The March 21 letter, addressed to Melanie Fontes Rainer, acting director of the Office for Civil Rights at HHS, asks the agency to clarify breach reporting for hospitals and other providers in connection with the Change Healthcare hack.
“We remain concerned, however, that OCR may require hospitals to make breach notifications to HHS and affected individuals, if it is later determined that a breach occurred,” the letter reads. “We are seeking additional clarification that hospitals and other providers do not have to make additional notifications if UnitedHealth Group and Change Healthcare are doing so already.”
The AHA stated that Change Healthcare should be responsible for notifying individuals if their protected health information has been compromised due to the attack.
“As a covered entity, Change Healthcare has the duty to notify OCR and the impacted individuals. Even where Change Healthcare acts as a business associate, HIPAA authorizes Change Healthcare to issue these notifications for a more streamlined approach,” the letter reads.
The AHA is seeking a “unified notification process” so that patients don’t receive multiple notifications regarding the same breach.
“Our concern is simply that requiring breach notifications in these circumstances will confuse patients and impose unnecessary costs on hospitals, particularly when they have already suffered so greatly from this attack,” the letter reads.
UnitedHealth Group’s Change Healthcare has not stated whether protected health information has been compromised due to the cyberattack.