The Department of Health and Human Services May 31 announced that hospitals and health systems can require UnitedHealth Group to notify patients if their data was stolen during the Change Healthcare cyberattack Feb. 22.

"Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare," said HHS' Office for Civil Rights Director Melanie Fontes Rainer. "All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized."

“The AHA is pleased by the Office for Civil Rights’ announcement that it will permit UnitedHealth Group to make breach notifications on behalf of hospitals and health systems affected by the cyberattack on Change Healthcare,” said Chad Golder, AHA general counsel and secretary. “This is exactly what the AHA asked OCR to do in March. As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack. Today’s decision recognizes this and is a clear example of smart, practical government action.”  

OCR posted Friday's update on its FAQ webpage, adding, "… if covered entities affected by this breach ensure that Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, those covered entities would not have additional HIPAA breach notification obligations."

AHA and other hospital groups had urged UHG in a letter May 8 to formally issue breach notifications on behalf of providers or customers following cyberattacks if protected health information or personally identifiable information is stolen. UHG CEO Andrew Witty agreed to do so May 1 during hearings with Senate and House committees. 

Related News Articles

Headline
The FBI and Department of Health and Human Services June 24 released an advisory about cyberthreat actors targeting health care organizations in attempts to…
Headline
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) this week released an advisory about Qilin, formerly "Agenda…
Headline
Change Healthcare June 20 began notifying health care providers and other customers with patient data stolen following February’s cyberattack, the company…
Headline
The Centers for Medicare & Medicaid Services June 17 announced it will close its accelerated and advance payment program July 12 for Medicare providers and…
Headline
The health care sector should swiftly implement patches or mitigations to address 14 new cyber vulnerabilities identified by the Cybersecurity and…
Headline
The Departments of Health and Human Services, Labor, and the Treasury June 14 announced a 120-day extension for parties impacted by the cyberattack on Change…