Associations Ask OCR for Clarity on Change Healthcare Breach Reporting

May 20, 2024
Office for Civil Rights should publicly state that UnitedHealth Group is responsible for all breach reporting obligations related to the ransomware attack, letter states

CHIME, AHIMA, the American Medical Association, and most state medical associations have penned a letter to the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) to request more clarity around reporting responsibilities related to the Change Healthcare data breach.

The ransomware attack on Change Healthcare, first reported on Feb. 21, has been disruptive throughout the healthcare sector. UnitedHealth, parent company of Change, estimated that the breach’s costs could reach $1.6 billion.

In their letter to OCR, the provider organizations stressed that OCR should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare’s breach. 

The organizations said they want OCR to reassure the provider community regarding breach reporting obligations under HIPAA, and to clarify that it is the responsibility of the covered entity that experienced the breach — UnitedHealth Group (UHG) — to fulfill its obligations in regard to reporting the breach to OCR, notifying each affected individual, and meeting any further HIPAA breach reporting requirements that may be applicable, such as notifying state Attorneys General and media outlets.

“Numerous providers continue to grapple with the far-reaching consequences of this incident, and financial recovery remains elusive as the situation continues to get fully resolved,” the letter states. “This has been exacerbated by a lack of clarity and definitive information offered by UHG and Change Healthcare.”

UHG has stated they “are committed to doing everything possible to help and provide support to anyone who may need it.” The company has also said that “to help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.”

The organizations wrote that while they appreciate these statements, they are concerned that, without further guidance, clinicians and providers have not received sufficient confirmation from OCR that HIPAA breach reporting and notification requirements related to this incident are the responsibility of UHG/Change Healthcare as the HIPAA covered entity that experienced the breach of unsecured PHI.

The provider organizations want OCR to affirm that the breach was perpetrated upon Change Healthcare, whose status as a healthcare clearinghouse makes it a covered entity under HIPAA and thus responsible for the breach of any PHI which it processes or facilitates the processing of. “Because Change Healthcare experienced impermissible access to unsecured PHI that it processed on behalf of other covered entities, no entity other than Change Healthcare, its parent company, UnitedHealth Group, and their corporate affiliates such as Optum, bears responsibility for this breach and is under any legal reporting or notification obligation as a result of it,” the letter stated.

In addition to most state medical societies, other organizations that co-signed the letter include:
College of Healthcare Information Management Executives (CHIME)
American Health Information Management Association (AHIMA)
American Medical Association
American Academy of Allergy, Asthma & Immunology
American Academy of Dermatology
American Academy of Emergency Medicine
American Academy of Facial Plastic and Reconstructive Surgery
American Academy of Family Physicians
