UnitedHealth Group must take responsibility for informing people about privacy breaches resulting from the Change Healthcare cyberattack, the Health and Human Services Department announced Friday.
Providers, health insurance companies and other affected entities may direct UnitedHealth Group, which operates Change Healthcare through its Optum subsidiary, to notify their patients, customers and business partners under the Health Insurance Portability and Accountability Act of 1996, the HHS Office for Civil Rights, or OCR, said in a news release and an FAQ webpage.
“Ensuring patient privacy is one of the pillars of HIPAA,” OCR Director Melanie Fontes Rainer said in the news release. “We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”
UnitedHealth Group previously disclosed that the February ransomware attack exposed personal information about a “substantial proportion” of Americans and volunteered to notify affected people on behalf of other parties.
"We appreciate OCR clarifying that providers and other HIPAA covered entities can delegate their notice obligations to Change, which reiterates our previously stated preference to ease the reporting obligations of our customers," a UnitedHealth Group spokesperson wrote in an email.
Providers had sought clarification from HHS about how HIPAA notification rules applied in these circumstances.
"OCR must affirm its position that the breach was perpetrated upon Change Healthcare, whose status as a healthcare clearinghouse makes them a covered entity under HIPAA and thus responsible for the breach of any [protected health information] which it processes or facilitates the processing of," the American Medical Association and dozens of physician groups wrote to HHS Secretary Xavier Becerra on May 20.
The American Hospital Association welcomed the HHS announcement. "Not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack," AHA General Counsel Chad Golder said in a news release.
Under HIPAA, UnitedHealth Group must provide affected individuals with descriptions of the incident, what data were compromised, how the company responded to the attack, how the company can be reached and what individuals can do to protect themselves.
In March, the Office for Civil Rights launched a probe into whether UnitedHealth Group complied with HIPAA and whether protected health information was compromised.