Organizations Seeking HHS Guidance on Large-Scale Incident Reporting – Source: www.databreachtoday.com

Industry associations are urging the federal government to place the regulatory responsibility on Change Healthcare in the aftermath of a massive data breach affecting millions of patients. Change Healthcare, a healthcare software firm, recently began notifying thousands of medical practices about the breach, but industry groups are concerned about potential costs and resource burdens on small medical practices, hospitals, and other providers. These concerns come after many healthcare entities already faced financial struggles due to a previous cyberattack and subsequent service disruptions in February.

In a letter dated June 26, the College of Healthcare Information Management Executives, the American Medical Association, and three other prominent industry groups appealed to the Department of Health and Human Services’ Office for Civil Rights for further guidance on breach notification responsibilities in light of the Change Healthcare incident. The groups specifically want clarification on whether entities can delegate breach notification duties to Change Healthcare and expect the government to support this approach. They emphasize the need for clear guidelines on when, what, why, and how breach notifications should occur.

The industry groups, including CHIME and the AMA, are seeking confirmation from HHS OCR that if entities opt to delegate breach notification responsibilities to Change Healthcare, the onus will be on Change Healthcare/UHG to handle the notifications. This approach aims to reduce the burden on affected clinicians and providers who have already been grappling with the aftermath of the breach. The request for clarity and support from HHS OCR is further endorsed by the American Academy of Family Physicians, the American College of Physicians, and the Medical Group Management Association.

Change Healthcare has defended its practice of delegating breach notification, calling it an industry standard. The company has offered to notify regulators, draft and send notice letters to affected individuals, and manage the overall notification process to alleviate the impact on healthcare providers. This approach has received support from dozens of other healthcare industry groups, who previously urged HHS OCR to designate Change Healthcare as the responsible party for breach notifications.

In response to previous requests, HHS OCR issued updated guidance on May 31, affirming that HIPAA-covered entities can delegate breach notification responsibilities to Change Healthcare and its parent company, UnitedHealth Group. However, the agency reiterated that covered entities are ultimately accountable for ensuring that the notifications are carried out, as mandated by the HITECH Act. The latest letter from industry associations underscores the need for more detailed guidance on various aspects of breach notification, including the process for delegating responsibilities and the obligations of covered entities.

UnitedHealth Group CEO Andrew Witty disclosed to Congress that the Change Healthcare breach potentially impacts a significant portion of the American population, with an estimated one-third of Americans affected. The company expects to begin notifying affected individuals by late July, following the discovery of the breach in February, which disrupted critical healthcare processes for several weeks. Additionally, UnitedHealth Group admitted to paying a $22 million ransom to the cybercrime group BlackCat to obtain a decryptor key and prevent a data leak.

The evolving situation surrounding the Change Healthcare breach underscores the complexity and challenges faced by healthcare organizations in managing cybersecurity incidents and breach notifications. As industry groups continue to advocate for clear guidance and support from regulatory agencies, the focus remains on addressing the fallout from the breach and ensuring that affected entities receive the necessary assistance to navigate the aftermath.
