuals affected by the breach, it plans to mail written letters to the affected individuals for whom it has a sufficient address. Affected physicians should coordinate with Change Healthcare to ensure the company provides proper breach notifications and to learn which, if any, of the physician’s patients are not being notified by Change Healthcare due to an insufficient address.
UHG stated the cyberattack leaked the personal information of a “substantial proportion” of Americans. However, the group says breach notification will likely take several months of “continued analysis before enough information will be available to identify and notify impacted customers and individuals.”
OCR has stated it will not consider the 60-calendar-day period for breach notification to start until the affected covered entity has received the information it needs from Change Healthcare or UHG.
Texas law also requires data breach reporting. If an individual or entity who owns or licenses data – including sensitive personal information, such as health care information tied to an individual – experiences a data breach that affects 250 or more Texans, the individual or entity must report that breach to the Office of the Texas Attorney General as soon as possible and no later than 30 days after the discovery of the breach.
Additionally, Texas law requires the individual or entity to notify affected consumers of the breach no later than the 60th day after the date on which the person determines that the breach occurred, unless an extended period is necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Whether a business associate that experiences a data breach is responsible for reporting and patient notification under Texas law may depend on whether the business associate owns or licenses the data. Regardless, this would not remove a covered entity’s responsibility under federal HIPAA regulations to ensure affected individuals are informed about the breach.
For more information about breach notification, visit TMA’s HIPAA Resource Center, TMA’s New Texas Law Shortens Data Breach Notification Period publication, and the Texas Attorney General’s webpage on Data Breach Reporting.
Alisa Pierce
Reporter, Division of Communications and Marketing
(512) 370-1469