In yet another ripple from the Change Healthcare cyberattack, the Medical Group Management Association has sought assurances from HHS’ Office for Civil Rights that the onus for sending HIPAA breach notifications to affected patients would fall squarely on Change and its parent company – and not doctor practices and other providers.
WHY IT MATTERS
UnitedHealth Group issued a press release this week where, along with other updates, it pledged that it will “help ease reporting obligations on other stakeholders whose information could have been compromised as part of this cyberattack,” and offered to “make notifications and undertake related administrative requirements on behalf of any provider or customer.”
While MGMA says it appreciated that gesture, it’s asking HHS to weigh in – ensuring that Change Healthcare and UHG will follow through on that promise, taking on the significant burden of sending breach notices as required by HIPAA.
The association is also asking HHS to provide clarity that healthcare providers that are “completely innocent in this unique situation will probably be spared any regulatory scrutiny.”
In an April 25 letter to Melanie Fontes Rainer, director of HHS’ Office for Civil Rights, MGMA’s SVP for government affairs, Anders Gilberg, said the 15,000 medical group practices it represents “have been drastically impacted by the cyberattack” on Change Healthcare.
“Disruption to the daily operations of medical groups has been extreme and is ongoing,” said Gilberg. “While MGMA appreciates the steps [HHS] has taken, together with the efforts of Change and its parent, UnitedHealth Group, many challenges remain.
“Of immediate concern is confusion surrounding the extent to which protected health information and personally identifiable information have been improperly disclosed,” he added, “to whom, and on whom the burden of providing HIPAA-required breach notifications to both your office and affected patients will fall.”
While MGMA is “encouraged by recent public statements from United” about its offer to handle the work of breach notifications, he said, “no prudent medical group can rely on vague promises in a press release containing no specifics with respect to either timing or implementation.”
THE LARGER TREND
More than two months since it first occurred, the aftereffects of the Change Healthcare breach continue to reverberate across the healthcare industry and pose fundamental challenges for providers and other health organizations.
OCR is already probing the privacy implications for patients affected by the breach of “unprecedented magnitude,” as Fontes Rainer described it in March.
But the attack also posed far more fundamental problems for many providers, especially small practices. A recent report from the American Medical Association found that 31% of small practices said they could not make payroll since the clearinghouse attack – and more than half of respondents said they’d used personal funds to cover expenses.
“These survey data show, in stark terms, that practices will close because of this incident, and patients will lose access to their physicians,” said AMA president Dr. Jesse M. Ehrenfeld, in a statement.
The added burden of having to deal with the administrative work of patient outreach and regulatory probes would be more than many could handle, says MGMA.
ON THE RECORD
“To our knowledge, no MGMA member has actually received from Change or United the promised ‘offer,’ in writing or otherwise,” said Gilberg in the letter to OCR about HIPAA notifications. “Doctor practices currently face mounting concerns about their own regulatory exposure should United not fulfill these promises to the satisfaction of your office.
“Further, as more patients become aware of the possible disclosures of their sensitive PHI and PII, they will turn to their providers for information and assurances, neither of which can currently be provided,” he added.
“What the health sector needs, and for which we ask on behalf of our members, is a clear statement from your office that: 1) Responsibility for breach notifications rests solely with Change and United; 2) Providers that are completely innocent in this unique situation will probably be spared any regulatory scrutiny; and 3) Your office will ensure that Change and United fulfill the promises they’ve made in a prompt and clear manner.”
Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.