On May 20, 2024, the American Medical Association and more than 100 other organizations issued a joint letter to Health and Human Services (HHS) Secretary Xavier Becerra concerning the February 21, 2024 reported cyber incident involving Change Healthcare. The letter requested clarity from the HHS Office of Civil Rights (OCR) “around reporting responsibilities and [to] assure affected providers that reporting and notification obligations will be handled by Change Healthcare.” Further, the letter asked OCR to “publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare’s breach.”

The groups who authored the letter have concerns that the required HIPAA breach reporting and notification requirements following this incident could fall upon providers rather than being the sole obligation of Change Healthcare or its parent companies, Optum and UnitedHealth Group. Thus, these groups are seeking further clarification and guidance for the provider community.

As the OCR continues its ongoing investigation, it is anticipated that additional information and clarification will be provided by the government. We will keep you advised accordingly.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of John W. Kaveney John W. Kaveney

Partner, Healthcare and Litigation Departments

Mr. Kaveney focuses his practice in the area of healthcare law, representing a range of clients that includes for-profit and non-profit hospitals and health systems, academic medical centers, individual physicians and physician groups, ambulatory surgery centers, ancillary service…

Partner, Healthcare and Litigation Departments

Mr. Kaveney focuses his practice in the area of healthcare law, representing a range of clients that includes for-profit and non-profit hospitals and health systems, academic medical centers, individual physicians and physician groups, ambulatory surgery centers, ancillary service providers, medical billing companies, skilled nursing and rehabilitation facilities, behavioral health centers and pharmacies.

His practice in the healthcare field encompasses advising healthcare clients on corporate compliance matters, including the implementation of new, and the assessment of existing, corporate compliance programs. He also assists healthcare clients with compliance audits and investigations, as well as guiding clients through the self-disclosure and repayment processes. Finally, he provides general legal advice concerning compliance and regulatory matters under state and federal healthcare laws.

In the area of information privacy and data security, Mr. Kaveney advises healthcare clients on issues arising under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). This includes the implementation and assessment of privacy and security policies and procedures to ensure the proper protection and utilization of protected health information both by healthcare providers and the business associates with which they contract. In addition, he represents healthcare clients in investigating, reporting, and remediating information breaches and the liability such breaches create under various information privacy and security laws.

Additionally, Mr. Kaveney provides counsel on Medicaid and Medicare reimbursement matters before the Division of Medical Assistance and Health Services and the Provider Reimbursement Review Board, as well as assisting clients in civil litigation and with professional licensing and medical staffing concerns.

Contact information:

jkaveney@greenbaumlaw.com | 973.577.1796 | vCard | LinkedIn

For more information visit the Greenbaum, Rowe, Smith & Davis LLP website.