CHA News

Change Healthcare Cyberattack Raises Privacy Breach Implications 

What’s happening: CHA has analyzed public information to help hospitals better understand privacy implications stemming from the Change Healthcare cyberattack in late February.  

What else to know: The cyberattack raises the question of whether affected hospitals must report a breach to patients or to government officials under the Health Insurance Portability and Accountability Act (HIPAA) or state breach reporting laws.  

This analysis is based upon publicly available information. Hospitals with additional information about a potential breach incident should consult experienced privacy counsel about possible reporting obligations. 


At this time, Change Healthcare has not reported a breach to the Department of Health and Human Services Office of Civil Rights (OCR). Because the HIPAA deadline for reporting a breach may not yet have passed, the lack of a report could mean: 

  • Change Healthcare believes there was no reportable breach of unsecured protected health information under HIPAA.
  • Change Healthcare believes there was a reportable breach but is waiting until closer to the deadline to report.  
  • Change Healthcare has not completed its internal investigation and does not yet know whether there was a reportable breach. 
  • Law enforcement has asked Change Healthcare to delay making a report. 

OCR has opened an investigation even without a report, stating:  

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident. OCR’s investigation of Change Healthcare and UHG (UnitedHealth Group) will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules. OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.” 


Hospitals that work with Change Healthcare likely have a business associate agreement (BAA) with it. Under HIPAA, the BAA must include a clause requiring Change Healthcare (the business associate) to notify the hospital (the covered entity) of a breach within 60 days of discovery (which could have been around Feb. 21). California hospitals should have included a clause in the BAA requiring a quicker reporting time frame so that the hospital could, if necessary, report to the California Department of Public Health (CDPH) within 15 business days, as required by state law.

The preamble to the HIPAA breach notification interim final rule states that business associates and covered entities have the flexibility to include in the BAA specific obligations for each party, such as who will provide notice to patients and when the notification from the business associate to the covered entity is required following a breach. In fact, the preamble encourages parties to a BAA to ensure that patients do not receive notifications from both the covered entity and the business associate, as duplicate notifications about the same breach may confuse patients [74 Fed. Reg. 42740, 42754-42755 (Aug. 24, 2009)]. However, the covered entity is ultimately responsible for ensuring the breach notification is provided. If the business associate fails to do so for any reason, the covered entity must do so. 

If it is determined that a breach of unsecured protected health information has occurred, the hospital community will work with Change Healthcare to encourage it to make necessary notifications. 

California Law 

Hospitals are subject to two state breach reporting laws. Health and Safety Code Section 1280.15 requires hospitals to notify CDPH and affected patients within 15 business days of discovery of the breach by the business associate. If there was a reportable breach as defined in state law, the deadline could have passed as early as March 13 — although it may not yet have passed. Whether it has passed depends upon Change Healthcare’s knowledge about, and analysis of, the cyberattack. CHA is keeping CDPH apprised of the Change Healthcare situation. 

Civil Code Section 1798.82, which also applies to California hospitals, requires businesses to notify California residents of a “breach of the security of the system,” which means an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the business. This law does not require businesses to report when a business partner has experienced a breach, so California hospitals will not need to make any notifications under this law.