Vitalii Gulenok/istock via Getty

Physician groups seek clarity on Change Healthcare breach notification requirements

In a letter to OCR, the MGMA expressed concerns about Change Healthcare breach notification obligations for the many physician practices impacted by the incident.

In a recent press release, UnitedHealth Group (UHG) confirmed that data was compromised during the Change Healthcare cyberattack. While UHG has yet to complete its data review, its initial investigation suggests that the breach “could cover a substantial proportion of people in America.”

In the same press release, UHG offered to make breach notifications to impacted patients on behalf of its customers in order to ease individual notification obligations. This news was encouraging to the Medical Group Management Association (MGMA), the group stated in letter to HHS Office for Civil Rights (OCR) Director Melanie Fontes Ranier following UHG’s press release.

“At the same time, no prudent medical group can rely on vague promises in a press release containing no specifics with respect to either timing or implementation,” MGMA acknowledged.

“To our knowledge, no MGMA member has actually received from Change or United the promised ‘offer,’ in writing or otherwise.”

MGMA noted that patients who learn about potential disclosures of their sensitive health data will likely look to their providers for answers. Currently, impacted providers are not able to deliver those answers.

MGMA is seeking clarity from OCR on the breach reporting and notification requirements for impacted physician practices. Specifically, the group is looking for confirmation that responsibility for breach notifications “rests solely with Change and United,” and that providers will be spared regulatory scrutiny by OCR.

MGMA also stressed its expectation that OCR will ensure that UHG fulfills the promises it has made to patients and healthcare customers.

OCR has not issued a public response to this letter specifically, but it recently launched an FAQ page for covered entities to consult regarding the Change Healthcare cyberattack.

In the FAQ guidance, OCR noted that covered entities have 60 calendar days from the date of discovery of a breach to file a breach report with OCR. Once that report is filed, OCR will verify the incident and post it on the HHS Breach Portal within about 14 days.

OCR also stated that covered entities that are affected by the Change Healthcare cyberattack will also be required to file breach notifications unless they can demonstrate that there is a “low probability that the PHI has been compromised.”

Given the magnitude of this breach, it is unlikely that many covered entities who used Change Healthcare as their primary clearinghouse would be exempt from filing a breach notification.

“HIPAA regulated entities affected by this incident should contact Change Healthcare and UHG with any questions on how HIPAA breach notification will occur,” the FAQ concluded.

OCR said it would update its FAQ page as needed.

Next Steps

Dig Deeper on HIPAA compliance and regulation