June 05, 2024
Area(s) of Interest:
Cyber Security
Last week, the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) clarified that providers can delegate the responsibility for informing people about privacy breaches resulting from the February ransomware cyberattack to Change Healthcare and its parent company UnitedHealth Group (UHG).
UnitedHealth Group previously said that the cyberattack exposed personal information about a “substantial proportion” of Americans and offered to make notifications and undertake related administrative requirements on behalf of any provider or customer. It was unclear, however, whether, under the Health Insurance Portability and Accountability Act (HIPAA), covered entities were allowed to delegate their breach notification obligations to Change.
OCR published an update to its Change Healthcare Cybersecurity Incident Frequently Asked Questions (FAQs) to make clear that physicians and other affected entities may delegate the responsibility to notify their patients, customers and business partners as required under HIPAA to UnitedHealth Group.
OCR’s update comes after the California Medical Association and more than 100 health care organizations signed a joint letter asking the OCR to confirm that no entity other than Change Healthcare/UHG bears responsibility for the breach reporting and notification requirements under HIPAA.
According to UHG, due to the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.
CMA will publish an update once additional information is available about how the HIPAA-breach notifications will occur, and what physicians need to do to delegate the responsibility for such notifications to Change.