The California Medical Association (CMA) joined the American Medical Association (AMA) and more than 100 health care organizations in seeking clarification on Health Insurance Portability and Accountability Act (HIPAA)-related breach reporting and notification requirements involving the Change Healthcare cyberattack.  

CMA signed a joint letter urging the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) to confirm that no entity other than Change Healthcare, its parent company United Health Group and corporate affiliates such as Optum bear responsibility for the breach and are responsible for breach reporting and notification requirements under HIPAA.  

The letter notes that “there are indications that certain data may indeed have been compromised, resulting in a perplexing situation for providers tasked with ensuring the privacy and security of [patient health information] and [personally identifiable information].” 

“We are writing to request more clarity around reporting responsibilities and assure affected providers that reporting and notification obligations will be handled by Change Healthcare,” the letter states. “OCR should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare’s breach.” 

Providers are continuing to grapple with the fallout of the Change cyberattack,  CMA is committed to supporting physician practices during this difficult time. We have developed a grid that lists a summary of known impacts, workarounds and guidance from payors, available free to CMA members.  

Additional Resources 

• UnitedHealth Group: Information on the Change Healthcare Cyber Response 

• CMA Guide: Change Healthcare Cyberattack - Impacts, Workarounds and Summary 

• AMA Resource Page: Change Healthcare Cyber Outage 

• HPH Cybersecurity Performance Goals