WSHA members have expressed concern about state and federal breach notification requirements they may have in conjunction with the Change Healthcare Cyberattack, which was first reported on February 21, 2024. The purpose of this message is to provide information we can offer at this time. This information may be incomplete due to the rapidly evolving nature of this event. It should also not be relied upon as legal advice and hospitals are strongly encouraged to consult with their attorneys regarding steps to take.
Assess for breach. To date, Change has not indicated whether any protected health information (PHI) was compromised in the attack. HIPAA covered entities like Change have 60 days after discovering a data breach to notify affected individuals that their personal information has been compromised. For breaches affecting more than 500 people, the company must also notify federal regulators and prominent media outlets. UnitedHealth has so far not given such a notice. Nonetheless, hospitals that do business with Change can assess now whether there is any indication of a breach, especially in the areas where their systems interface with Change. They should continue to monitor and assess for breach as more information about the attack is revealed.
What constitutes a breach. According to the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security regulations, a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
There are other steps hospitals can take now. WSHA would like to refer members to this Dear Colleague letter issued by the Office for Civil Rights in the Department of Health and Human Services, which is charged with HIPAA enforcement. It states, “While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.” This statement reminds hospitals that they can get ahead of this issue by reviewing now the obligations, both their own and Change’s, contained in the business associate agreements (BAAs) they have in place. Examples of these obligations include breach notification timing and who provides the notice, indemnification, and insurance requirements.
Washington state has its own breach notification rules. Please see this WSHA bulletin for guidance on state law data breach reporting. State law aligns with HIPAA, but if notification is required under HIPAA for a breach involving PHI, notice must also be made to the Washington State Attorney General. Also, if there was a breach involving non-PHI data that qualifies as “Personal Information” under state law, separate reporting requirements apply.
The American Hospital Association has released guidance in consultation with its attorneys at Jones Day. If you are an AHA member, we encourage you to review this guidance as well.
If you have questions, please do not hesitate to reach out.