91ÊÓƵ

Topics
Reimbursement
39 healthcare providers sue UnitedHealth Group over Change cyberattack
39 providers sue UHG over Change cyberattack
Revenue Cycle Management
RCM accelerates cash and secures financial healthÌý
RCM accelerates cash and secures financial healthÌý
Strategic Planning
MD Anderson forms oncology partnership with Zambia
MD Anderson forms oncology partnership with Zambia
Capital Finance
HCA Healthcare reaches $17.5 billion in revenue in Q2
HCA Healthcare reaches $17.5B in revenue in Q2
Supply Chain
FDA tells providers to prepare for supply chain disruptions
FDA to providers: Prepare for supply chain disruptions
Accounting & Financial Management
Elevance Health logs $2.3 billion profit in Q2
Elevance Health logs $2.3 billion profit in Q2
Budgeting
Insurers likely to pay $1.1 billion in rebates this fall
Insurers likely to pay $1.1 billion in rebates this fall
Quality and Safety
Hospitals making progress on combating workplace violence
Hospitals making progress on combating workplace violence
Billing and Collections
No Surprises Act implementation coincided with in-network claims growth
NSA implementation coincided with in-network claims growth
Claims Processing
Johns Hopkins Health Plans announces multi-payer portal
Johns Hopkins Health Plans announces multi-payer portal
Workforce
Social media deterring new nurses from entering the field
Social media deterring new nurses from entering the field
Operations
HHS overhauling its tech, cybersecurity and AI functions
HHS overhauling tech, cybersecurity and AI functions
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
UC Davis kicks off $3.74 billion expansion with new patient tower
UC Davis kicks off $3.74 billion expansion
Compliance & Legal
DaVita paying $34 million over kickback allegations
DaVita paying $34 million over kickback allegations
Policy and Legislation
Pair of bills seek to curb nursing shortage
Pair of bills seek to curb nursing shortage
Community Benefit
Nonprofit hospitals' charity care falling behind tax breaks, report shows
Report: Hospitals' charity care falling behind tax breaks
Accountable Care
Cone Health is second provider to join Risant Health
Cone Health is second provider to join Risant Health
Acute Care
ERs in limbo after Supreme Court ruling on emergency abortion care
ERs in limbo after Supreme Court ruling on emergency abortion care
Ambulatory Care
Walmart announces closing of clinics and virtual care
Walmart is closing clinics and virtual care
Analytics
Lightbeam Health announces partnership with AHIPÌý
Lightbeam Health announces partnership with AHIPÌý
Business Intelligence
Cigna targeting disparities with health equity impact fund
Cigna targeting disparities with health equity impact fund
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blockingÌý
Financial disincentives for providers who commit information blockingÌý
Medicare & Medicaid
Uninsured rate to rise to 8.9% by 2034, CBO finds
CBO: Uninsured rate to rise to 8.9% by 2034
Patient Engagement
Johns Hopkins offering free tuition for low-income earners
Johns Hopkins offering free tuition for low-income earners
Pharmacy
FTC reportedly to sue three largest pharmacy benefit managers
FTC reportedly to sue three largest pharmacy benefit managers
Population Health
White House to award $45.1 million for expanded mental health
White House to award $45.1M for expanded mental health
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Patients less likely to seek virtual behavioral care when paying out-of-pocket
Patients who pay cost-sharing less likely to seek virtual care
Mergers & Acquisitions
GE HealthCare nabs AI ultrasound company for $51 million
GE HealthCare nabs AI ultrasound company for $51 million
View more
May 21 More on Compliance & Legal

Over 100 medical organizations want clarity in Change cyberattack

91ÊÓƵ and others want HHS to affirm that UnitedHealth Group alone bears responsibility for notifying patients of potentially stolen PHI.

Susan Morse, Executive Editor

Photo: Reza Estakhrian/Getty Images

The American Medical AssociationÌýand more than 100 other medical organizations are asking for official affirmation that providers are not responsible for HIPAA reporting requirements due to the Change Healthcare cyberattack.

In aÌýÌýto Health and Human Services Secretary Xavier Becerra, the 91ÊÓƵ and other health groupsÌýwant Becerra and the Office of Civil Rights officials to confirm that no other entity other than Change or parent companies Optum and UnitedHealth Group bear responsibility for legal reporting, including notifying the countless number of patients who may have had their personal information stolen in the February ransomware attack.

While UnitedHealth Group has said it is responsible for ensuring individuals are notified, it also said it may delegate the responsibility, with an offer to help ease reporting obligations, the letter said.

Providers want federal officials to make clear that UHG alone is responsible for HIPAA notifications. Providers want the OCR to clarify that UnitedHealth Group is responsible for notifying each affected individual. Change has said the notifications could cover a substantial proportion of people in America, according to the letter.

The providers also want UHG to fulfill reporting obligations to the OCR, attorneys general and media outlets.Ìý

Providers want assurances that they will not be held responsible for HIPAA violations related to any personal health information potentially stolen in the ransomware attack.

"We are writing to request more clarity around reporting responsibilities and assure affected providers that reporting and notification obligations will be handled by Change Healthcare," said the letter dated May 20. "OCR should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare's breach."Ìý

WHY THIS MATTERS

The number of providers affected is so numerous that a specific number is not available, the letter said.Ìý

Despite Change's assurances that the company has seen no evidence of exfiltration of materials such as doctors' charges and full medical histories, the letter said, information from provider members indicate that certain data may have been compromised.

"Numerous providers continue to grapple with the far-reaching consequences of this incident, and financial recovery remains elusive as the situation continues to get fully resolved," the letter said. "This has been exacerbated by a lack of clarity and definitive information offered by UHG and Change Healthcare. Since the attack became known, concerns among our members have mounted related to what could – from all indications – amount to the largest breach of the healthcare sector. Change Healthcare processes claims on behalf of hundreds of thousands of clinicians and providers, and several terabytes of possibly protected health information are alleged to have been stolen and held for ransom."Ìý

THE LARGER TREND

A breach report is still forthcoming from UHG, according to the letter.

UHG has said, the groups stated, thatÌý"'while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may vary, depending on the circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.'"

The letter was signed by the 91ÊÓƵ, individual state medical associations and other groups representing physicians and related organizations,Ìý

Ìý

Email the writer: SMorse@himss.org

News
Healthcare organizations ask HHS to delay quality measure reporting for ACOs Healthcare organizations ask HHS to delay quality measure reporting for ACOs The American Hospital Association and American Medical Association are among the 11 organizations signing the letter.