The Medical Group Management Association is seeking clarity from the HHS' Office for Civil Rights regarding who carries the burden of providing HIPAA-required breach notifications to both the federal government and affected patients following the Change Healthcare cyberattack.
The MGMA said in an April 25 letter to the office that it is encouraged by recent public statements from Change's parent company UnitedHealth Group committing to "provide appropriate notifications" and stating it "has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer."
"At the same time, no prudent medical group can rely on vague promises in a press release containing no specifics with respect to either timing or implementation. To our knowledge, no MGMA member has actually received from Change or United the promised 'offer,' in writing or otherwise," MGMA said in the letter.
MGMA added that physician practices are facing mounting concerns about their own regulatory exposure should UnitedHealth Group not fulfill its promises "to the satisfaction" of the Office for Civil Rights.
"Further, as more patients become aware of the possible disclosures of their sensitive PHI and PII, they will turn to their providers for information and assurances, neither of which can currently be provided," the letter said.
MGMA is seeking a clear statement from the Office for Civil Rights that:
- The responsibility of breach notifications "rests solely with Change and United."
- Providers that are "completely innocent in this unique situation will be spared any regulatory scrutiny."
- The HHS Office for Civil Rights "will ensure that Change and United fulfill the promises they have made in a prompt and transparent manner."