
Over 100 medical organizations want clarity in Change cyberattack

AMA and others want HHS to affirm that UnitedHealth Group alone bears responsibility for notifying patients of potentially stolen PHI.

Susan Morse, Executive Editor


The American Medical Association and more than 100 other medical organizations are asking for official affirmation that providers are not responsible for HIPAA reporting requirements arising from the Change Healthcare cyberattack.

In a letter to Health and Human Services Secretary Xavier Becerra, the AMA and other health groups want Becerra and Office of Civil Rights officials to confirm that no entity other than Change or its parent companies, Optum and UnitedHealth Group, bears responsibility for legal reporting, including notifying the countless patients who may have had their personal information stolen in the February ransomware attack.

While UnitedHealth Group has said it is responsible for ensuring individuals are notified, it also said it may delegate the responsibility, with an offer to help ease reporting obligations, the letter said.

Providers want federal officials to make clear that UHG alone is responsible for HIPAA notifications, and specifically want the OCR to clarify that UnitedHealth Group is responsible for notifying each affected individual. Change has said the notifications could cover a substantial proportion of people in America, according to the letter.

The providers also want UHG to fulfill reporting obligations to the OCR, attorneys general and media outlets.

Providers want assurances that they will not be held responsible for HIPAA violations related to any personal health information potentially stolen in the ransomware attack.

"We are writing to request more clarity around reporting responsibilities and assure affected providers that reporting and notification obligations will be handled by Change Healthcare," said the letter dated May 20. "OCR should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare's breach."
The number of providers affected is so numerous that a specific number is not available, the letter said.

Despite Change's assurances that the company has seen no evidence of exfiltration of materials such as doctors' charges and full medical histories, the letter said, information from provider members indicates that certain data may have been compromised.

"Numerous providers continue to grapple with the far-reaching consequences of this incident, and financial recovery remains elusive as the situation continues to get fully resolved," the letter said. "This has been exacerbated by a lack of clarity and definitive information offered by UHG and Change Healthcare. Since the attack became known, concerns among our members have mounted related to what could – from all indications – amount to the largest breach of the healthcare sector. Change Healthcare processes claims on behalf of hundreds of thousands of clinicians and providers, and several terabytes of possibly protected health information are alleged to have been stolen and held for ransom."
A breach report is still forthcoming from UHG, according to the letter.

UHG has said, the groups stated, that "'while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may vary, depending on the circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.'"

The letter was signed by the AMA, individual state medical associations and other groups representing physicians and related organizations.

Email the writer: SMorse@himss.org