MGMA asks OCR: Hold UHG responsible for HIPAA breach notifications

In a letter to the Office for Civil Rights, the Medical Group Management Association asked HHS to ensure its provider members will be held blameless and that UnitedHealth and Change Healthcare will take on the administrative work of alerting customers.
By Mike Miliard
11:03 AM


In yet another ripple from the Change Healthcare cyberattack, the Medical Group Management Association has sought assurances from HHS' Office for Civil Rights that the onus for sending HIPAA breach notifications to affected patients would fall squarely on Change and its parent company – and not physician practices and other providers.

WHY IT MATTERS
UnitedHealth Group issued a press release this week in which, in addition to other updates, it pledged that it would "help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack," and offered to "make notifications and undertake related administrative requirements on behalf of any provider or customer."

While MGMA says it appreciated that gesture, it is asking HHS to weigh in – ensuring that Change Healthcare and UHG will follow through on that promise, taking on the significant burden of sending breach notices as required by HIPAA.

The association is also asking HHS to offer clarity that healthcare providers that are "completely innocent in this unique situation will be spared any regulatory scrutiny."

In an April 25 letter to Melanie Fontes Rainer, director of HHS' Office for Civil Rights, MGMA's SVP for government affairs, Anders Gilberg, said the 15,000 medical group practices it represents "have been drastically impacted by the cyberattack" on Change Healthcare.

"Disruption to the daily operations of medical groups has been severe and is ongoing," said Gilberg. "While MGMA appreciates the steps [HHS] has taken, along with the efforts of Change and its parent, UnitedHealth Group, many challenges remain.

"Of immediate concern is confusion surrounding the extent to which protected health information and personally identifiable information have been improperly disclosed," he added, "to whom, and on whom the burden of providing HIPAA-required breach notifications to both your office and affected patients will fall."

While MGMA is "encouraged by recent public statements from United" about its offer to handle the work of breach notifications, he said, "no prudent medical group can rely on vague promises in a press release containing no specifics with respect to either timing or implementation."

THE LARGER TREND
More than two months since it first occurred, the aftereffects of the Change Healthcare breach continue to reverberate across the healthcare industry and pose fundamental challenges for providers and other health organizations.

OCR is already probing the privacy implications for patients affected by the breach of "unprecedented magnitude," as Fontes Rainer described it in March.

But the attack also posed much more fundamental problems for many providers, especially small practices. A recent report from the American Medical Association found that 31% of small practices said they could not make payroll since the clearinghouse attack – and more than half of respondents said they'd used personal funds to cover expenses.

"These survey data show, in stark terms, that practices will close because of this incident, and patients will lose access to their physicians," said AMA president Dr. Jesse M. Ehrenfeld, in a statement.

The added burden of having to deal with the administrative work of patient outreach and regulatory probes would be more than many could handle, says MGMA.

ON THE RECORD
"To our knowledge, no MGMA member has actually received from Change or United the promised 'offer,' in writing or otherwise," said Gilberg in the letter to OCR about HIPAA notifications. "Physician practices currently face mounting concerns about their own regulatory exposure should United not fulfill these promises to the satisfaction of your office.

"Further, as more patients become aware of the possible disclosures of their sensitive PHI and PII, they will turn to their providers for information and assurances, neither of which can currently be provided," he added.

"What the health sector needs, and for which we ask on behalf of our members, is a clear statement from your office that: 1) Responsibility for breach notifications rests solely with Change and United; 2) Providers that are completely innocent in this unique situation will be spared any regulatory scrutiny; and 3) Your office will ensure that Change and United fulfill the promises they have made in a prompt and transparent manner."

Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.
