June 12, 2024
Melanie Fontes Rainer
Director
Office for Civil Rights
Department of Health and Human Services
Room 509F, HHH Building
200 Independence Avenue, SW
Washington, DC 20201
Re: Change Healthcare and Breach Notifications
Dear Director Rainer:
Thank you for your letter of May 31, 2024. MGMA and its members appreciate the priority that your office has placed on the Change Healthcare matter, and your clear statement that practices as covered entities under HIPAA may delegate responsibility for breach notifications, if and when required, to Change or its parent, UnitedHealth Group.
At the same time, we remain deeply troubled by the statement in your letter — also reflected in your office’s updated FAQ of May 31 — that even with such delegation, covered entities like MGMA members remain responsible for ensuring that Change/United provide breach notifications to the government, patients, and the media in compliance with the HIPAA and HITECH statutes. To make thousands of individual providers guarantors of Change/United’s compliance is neither reasonable nor practical, especially in these unique circumstances. It also undermines the supposed advantage of making Change/United primarily responsible.
Providers were not the source of these disclosures. They do not know the extent and scope of them. They have neither the resources, nor the access to underlying information surrounding the disclosures which would be necessary to investigate them. As a result, they have no realistic choice but to rely on Change/United to make the appropriate breach notifications. Only the federal government has the resources to ensure that Change/United does so in a fully compliant manner.