The American Hospital Association sent a letter to HHS urging the agency to clarify whether hospitals and health systems should provide breach notification to patients if protected health information is compromised due to the Feb. 21 cyberattack on Change Healthcare.
The March 21 letter, addressed to Melanie Fontes Rainer, acting director of the Office for Civil Rights at HHS, asks the agency to clarify for hospitals and other providers how breach reporting applies to the Change Healthcare hack.
"We remain concerned, however, that OCR may require hospitals to make breach notifications to HHS and affected individuals, if it is later determined that a breach occurred," the letter reads. "We are seeking additional clarification that hospitals and other providers do not have to make additional notifications if UnitedHealth Group and Change Healthcare are doing so already."
The AHA stated that Change Healthcare should be responsible for notifying individuals if their protected health information has been compromised due to the attack.
"As a covered entity, Change Healthcare has the duty to notify OCR and the impacted individuals. Even where Change Healthcare acts as a business associate, HIPAA authorizes Change Healthcare to issue these notifications for a more streamlined approach," the letter reads.
The AHA is seeking a "unified notification process" so that patients don't receive multiple notifications regarding the same breach.
"Our concern is simply that requiring breach notifications in these circumstances will confuse patients and impose unnecessary costs on hospitals, particularly when they have already suffered so greatly from this attack," the letter reads.
UnitedHealth Group's Change Healthcare has not stated whether protected health information has been compromised due to the cyberattack.