The Department of Health and Human Services (HHS) has reversed its decision and granted Change Healthcare the authority to file breach notifications on behalf of organizations affected by a ransomware attack. Previously, HHS had required each impacted organization to file its own breach notices, leading to frustration among thousands of healthcare facilities still grappling with financial repercussions from the attack. Change Healthcare, a major player in medical records processing, will now manage the HIPAA breach notifications, offering relief to the overwhelmed healthcare sector.
With Change Healthcare responsible for approximately one-third of medical records and half of medical claims in the U.S., the breach’s magnitude is significant. The CEO of UnitedHealth, Change Healthcare’s parent company, testified to Congress that about one-third of Americans had their information accessed by the hackers. HHS aims to ensure that all individuals affected by the breach are notified promptly, emphasizing the importance of informing millions of Americans about the breach’s impact on their health data.
The announcement by HHS resolves confusion and dissatisfaction among healthcare entities nationwide, as hundreds of organizations had asked for clarification on notification responsibilities. Industry associations have welcomed HHS’s decision, emphasizing its practicality and effectiveness in alleviating burdens on healthcare providers. The decision aligns with calls from healthcare stakeholders to streamline the notification process and minimize additional costs and complexities for organizations already struggling with the aftermath of the cyberattack.