In response to the Feb. 21 cyberattack on Change Healthcare, the American Hospital Association (AHA) has petitioned the HHS for guidance on breach reporting requirements for hospitals and health systems. In a letter addressed to Melanie Fontes Rainer, acting director of the Office for Civil Rights (OCR) at the HHS, the AHA seeks clarification on whether hospitals are obligated to notify patients if protected health information is compromised as a result of the cyberattack on Change Healthcare. Expressing concerns over potential duplicative breach notifications, the AHA emphasizes the need for a unified notification process to avoid confusion and unnecessary costs for hospitals and patients alike.
The AHA asserts that Change Healthcare, as a covered entity, holds the responsibility for notifying both the OCR and affected individuals in the event of a breach. Emphasizing the importance of a streamlined approach to breach notification, the AHA underscores HIPAA’s authorization for Change Healthcare to issue notifications, even when acting as a business associate. While awaiting clarification from the HHS, the AHA advocates for a consolidated notification process to ensure patients receive coherent and concise information regarding any potential breaches, alleviating the burden on hospitals already grappling with the aftermath of the cyberattack on Change Healthcare.