CHIME-led Stakeholder Letter to HHS & OCR on Change Healthcare Breach Reporting Responsibilities

Download PDF

June 26, 2024

Melanie Fontes Rainer, Director

Office for Civil Rights

200 Independence Avenue, SW

Washington, DC 20201

Dear Director Rainer:

Thank you for the prompt response to the letter we sent to Secretary Becerra on May 20th concerning the Change Healthcare cyber incident and breach reporting responsibilities associated with this unprecedented attack likely involving millions of breach patient records.

The undersigned organizations, representing a broad range of clinicians and providers nationwide, continue to navigate the aftermath of this incident dating back to February 21st. We appreciate that your agency has updated the Frequently Asked Questions (FAQs) on your website. Upon reviewing your letter and the updated material, we have received a host of questions that our members simply cannot answer without further assistance and guidance from the Office for Civil Rights (OCR).

We understand that Change Healthcare and United Health Group (UHG) (Change Healthcare/UHG) have not yet reported the breach, and that OCR is conducting aninvestigation. Yet, clinicians and providers are committed to staying in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and want to be fully prepared to support their patients. We appreciate that OCR’s attention is directed primarily at Change Healthcare/UHG. However, given the complicated nature of this situation, our members have several outstanding questions and seek immediate guidance and resolution from your office. It is essential that OCR promptly outlines and communicates the “when, what, why, and how” in this situation, ensuring that the accountable party can act without delay.

Attached, you will find a set of questions where we seek clear, straightforward guidance to ensure that every clinician and provider has confidence that the responsibility for breach reporting continues to lie squarely with Change Healthcare/UHG. Additionally, any responsibilities borne by clinicians and providers are minimized, and there is no impact to patients.

The priority is for OCR to provide this needed clarity and guidance as soon as possible. We do, however, respectfully request a meeting to further discuss these concerns so that we can be assured we have a clear pathway forward surrounding these matters. Please do not hesitate to reach out to us by contacting Mari Savickis at [email protected].

Sincerely,

College of Healthcare Information Management Executives (CHIME)

American Academy of Family Physicians (AAFP)

American College of Physicians (ACP)

American Medical Association (AMA)

Medical Group Management Association (MGMA)

cc: The Honorable Xavier Becerra