Medical Organizations Seek Clarity on HIPAA Reporting Responsibilities After Change Healthcare Cyberattack
The American Medical Association and over 100 medical organizations are seeking clarity on HIPAA reporting responsibilities in the wake of the Change Healthcare cyberattack. Providers are urging Health and Human Services Secretary Xavier Becerra to confirm that only Change Healthcare, Optum, and UnitedHealth Group are responsible for legal reporting, including notifying affected patients.
UnitedHealth Group (UHG) has stated it will ensure individuals are notified but may delegate the responsibility. Providers are calling for federal officials to clarify that UHG alone is responsible for HIPAA notifications and reporting obligations to the HHS Office for Civil Rights (OCR), attorneys general, and media outlets. They want assurances that they will not be held accountable for any HIPAA violations related to the cyberattack.
The number of affected providers is significant, with concerns about the potential compromise of protected health information. Providers are struggling with the aftermath of the attack and the lack of clarity from UHG and Change Healthcare. The breach is believed to be one of the largest in the healthcare sector, with terabytes of potentially stolen data.
A breach report from UHG is still pending, and providers are anxiously awaiting more information. The letter, signed by the AMA and other medical organizations, emphasizes the need for clear communication and accountability in the aftermath of the cyberattack.