More than 100 medical organizations want clarity on Change cyberattack
The American Medical Association and more than 100 other medical organizations are requesting official affirmation that providers are not responsible for HIPAA reporting requirements due to the Change Healthcare cyberattack.
In a joint letter to Health and Human Services Secretary Xavier Becerra, the AMA and other health groups want Becerra and Office for Civil Rights officials to confirm that no entity other than Change or parent companies Optum and UnitedHealth Group is responsible for legal reporting, including notification of countless patients who may have had their personal information stolen in the February ransomware attack.
While UnitedHealth Group said it is responsible for ensuring individuals are notified, it also said it can delegate the responsibility, with an offer to help ease notification obligations, the letter states.
Providers want federal authorities to make clear that UHG is solely responsible for HIPAA notifications. Providers want OCR to clarify that UnitedHealth Group is responsible for notifying each affected individual. Change said the notifications could cover a substantial proportion of people in the United States, according to the letter.
Providers also want UHG to comply with reporting obligations to OCR, attorneys general, and the media.
Providers want assurances that they will not be held liable for HIPAA violations related to any personal health information potentially stolen in the ransomware attack.
“We are writing to request more clarity on notification responsibilities and to assure affected providers that reporting and reporting obligations will be handled by Change Healthcare,” the letter dated May 20 said. “The OCR must publicly state that its breach investigation and immediate remediation efforts will be focused on Change Healthcare, and not the providers affected by the Change Healthcare breach.”
WHY DOES IT MATTER
The number of affected providers is so large that a specific number is not available, the letter said.
Despite Change’s assurances that the company saw no evidence of exfiltration of materials such as doctor’s fees and complete medical histories, the letter said, information from provider members indicates that certain data may have been compromised.
“Multiple vendors continue to grapple with the far-reaching consequences of this incident, and financial recovery remains elusive as the situation continues to be fully resolved,” the letter states. “This has been compounded by the lack of clarity and definitive information provided by UHG and Change Healthcare. Since the attack became known, concerns have increased among our members regarding what could – by all appearances – constitute the industry’s largest breach. Change Healthcare processes claims on behalf of hundreds of thousands of doctors and providers, and several terabytes of potentially protected health information were allegedly stolen and held for ransom.”
THE BIGGEST TREND
A violation report will still be sent by UHG, according to the letter.
UHG said, the groups stated, that “‘although the covered entity is ultimately responsible for ensuring that individuals are notified, the covered entity may delegate the responsibility for providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to notify the individual, which may vary depending on the circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has a relationship with the individual.’”
The letter was signed by the AMA, individual state medical associations, and other groups representing physicians and related organizations.
Send an email to the writer: SMorse@himss.org