UnitedHealth Group's Change Healthcare is responsible for notifying affected individuals about data privacy breaches that occurred as a result of the cyberattack on the company in late February, HHS said May 31.
"Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare," HHS Office for Civil Rights Director Melanie Fontes Rainer said in a news release. "We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized."
In March, the agency launched an investigation into UnitedHealth regarding the company's compliance with HIPAA reporting requirements in relation to the data breach. HHS' new announcement will allow Change to file breach notifications on behalf of affected providers, payers and business associates. Breach notifications only have to be completed once: if Change completes them, the affected entities face no additional notification obligations.
The policy decision clears up confusion around which entities would be held responsible for notifying the millions of patients affected by the breach, which the American Hospital Association has called the "most significant cyberattack" on healthcare in U.S. history.
The AHA wrote to HHS in March, urging it to clarify whether hospitals and health systems should notify patients that protected health information may have been compromised. State hospital associations had also begun to warn facilities about the need to prepare for possible breach reporting requirements.
"As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack," AHA General Counsel and Secretary Chad Golder said May 31. "Today's decision recognizes this and is a clear example of smart, practical government action."
Change said in April that it couldn't offer specifics on individual-level data taken by hackers, but that it would send breach notifications. The company set up a website and hotline for more information on the breach and is offering two years of free credit monitoring and identity theft protection for anyone affected. The company also said the data stolen likely covers a "substantial proportion of people in America."
Change said it has no evidence that any physicians' charts or full medical histories were pilfered in the ransomware attack, but it acknowledged that cybercriminals posted 22 screenshots of health and personal data allegedly stolen in the hack for about a week on the dark web.
UnitedHealth previously said it expects to lose $1.6 billion total as a result of the hack and reported $872 million in direct impact from the attack in the first quarter.