HHS: Report Change Healthcare Breach; CMS Research Data Restriction Opposed

As the fallout from a February cyberattack against Change Healthcare continues, the HHS Office for Civil Rights (OCR) has created a dedicated website and reminded HIPAA covered entities (CEs) using the claims and prescription drug processor as their business associate (BA) that they are required to follow the Breach Notification Rule.

Yes, that generally means universities’ medical schools, teaching affiliates and hospitals that use Change Healthcare to process claims, prescriptions or other transactions that involve protected health information (PHI) must notify OCR, the media and affected patients within 60 calendar days of knowledge of the breach resulting from the Change Healthcare attack.

In other security-related news, the HHS Centers for Medicare & Medicaid Services (CMS) is facing pressure from the Association of American Medical Colleges (AAMC) and others about its plan to discontinue “delivery of physical data extracts in support of external research projects,” a change it announced in February.[1] Although it has revised the implementation timeline twice, CMS has not dropped its plans.

In what the American Hospital Association (AHA) termed “the most significant and consequential cyberattack on the U.S. health care system in American history,”[2] officials with UnitedHealthcare Group (UHG), Change Healthcare’s parent, confirmed in February they were “experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat.”

Although the situation is evolving, as of RRC’s deadline, media reports indicate United Healthcare paid ALPHV $22 million for the return of what the group said was six terabytes of data—only to have a new group called RansomHub claim ALPHV stole the $22 million and that it has four terabytes of “highly selective data.”[3]

According to AHA, “Change Healthcare is the predominant source of more than 100 critical functions that keep the health care system operating. Among them, Change Healthcare manages the clinical criteria used to authorize a substantial portion of patient care and coverage, processes billions of claims, supports clinical information exchange, and processes drug prescriptions. Significant portions of Change Healthcare’s functionality have been crippled. As a result, patients have struggled to get timely access to care and billions of dollars have stopped flowing to providers, thereby threatening the financial viability of hospitals, health systems, physician offices and other providers.”

This document is only available to subscribers. Please log in or purchase access.

Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field