UnitedHealth needs to be solely responsible for HIPAA notifications after Change Healthcare breach, letters demand

On May 31, HHS’s Office for Civil Rights (OCR) clarified that UnitedHealth Group can send out HIPAA-required notifications to patients whose data was leaked during the February hack on its subsidiary Change Healthcare. However, OCR stopped short of saying the insurer was responsible, leaving providers in regulatory limbo.

UnitedHealth has agreed to take responsibility for notifications, since it was a breach of its systems that exposed patient data. However, should it fail to follow through, the ONC’s latest update to its FAQ document about the incident still places the liability on providers.

Now, both members of the Senate and the Medical Group Management Association (MGMA) have published their own statements, demanding UnitedHealth be held solely responsible for distributing notifications.

“UnitedHealth claims to have been undertaking a comprehensive analysis to identify and notify impacted individuals and has committed that the company will ‘make notifications and undertake related administrative requirements on behalf of any provider or customer.’ However, as of June 6, UnitedHealth continues to be in violation of HIPAA, which requires covered entities to notify individuals of a known or suspected data breach within 60 days of discovering the breach. UHG must also formally notify impacted business partners, including health care providers, in accordance with HIPAA and state law,” the June 7 letter signed by senators Margaret Wood Hassan (D-NH) and Marsha Blackburn (R-TN) stated. 

In their message addressed to UnitedHealth CEO Andrew Witty, Hassan and Blackburn also request that the company comply by sending out the notifications before June 21, a deadline that is fast approaching without any timeline having been given by the insurer.

In its own communication, MGMA stated plainly that the insurer needs to be held “fully and solely responsible for all HIPAA breach notification requirements.” In its June 12 letter addressed to the ONC, MGMA cited its concerns with the ambiguity in the FAQ document, and asked the regulatory agency to definitively state that “no action needs to be taken by providers to ensure [UnitedHealth] fulfill these obligations,” and that “providers are protected from regulatory scrutiny in connection with breach notifications” that are rightfully the responsibility of UnitedHealth.

“To make thousands of individual providers guarantors of [UnitedHealth’s] compliance is neither reasonable nor practical, especially in these unique circumstances. It also undermines the supposed advantage of making [UnitedHealth] primarily responsible,” MGMA said. 

MGMA acknowledges a breach of this magnitude is unprecedented and challenges the boundaries of HIPAA regulations—which is why clarity from regulators is the only thing that can ease the anxiety of providers.

A follow-up from the ONC will likely come via an update to its FAQ document.

Chad Van Alstin, Health Imaging / Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
