Following the Change Healthcare cyberattack in February, questions remain around what data may have been stolen and how patients would be notified if needed — the issue is top of mind for hospitals nationwide.
On March 13, HHS launched an investigation into UnitedHealth Group and Change over the cyberattack within the context of HIPAA compliance. The agency noted that it is not investigating providers or payers that work with Change Healthcare, but it reminded organizations "of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules."
On March 21, the American Hospital Association wrote to HHS, urging it to clarify whether that statement meant hospitals and health systems should be notifying patients that protected health information may have been compromised.
"We remain concerned, however, that OCR may require hospitals to make breach notifications to HHS and affected individuals, if it is later determined that a breach occurred," the letter reads. "We are seeking additional clarification that hospitals and other providers do not have to make additional notifications if UnitedHealth Group and Change Healthcare are doing so already."
The AHA stated that Change Healthcare should be responsible for notifying individuals if their protected health information has been compromised due to the attack.
"As a covered entity, Change Healthcare has the duty to notify OCR and the impacted individuals. Even where Change Healthcare acts as a business associate, HIPAA authorizes Change Healthcare to issue these notifications for a more streamlined approach," the letter said.
The AHA is seeking a "unified notification process" so that patients don't receive multiple notifications regarding the same breach.
"Our concern is simply that requiring breach notifications in these circumstances will confuse patients and impose unnecessary costs on hospitals, particularly when they have already suffered so greatly from this attack," the AHA said.
In Washington state, the hospital association reminded facilities of state-level data breach notification laws and said March 21 that hospitals "can get ahead of this issue by reviewing now the various sets of obligations on both their part and the part of Change contained in the BAAs they have in place. Examples of these obligations include breach notification timing and who provides the notice, indemnification, and insurance requirements."
Change Healthcare confirmed ALPHV/BlackCat has represented itself as the group behind the attack. The ransomware group claims it stole 6 terabytes worth of data, including medical records, patient Social Security numbers, and information on active military personnel. Ransomware groups are known to exaggerate the amount of data they have to demand higher payments.
Change has not said if protected health information has been compromised due to the cyberattack.