chevron-down Created with Sketch Beta.
May 24, 2024

AMA and Others Request Confirmation from HHS that Providers Are Not Responsible for HIPAA Notification Requirements Due to the Change Healthcare Cybersecurity Incident

In a letter dated May 20, 2024, the American Medical Association (AMA) and other medical organizations requested clarification from the Department of Health and Human Services (HHS) about how HHS's Office for Civil Rights (OCR) intends to enforce the Health Insurance Portability and Accountability Act (HIPAA) reporting and breach notification obligations arising out of the Change Healthcare cybersecurity incident. The letter requests an assurance from HHS that all reporting and notice obligations will be the responsibility of Change Healthcare. 

OCR issued a set of frequently asked questions (FAQs) about the Change Healthcare cybersecurity incident on April 19, 2024, but the medical organizations seek official confirmation from HHS that providers are not responsible for those HIPAA obligations.

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.