100+ groups ask OCR for clarification on HIPAA requirements after Change Healthcare hack

Chad Van Alstin | May 22, 2024 | Health Exec | Cybersecurity

More than 100 healthcare associations have sent a letter to the Department of Health and Human Services Office of Civil Rights (OCR) requesting clarification on reporting responsibilities related to the Change Healthcare hack. Specifically, the groups want assurance the burden for notifying patients won’t fall on providers.

The letter, dated May 20, is signed by a number of medical associations and physicians groups, including the American Medical Association.

While Change Healthcare’s parent company UnitedHealth Group agreed during a Senate hearing to make notifications after they’ve completed their investigation, the signers want confirmation from the OCR that they will instruct UnitedHealth to follow through.

“Given UnitedHealth Group’s statement that it is prepared to fulfill these reporting and notification requirements, it appears that it would be a quick and straightforward matter for OCR to confirm publicly that the HIPAA breach notification and reporting requirements are applicable to UnitedHealth Group and not to the affected providers,” they wrote.

The medical associations added that “clinicians and providers have not received sufficient confirmation from OCR that HIPAA breach reporting and notification requirements” are in actuality UnitedHealth’s responsibility. The undersigned do not want to providers blindsided by having to send out data breach notifications, as Change Healthcare was ultimately “the HIPAA covered entity which experienced the breach of unsecured PHI.”

Despite the statement from UnitedHealth, HIPAA requirements still say the burden of notifying patients about their data being exposed to hackers falls on providers. However, given the unique magnitude of this breach—which impacted more than a third of all Americans but came from a single source—existing regulation on how to proceed is unclear.

The groups reminded the OCR that the Change breach has caused “chaos in the provider community” through no fault of their own and called the “silence on this point is disappointing.” They added that while they appreciate UnitedHealth taking responsibility, the insurer also has yet to release a plan or timetable for when it will send out the required notifications, leaving providers in limbo.

At the end of the letter, they told the OCR that the “chief responsibility” of provider groups is patient care, not administrative burdens.

The extent of the February data breach on Change Healthcare is still not clear. UnitedHealth previously said it will take months to learn exactly how many people were impacted.

Related Articles:

Breached Change Healthcare server lacked multifactor authentication, UnitedHealth CEO admits
Hackers were inside Change Healthcare’s systems 9 days before attack
Massive data trove from Change Healthcare hack now for sale on dark web
Change Healthcare faces second ransom as cybercriminals leak stolen data
HHS to investigate Change Healthcare cyberattack
Chad Van Alstin Health Imaging Health Exec
Chad Van Alstin

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Related Content

UnitedHealth needs to be solely responsible for HIPAA notifications after Change Healthcare breach, letters demand
HHS releases DDoS attack response plan
Q&A: Healthcare cybersecurity advocate fears damage from Change Healthcare breach has only begun
HHS: ‘Who is responsible for ensuring that individuals affected by the Change Healthcare breach receive notification?’
Private equity investment in healthcare down 20% as regulatory pressures mount
HHS launches $50M security initiative to thwart ransomware attacks at hospitals

Design by Adaptive Theme
Trimed Popup
Trimed Popup