HHS Responds To Change Healthcare Attack (3/5/24)
Thursday, March 14, 2024
HHS Responds To Change Healthcare Attack (3/5/24)
The Department of Health and Human Services is taking steps to mitigate fallout from the crippling cyberattack on Change Healthcare that shut down billing functions across the country, following pleas from industry groups.
On March 5, HHS said it is working to address cash flow concerns as claims processing remains frozen for many doctors, hospitals and pharmacies nationwide. The department is directing regional Medicare operational contractors to expedite requests for providers to switch data and claims processors, as well as process requests for accelerated payments.
HHS is also planning to issue federal guidance to Medicare plans on relaxing prior authorization requirements, and encouraged Medicare and Medicaid plans to grant providers advance funding as well. The actions follow a call from Senate Majority Leader Chuck Schumer (D-NY) for the administration to aid providers affected by the outage.
UnitedHealth Group acquired Change Healthcare in 2022 after federal regulators failed to block the deal on anti-competitive grounds. HHS indicated it was working to ensure that UnitedHealth Group was responding sufficiently after the American Hospital Association published a searing letter to UnitedHealth on alleged shortcomings in its assistance program.
“HHS is in regular contact with UHG leadership, state partners, and with numerous external stakeholders to better understand the nature of the impacts and to ensure the effectiveness of UHG’s response,” the department said. “HHS has made clear its expectation that UHG does everything in its power to ensure continuity of operations for all health care providers impacted and HHS appreciates UHG’s continuous efforts to do so.”
Additionally, the department is working with the White House, the FBI, the Cybersecurity and Infrastructure Security Agency and others to “provide credible, actionable threat intelligence to industry wherever possible.”
Affected parties should be aware of the following flexibilities in place:
- Medicare providers needing to change clearinghouses that they use for claims processing during these outages should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment for the switch. The MAC will provide instructions based on the specific request to expedite the new EDI enrollment. CMS has instructed the MACs to expedite this process and move all provider and facility requests into production and ready to bill claims quickly. CMS is strongly encouraging other payers, including state Medicaid and Children’s Health Insurance Program (CHIP) agencies and Medicaid and CHIP managed care plans, to waive or expedite solutions for this requirement.
- CMS will issue guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages. CMS is also encouraging MA plans to offer advance funding to providers most affected by this cyberattack.
- CMS strongly encourages Medicaid and CHIP managed care plans to adopt the same strategies of removing or relaxing prior authorization and utilization management requirements, and consider offering advance funding to providers, on behalf of Medicaid and CHIP managed care enrollees to the extent permitted by the State.
- If Medicare providers are having trouble filing claims or other necessary notices or other submissions, they should contact their MAC for details on exceptions, waivers, or extensions, or contact CMS regarding quality reporting programs.
- CMS has contacted all of the MACs to make sure they are prepared to accept paper claims from providers who need to file them. While we recognize that electronic billing is preferable for everyone, the MACs must accept paper submissions if a provider needs to file claims in that method.
Learn more at HHS: LINK
UnitedHealth Group Provides Updates and Resources In Response To Healthcare Cyberattack (3/8/24)
UnitedHealth Group announced a series of updates on its response to the unprecedented cyberattack against its subsidiary Change Healthcare. In the announcement, UHG outlines anticipated timelines for restoring Change Healthcare’s affected systems for pharmacy services, payments and medical claims.
In addition, UHG provided new details about funding support for providers affected by the outage and said that for Medicare Advantage plans it is temporarily suspending prior authorizations for most outpatient services and utilization review for MA inpatient admissions.
CMS Announces Accelerated and Advance Payment Program for Providers and Suppliers Affected by Change Healthcare Cyberattack (3/10/24)
The Centers for Medicare & Medicaid Services (CMS) March 9 issued a notice formally announcing terms for hospitals, physicians and other providers impacted by the Change Healthcare cyberattack to apply for accelerated and advance payments (AAPs). CMS stated that hospitals, health systems and others should contact their Medicare Administrative Contractors (MACs) for more information and to apply.
CMS made available Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments to Part A providers and advance payments to Part B suppliers experiencing claims disruptions as a result of the Incident. The CHOPD accelerated and advance payments may be granted in amounts representative of up to thirty days (30) of claims payments to eligible providers and suppliers. The average 30-day payment is based on the total claims paid to the provider/supplier between August 1, 2023 and October 31, 2023, divided by three. These payments will be repaid through automatic recoupment from Medicare claims for a period of 90 days. A demand will be issued for any remaining balance on day 91 following the issuance of the accelerated or advance payment.
CMS Fact Sheet: LINK
HHS Letter to Health Care Leaders on Cyberattack on Change Healthcare (3/10/24): LINK
As you know, last month Change Healthcare was the target of a cyberattack that has had significant impacts on much of the nation’s health care system. The effects of this attack are far-reaching; Change Healthcare, owned by UnitedHealth Group (UHG), processes 15 billion health care transactions annually and is involved in one in every three patient records. The attack has impacted payments to hospitals, physicians, pharmacists, and other health care providers across the country. Many of these providers are concerned about their ability to offer care in the absence of timely payments, but providers persist despite the need for numerous onerous workarounds and cash flow uncertainty.
In a situation such as this, the government and private sector must work together to help providers make payroll and deliver timely care to the American people. The Biden-Harris Administration has taken action by removing challenges for health care providers and addressing this cyberattack head on. Now, we are asking private sector leaders across the health care industry – especially other payers – to meet the moment.
The Biden-Harris Administration remains committed to ensuring that all Americans can access needed care in spite of this cyberattack. We urge the private sector to quickly identify and carry out solutions. Specifically, we call on UHG, other insurance companies, clearinghouses, and health care entities to take additional actions to mitigate the harms this attack places on patients and providers, particularly our safety net providers.
We urge UnitedHealth Group to:
- Take responsibility to ensure no provider is compromised by their cash flow challenges stemming from this cyberattack on Change Healthcare.
- Ensure expedited delivery of funds to impacted providers for all receiving advanced payment from UnitedHealth Care.
- Communicate more frequently and more transparently, both within the health care community and with state Medicaid agencies.
- Ensure ease of access to UHG programs, both by providing less restrictive terms and by addressing providers’ concerns regarding indemnification and arbitration requirements.
- Provide Medicaid agencies with a list of providers impacted in their states.
- Expedite activation and ensure effectiveness of all programs UHG announces to serve as a financial backstop, and prioritize under-resourced, lower margin providers.
We urge insurance companies and other payers to:
- Make interim payments to impacted providers. Larger payers in particular have the balance sheet stability to advance payments. Payers have the opportunity to stop-gap the cash flow concerns by stepping in with bridge payments.
- In particular, for Medicaid plans, consider making interim payments to impacted providers.
- Ease the administrative burden on providers by simplifying electronic data interchange requirements and timelines and by accepting paper claims.
- Pause prior authorizations and other utilization management requirements; use all available leeway on deadlines.
While we believe payers have a unique responsibility and opportunity to address the challenge before us, we urge action on the part of any health care entity that can step up. For example, we appreciate the actions taken by clearinghouses to enable switching from Change Healthcare systems, and we encourage them to offer easy-to-implement, standard terms for additional providers who want to switch, and avoid cost-prohibitive pricing.
In addition to the actions outlined above, earlier this week, the U.S. Department of Health and Human Services (HHS) announced steps that the Centers for Medicare & Medicaid Services (CMS) is taking to assist states and health care providers to continue to serve patients and avoid disruptions. Specifically, CMS has streamlined the process for providers to change clearinghouses to ensure continuity of payments, encouraged insurance plans to remove or relax prior authorization requirements in both Medicare and Medicaid, and directed Medicare Administrative Contractors (MACs) to be prepared to accept paper claims submissions during the course of the outage. Just yesterday, CMS provided instructions to MACs about how to consider applications for accelerated payments from Medicare Part A providers and for advance payments from Part B providers and suppliers.
Overall, this incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem. That’s why, in 2023, HHS released a concept paper that outlines HHS’ cybersecurity strategy. The concept paper builds on the National Cybersecurity Strategy that President Biden released in 2023, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyberattacks. Also, in 2021, the Department of Labor released Cybersecurity Program Best Practices to assist plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks. We urge you to visit the HPH Cyber Performance Goals website and implement these steps to stay protected.
Sincerely,
Xavier Becerra
Secretary, U.S. Department of Health and Human Services
Julie A. Su
Acting Secretary, U.S. Department of Labor