CHIME, AHIMA, the American Medical Association, and most state medical associations have penned a letter to the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) to request more clarity around reporting responsibilities related to the Change Healthcare data breach.

The ransomware attack on Change Healthcare, first reported on Feb. 21, has been disruptive throughout the healthcare sector. UnitedHealth, parent company of Change, estimated that the breach’s costs could reach $1.6 billion.

In their letter to OCR, the provider organizations stressed that OCR should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare’s breach. 

The organizations said they want OCR to reassure the provider community regarding breach reporting obligations under HIPAA, and to clarify that is the responsibility of the covered entity that experienced the breach — United Health Group (UHG) — to fulfill its obligations in regard to reporting the breach to OCR, notifying each affected individual, as well as any further HIPAA breach reporting requirements that may be applicable, such as notifying state Attorneys General and media outlets. 

“Numerous providers continue to grapple with the far-reaching consequences of this incident, and financial recovery remains elusive as the situation continues to get fully resolved,” the letter states. “This has been exacerbated by a lack of clarity and definitive information offered by UHG and Change Healthcare.”

UHG has stated they “are committed to doing everything possible to help and provide support to anyone who may need it. The company has also said that “to help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.” 

The organizations wrote that while they appreciate these statements, they are concerned that without further guidance from OCR, clinicians and providers have not received sufficient confirmation from OCR that HIPAA breach reporting and notification requirements related to this incident are the responsibility of UHG/Change Healthcare as the HIPAA covered entity that experienced the breach of unsecured PHI. 

The provider organizations want OCR to affirm that the breach was perpetrated upon Change Healthcare, whose status as a healthcare clearinghouse makes it a covered entity under HIPAA and thus responsible for the breach of any PHI which it processes or facilitates the processing of. “Because Change Healthcare experienced impermissible access to unsecured PHI that it processed on behalf of other covered entities, no entity other than Change Healthcare, its parent company, UnitedHealth Group, and their corporate affiliates such as Optum, bears responsibility for this breach and is under any legal reporting or notification obligation as a result of it,” the letter stated.

In addition to most state medical societies, other organizations that co-signed the letter include: 
College of Healthcare Information Management Executives (CHIME)
American Health Information Management Association (AHIMA)
American Medical Association

American Academy of Allergy, Asthma & Immunology

American Academy of Dermatology 
American Academy of Emergency Medicine

American Academy of Facial Plastic and Reconstructive Surgery
American Academy of Family Physicians 



Please enter your comment!
Please enter your name here