Dive brief:
- Providers are still considering whether they will need to report or notify patients about data breaches resulting from the cyberattack on Change Healthcare earlier this year.
- In a letter sent to HHS Secretary Xavier Becerra on Monday, more than 50 organizations – including the American Medical Association, the College of Healthcare Information Management Executives and the American Health Information Management Association – urged the federal government to publicly confirm that Change could handle the reporting and monitoring requirements for data breach notification, since the technology company and leading claims processor was the victim of the breach.
- UnitedHealth Group, Change's parent company, has previously stated it would take care of reports for clients whose data may have been exposed – which could be a large part of Americans.
Dive overview:
Under the HIPAA Privacy Act, covered entities and their business associates are required to notify affected individuals, HHS, and sometimes the media when unsecured protected health information is breached.
The attack on Change represents a potentially huge data breach. The company, which was acquired by healthcare conglomerate UnitedHealth two years ago, processes billions of claims every year and affects one in three medical records.
Last month, UnitedHealth said it found files involved in the February ransomware attack containing protected health information or personally identifiable information that “may affect a substantial proportion of people in America.”
In testimony before Congress earlier this month, UnitedHealth CEO Andrew Witty said the company was still working to determine the extent of the exposure, but that the attack may have compromised the data of as many as a third of individuals in the United States.
Some hospital groups have already urged the HHS Office for Civil Rights to clarify who should provide breach notifications after the Change attack. In March, the American Hospital Association and the Federation of American Hospitals said that asking providers to send the letters could result in duplicate notifications, which could confuse patients.
In their latest letter, the provider groups said the number of providers affected by the breach was “so numerous that a precise number is not readily available.”
“Given the well-documented state of chaos in the vendor community following this breach, OCR's silence on this issue is disappointing,” the groups wrote.
In a frequently asked questions page, OCR wrote that covered entities are ultimately responsible for ensuring that affected individuals are notified after a breach at a business associate, but they may delegate the process to the business associate.
OCR added that HIPAA entities should contact Change and UnitedHealth with any questions about how breach notifications will be handled.
However, provider groups said they needed more clarity from regulators beyond FAQs and sought confirmation that UnitedHealth would ultimately handle reporting violations.