HHS: Change Healthcare can make data breach notifications in lieu of hospitals

Change Healthcare can notify patients whose sensitive health information has been exposed as a result of the massive security breach at the health care payments clearinghouse in February, the Department of Health and Human Services said Friday.

This long-awaited update from the federal agency answers questions from hospitals and doctors around the country, who were worried they would have to track down the roughly 30% of Americans whose data may have been stolen. Federal law requires health care providers to inform patients when their data has been exposed.

Just last week, over 100 provider industry groups sent a letter to HHS secretary Xavier Becerra asking the agency’s Office of Civil Rights, which handles HIPAA data breaches, to clarify that Change Healthcare and its parent company UnitedHealth Group are responsible for finding and notifying affected customers, not individual hospitals, doctors’ offices, and other health care providers.

STAT+ Exclusive Story

Already have an account? Log in

This article is exclusive to STAT+ subscribers

Unlock this article — plus daily market-moving biopharma analysis — by subscribing to STAT+.

Already have an account? Log in

Already have an account? Log in

Individual plans

Group plans

Monthly

$39

Totals $468 per year

$39/month Get Started

Totals $468 per year

Starter

$30

for 3 months, then $39/month

$30 for 3 months Get Started

Then $39/month

Annual

$399

Save 15%

$399/year Get Started

Save 15%

11+ Users

Custom

Savings start at 25%!

Request A Quote Request A Quote

Savings start at 25%!

2-10 Users

$300

Annually per user

$300/year Get Started

$300 Annually per user

View All Plans

Get unlimited access to award-winning journalism and exclusive events.

Subscribe

Log In