On May 20, 2024, the American Medical Association and more than 100 other organizations issued a joint letter to Health and Human Services (HHS) Secretary Xavier Becerra concerning the February 21, 2024 reported cyber incident involving Change Healthcare. The letter requested clarity from the HHS Office of Civil Rights (OCR) “around reporting responsibilities and [to] assure affected providers that reporting and notification obligations will be handled by Change Healthcare.” Further, the letter asked OCR to “publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare’s breach.”

The groups who authored the letter have concerns that the required HIPAA breach reporting and notification requirements following this incident could fall upon providers rather than being the sole obligation of Change Healthcare or its parent companies, Optum and UnitedHealth Group. Thus, these groups are seeking further clarification and guidance for the provider community.

As the OCR continues its ongoing investigation, it is anticipated that additional information and clarification will be provided by the government. We will keep you advised accordingly.