Change Healthcare Cyberattack: The HIPAA Fallout

Published On: May 2, 2024

In the most recent press release on the Change Healthcare cyberattack, parent company UnitedHealth Group (UHG) acknowledged that, “Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.” While UHG states that the press release “is not an official breach notification,” details in the press release raised concerns among covered entities about their HIPAA-related obligations.

The UHG press release came just days after the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) updated its Change Healthcare Cybersecurity Incident FAQs (FAQ). OCR announced in March that, given the “unprecedented magnitude of the cyberattack,” it would initiate an investigation into both Change Healthcare and UHG, instead of waiting for a breach report to be submitted. In the updated FAQ, OCR clarified:

  1. OCR has not received any breach reports from Change Healthcare, UHG or any affected health care entities.
  2. If the Change Healthcare cyberattack meets the definition of a breach under 45 CFR 164.402, breach notifications will be required for individuals, the Secretary of HHS and the media (for breaches affecting over 500 individuals).
  3. Covered entities may delegate the responsibility of providing required breach notifications to a business associate.

UHG stated that it will likely take “several months” to identify and notify impacted customers and individuals. While awaiting such notice, covered entities should assess whether to delegate their HIPAA-related notification requirements to Change Healthcare, if breach notification is required and Change Healthcare offers to make the notifications. When evaluating whether to continue to contract with Change Healthcare and/or with other entities that contract with Change Healthcare, covered entities should take into consideration Change Healthcare’s HIPAA-related responses, including how updates are communicated, whether it offers to make any required breach notifications and the outcome of the investigation by OCR.

To learn more about what covered entities should do when their business associate experiences a cyberattack, join Feldesman Partner Dianne K. Pledgie on May 21 for the webinar, What to Do When Your Business Associate Experiences a Breach.


For questions regarding the Change Healthcare cyberattack or other cybersecurity matters, please contact Dianne K. Pledgie at dpledgie@feldesman.com or 202.466.8960.

