In the June 2024 issue of the Advisor®, we published a brief article about the attack and a link to the FAQ page that the Department of Health and Human Services (HHS) had put in place to help answer questions about the incident. Since then, additional questions and answers have been added to that page.
You can view the page here: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html
Many practices have been unsure of their responsibilities with regard to this incident, and some have received communications from Change Healthcare that have led to more confusion. In general, Change Healthcare has taken responsibility for notifying patients affected by the breach, so no further action is required on the part of most practices. See the following statement: “To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.” In addition, note that only one entity is responsible for making notification. In this case, Change Healthcare/UnitedHealth Group is taking on the responsibility, so you are freed from the obligation.
In a couple of cases, Change didn’t have sufficient information to notify the patients directly, so Change sent a letter to the practice whose patients were affected. Eagle Associates advises such practices to reach out to Change to see if they at least have the names or other identifiers of the affected patients so that your practice need not make a substitute notice to all patients. If identifying information were provided, you as the covered entity could make a notification to the few patients that Change could not reach. This would help you avoid making a general notification to all patients, which could lead to more questions, alarm, etc.