MGMA Asks OCR: Hold UHG Accountable for HIPAA Breach Notifications

In yet another ripple from the Change Healthcare cyberattack, the Medical Group Management Association has sought assurances from HHS’ Office for Civil Rights that the responsibility for sending HIPAA breach notices to affected patients would rest entirely with Change and its parent company, and not with doctors’ offices and other providers.

WHY IT MATTERS
UnitedHealth Group issued a press release this week in which, among other updates, it pledged that it would “help alleviate reporting obligations for other stakeholders whose data may have been compromised as part of this cyberattack” and offered to “provide notices and undertake related administrative requirements on behalf of any provider or customer.”

While MGMA says it appreciated this gesture, it is asking HHS to intervene and ensure that Change Healthcare and UHG honor this commitment and take on the significant burden of sending out breach notices, as required by HIPAA.

The association also asks HHS to provide clarity that healthcare providers “are completely innocent and will be spared any oversight in this unique situation.”

In a letter dated April 25 and addressed to Melanie Fontes Rainer, director of HHS’ Office for Civil Rights, MGMA’s Senior VP for Government Affairs Anders Gilberg said the 15,000 medical group practices it represents have been “dramatically affected by the cyberattack” on Change Healthcare.

“The disruption to the daily operations of medical groups has been severe and continues,” Gilberg said. “While MGMA appreciates the steps that (HHS) has taken, along with the efforts of Change and its parent company, UnitedHealth Group, many challenges remain.

“Of immediate concern is the confusion over the extent to which protected health information and personally identifiable information have been improperly disclosed,” he added, “to whom and on whom the burden of providing HIPAA-required breach notifications to both your office and the affected patients will fall.”

While MGMA is “encouraged by recent public statements from United” about its offer to handle the work of breach notifications, he said, “no prudent medical group can rely on vague promises in a press release that contains no details regarding timing or implementation.”

THE BIG TREND
More than two months after it first occurred, the fallout from the Change Healthcare breach continues to ripple across the healthcare industry and pose fundamental challenges for providers and other healthcare organizations.

OCR is already investigating the privacy implications for patients affected by the breach, whose scale Fontes Rainer described in March as “unprecedented.”

But the attack also created much more fundamental problems for many providers, especially small practices. A recent report from the American Medical Association found that 31% of small practices said they have been unable to earn wages since the clearinghouse attack, and more than half of respondents said they had used personal money to cover costs.

“This survey data shows in stark terms that practices will close because of this incident and patients will lose access to their doctors,” AMA President Dr. Jesse M. Ehrenfeld said in a statement.

The additional burden associated with the administrative work of patient contacts and regulatory investigations would be more than many can handle, MGMA says.

ON THE RECORD
“To our knowledge, no MGMA member actually received the promised ‘offer’ from Change or United, in writing or otherwise,” Gilberg said in the letter to OCR about HIPAA notices. “Physician practices are currently facing increasing concerns about their own regulatory exposure should United fail to deliver on these commitments to your office’s satisfaction.

“Additionally, as more patients become aware of the potential disclosure of their sensitive PHI and PII, they will turn to their providers for information and assurances, neither of which can be provided at this time,” he added.

“What the healthcare industry needs, and what we are asking for on behalf of our members, is a clear statement from your office that: 1) responsibility for breach reporting rests solely with Change and United; 2) providers who are completely innocent in this unique situation will be spared from any regulatory scrutiny; and 3) your office will ensure that Change and United deliver on the promises they have made in a prompt and transparent manner.”

Mike Miliard is editor-in-chief of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.