Breach Notification Responsibility

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure (#HCdeJure)

When the likely inevitable data breach occurs, who is responsible for sending the notice? Does the answer change when a breach is bigger? Does the answer change because a business associate is involved? Understanding ahead of time is informative, especially since the issue has been thrown into the spotlight by the big breach at Change Healthcare.

What Does HIPAA Say?

The starting point is the Breach Notification Rule. The Breach Notification Rule sets the specific requirements for sending out notices about a data breach. The requirement is clear in the rule. The covered entity is responsible for sending the notification as written in the rule.

“A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been accessed, acquired, used, or disclosed as a result of such breach.” 45 C.F.R. 164.404(a)(1)

The language is clear. However, just because the Breach Notification Rule says the covered entity shall provide the notice, the words don’t necessarily mean that the covered entity needs to be the actual entity providing the notice.

Business Associate Breaches

The question of which entity bears responsibility for providing the data breach notice becomes a more frequent topic of discussion when a breach occurs at the business associate level. Unfortunately, that is also a more frequent occurrence as cyberattacks and other intrusion attempts turn to business associates.

As noted above, the Breach Notification Rule is clear that the covered entity needs to provide the notice. However, Business Associate Agreements will often include provisions around the breach notification. Depending on which party drafts the Business Associate Agreement and/or has more leverage in negotiations, the obligations could be shifted around a bit.

Specifically, Business Associate Agreements can include variations on some of these themes:

  • Require the business associate to pay for the costs of notification incurred by the covered entity;
  • Require the business associate to send the breach notification to affected individuals (usually subject to review and approval by the covered entity); or
  • Give the covered entity the option of choosing who will provide the notice and pay for it.

The variable terms underscore that just because the Breach Notification Rule requires the covered entity to give notice, the rule doesn’t mean the covered entity is prohibited from contractually obtaining assistance from another entity or just assigning the responsibility altogether.

The Change Healthcare Situation

In light of that background, the still relatively recent massive data breach that impacted Change Healthcare offers a more public view of the entire data breach process. The biggest issue in the Change Healthcare scenario has been the public calls from various covered entities and trade associations for Change Healthcare to be solely responsible for providing the data breach notification. Another issue causing concern among covered entities was a statement from the Office for Civil Rights (OCR) that OCR would look not just at Change Healthcare but covered entities too for broader HIPAA issues.

Leaving aside the potential investigation issue, the biggest outcry was to make Change Healthcare bear the cost of providing all of the breach notifications for what many viewed as its issue. Since Change Healthcare is a large entity, it is a fairly safe guess that not many of the Business Associate Agreements executed with Change Healthcare included language shifting responsibility away from each applicable covered entity. Absent a shift of responsibility in the Business Associate Agreement or another agreement, the covered entity would retain the obligation. The size and scope of the Change Healthcare incident threw the issue into a different light.

After all of the public calls for action, OCR updated its position about responding to the Change Healthcare breach on May 31, 2024. In the update, OCR specifically stated that covered entities can delegate the breach notification obligation in this instance to Change Healthcare. It is a welcome development that arguably bows to the practical reality of the situation.

However, what is the regulatory basis for OCR allowing the delegation? As OCR points out in the rest of its Frequently Asked Questions about the Change Healthcare incident, the Breach Notification Rule is clear that the covered entity has the responsibility to send the notices, and it provides no regulatory basis for assigning or delegating that responsibility. While there should be no expectation that Change Healthcare would object to the requirement, the question remains of how OCR could announce this modification. It is not an “emergency” situation similar to a natural disaster or other incident in which OCR does have the authority to waive HIPAA compliance obligations.

What Happens Next Time?

If OCR pushed for the change in this instance, will it do so again in the future? It is an open question and one that could invite a challenge if it happens again. It is also an important issue to sort out given the increased targeting of business associates to inappropriately get to patient information. From a different perspective, could this spur a call to just modify the Breach Notification Rule? All good questions and ones to not let slide away.

This article was originally published on The Pulse blog and is republished here with permission.