MGMA seeks clarity on responsibility for breach notifications following Change Healthcare attack

It says medical practices can’t rely on “vague” promises from company

Cyberattack text on computer screen ©Elena Uve-stock.adobe.com

The Medical Group Management Association (MGMA) wants clarification from the government as to who is responsible for reporting breaches of data protected under the Health Insurance Portability and Accountability Act (HIPAA) following the February cyberattack on Change Healthcare.

In an April 25th letter to the director of the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), MGMA senior vice president for government affairs Anders Gilberg cites “confusion” over how much protected data the attack has disclosed, to whom, and who will be responsible for providing breach notifications to OCR and to patients.

Gilberg acknowledges the offer made by Change Healthcare’s parent company, UnitedHealth Group, in an April 22nd news release to notify and “undertake related administrative requirements on behalf of any provider or customer” affected by the cyberattack.

“At the same time, no prudent medical group can rely on vague promises on a press release containing no specifics with respect to either timing or implementation,” Gilberg wrote, adding that no MGMA member has yet received an offer of assistance from either Change or United.

In United’s press release, its CEO Andrew Witty admitted it will likely be several more months until enough information is available to identify and notify those affected by the attack on Change. He said United is “committed to doing everything possible to help and provide support to anyone who may need it.”

Gilberg warned that as more patients learn of possible disclosures of their protected health information and personally identifiable information, “they will turn to their providers for information and assurances, neither of which can currently be provided.” With that in mind, he asked for “a clear statement” from OCR that:

  • responsibility for breach notifications rests solely with Change and United;
  • providers will be spared any regulatory scrutiny; and
  • OCR will ensure that Change and United fulfill their promises in a “prompt and transparent manner.”

Witty is scheduled to appear at a May 1 Congressional committee meeting to discuss the attack on Change and its aftereffects.
