On May 31, 2024, the Office of Civil Rights (OCR) released “updates” to its HIPAA FAQs regarding the Change Healthcare cybersecurity incident. In its Press Release, OCR pointed out that it updated its FAQs to specifically address questions it has been receiving concerning who is responsible for performing breach notification to HHS, affected individuals and (where applicable) the media. ONC’s responses were summarized as follows:

  1. Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.

  1. Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media.

  1. If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.

Almost immediately, I received a barrage of emails asking if anything has changed about how a covered entity should be proceeding in response to the Change Healthcare incident. The short answer is “no.” But, this begs the question: What should covered entity healthcare providers be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? (see, OCR FAQ #3 indicating that, at last of May 31, 2024, Change Healthcare has not provided breach notification to HHS concerning the breach)(see also, UHG FAQs “We are not announcing an official breach notification at this time.”).  In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take in order to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.

Despite OCR’s latest FAQs, there continues to be significant confusion in the industry about exactly who – Change Healthcare or impacted covered entities – should be performing breach notification to HHS, affected individuals and media (collectively, “Breach Notification”). It appears that at least some of this confusion might be due to the fact that Change Healthcare was apparently wearing what I refer to has “two hats” – one as a HIPAA Covered Entity and the other as a HIPAA Business Associate.

After speaking to many individuals who are familiar with the business operations of Change Healthcare, it is my understanding that Change was was operating as a HIPAA covered entity health care clearinghouse (CE Clearinghouse) by accepting nonstandard data formats from health care providers and converting those to standard formats for billing and other related purposes. In that role, Change Healthcare would have a direct responsibility under HIPAA to handle all HIPAA Breach Notification obligations, including to individuals, HHS, media etc. As for HIPAA covered entity health care providers that were submitting PHI to Change Healthcare in its capacity as a CE Clearinghouse, this is considered a permitted covered entity-to-covered entity disclosure under HIPAA and not a disclosure from a covered entity to a business associate. Therefore, under this scenario, HIPAA covered entity health care providers (e.g., hospitals, pharmacies, physician practices etc.) are NOT required under HIPAA to handle the Breach Notifications for compromised PHI handled by Change Healthcare even though the PHI originated from a health care provider. 

However, it appears that Change Healthcare was also functioning as a HIPAA business associate (BA) on behalf of covered entity health care providers. That is, Change Healthcare was also obtaining PHI from health care providers to perform one or more health care operations pursuant to a HIPAA business associate agreement (BAA). Where Change Healthcare was performing functions as a HIPAA BA pursuant to a HIPAA BAA, it is required under HIPAA and its HIPAA BAAs to notify each and every covered entity whose PHI was compromised by the data breach. Once the covered entity receives this Breach Notification from Change Healthcare, then IT (the covered entity health care provider) is required under HIPAA to fulfill all Breach Notification obligations. Although a covered entity health care provider is permitted to delegate its Breach Notification obligations to a HIPAA BA – i.e., Change Healthcare — it would have to affirmatively do so. Plus, I personally have not yet heard that any covered entity health care provider has received this notice of breach from Change Healthcare as its HIPAA BA. In its updated FAQs, OCR similarly suggests that its understanding also is that Change has not yet begun to notify any health care providers.

Because of the Two Hat issue I’ve described, it is very possible that Change Healthcare is having a difficult time untangling whether the PHI impacted by the security incident was being handled by it in its CE Clearinghouse capacity or its HIPAA BA capacity. Moreover, if the PHI was being used for both purposes, then unless Change Healthcare somehow “tagged” the PHI to allow it to know exactly how such PHI was being used, it will be unlikely to fully decipher its own Breach Notification obligations. That is, if the PHI was compromised while being used in its CE Clearinghouse capacity, Chage is required to notify HHS, individuals and mediadirectly, but has no obligation under HIPAA to notify the underlying covered entity health care provider that are the sources of that compromised PHI. However, if the PHI was compromised while being used in its HIPAA BA capacity, it would be required to notify the underlying covered entity health care providers but would have noobligation under HIPAA to notify HHS, individuals and the media. (note: its breach reporting obligations under state laws could differ). Given Change Healthcare apparent paralysis in notifying anyone so far, it seems fair to speculate that their delay may be a result of Change trying to hedge its exposure by carefully deciding who they legallymust report to. What’s the resulting consequence of this confusion? A classic case of “Who’s on First,” as once perfectly explained by the beloved Abbott & Costello.

In a recent letter from the American Hospital Association (AHA) to the CEO of UnitedHealth Group (UHG), the AHA urges UHG to notify HHS and state regulators that UHG/Change Healthcare will be solely responsible for all breach notifications required under law and provide them with a timeline of when those notifications will occur. Moreover, the group writes that UHC/Change Healthcare should also notify HHS and state regulators “that it is formally accepting a delegation from all covered entities to make a breach notification on their behalf.” AHA points out that UHC/Change Healthcare should issue all such notices because it is “in the best position” to handle those notices. OCR agrees that this is a fair consideration (see FAQ #9).  However, whether such “blanket delegation” is a good idea remains an open question, as I discuss more further below. In addition, a hospital should not make an erroneous assumption that the AHA’s letter has alleviated it of any and all Breach Notification obligations it might have. OCR purposefully points out in FAQ #6:

“A: A covered entity that discovers a breach, including when notified of a breach by their business associate, must comply with the applicable breach notification requirements, including notification to affected individuals without unreasonable delay, to the HHS Secretary, and to the media (for breaches affecting over 500 individuals). See 45 CFR 164.400-414….”

While OCR’s original FAQ may have suggested that learning about the Change Healthcare breach through pubic outlets could constitute “discovery” of the breach and be sufficient to trigger a covered entity’s Breach Notification obligations, in its March 31 FAQ updates OCR makes it clear that it will NOT consider the 60-day calendar period from discovery of a breach by a covered entity to start until the affected covered entity has received the information needed from Change Healthcare/UHG(see updated FAQ #6, bolded). 

In light of this update from OCR, AHA’s letter should not be construed as hospitals having receive any implied notice of the breach. This is critical because a covered entity’s HIPAA “clock” (i.e., 60 days) for meeting its Breach Notification obligations does not start until the date it formally receives notice from Change Healthcare that such covered entity’s PHI was compromised by the security incident. Until a health care provider receives such notification directly from Change Healthcare/UHG, it cannot know with certainty (1) if and how much of its own PHI was compromised by the incident and (2) whether its PHI was being handled by Change Healthcare in Change’s capacity as a CE Clearinghouse or as health care provider’s HIPAA BAA.

            The following reflects a list of action items that covered entities may wish to consider in light of the fact that many continue to be in “limbo” as they wait for Change Healthcare’s next step:

  1. Refrain from prospectively reporting the incident as a “breach,”, whether to HHS, patients, the media etc. (Note: depending on your state of operation, organizations should evaluate their own state’s data breach reporting obligations separately. Specifically, it is relevant to understand when reporting obligations trigger (i.e., when are they deemed “discovered.”) under state law).

  1. Do not delegate Change Healthcare with any responsibilities for making such reports until your organization receives specific notification from Change Healthcare that your its PHI has been compromised. AHA’s letter should not be construed as an implied delegation of this obligation by any hospital, particularly in light of OCRs updated FAQ #7 where it states:

“if covered entities affected by this breach ensure that Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, those covered entities would not have additional HIPAA breach notification obligations.” (bold/emphasis is mine)

Thus, OCR has clearly indicated that covered entities would remain responsible for “ensuring” that Change Healthcare/UHG is handling HIPAA Breach Notification properly on the covered entity’s behalf. While Change Healthcare/UHG might have indicated its willingness to handle such notices on behalf of its customers (see www.unitedhealthgroup.com/ns/changehealthcare/faq.html), given the fact that a covered entity remains responsible for the actions taken by Change Healthcare/UHG on its behalf, each covered entity should carefully consider how and if it wishes to formally make this delegation

  1. IF and to the extent Change Healthcare/UHG notifies your organization that its PHI was indeed or is likely to have been affected by the incident, then your organization can discuss delegation of Breach Notification with Change Healthcare/UHG. Again, given OCR’s position that a covered entity would remain responsible for Breach Notification undertaken on its behalf, any delegation of this responsibility should be done carefully and thoughtfully. For example, covered entities may wish to retain authority to approve in advance all breach notices and related communications before they are made by Change Healthcare/UHG. If that is not feasible, a covered entity may wish to require Change Healthcare/UHG to indemnify it for any failure to complete all Breach Notification responsibilities in a manner that is fully compliant with HIPAA. If delegation to Change Healthcare/UHG cannot be made in a manner that provides adequate assurances to the covered entity, then it may have no choice but to complete HIPAA Breach Notification obligations itself. 

  1. For covered entities that have a direct agreements and HIPAA BAAs with Change, Change should be their first-tier Business Associate. However, for covered entities that do not have a direct agreement or HIPAA BAA with Change (i.e., Change was instead acting as a subcontractor Business Associate of its first-tier Business Associate, such as an EMR vendor), it would be unclear if any particular covered entity falls into the former or the latter without reviewing the specific contracts and facts of the situation for that entity. Nevertheless, this affects the provision of HIPAA Breach Notification and timing in the event the covered entity’s PHI was specifically affected in the Change breach incident.  For example, if Change is the covered entity’s direct BA, then Change would need to notify the covered entity once it determines (or reasonably believes that) the covered entity’s PHI was specifically affected. However, if Change is the subcontractor of another HIPAA Business Associate of the covered entity, then Change would need to notify its HIPAA Business Associate, that would in turn have to then notify the covered entity that PHI was compromised by Change in its capacity as its subcontractor.  In light of this, covered entities should consider producing a list of all of the systems that were affected when Change went offline. That will then allow it to determine which vendors to look to and seek clarification from what their process for Breach Notification will be if they receive notification from Change that their PHI was affected. It is also possible that Change could make arrangements with those vendors to make their notifications to affected customers on their behalf.   

  1. Finally, if your organization was utilizing Change Management (or whose business associates utilize Change Management as a subcontractor) and was affected by the widespread incident, put your insurance carrier(s) on notice that you may have experienced a potential breach of PHI as a result of the Change breach. 

It remains an open question whether Change Healthcare/UHG should be solely responsible for Breach Notification to the extent the breach occurred in its capacity as a CE Clearinghouse. Many in our circle brought this up months ago when the breach first happened in February. If Change Healthcare is a CE Clearinghouse and is independently responsible for complying with HIPAA, irrespective of any business associate arrangements it may also have, it would be directly and solely responsible for HIPAA Breach Notifications.  However, as discussed above under the “Two Hat” situation, many of its functions potentially overlap so it may be hard to determine whether the breach occurred in its capacity as a HIPAa Business Associate or as a CE Clearinghouse, or both.  The updated FAQs are not convincing that OCR is treating Change Healthcare/UHG solely as a covered entity with independent breach notification obligations at this point in its investigation.   

Additionally, OCR’s updated FAQ do not definitively place Breach Notification responsibility solely on Change Healthcare/UHG. The updated FAQ from OCR refers repeatedly to Change providing Breach Notification on behalf of affected covered entities. This strongly suggests that OCR is not ruling out the possibility that Change was acting as a HIPAA Business Associate with respect to PHI affected by the cybersecurity incident. If anything, the updated FAQ indicate that OCR is clarifying that it is up to the affected covered entities and Change Healthcare/UHG to determine which entity should be responsible for reporting, and that only one entity needs to report, which may be Change Healthcare. 

OCR states that it is still in the process of investigating Change Healthcare/UHG and its subsidiaries, according to the updated FAQ — so we may see additional clarification from OCR to the FAQs over the next few weeks. Any updates will be posted here:  Change Healthcare Cybersecurity Incident Frequently Asked Questions | HHS.gov