Skip To Navigation Skip To Content Skip To Footer
    Advocacy Letter
    Home > Press Statements & Advocacy Letters > Advocacy Letters

    May 31, 2024

    Anders Gilberg, Sr. Vice President, Government Affairs
    Medical Group Management Association
    1717 Pennsylvania Ave NW #600
    Washington, DC 20006

    Dear Anders Gilberg:

    Thank you for your letter regarding the cyberattack on UnitedHealth Group's (UHG) subsidiary Change Healthcare. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) takes this issue very seriously. We recognize the impact the Change Healthcare cyberattack has had on healthcare providers, health plans, and individuals and are working expeditiously to do our part to ease the impact of the cyberattack. We are prioritizing our investigations of Change Healthcare and United Health Group (UHG) and continue to provide guidance and assistance across the health care industry. I appreciate hearing from you on this important issue.

    The Health Information Technology for Economic and Clinical Health (HITECH) Act of 20091 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification Rule2 require HIPAA covered entities3 (health plans, health care clearinghouses, and most health care providers) to provide breach notification to affected individuals (patients, beneficiaries, and others) following a breach of unsecured protected health information (PHI). Breach notification is essential for patient privacy because it provides transparency about what caused the breach, when the breach occurred, what PHI was disclosed, what steps affected individuals should take to protect themselves, and information about what the HIPAA covered entity is doing to investigate the breach, mitigate harm to affected individuals, and protect against further breaches.

    View the full letter


    More Advocacy Letters

    Ask MGMA
    An error has occurred. The page may no longer respond until reloaded. Reload 🗙