- Home
- Advocacy
- Latest News and Practice Data
- CAP, AMA, and over 50 Health Care Organizations Urge HHS to Hold Change Healthcare Responsible for Reporting Requirements in Wake of Cyberattack
On May 20, the CAP, the American Medical Association (AMA) and more than 50 provider groups asked the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) to enforce the Health Insurance Portability and Accountability Act (HIPAA) reporting requirements involving the Change Healthcare cyber incident announced on February 21st.
In a letter, the groups asked for clarification around reporting responsibilities to assure affected providers that reporting, and notification obligations will be handled by Change Healthcare. They also asked OCR to publicly state that remediation after the breach will be focused on Change Healthcare, not the providers.
Under the HIPPA Breach Notification Rule covered entities and their business associates are required to notify affected individuals, the HHS and sometimes the media when unsecured protected health information is breached. UnitedHealth Group, Change’s parent company, previously said it would handle reporting to customers whose data may have been exposed.