Hospitals and health systems have the option to require UnitedHealth Group to notify patients if their data was stolen during the Change Healthcare cyberattack on Feb. 22, as announced by the Department of Health and Human Services on May 31. According to HHS’ Office for Civil Rights Director Melanie Fontes Rainer, affected covered entities seeking breach notifications should contact Change Healthcare so that all necessary HIPAA notifications can be handled by them.
The American Hospital Association (AHA) expressed their approval of this decision made by OCR, stating that practical government action is needed in this matter. The AHA had previously requested OCR in March to permit UHG to handle breach notifications, citing the legal authority and practicality of such a decision.
OCR’s update on its FAQ webpage confirmed that if covered entities affected by the breach have Change Healthcare perform the required notifications in compliance with the HITECH Act and HIPAA Breach Notification Rule, they do not need to fulfill additional HIPAA breach notification obligations. Hospital groups like AHA had advocated for UHG to issue formal breach notifications in cases where protected health information or personally identifiable information is compromised.
UHG CEO Andrew Witty agreed to this approach during recent hearings with Senate and House committees on May 1.
