
[Transcript] Episode 421: What You Need to Know About Breach Reporting If Your Practice Was Impacted By The Change Healthcare Debacle

 

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to TherapyNotes.com and use promo code PCT.

 

Evan Dumas 

Hello, and welcome to Episode 421: What You Need to Know About Breach Reporting If Your Practice Was Impacted By The Change Healthcare Debacle.

 

Liath Dalton 

Hello, everybody, and welcome. We know this is a topic that induces a lot of anxiety, understandably, and that’s exactly why we are talking about it though. Because there is some recent clarifying guidance from the good folks at the OCR, the Office of Civil Rights, who are the HIPAA administrators, that really should help dispel some of that anxiety and distress for a lot of you who have been in this kind of strange limbo state while waiting for further information from Change Healthcare, the breach notification on their part as business associates, et cetera, which has been the state that you’ve been having to exist in.

 

Liath Dalton 

So while we don’t yet have anywhere near what is sufficient or reasonable, let alone required, from Change Healthcare, we do have clarifying guidance from the OCR, who is very, very aware of all of the ways that Change Healthcare is failing to meet their obligations as a HIPAA Business Associate and as a HIPAA covered entity. And so not only are they investigating Change Healthcare, but they have provided clarification around covered entities’ obligations around breach reporting.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So basically, the lay of the land is that this massive cyber attack happened. The, or the discovery of it, happened on or about February 21, 2024. At the time of recording, so that is, oh, Evan, about how many days ago?

 

Evan Dumas 

Oh, more than 60.

 

Liath Dalton 

More than 60! Yes, bingo. And why is that 60-day marker significant?

 

Evan Dumas 

Yeah. So you know, we talk about breaches, small breaches and large breaches. And we’re like, you know, generally don’t worry, you probably won’t have a large one. This is definitely a large one. And large breaches, you have 60 days. That’s the HHS limit. We’re going to talk about state ones later on. But it says if you have a large one, once you find out, you have 60 days to report it.

 

Liath Dalton 

Exactly. So that 60 days, and actually let me back up for a second, and say that a large breach is defined as an unauthorized use or disclosure of protected health information that impacts 500 or more individuals.

 

Evan Dumas 

Within one state, it turns out. I found out those 500 individuals, they need to be in one jurisdiction, which is interesting.

 

Liath Dalton 

So I don’t know, Evan, how many times over,

 

Evan Dumas 

Oh, man.

 

Liath Dalton 

is this?

 

Evan Dumas 

The, that’s the thing is, we don’t have numbers for it. We do know that Change Healthcare is involved in one out of every three healthcare transactions, billing transactions, and

 

Liath Dalton 

Massive.

 

Evan Dumas 

it’s quite a lot. Oh the central in 15 billion transactions, okay, annually. So,

 

Liath Dalton 

Billion. With a B.

 

Evan Dumas 

So it’s, it’s more than a couple more than a couple hundred.

 

Liath Dalton 

Yes.

 

Liath Dalton 

So then a sort of the waterfall from that is practices who, like the most typical example where the Change Healthcare breach and ransomware attack is impacting folks in our community is if Change Healthcare was one of the clearinghouses that you were utilizing, or that was connected to your EHR or practice management system.

 

Liath Dalton 

Right? And those of you running group practices, it is pretty easy to have more than 500 clients, and therefore more than 500 or more impacted or potentially impacted individuals. The challenge, though, is that Change Healthcare has not notified the covered entity customers to whom they are acting as a Business Associate,

 

Evan Dumas 

Mhm. Nope.

 

Liath Dalton 

of the breach itself, of the potential, of the information that was potentially exposed. Now, that’s normally part and parcel of what breach notification entails:

 

Liath Dalton 

here is the information that was potentially exposed. Because that’s important information to know, both to notify the potentially impacted individuals and for the mitigation and containment measures and sort of deployment of those mitigation protocols that most folks have in place. So in the absence of that, there has understandably been a lot of concern of, okay, the clock has been ticking. It’s ticked past, well past, the 60-day timeframe.

 

Evan Dumas 

Oh yeah.

 

Evan Dumas 

Oh, yeah.

 

Liath Dalton 

Change Healthcare hasn’t done breach notification. And the main question that I’ve been seeing is, am I, as a HIPAA covered entity, who’s potentially impacted by this or whose clients’ PHI, that I’m responsible for safeguarding, is impacted by this,

 

Evan Dumas 

Yeah.

 

Liath Dalton 

do I now need to do the breach notification? And how do I do that, if I don’t even know if my clients’ information was impacted?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Or, if so, what of their information was potentially impacted or exposed.

 

Evan Dumas 

Right.

 

Liath Dalton 

So, that’s setting the scary scene, but fortunately, we have some good news.

 

Evan Dumas 

Oh, yeah.

 

Liath Dalton 

Evan in your role as like, consoler in chief,

 

Evan Dumas 

Haha, yeah, Good News Provider, exactly.

 

Evan Dumas 

Yes.

 

Evan Dumas 

So,

 

Liath Dalton 

What is it?

 

Evan Dumas 

the good news, the good news here is that your responsibilities to tell your clients don’t kick in until you hear from your business associates. Also, okay, so that’s really good, basically, because they’ve dropped the ball. You gotta wait till they pick it up, and then say, oh, no, we messed up, tell your people, before you can tell your people.

 

Evan Dumas 

And another, I just want to add in another piece of good news, because why not? You can delegate to them. So you can delegate to your business associate the responsibility of notifying the people affected. Now they actually, uh, United Healthcare and Change Healthcare have actually, or, United Health Group have, like, offered to notify people, etc. Upon request, of course, they haven’t actually,

 

Liath Dalton 

As well they bloody should.

 

Evan Dumas 

Oh, of course.

 

Evan Dumas 

But you can task them to do it. Saying, Hey, you come talk to all my clients. I actually wouldn’t do that, because I don’t know, it seems like they’ve lost a lot of trust in this. And I’m like

 

Liath Dalton 

Mhm.

 

Evan Dumas 

that involves giving them your client list. Oh, no, that would be awful.

 

Liath Dalton 

Right.

 

Evan Dumas 

But you don’t have to do anything until they get their act together. And it doesn’t seem like that’s happening anytime soon. Also on the good news, while we’re on it, there were two different Senate hearings about this, about a month or so ago, where they had the CEO out and were saying, hey, what happened? This is bad. What are you doing about it? And they, you know, obviously were a little shamed and whatnot, but there is motion. There are people looking into this.

 

Liath Dalton 

Yes. So what I really want the main takeaway for everyone to be is that if you have any inkling that your clients’ data was potentially impacted by the Change Healthcare breach, like that your practice has any connection with Change Healthcare or United Health Group, and you have been wondering how that therefore impacts your responsibilities and requirements for breach reporting, and how on earth can I possibly manage this appropriately, given the lack of information etc., but the already past deadlines? Take a deep breath. You are good.

 

Evan Dumas 

Yeah. Go ahead and do nothing.

 

Liath Dalton 

You, you are covered. Now, of course, there’s the other consideration of this has been something super kind of publicized in the media, right?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And so clients may be aware, you may have already fielded some questions, or a team member may have fielded some questions of, hey, I’ve been seeing all these news stories about this big breach and ransomware attack, and is my information potentially at risk or included in that? And if you’ve been trying to figure out how to navigate those and respond to those in a way that, you know, has transparency and is supportive of maintaining a strong therapeutic alliance and making your clientele feel that they have good reason to, you know, just trust that you are safeguarding their info and doing everything within your power to do so. That is totally reasonable.

 

Liath Dalton 

And I don’t think, unfortunately, that there is a like template response for how to handle those. There are going to be a lot of particulars that are going to depend, kind of, on the population that you or your practice and your clinicians work with. But I’m hoping that basically, you’re being equipped with more knowledge about how the OCR and HHS are investigating this, and providing clarification to covered entities, gives you a little bit of a, like, one more tool in your toolbox for being able to respond to client concerns or questions as they arise.

 

Liath Dalton 

And if you are someone who has a really strong inclination towards being proactive, rather than reactive, wherever possible, and you’re thinking, can I get out ahead of this in any way? And should I go ahead and try to file a breach report? Like, does that provide any degree of CYA? And we always say CYA is self care.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

I’ll say our kind of default position at this point is that there is no particular material benefit to doing a preemptive breach notification to the OCR or to clients, given the context of this whole situation, and given the very explicit clarifying guidance from the OCR directly.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Right? Your not filing a breach report now is not going to result in any punitive consequences. Because that just is not within the realm of what the OCR is looking for. And they are, you know, they have their eyes and attention focused on Change Healthcare, and how to, I think, use their scrutiny and investigation to try and move along the compliance actions of Change Healthcare in a way that is supportive of covered entities and ultimately, of the individuals whose information has been potentially compromised.

 

Liath Dalton 

So all that to say, just like take a deep breath, and if you are thinking that there would be anything prudent about filing a breach report prior to receiving breach notification from Change Healthcare, I’d say take a beat, take a breath, and consult with a local, and by local I mean licensed in your state of practice, HIPAA attorney.

 

Evan Dumas 

Yup, exactly.

 

Liath Dalton 

And, you know, maybe also just reach out to the local chapter of your professional association as well, to see if they’ve got any guidance on it. But our position, and that of the attorneys that we collaborate with, is: Yep, HHS, the OCR, have provided what is totally reasonable and appropriate guidance.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

And I actually want to take a step back to say that this highlights something about how HIPAA, as a regulatory framework that is administered by a government agency, actually functions in practice. Right? There is sort of, not a misconception, like, but a reasonable concern, I would say, that some folks have that because it is this clearly defined regulatory guideline that has specific timeframes defined, there is no flexibility that takes into account when things are just wonky.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Like they are now.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And I want to say that the way that the OCR has handled this, both in terms of opening the investigation, and then providing regular updates and FAQs to covered entities, and included in that being a yes, the timeframe has elapsed, but no, that does not result in any consequences for you, and you as a covered entity who is potentially impacted by this are not in any way yet liable or responsible for what has occurred, highlights the fact that this is a reasonable and, like, practically applicable framework.

 

Evan Dumas 

Oh, yeah, definitely.

 

Liath Dalton 

Right?

 

Evan Dumas 

Yeah. Yeah, it works.

 

Liath Dalton 

Yeah, it works. And this is proof of that in action. So, you know, I wish that we had even more specificity to provide all of you with, an, okay, here’s the information that was potentially exposed, like the nature and extent of the breach, and here’s when you need to do your part by, but that is just not obtainable.

 

Liath Dalton 

And so, we didn’t want to delay addressing this, again, with this updated specificity and, like, really valuable reassurance. So hopefully, this helps set some folks’ minds at ease and provides a little reassurance as you, I don’t know, hopefully are winding down for some summer travels or other endeavors. So we will keep you apprised of developments, but that is a really significant one for now.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And one that we’re glad to be making because it’s not an oh, shoot sort of situation. It’s an ah, okay.

 

Evan Dumas 

That’s nice. Yeah.

 

Liath Dalton 

Yeah, I mean, given what a messed up situation it is. It is a big sigh of relief still.

 

Evan Dumas 

Yeah, yep. Just keep on waiting.

 

Liath Dalton 

Keep on keepin’ on. All right. Alright, folks, we will see you next week. Thanks for joining us. And in the meantime, take good care.

 

Evan Dumas 

Yeah, talk to you next week, everybody.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at PersonCenteredTech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.

Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we’re updating group practice owners on the Change Healthcare breach. 

We discuss recent guidance from the OCR (the Office of Civil Rights); how Change Healthcare is failing to meet their obligations as a HIPAA Business Associate and as a HIPAA Covered Entity; breach reporting requirements; 3 important pieces of good news for practice owners; how you can talk to clients about this; and whether we recommend preemptively reporting this breach on your own.

Resources are available for all Group Practice Tech listeners below:

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

Resources & further information

Direct Resources:

PCT Resources:

  • PCT CE Training: HIPAA Security Incidents & Breaches: Investigation, Documentation, and Reporting (1.5 legal-ethical CE credit hour on-demand, self-study video course)
  • HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
  • Group Practice Care Premium
    • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
    • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
    • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more 
