HIPAA Breach Notice Can Be Delegated To Change Healthcare

Holland & Knight


Highlights

  • At long last, covered entities with protected health information affected by the February 2024 cyberattack on Change Healthcare now have some clarity regarding Health Insurance Portability and Accountability Act (HIPAA) breach notice obligations.
  • Guidance, in the form of updated FAQs, indicates that all affected covered entities may delegate HIPAA notice obligations to Change Healthcare.
  • This Holland & Knight alert is part of our continuing "OCR in Overdrive" series focused on emerging regulatory developments at the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the impact on patient privacy and data security requirements for healthcare providers and their business associates.

After months of uncertainty and multiple letters from industry associations advocating on behalf of the healthcare industry with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), covered entities with protected health information affected by the February 2024 cyberattack on Change Healthcare now have some clarity regarding Health Insurance Portability and Accountability Act (HIPAA) breach notice obligations.

OCR announced on May 31, 2024, that its Change Healthcare FAQs have been updated to indicate that all affected covered entities may delegate HIPAA notice obligations to Change Healthcare. (See Holland & Knight's previous alert, "What HIPAA Security Rule Surprises Await Healthcare Providers for the Second Half of 2024?," May 13, 2024.)

FAQ Highlights

OCR provided a summary of key FAQ updates:

  • Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
  • Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS and, where applicable, the media.
  • If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the Health Information Technology for Economic and Clinical Health Act (HITECH) and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.

Although the OCR's position alleviates covered entities' obligations and costs associated with providing HIPAA breach notice, including notice to OCR, it does not remove all obligations. As noted in the FAQs, covered entities remain obligated to assure that notices issued by Change Healthcare comply with the Breach Notification Rule (45 C.F.R. 164.404 and 408) obligations with regard to timing, content and form. There has been some debate in the industry regarding when the "clock starts ticking" on the 60-day notice deadline. OCR has cleared up that question by stating in its FAQ, in bold, that "OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG." (UHG refers to UnitedHealth Group, which acquired Change Healthcare in 2022.)

Business associates, such as electronic medical record vendors and other companies that contract with Change Healthcare for services that are then provided to a covered entity, also benefit from this OCR FAQ update. OCR has made it clear that only one entity is required to provide notice and that Change Healthcare's notice, to the extent delegated by covered entities, is sufficient.

What Now?

Covered entities and business associates affected by the Change Healthcare cyberattack should take the steps below following the publication of the updated FAQs:

  • HIPAA-regulated entities that have relationships with Change Healthcare should contact their account administrators or other contacts to request information from Change Healthcare regarding notices.
  • Covered entities should assess whether business associates serving the covered entity contracted with Change Healthcare for those services and, if so, contact those business associates to coordinate any breach response.
  • Business associates that contract with Change Healthcare as HIPAA subcontractors should work with Change Healthcare to help ensure that Change Healthcare is providing any required notices.
  • Covered entities should determine the dates by which Change Healthcare is required to provide notice beginning on the date that Change Healthcare (or a business associate contracting with Change Healthcare) provides notice of the breach to the covered entity.
  • Covered entities should request copies of all notice drafts in order to review the timing, content and form, including Change Healthcare's mailed notice, OCR notice, media notice and substitute notice.
  • State laws are NOT addressed in the OCR notice. Therefore, all affected organizations, both covered entities and business associates, should work with Change Healthcare to delegate state notice obligations, as applicable and permitted by state laws.
  • Review business associate agreements with Change Healthcare and other suppliers to assess if amendment is warranted to assure that future breach notice and other obligations are clear.
  • Privacy officers may consider registering for OCR's list-serv for email updates.
