April 25, 2024
Melanie Fontes Rainer
Director
Office for Civil Rights
Department of Health and Human Services
Room 509F, HHH Building
200 Independence Avenue, SW
Washington, DC 20201
Re: Change Healthcare and Breach Notifications
Dear Director Rainer:
I write seeking your immediate assistance on a matter of utmost urgency to America’s medical group practices. With a membership of more than 60,000 medical practice administrators, executives, and leaders, the Medical Group Management Association (MGMA) represents more than 15,000 medical group practices ranging from small private medical practices to large national health systems, representing more than 350,000 physicians.
These practices have been drastically impacted by the cyberattack on Change Healthcare. Disruption to the daily operations of medical groups has been severe and is ongoing. While MGMA appreciates the steps the Department has taken, along with the efforts of Change and its parent, UnitedHealth Group, many challenges remain. Of immediate concern is confusion surrounding the extent to which protected health information (“PHI”) and personally identifiable information (“PII”) have been improperly disclosed, to whom, and on whom the burden of providing HIPAA-required breach notifications to both your office and affected patients will fall.
MGMA is encouraged by recent public statements from United committing to “provide appropriate notifications” and stating that it “has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.” (United Press Release April 22, 2024). At the same time, no prudent medical group can rely on vague promises in a press release containing no specifics with respect to either timing or implementation. To our knowledge, no MGMA member has actually received from Change or United the promised “offer,” in writing or otherwise.