HHS office explains UnitedHealth data breach notice responsibility

Brokers and other business associates should talk to the covered entities, not the people affected, officials say.

Credit: ABCreative/Adobe Stock

Federal regulators classify typical benefits brokers and consultants as “business associates” under the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, not as HIPAA “covered entities.”

Do HIPAA business associates have any responsibility for breach notifications when a HIPAA-covered entity they work with is affected by a cyberattack?

Officials at the U.S. Department of Health and Human Services Office for Civil Rights tackle that question in a new answer to a “frequently asked question” about the massive ransomware attack on UnitedHealth’s Change Healthcare health care data services unit. The officials added the answer last week to the bottom of an existing list of FAQ answers.

The conclusion: Business associates should start by giving the relevant information they have to the covered entity, not to the affected individuals, but a covered entity can delegate responsibility for the notifications to a business associate.

“To the extent possible, a business associate is required to provide the covered entity with the identification of each individual affected by the breach,” officials say.

The HHS civil rights office has handled HIPAA interpretation and compliance enforcement for years. It assembled a collection of data security resources, along with the FAQs, after UnitedHealth reported that its Change Healthcare health data services unit had been hit by a major ransomware attack.

The hackers may have stolen protected health information, or PHI, on a large share of the U.S. population: about half of all U.S. health insurance claims flow through the Change electronic claim clearinghouse, according to comments Minnesota officials made in 2022, when UnitedHealth was acquiring Change.

The civil rights office officials posted an answer to this question: “Who is responsible for ensuring that individuals affected by the Change Healthcare breach receive notification?”

Although a hospital, health insurer or other covered entity can choose to share the notification job with its business associates, “covered entities are responsible for ensuring that HHS, affected individuals, and, where applicable, the media, are timely notified of the breach of unsecured PHI,” officials write in their answer.

The people personally affected by a breach need fast notification of the incident to take steps to protect themselves, officials say.

“Business associates are responsible for ensuring that HIPAA covered entities are timely notified of the breach of unsecured PHI,” officials say.


Business associates are also expected to provide the covered entities with whatever information they hold about the affected individuals that must go into the breach notices.

“Because we allow this information to be provided to a covered entity after the initial notification of the breach as it becomes available, a business associate should not delay the initial notification to the covered entity of the breach in order to collect information needed for the notification to the individual,” officials add.
