Multiple hospital groups are urging the U.S. Department of Health and Human Services to hold UnitedHealth's subsidiary Change Healthcare accountable for providing breach notifications regarding its February cyberattack.
Groups such as the American Medical Association, CHIME, Texas Medical Association and more wrote a letter May 20 to Xavier Becerra, secretary of the HHS, asking to clarify how it intends to enforce HIPAA-related reporting requirements when it comes to the Change Healthcare incident.
"We are writing to request more clarity around reporting responsibilities and assure affected providers that reporting and notification obligations will be handled by Change Healthcare," the letter reads. "OCR should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare's breach."
Additionally the groups wrote that clinicians and providers have not received sufficient confirmation from OCR that HIPAA breach reporting and notification requirements related to this incident are the responsibility of UnitedHealthcare and Change Healthcare.
In an April 22 news release from UnitedHealth Group, the company said it would provide a breach notification once it learned what kind of information was compromised. The company also said it would handle notifications and associated administrative tasks for any provider or customer that was affected by the breach.