On May 31, 2024, the Office of Civil Rights (OCR) released “updates” to its HIPAA FAQs regarding the Change Healthcare cybersecurity incident. In its Press Release, OCR pointed out that it updated its FAQs to specifically address questions it has been receiving concerning who is responsible for performing breach notification to HHS, affected individuals, and (where applicable) the media. ONC’s responses were summarized as follows:
- Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
- Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media.
- If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.
I immediately received a barrage of emails asking if anything had changed (excuse the unavoidable pun) about how a covered entity should be proceeding in response to the Change Healthcare incident. The short answer is “no.” But this begs the question: What should covered entities be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? (See, OCR FAQ #3 indicating that (at least as of May 31, 2024) Change Healthcare has not provided breach notification to HHS concerning the breach) (See also UHG FAQs: “We are not announcing an official breach notification at this time.”). In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.
Despite OCR’s latest FAQs, there continues to be significant confusion in the industry about exactly who – Change Healthcare or impacted covered entities – should be performing breach notification to HHS, affected individuals, and media (collectively, “Breach Notification”). It appears that at least some of this confusion might be because Change Healthcare was apparently wearing what I call “two hats” – one as a HIPAA Covered Entity and the other as a HIPAA Business Associate.
After speaking to many individuals who are familiar with the business operations of Change Healthcare, it’s my understanding that Change was operating as a HIPAA covered entity. Specifically, it functioned as a covered entity healthcare clearinghouse (CE Clearinghouse) that accepted nonstandard data formats from other covered entities (i.e., health care providers and health plans) and converted those to standard formats for billing and other related purposes. In that role, Change Healthcare would have a direct responsibility under HIPAA to handle all HIPAA Breach Notification obligations, including to individuals, HHS, media etc. As for HIPAA covered entities that were submitting PHI to Change Healthcare in its capacity as a CE Clearinghouse, this is considered a permitted covered entity-to-covered entity disclosure under HIPAA and not a disclosure from a covered entity to a business associate. Therefore, under this scenario, HIPAA covered entities (e.g., hospitals, pharmacies, physician practices, payors etc.) are NOT required under HIPAA to complete Breach Notifications for compromised PHI handled by Change Healthcare even though the PHI originated from such other covered entity. Notably, this is not a well-known exception under HIPAA. Therefore, I would bet that many well-intentioned healthcare providers and health plans erroneously slapped HIPAA business associate agreements onto Change’s CE Clearinghouse activities, which has muddied the waters even more.
However, it appears that Change Healthcare also performs functions as a HIPAA business associate (BA) on behalf of HIPAA covered entities. That is, Change Healthcare was also obtaining PHI from covered entity health care providers and health plans to perform one or more allowable HIPAA health care operations (HCO) pursuant to a HIPAA business associate agreement (BAA), which would be proper. Where Change Healthcare was performing functions as a HIPAA BA pursuant to a HIPAA BAA, it is required under HIPAA and its HIPAA BAAs to notify each and every covered entity whose PHI was compromised by the data breach. Once the covered entity receives this Breach Notification from Change Healthcare, then IT (the covered entity healthcare provider or health plan, as applicable) is required under HIPAA to fulfill all Breach Notification obligations. Although a HIPAA covered entity healthcare provider and health plan is permitted to delegate its Breach Notification obligations to a HIPAA BA – i.e., Change Healthcare — it would have to affirmatively do so. I personally have not yet heard of any covered entity healthcare provider or health plan that has received this notice of breach from Change Healthcare as its HIPAA BA. In its updated FAQs, OCR similarly suggests that its understanding also is that Change has not yet begun to notify any affected parties. As of the date of this post, United Health Group (UHG) also says on its FAQ page dedicated to the Change incident that it has not announced any official breach notices.
Because of the “two hats” issue I’ve described, it is very possible that Change Healthcare is having a difficult time untangling whether the PHI impacted by the cybersecurity incident was being handled by it in its CE Clearinghouse capacity or its HIPAA BA capacity. Unless Change Healthcare somehow “tagged” the PHI to allow it to know exactly how such PHI was being used, it might never be able to fully decipher its own Breach Notification obligations. That is, if the PHI was compromised while being used in its CE Clearinghouse capacity, Change is required to notify HHS, individuals, and media directly but has no obligation under HIPAA to notify the underlying covered entity healthcare providers and health plans that are sources of that compromised PHI. However, if the PHI was compromised while being used in its HIPAA BA capacity, it would be required to notify the underlying covered entity healthcare providers and health plans but would have no obligation under HIPAA to notify HHS, individuals, and the media. (Note: Its breach reporting obligations under state laws could differ.) Given Change Healthcare’s apparent paralysis in notifying anyone at all so far, it seems fair to speculate that their delay may be a result of Change trying to hedge its exposure by carefully deciding who they legally must report to. What’s the resulting consequence of this confusion? A classic case of “Who’s on First?” as once perfectly explained by the beloved Abbott & Costello.
In a recent letter from the American Hospital Association (AHA) to the CEO of UnitedHealth Group (UHG), the AHA urges UHG to notify HHS and state regulators that UHG/Change Healthcare will be solely responsible for all breach notifications required under law and provide them with a timeline of when those notifications will occur. Moreover, the group writes that UHG/Change Healthcare should also notify HHS and state regulators “that it is formally accepting a delegation from all covered entities to make a breach notification on their behalf.” AHA points out that UHG/Change Healthcare should issue all such notices because it is “in the best position” to handle them. OCR agrees that this is a fair consideration (see FAQ #9). However, whether such “blanket delegation” is a good idea remains an open question, as I discuss further below. In addition, a hospital should not make an erroneous assumption that the AHA’s letter has alleviated any and all Breach Notification obligations it might have. OCR purposefully points out in FAQ #6:
“A: A covered entity that discovers a breach, including when notified of a breach by their business associate, must comply with the applicable breach notification requirements, including notification to affected individuals without unreasonable delay, to the HHS Secretary, and to the media (for breaches affecting over 500 individuals). See 45 CFR 164.400-414….”
While OCR’s original FAQ may have suggested that learning about the Change Healthcare breach through pubic outlets could constitute “discovery” of the breach and be sufficient to trigger a covered entity’s Breach Notification obligations, in its March 31st FAQ updates OCR makes it clear that it will NOT consider the 60-day calendar period from discovery of a breach by a covered entity to start until the affected covered entity has received the information needed from Change Healthcare/UHG (see updated FAQ #6, bolded).
In light of this update from OCR, AHA’s letter should not be construed as hospitals having received any implied notice of the Change breach. This is critical because a covered entity’s HIPAA “clock” (i.e., 60 days) for meeting its Breach Notification obligations does not start until the date it formally receives notice from Change Healthcare that such covered entity’s PHI was compromised. Until a healthcare provider (or health plan) receives such notification directly from Change Healthcare/UHG, it cannot know with certainty (1) if and how much of its own PHI was compromised by the incident and (2) whether its PHI was being handled by Change Healthcare in Change’s capacity as a CE Clearinghouse or its HIPAA Business Associate.
The following reflects a list of action items that covered entities may wish to consider in light of the fact that many continue to be in “limbo” as they wait for Change Healthcare’s next step (DISCLAIMER! THIS IS NOT LEGAL ADVICE. THESE ARE ISSUES FOR CONSIDERATION. YOU SHOULD CONSULT WITH YOUR ORGANIZATION’S ATTORNEY WHEN DECIDING WHAT STEPS TO TAKE OR NOT TAKE IN RESPONSE TO THE CHANGE INCIDENT):
- Refrain from prospectively reporting the incident as a “breach,” whether to HHS, patients, the media, etc. (Note: depending on your state of operation, organizations should evaluate their own state’s data breach reporting obligations separately. Specifically, it is relevant to understand when reporting obligations trigger (i.e., when they are deemed “discovered.”) under state law).
- Do not delegate Change Healthcare with any responsibilities for making such reports until your organization receives specific notification from Change Healthcare that your PHI has been compromised. AHA’s letter should not be construed as an implied delegation of this obligation by any hospital, particularly in light of OCRs updated FAQ #7 where it states:
“If covered entities are affected by this breach, ensure that Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, and those covered entities will not have additional HIPAA breach notification obligations.” (bold/emphasis is mine)
Thus, OCR has clearly indicated that covered entities would remain responsible for “ensuring” that Change Healthcare/UHG is handling HIPAA Breach Notification properly on the covered entity’s behalf. While Change Healthcare/UHG might have indicated its willingness to handle such notices on behalf of its customers (see www.unitedhealthgroup.com/ns/changehealthcare/faq.html), given the fact that a covered entity remains responsible for the actions taken by Change Healthcare/UHG on its behalf, each covered entity should carefully consider how and if it wishes to formally make this delegation.
- IF, and to the extent, Change Healthcare/UHG notifies your organization that its PHI was or is likely to have been affected by the cybersecurity incident, then your organization can discuss delegation of Breach Notification with Change Healthcare/UHG. Again, given OCR’s position that a covered entity would remain responsible for Breach Notification undertaken on its behalf, any delegation of this responsibility should be done carefully and thoughtfully. For example, covered entities may wish to retain authority to approve in advance all breach notices and related communications before they are made by Change Healthcare/UHG. If that is not feasible, a covered entity may wish to require Change Healthcare/UHG to indemnify it for any failure to complete all Breach Notification responsibilities in a manner that is fully compliant with HIPAA. If delegation to Change Healthcare/UHG cannot be made in a manner that provides adequate assurances to the covered entity, then it may have no choice but to complete HIPAA Breach Notifications itself. Of course, underlying contracts between your organization and Change Healthcare, or between your organization and a vendor with an underlying contract with Change Healthcare, may already address issues concerning the parties’ respective obligations and liability in the event of a breach and, therefore, should be reviewed.
- For covered entities that have direct agreements and HIPAA BAAs with Change, Change should be their first-tier Business Associate. However, for covered entities that do not have a direct agreement or HIPAA BAA with Change (i.e., Change was instead acting as a subcontractor Business Associate of its first-tier Business Associate, such as an EMR vendor), it would be unclear if any particular covered entity falls into the former or the latter without reviewing the specific contracts and facts of the situation for that entity. Nevertheless, this affects the provision of HIPAA Breach Notification and timing in the event the covered entity’s PHI was specifically affected in the Change breach incident. For example, if Change is the covered entity’s direct BA, then Change would need to notify the covered entity once it determines (or reasonably believes that) the covered entity’s PHI was specifically affected. However, if Change is the subcontractor of another HIPAA Business Associate of the covered entity, then Change would need to notify its upstream HIPAA Business Associate, which would, in turn, have to notify the covered entity that PHI was compromised by Change in its capacity as its subcontractor. In light of this, covered entities should consider producing a list of all the systems affected when Change went offline. That will then allow it to determine which vendors to look to and seek clarification on their process for Breach Notification if they receive notification from Change that their PHI was affected. It is also possible that Change could make arrangements with those vendors to make their notifications to affected customers on their behalf.
- Finally, if your organization was utilizing Change Management (or whose business associates utilize Change Management as a subcontractor) and was affected by the widespread incident, you should consider putting your insurance carrier(s) on notice that you may have experienced a potential breach of PHI as a result of the Change Healthcare incident.
It remains an open question whether Change Healthcare/UHG should be solely responsible for HIPAA Breach Notifications to the extent the breach occurred in its capacity as a CE Clearinghouse. Many in our circle brought this up months ago when the breach first happened in February. If Change Healthcare is a CE Clearinghouse and is independently responsible for complying with HIPAA, irrespective of any business associate arrangements it may also have, it would be directly and solely responsible (at least under HIPAA) for completing Breach Notifications. However, as discussed above, under the “two hats” situation, many of its functions potentially overlap, so it may be hard to determine whether the breach occurred in its capacity as a HIPAA Business Associate or as a CE Clearinghouse, or both. The OCR’s updated FAQs are not convincing that OCR is treating Change Healthcare/UHG solely as a covered entity with independent breach notification obligations at this point in its investigation. Additionally, OCR’s updated FAQ do not definitively place Breach Notification responsibility solely on Change Healthcare/UHG. The updated FAQ from OCR refers repeatedly to Change providing Breach Notification on behalf of affected covered entities. This strongly suggests that OCR is not ruling out the possibility that Change was acting as a HIPAA Business Associate with respect to PHI affected by the cybersecurity incident. If anything, the updated FAQ indicates that OCR is clarifying that it is up to the affected covered entities and Change Healthcare/UHG to determine which entity should be responsible for reporting and that only one entity needs to report, which may be Change Healthcare.
OCR states that it is still in the process of investigating Change Healthcare/UHG and its subsidiaries, according to the updated FAQ, so we may see additional clarification from OCR to the FAQs over the next few weeks. Any updates will be posted here: Change Healthcare Cybersecurity Incident Frequently Asked Questions | HHS.gov.
Until then, we’ll all just have to keep asking, “Who’s on First?”
###