AHA, other hospital groups demand UHG formalize breach notification plans following Change Healthcare cyberattack

The AHA and other national hospital groups May 8 sent a letter to UnitedHealth Group, urging the organization to formally accept responsibility for issuing breach notifications on behalf of providers or customers following cyberattacks if protected health information or personally identifiable information is stolen. UHG CEO Andrew Witty agreed to do so May 1 during hearings with Senate and House committees but has yet to notify the Department of Health and Human Services' Office for Civil Rights of this plan.

The letter refers to an April 19 OCR statement in which the agency said, "...with respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate." The letter urges UHG to formally accept this delegation, and notify OCR, state regulators, Congress, media and other stakeholders.