MGMA wants Change to take responsibility for HIPAA breach notifications

 MGMA wants Change to take responsibility for HIPAA breach notifications

Photo: FS Productions/Getty Images

MGMA has sent a letter to the Department of Health and Human Services’ Office for Civil Rights seeking clarity on whether providers or Change Healthcare will be responsible for alerting affected patients that their personal health information may have been compromised. 

The burden of HIPAA-required breach notifications should fall to Change, MGMA said.

“We are encouraged by UHG’s press release from Monday where they state they will make breach notifications and ‘undertake related administrative requirements on behalf of any provider or customer’ however, medical groups cannot rely on vague promises in a press release that contains no specifics,” MGMA said. “Our members are currently facing mounting concerns about their regulatory exposure should UHG not fulfill their promises to the satisfaction of OCR.”

MGMA is asking the OCR to make a clear statement that responsibility for breach notifications rests solely with Change and its parent company, UnitedHealth Group, and that providers that are completely innocent in this unique situation and will be spared any regulatory scrutiny, and to ensure that Change and United fulfill the promises they have made in a prompt and transparent manner.


On Monday, UnitedHealth made clear it had paid a ransom in efforts to protect patient information. It also confirmed on its status update page that files containing personal health information and personally identifiable information were posted on the dark web for about a week.

The files “could cover a substantial proportion of people in America,” the company said.

“Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals,” UnitedHealth said.


Change Healthcare discovered it was hit by the cyberattack on February 21. Change, which is owned by UnitedHealth subsidiary Optum, disconnected its claims processing services.

The subsequent disruption continues to affect the claims processing and revenue for hospitals and physician practices.

Email the writer:

Source link

Related post

Leave a Reply

Your email address will not be published. Required fields are marked *