HHS reverses course, allows Change Healthcare to file breach notifications for others

The Department of Health and Human Services (HHS) changed course on Friday and announced that it will allow Change Healthcare to file breach notifications on behalf of the thousands of organizations impacted by February’s ransomware attack.

HHS updated a previously released FAQ page from April 19 that said every organization affected by the hack of Change Healthcare would have to file their own breach notices with federal and state regulators, enraging the thousands of hospitals, clinics and doctor’s offices that are still recovering financially from the outages caused by the attack. 

“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare,” said Melanie Fontes Rainer, director of HHS’s Office for Civil Rights (OCR).

Change Healthcare handled about 1 in 3 medical records and processed about half of all medical claims in the U.S. at the time of the breach. The CEO of UnitedHealth, Change Healthcare’s parent company, told Congress this month that about one-third of all Americans had information accessed by the hackers. 

HHS’s focus, she said, is that everyone who had information exposed during the ransomware attack be notified that their data was breached. 

“This ensures that the potentially millions of Americans, including the elderly, the disabled, those with limited English proficiency, those with limited access to technology, and more, will understand the impact of this breach on their private medical records and their health care,” she added. 

The statement ends mounting confusion over a situation that had enraged healthcare entities across the U.S. Hundreds of organizations sent a letter to HHS last week demanding more information on who would be responsible for notifying victims about the leak of their health data. 

The letter says that because the data was being processed by Change Healthcare on behalf of other organizations, “no entity other than Change Healthcare, its parent company, UnitedHealth Group, and their corporate affiliates such as Optum, bears responsibility for this breach and is under any legal reporting or notification obligation as a result of it.”

When contacted for comment last week, HHS directed Recorded Future News to the April 19 version of the FAQ. HHS did not respond to followup questions confirming whether that was still accurate. 

Friday’s announcement by HHS was met with praise by several associations that represent the healthcare industry. 

Chad Golder, American Hospital Association general counsel and secretary, said in a statement that the decision is what they asked of HHS in March. 

“As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack,” he said. 

“Today’s decision recognizes this and is a clear example of smart, practical government action.”