The Change Healthcare cyberattack in February disrupted normal business operations for just about every DME supplier in the country. Beyond that, the attack represents a huge, if not yet fully understood, unauthorized disclosure of protected health information, or PHI. As covered entities, DME suppliers are ultimately responsible for notifying their affected customers, the Department of Health and Human Services (HHS), and in some cases, the media.


DME Suppliers are Ultimately Responsible for Breach Notifications Related to the Change Healthcare Breach

In a series of FAQs posted on May 31, 2024, the HHS Office for Civil Rights (OCR) made it clear in FAQ #12 that “… covered entities are responsible for ensuring that HHS, affected individuals, and, where applicable, the media, are timely notified of the breach of unsecured PHI.” As the covered entity using Change Healthcare’s services, whether directly or indirectly through billing software, each DME supplier is responsible for the reporting requirements even though the breach occurred wholly at its business associate. The good news is that covered entities can delegate the actual disclosure and reporting tasks. In FAQ #8, OCR wrote:
“A covered entity may delegate to its business associate the tasks of providing these required notifications on the covered entity’s behalf. Only one entity – which could be the covered entity itself or its business associate – needs to complete notifications to affected individuals, the HHS Secretary, and where applicable the media.”
Change Healthcare Will Handle Disclosures Unless the Covered Entity Opts Out

In its own set of FAQs, Change Healthcare’s parent company UnitedHealth Group (UHG) indicated that Change will send individual notices for its affected covered entity customers. In response to the question, “Will I have to do my own notifications?” UHG wrote:
“To reduce burdens on impacted customers, [Change Healthcare] will validate addresses and will draft and send direct notice letters to those individuals determined to be affected through data review attributable to specific customers, and for whom [Change Healthcare] has sufficient addresses, on behalf of impacted covered entity customers — unless those customers opt out by the specific deadline.”
Required Elements in Individual Notifications

OCR FAQ #6 lays out the elements covered entities must include in required reports and individual notifications. They include:
  1. Brief description of the breach.
  2. Description of the types of information involved in the breach.
  3. Steps affected individuals should take to protect themselves from potential harm related to the breach.
  4. Brief description of what the covered entity or business associate is doing to investigate the breach, mitigate harm, and prevent further breaches.
  5. Contact information for the covered entity (or business associate, as applicable).
To satisfy their responsibilities, DME suppliers will need either to complete the required notifications and reporting themselves or to delegate the tasks to Change Healthcare by not opting out of the vendor’s offer to issue notices. Suppliers that delegate still need to verify that Change completes the required tasks. Next week, we’ll explore the expected deadlines for the required reporting and disclosures.