OCR response to MGMA on Change Healthcare breach notifications (May 31, 2024)

May 31, 2024

Anders Gilberg, Sr. Vice President, Government Affairs
Medical Group Management Association
1717 Pennsylvania Ave NW #600
Washington, DC 20006

Dear Anders Gilberg:

Thank you for your letter regarding the cyberattack on UnitedHealth Group's (UHG) subsidiary Change Healthcare. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) takes this issue very seriously. We recognize the impact the Change Healthcare cyberattack has had on healthcare providers, health plans, and individuals and are working expeditiously to do our part to ease the impact of the cyberattack. We are prioritizing our investigations of Change Healthcare and United Health Group (UHG) and continue to provide guidance and assistance across the health care industry. I appreciate hearing from you on this important issue.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 20091 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification Rule2 require HIPAA covered entities3 (health plans, health care clearinghouses, and most health care providers) to provide breach notification to affected individuals (patients, beneficiaries, and others) following a breach of unsecured protected health information (PHI). Breach notification is essential for patient privacy because it provides transparency about what caused the breach, when the breach occurred, what PHI was disclosed, what steps affected individuals should take to protect themselves, and information about what the HIPAA covered entity is doing to investigate the breach, mitigate harm to affected individuals, and protect against further breaches.

View the full letter