100+ groups ask OCR for clarification on HIPAA requirements after Change Healthcare hack
More than 100 healthcare associations have sent a letter to the Department of Health and Human Services Office of Civil Rights (OCR) requesting clarification on reporting responsibilities related to the Change Healthcare hack. Specifically, the groups want assurance the burden for notifying patients won’t fall on providers.
The letter, dated May 20, is signed by a number of medical associations and physicians groups, including the American Medical Association.
While Change Healthcare’s parent company UnitedHealth Group agreed during a Senate hearing to make notifications after they’ve completed their investigation, the signers want confirmation from the OCR that they will instruct UnitedHealth to follow through.
“Given UnitedHealth Group’s statement that it is prepared to fulfill these reporting and notification requirements, it appears that it would be a quick and straightforward matter for OCR to confirm publicly that the HIPAA breach notification and reporting requirements are applicable to UnitedHealth Group and not to the affected providers,” they wrote.
The medical associations added that “clinicians and providers have not received sufficient confirmation from OCR that HIPAA breach reporting and notification requirements” are in actuality UnitedHealth’s responsibility. The undersigned do not want providers to be blindsided by having to send out data breach notifications, as Change Healthcare was ultimately “the HIPAA covered entity which experienced the breach of unsecured PHI.”
Despite the statement from UnitedHealth, HIPAA requirements still say the burden of notifying patients about their data being exposed to hackers falls on providers. However, given the unique magnitude of this breach—which impacted more than a third of all Americans but came from a single source—existing regulation on how to proceed is unclear.
The groups reminded the OCR that the Change breach has caused “chaos in the provider community” through no fault of their own and said that OCR’s “silence on this point is disappointing.” They added that while they appreciate UnitedHealth taking responsibility, the insurer also has yet to release a plan or timetable for when it will send out the required notifications, leaving providers in limbo.
At the end of the letter, they told the OCR that the “chief responsibility” of provider groups is patient care, not administrative burdens.
The extent of the February data breach on Change Healthcare is still not clear. UnitedHealth previously said it will take months to learn exactly how many people were impacted.