In a letter dated May 20, 2024, the American Medical Association (AMA) and other medical organizations requested clarification from the Department of Health and Human Services (HHS) about how HHS's Office for Civil Rights (OCR) intends to enforce the Health Insurance Portability and Accountability Act (HIPAA) reporting and breach notification obligations arising out of the Change Healthcare cybersecurity incident. The letter requests an assurance from HHS that all reporting and notice obligations will be the responsibility of Change Healthcare.
OCR issued a set of frequently asked questions (FAQs) about the Change Healthcare cybersecurity incident on April 19, 2024, but the medical organizations seek official confirmation from HHS that providers are not responsible for those HIPAA obligations.