Skip To Navigation Skip To Content Skip To Footer
    Advocacy Letter
    Home > Press Statements & Advocacy Letters > Advocacy Letters

    June 12, 2024 

    Melanie Fontes Rainer
    Office for Civil Rights
    Department of Health and Human Services
    Room 509F, HHH Building
    200 Independence Avenue, SW
    Washington, DC 20201

    Re: Change Healthcare and Breach Notifications

    Dear Director Rainer:

    Thank you for your letter of May 31, 2024. MGMA and its members appreciate the priority that your office has placed on the Change Healthcare matter, and your clear statement that practices as covered entities under HIPAA may delegate responsibility for breach notifications, if and when required, to Change or its parent, UnitedHealth Group.

    At the same time, we remain deeply troubled by the statement in your letter — also reflected in your office’s updated FAQ of May 31 — that even with such delegation, covered entities like MGMA members remain responsible for ensuring that Change/United provide breach notifications to the government, patients, and the media in compliance with the HIPAA and HITECH statutes. To make thousands of individual providers guarantors of Change/United’s compliance is neither reasonable nor practical, especially in these unique circumstances. It also undermines the supposed advantage of making Change/United primarily responsible.

    Providers were not the source of these disclosures. They do not know the extent and scope of them. They have neither the resources, nor the access to underlying information surrounding the disclosures which would be necessary to investigate them. As a result, they have no realistic choice but to rely on Change/United to make the appropriate breach notifications. Only the federal government has the resources to ensure that Change/United does so in a fully compliant manner.

    View the full letter

    More Advocacy Letters

    Ask MGMA
    An error has occurred. The page may no longer respond until reloaded. Reload 🗙