CHA News

Hospitals Can Require Change Healthcare to Make Breach Notifications

What’s happening: The Department of Health and Human Services (HHS) announced that hospitals and health systems can require UnitedHealth Group to notify patients if their data was stolen during the Change Healthcare cyberattack on Feb. 22.  

What else to know: CHA is urging the California Department of Public Health to make a similar clarification under state law.  

The updated FAQs specifically make clear that:  

  • Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the task of providing the required Health Insurance Portability and Accountability Act (HIPAA) breach notifications on their behalf. 
  • Only one entity — which could be the covered entity itself or Change Healthcare — needs to complete breach notifications to affected individuals, HHS, and, where applicable, the media.
  • If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the Health Information Technology for Economic and Clinical Health Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.