05/21/2025

OSMA Joins Effort to Clarify Change Healthcare Cyberattack Patient Notification is NOT a Physician Responsibility

OSMA has joined the AMA, the College of Healthcare Information Management Executives (CHIME), and numerous other state and national medical associations asking that the U.S. Department of Health and Human Services explicitly target Change Healthcare and hold them ultimately responsible.

The Change Healthcare cyberattack has disrupted thousands of medical practices, delayed patient care, and is still causing problems. The lack of consistent payments and administrative burden is causing many practices to close their doors. The cyberattack is being investigated by the Office for Civil Rights (OCR) and will likely be the largest breach of patient and physician information ever.

While UnitedHealth Group (UHG)—of which Change Healthcare is a business unit—has publicly offered to notify effected patients and undertake related administrative requirements on behalf of physicians, OCR has stated its focus is on UHG, as it is still unclear if physicians could still be held responsible for notifying their patients about the breach.

Given this possibility, and the remote possibility that OCR could also investigate medical practices due to the breach, we are asking that OCR clarify its policies and state that it will not hold physicians responsible for reporting or the notification requirements to the breach, nor require undue administrative burdens related to the breach.