In another wave from the Change Healthcare cyberattack, the Healthcare Group Management Association sought assurances from HHS’s Office for Civil Rights that it is responsible for sending HIPAA violation notices to affected patients. will belong to Change and its parent company — not the physician practices. and other suppliers.
WHY IS IT IMPORTANT?
UnitedHealth Group issued a press release this week that, among other updates, pledged that it would “help reduce reporting obligations for other stakeholders whose data may have compromised as part of this cyber attack” and to “make announcements and make related commitments”. administrative request on behalf of any supplier or customer.”
While MGMA said it appreciated the gesture, it asked HHS to weigh in — ensuring that Change Healthcare and UHG deliver on that promise, while shouldering the significant burden of sending violation notices according to HIPAA requirements.
The association also asked HHS to provide clarity that health care providers “who are completely innocent in this unique situation will not be subject to any regulatory oversight.”
In an April 25 letter to Melanie Fontes Rainer, director of HHS’ Office of Civil Rights, MGMA’s SVP of Government Affairs Anders Gilberg said the 15,000 medical group practices they represent “ was hit hard by the cyberattack” on Change Healthcare.
“The disruption to the day-to-day operations of medical teams is severe and ongoing,” Gilberg said. “While MGMA appreciates the steps [HHS] has overcome, along with the efforts of Change and its parent company, UnitedHealth Group, many challenges remain.
“The immediate concern is confusion around the extent to which protected health information and personally identifiable information has been improperly disclosed,” he added, “to whom and to whom responsible for providing breach notification as required by HIPAA to both your office and affected patients.” will decrease.”
While MGMA “is encouraged by United’s recent public statements” about its offer to handle breach notification work, he said, “no prudent medical group can rely on vague promises in a press release there was no specific information about timing or implementation. “
THE TREND IS GREATER
More than two months since it first occurred, the consequences of the Change Healthcare breach continue to impact the entire healthcare industry and pose fundamental challenges for providers and healthcare organizations other.
OCR probed the privacy implications for patients affected by the breach of “unprecedented magnitude,” as Fontes Rainer described it in March.
But the attack also raises more fundamental problems for many providers, especially small operations. A recent report by the American Medical Association found that 31% of small practices said they were unable to pay salaries since the attack on the clearinghouse — and more than half of respondents said they used personal funds to cover expenses.
AMA President Dr. Jesse M. Ehrenfeld said in a statement: “These survey data clearly show that clinics will close as a result of this incident and patients will lose access to contact their doctor”.
The added burden of having to deal with the administrative work of patient outreach and regulatory exploration will be more than many people can handle, MGMA said.
ON PROFILE
“To our knowledge, no MGMA member has actually received from Change or United the promised ‘offer’ in writing or otherwise,” Gilberg said in a letter to OCR about the HIPAA announcement. . “Physician practices are now facing increasing concerns about their own regulatory exposure if United fails to deliver on these promises to your office’s satisfaction.
“Furthermore, as more patients become aware of the potential exposure of their sensitive PHI and PII, they will turn to their providers for information and assurance, both of which are currently cannot be provided”.
“What the healthcare industry needs, and what we are demanding on behalf of our members, is a clear statement from your office that: 1) Responsibility for violation notifications rests solely with Change and United ; 2) The completely innocent suppliers in this particular situation will not be subject to regulatory scrutiny; and 3) Your office will ensure that Change and United fulfill the promises they have made issued quickly and transparently.”
Mike Miliard is the executive editor of Healthcare IT News
Email the writer: [email protected]
Healthcare IT News is a HIMSS publication.
