HHS Responds to Change Healthcare Cyberattack with New Flexibilities for Affected Providers
The Department of Health and Human Services (HHS) has issued a statement about the February 2024 Blackcat ransomware attack on UnitedHealth Group-owned Change Healthcare. The attack took more than 100 of Change Healthcare’s systems out of action, which has had far-reaching consequences for the providers that rely on those systems for checking insurance coverage, submitting claims, and getting paid.
Several industry groups wrote to the HHS requesting assistance for their members, who are experiencing severe cash flow problems as they have been unable to receive payments without Change Healthcare’s systems. UnitedHealth Group has set up a temporary financial assistance program to help providers who have been unable to receive payments, but the move has been criticized by industry groups due to the limited eligibility and onerous terms.
The HHS said it recognized the impact the cyberattack has had on healthcare operations nationwide and that its first priority is to help coordinate efforts to avoid disruptions to care. The HHS is in regular contact with UnitedHealth Group leadership and has made it clear that it expects UnitedHealth Group to do everything in its power to ensure the continuity of operations for all healthcare providers.
The HHS said it has received multiple communications about the cash flow problems that have been caused by the cyberattack due to the inability of providers to submit claims and receive payments, and said action is being taken to support the needs of the healthcare community. The HHS is rolling out new flexibilities and the Centers for Medicare and Medicaid Services (CMS) is taking the lead in the response and will be communicating with the healthcare community and providing assistance, as appropriate.
The HHS said all affected providers should be aware of the following flexibilities:
- Medicare providers that need to change the clearinghouses they use for claims processing due to the outages should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment for the switch. The MAC will provide instructions to expedite the new EDI enrollment. The CMS has instructed MACs to expedite the process of new EDI enrollment and move all provider and facility requests into production to ensure they can bill claims quickly.
- The CMS will be issuing guidance to Medicare Advantage (MA) organizations and Part D sponsors asking them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages, and is encouraging MA plans to offer advance funding to the providers most affected by the Change Healthcare cyberattack. Medicaid and CHIP managed care plans are also being encouraged to adopt a similar strategy to the extent permitted by the State.
- Medicare providers should contact their MAC for details on exceptions, waivers, or extensions, or contact CMS regarding quality reporting programs if they are experiencing difficulty filing claims or other necessary notices or other submissions.
- The CMS has contacted all MACs and told them that they must accept paper submissions if a provider needs to file claims by that method due to the outages.
Providers have contacted the CMS regarding the availability of accelerated payments such as those issued during the COVID-19 pandemic. Many payers have made funds available while billing systems are offline, and the CMS urges providers to take advantage of those opportunities; however, the HHS said hospitals may submit accelerated payment requests to their respective servicing MACs for individual consideration.
The HHS stressed that the cyberattack on Change Healthcare serves as a reminder of the importance of strengthening cybersecurity resilience across the healthcare ecosystem. In December 2023, the HHS issued a concept paper explaining some of the actions the HHS plans to take to strengthen cybersecurity resilience. Those measures include voluntary cybersecurity performance goals, working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity, increasing accountability, and enhancing communication through a one-stop shop. The HHS took the opportunity to encourage all members of the healthcare ecosystem to double down on cybersecurity with urgency, as Americans can ill afford further disruptions to care.
While the HHS response has been welcomed by providers and industry groups, the overwhelming response is that the new flexibilities do not go far enough. Jesse Ehrenfeld, M.D., president of the American Medical Association, said the new flexibilities announced by the HHS are a welcome first step, but said the CMS needs to recognize that the financial problems many providers are experiencing are threatening the viability of their practices. “Many physician practices operate on thin margins, and we are especially concerned about the impact on small and/or rural practices, as well as those that care for the underserved,” said Ehrenfeld. “The AMA urges federal officials to go above and beyond what has been put in place and include financial assistance such as advanced payments for physicians.”


