Provider Groups Wants OCE to Clarify Change Healthcare’s Breach Reporting Requirements

Over 100 provider groups, including the American Health Information Management Association (AHIMA), College of Healthcare Information Management Executives (CHIME), and American Medical Association (AMA), wrote to HHS Secretary Xavier Becerra and OCR Director Melanie Fontes Rainer to clarify the requirements of HIPAA breach reporting about the Change Healthcare ransomware attack and the way those requirements will be implemented.

On March 13, 2024, OCR stated in a Dear Colleague letter that it is investigating the Change Healthcare cyberattack to evaluate United Health Group’s (UHG) and Change Healthcare’s compliance with HIPAA Guidelines. OCR mentioned in the letter that Change Healthcare and UHG are the main targets of the investigation. Investigation of other entities that have partnerships with Change Healthcare and UHG is secondary.

Although it is not the priority of OCR to investigate health plans, healthcare providers, and business associates that were connected to or affected by this ransomware attack, OCR is reminding HIPAA-covered entities that are in partnership with UHG and Change Healthcare about their regulatory requirements and obligations, which include signing business associate agreements and sending breach notification letters promptly to HHS and impacted individuals as necessary under the HIPAA Guidelines.

In a FAQ posted on the HHS website, OCR mentioned that any time a breach of protected health information (PHI) occurs at a business associate, the covered entity must inform the impacted persons regarding the breach; however, the covered entity could assign that task to the business associate. OCR additionally explained that in case there is any uncertainty concerning how to handle breach notifications, the impacted companies must get in touch with Change Healthcare and UHG.

UHG released a report stating that they are dedicated to helping and giving assistance to any person who need help, including performing reporting requirements for other stakeholders whose information might have been exposed during this cyberattack. UnitedHealth Group offered to send the notifications and take on related admin requirements for any company or client.”

The provider groups would like OCR to address misunderstandings for providers and have asked OCR to make clear how it plans to implement the HIPAA reporting requirements with regard to the Change Healthcare data breach. They need reassurance for their members that UHG/Change Healthcare is going to handle the HIPAA requirements for reporting and notification, instead of the providers that were impacted by the data breach. That consists of informing OCR concerning the breach, providing notifications to media outlets, submitting breach reports to state Attorneys General, and sending individual breach notifications.

As mentioned in the letter, because UHG has offered to manage the breach reporting requirements, it will be simple for OCR to openly declare that UHG/Change Healthcare will be taking care of all things related to reporting and notification. OCR’s FAQ indicates that all impacted providers call UHG/Change Healthcare for details about how breach reporting is going to be managed; nevertheless, the providers impacted are too many that an actual number is not immediately available. The provider groups stated that considering the chaotic state of the provider community after this breach, OCR’s silence regarding this issue is frustrating.

The provider groups want to be ready to explain to their members that they could depend on UHG’s offer to take care of notifications and take on related admin requirements for any company or client, and ask OCR to make sure providers can depend on that statement and ensure that given that UHG is solely responsible for the incident, no breach notification requirements are applied to any impacted medical company.

They have additionally asked for clarification from OCR concerning its investigations. OCR ought to publicly say that their breach investigation and speedy remediation efforts will be centered on Change Healthcare and not the companies impacted by the cyberattack on Change Healthcare.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at