Who will notify the potentially millions of individuals whose information might have been jeopardized by the massive cyberattack on Change Healthcare? Since the affiliate of UnitedHealth Group (UHG) first reported the cyberattack in February, health care providers have been uncertain about their notification responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

To alleviate this uncertainty, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces the HIPAA Privacy, Security, and Breach Notification Rules, published updated guidance on May 31, confirming that Change may issue notifications of a breach of unsecured protected health information (PHI) for all affected covered entities. While the guidance should reassure HIPAA-covered health care providers that they can rely on Change to provide such notifications, the extent to which a reportable breach occurred is still unclear.

OCR Launches Investigation and Provides Guidance Regarding Change Cyberattack

Stressing the “unprecedented magnitude” of the ransomware attack against Change, OCR announced an investigation of the incident in a “Dear Colleagues” letter on March 13. The announcement was notable because Change had not by then determined whether a HIPAA-defined breach had occurred. Usually, OCR’s investigations of largescale breaches of PHI affecting 500 or more individuals do not begin until after it receives notification of a breach.

In the letter, OCR explained that its focus is on Change’s and UHG’s compliance with the HIPAA Rules. Its interest in other entities that “partnered with” Change and UHG, including covered entities that contract with Change or UHG to provide services as a business associate, is “secondary.” However, OCR reminded these entities of their HIPAA obligations to have business associate agreements and to make timely breach notifications to OCR and affected individuals.

On April 19, OCR published a set of frequently asked questions (FAQs) about the Change cyberattack. The FAQs note that under the HIPAA Breach Notification Rule a business associate is required only to notify the covered entity of a discovered breach, after which the covered entity must notify affected individuals, OCR, and, in certain circumstances, the media. While a covered entity may delegate to its business associate the task of providing breach notifications, the covered entity is “ultimately responsible” for ensuring timely notification. 

Providers Question Their Breach Notification Responsibilities

Despite OCR’s attempt at guidance, some health care providers were left unsure whether OCR expects Change to handle all breach notifications. Change has the HIPAA designation of both a covered entity — specifically, a health care clearinghouse, which facilitates the exchange of health care information between providers and payers — and a business associate to other covered entities. Because of Change’s status as a covered entity, some providers have argued that Change alone should bear “ultimate responsibility” for all notifications.

In a letter dated May 22, more than 100 provider-affiliated groups, including the College of Healthcare Information Management Executives, American Health Information Management Association, and American Medical Association, made this argument to HHS Secretary Xavier Becerra and OCR Director Melanie Fontes Rainer. The letter implored HHS and OCR to confirm that all reporting and notification requirements related to the cyberattack are “the responsibility of UHG/Change Healthcare as the HIPAA covered entity which experienced the breach of unsecured PHI.”

Although Change has not yet formally declared a breach, the provider organizations’ letter suggests that a determination that a HIPAA breach occurred is inevitable. It references an April 22 press release in which UHG acknowledged that initial targeted data sampling had uncovered files containing PHI or personally identifiable information for potentially a “substantial proportion of people in America.” UHG reported that it had “not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data,” but the provider organizations noted that they have reason to believe “certain data may indeed have been compromised . . . .”

OCR Clarifies Providers’ Obligations in Updated Guidance

Following the provider organizations’ letter, OCR published an update to the Change cyberattack FAQs on May 31. Although OCR did not adopt the position that Change is solely responsible for breach notifications, the updated FAQs make clear that only one entity, either Change or the covered entity that engages Change as a business associate, must complete the notifications. The decision as to which party will do that is a matter for the covered entity to determine, considering factors such as the functions Change performs on its behalf and which entity has the relationship with the individual whose PHI has been breached.

What Happens Next?

When will health care providers know if the Change cyberattack resulted in a reportable breach of their patients’ PHI? That question remains unanswered. In its April 22 press release, UHG estimated that “it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.”

If, after the ongoing data review, Change and UHG conclude that a breach occurred, they must notify their covered entity clients no later than 60 days after the review. The covered entities will then have up to 60 more days to notify individuals whose PHI was affected. Alternatively, the covered entities may delegate notification to Change or UHG, which offered in its April 22 press release to “make notifications and undertake related administrative requirements on behalf of any provider or customer.” The timing of notification to OCR and the obligation to notify the media will depend on whether, for each affected covered entity client, the breach involves 500 or more of the covered entity’s patients.

Key Takeaways

The Change cyberattack illustrates the confusion and uncertainty over HIPAA breach notification responsibilities that can arise when a covered entity’s business associate potentially experiences a breach. As health care providers recover financially and operationally from the cyberattack, many will opt to offload breach notifications to Change and UHG. Those that choose this option should clearly communicate to Change and UHG their decision to delegate that obligation.

As Change and UHG continue their data review, all providers potentially impacted by the cyberattack should:

• Business Associate Agreements – Review their business associate agreements and other contracts with Change or UHG (or with other business associates that have subcontractor business associate agreements with Change or UHG) to assess their rights and remedies.
• Security Rule Compliance – Evaluate their compliance with HIPAA Security Rule standards and implementation specifications of risk analysis, risk management, information system activity review, audit controls, incident response and reporting, and authentication — all of which are areas where many covered entities and their business associates are deficient, according to OCR’s most recent report on breach statistics from calendar year 2022.
• Future Updates – Monitor communications from Change and UHG about its breach assessment, as well as further compliance guidance from OCR.

ArentFox Schiff continues to closely monitor developments relating to the Change cyberattack. Providers who have been or may be affected should contact Gayland Hethcoat or the ArentFox Schiff attorney who usually handles your matters.

Additional research and writing from Grace Song, a 2024 summer associate in ArentFox Schiff's Los Angeles office and a law student at the University of Southern California School of Law.