November 15, 2024

Cyberattack Updates: Change Healthcare Payment Platform

November 15, 2024

Congressional Watchdog Highlights HHS’ Cybersecurity Leadership Challenges

The Government Accountability Office (GAO) released a report on November 13 highlighting the Department of Health and Human Services’ (HHS) ongoing challenges in carrying out its cybersecurity responsibilities. The report noted the increased incidents of cyberattacks across the healthcare sector, including the February 2024 Change Healthcare ransomware attack that had widespread impacts on healthcare providers and patient care. The GAO went on to highlight several recommendations that HHS has yet to fully implement to improve cybersecurity risk management.

Although much of HHS’s cybersecurity focus has been on hospitals, the Change Healthcare ransomware attack demonstrated the vulnerabilities that exist across the entire healthcare sector, including post-acute and long-term care providers. LeadingAge actively engaged with HHS to help members impacted by the Change Healthcare ransomware attack and is continuing to work with members, partners, and policymakers to strengthen and share cybersecurity best practices.

July 31, 2024

Change Healthcare Submits Initial Breach Report to HHS

The U.S. Health and Human Services Office for Civil Rights (OCR) has updated its “Change Healthcare Cybersecurity Incident Frequently Asked Questions” webpage (see Question #3) to reflect that, on July 19, Change Healthcare filed an initial breach notification report with OCR concerning its ransomware attack. According to the OCR: “Change Healthcare’s breach report to OCR identifies 500 individuals as the “approximate number of individuals affected.” This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal.

Change Healthcare is still determining the number of individuals affected. HIPAA breach reports filed on the HHS Breach Portal may be amended as the breach report form allows a filer to file an initial breach report or an addendum to a previous report.”

July 17, 2024

Senator Calls on HHS to Develop Mandatory Cybersecurity Standards

Spurred by the impact of the recent Change Healthcare cyberattack on the nation’s health care system, U.S. Senator Mark R. Warner (D-Va) wrote to U.S. Health and Human Services (HHS) Secretary Xavier Becerra and Deputy National Security Advisor Anne Neuberger in a July 12 letter, urging them to prioritize the development of mandatory minimum cybersecurity standards for health care.  In December 2023, HHS released a concept paper outlining the Department’s cybersecurity strategy for the health care sector and describing four pillars for action, including publishing new voluntary health care-specific cybersecurity performance goals, working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity, and proposing new enforceable cybersecurity standards that would be incorporated into existing programs, such as the HIPAA Security Rule.  While not calling out the concept paper specifically, Senator Warner’s letter urges HHS to propose standards as soon as possible, adding that the voluntary nature of the status quo is not working and that mandatory minimum cyber standards would ensure that all health care stakeholders prioritize cybersecurity in their work. LeadingAge will continue to follow policy developments relating to these important issues.

June 22, 2024

Change Healthcare Breach Notification Outreach Beginning

Change Healthcare started notifying providers and insurers on June 20 whether their patients’ or members’ data was compromised in the cyberattack. The breach notifications come after the Department of Health and Human Services’ Office for Civil Rights clarified last month that providers could delegate the burdensome requirement of notifying affected patients to Change Healthcare.

The company will provide patients with a link to a website to help them with any questions. The company has reviewed more than 90% of affected files and found no evidence that doctors’ charts or full medical histories were exposed. However, the compromised data likely includes individuals’ contact and health insurance information and billing claims and potentially even Social Security numbers. Andrew Witty, CEO of UnitedHealth Group—which owns Change Healthcare—told the House Energy & Commerce Committee in May he suspected the ransomware attack led to the leaking of sensitive health information of one-third of Americans.

June 19, 2024

Medicare Accelerated and Advanced Payments Related to Change Cyberattack Ending July 12

On June 17, CMS announced that it will cease to accept applications for funds from the Accelerated and Advance Payment Program for the Change Healthcare/Optum Payment Disruption (CHOPD) program on July 12, 2024. These payments were designed to assist providers with cash flow disruptions that followed the Change Healthcare cyberattack in February. CMS reports that providers are again successfully billing Medicare, so the program is no longer needed.

More than 4,200 Medicare Part A providers and 4,772 Part B suppliers have benefitted from the program, and 96% of the distributed payments have been recovered. CMS instructs providers who are still having billing or payment challenges due to the Change attack to reach out to UnitedHealth Group here or their Medicare Administrative Contractor (MAC).

June 04, 2024

HHS Says Providers can Delegate Breach Notification Requirement to Change Healthcare

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) updated its frequently asked questions on May 31 regarding the Change Healthcare cyberattack, including addressing who is responsible for performing breach notification to HHS, affected individuals, and where applicable, the media. Specifically, the FAQs make clear that covered entities affected by the Change Healthcare breach may delegate their HIPAA breach notification obligations to Change Healthcare.

UnitedHealth Group (UHG) CEO Andrew Witty noted in his Congressional testimony last month that UHG wanted to relieve providers of this breach notification requirement related to the Change Healthcare cyberattack but was awaiting approval from OCR. The FAQ provides the necessary permission for this approach. The FAQs remind providers that only one entity, which could be the covered entity itself or Change Healthcare, needs to complete breach notifications to affected individuals, HHS, and where applicable the media. The FAQs also clarify that if covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations. This is one piece of good news for providers who have borne significant burden due to the cyberattack.

May 13, 2024

Biden Administration: Cybersecurity Requirements on Horizon

Policymakers have suggested that recent cybersecurity events at UnitedHealth Group’s Change Healthcare and Ascension hospital system have underscored the need for the imposition of minimum cybersecurity standards in the healthcare sector. Modern Healthcare reports that White House officials have said the Biden Administration intends to require hospitals to meet certain minimum cybersecurity standards in the near term. This line of thinking appears to be reinforced by a recently  updated version of the Administration’s Cybersecurity Strategy Implementation Plan, which outlines a series of federal initiatives that are designed to increase digital security and system resilience across sectors.

Two initiatives seem to suggest these actions will be taken by early 2025, though they make no specific reference to hospitals or any other provider type and instead speak about the health care sector more broadly. One such initiative suggests that the National Security Council and Sector Risk Management Agencies will analyze the current cyber risk in their respective industries and establish cyber requirements to mitigate the risk by the second quarter of 2025. In addition, the Department of Health and Human Services is charged with ensuring “greater enforcement and accountability across the [healthcare] sector” with the adoption of cybersecurity best practices for healthcare by the first quarter of 2025.

This direction could change based upon the outcome of the November Presidential election. For now, recent Congressional hearings on the Change Healthcare cyberattack would suggest that new cybersecurity requirements might be an issue where the current Administration and Congress align. LeadingAge will continue to monitor these developments.

May 01, 2024

Change Healthcare Failures on Display as UHG CEO Testifies on Cyberattack

UnitedHealth Group (UHG) CEO Andrew Witty endured more than four hours of testimony and questions from members of the Senate Finance Committee and House Energy and Commerce subcommittee on oversight and investigations on May 1 regarding the February 21 cybersecurity attack on UHG subsidiary Change Healthcare. View the key takeaways in the LeadingAge article.

April 29, 2024

Resources for Individuals Impacted by Change Healthcare Cyberattack

UnitedHealth Group admitted it has found through a sampling of files that some individuals’ personal health information (PHI) or personally identifiable information (PII) may have been impacted, but notes it may take months more of analysis to determine the full extent of impacted individuals and notify them. It is offering support for impacted individuals through a call center that will offer free credit monitoring and identity theft protections for two years to anyone impacted.

The call center can be contacted at 1-866-262-5342 and further details on the resources can be found on the dedicated website. For providers, UHG said, “To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.”

April 26, 2024

New UHG Resources for Impacted Individuals and Providers

On April 22, UnitedHealth Group admitted it has found through a sampling of files that some individuals’ personal health information (PHI) or personally identifiable information (PII) may have been impacted but notes it may take months more of analysis to determine the full extent of impacted individuals and notify them.

UHG is offering support for impacted individuals through a call center offering free credit monitoring and identity theft protections for two years to anyone impacted. The call center can be contacted at 1-866-262-5342 and further details on the resources can be found on the dedicated website.

UHG also offers assistance to providers noting, “To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.”

April 26, 2024

HHS Updates FAQs on Change Healthcare Cybersecurity Incident

The Department of Health and Human Services (HHS) shared the latest version of the frequently asked questions released by its Office for Civil Rights (OCR) regarding the February 2024 Change Healthcare cybersecurity attack. Of note, the FAQs indicate OCR has initiated an investigation and that UnitedHealth has 60 calendar days from the date of discovery of the breach of unsecured protected health information (PHI) to file breach reports, which means there may be more information coming soon.

The FAQs provide explanation of breach notification obligations by covered entities and business associates including the timing of these submissions. HHS reminds providers to email them at HHSCyber@hhs.gov with specific issues they are encountering and can’t resolve related to the cybersecurity incident.

April 25, 2024

Congressional Hearings to Begin for Change Healthcare Cyberattack

Andrew Witty, CEO of UnitedHealth Group, is appearing as the only witness in two upcoming hearings on the Change Healthcare cyberattack. The first hearing is on April 30, 10 a.m. ET, in the Senate Finance Committee; and the second hearing is on May 1, 2 p.m. ET, in the House Energy and Commerce Committee.

April 05, 2024

UHG Contests Claims and Asks to Combine 24 Lawsuits

It is no surprise that the lawsuits have already started against UnitedHealth Group (UHG) and Change Healthcare related to the February 21 cyberattack, data breach, and corresponding outage impacting patient data, and providers’ ability to process claims and receive payments. As reported in Modern Healthcare, to date, there are reportedly more than two dozen lawsuits filed by providers and patients regarding payment delay issues and identity theft risk resulting from the ransomware attack. On April 3, UHG filed a brief requesting these lawsuits to be combined into a single case that would be heard by the US District Court of the Middle District of Tennessee in Nashville.

In the brief, UHG disagrees with the assertion that Change Healthcare’s security was deficient, that the plaintiffs in the various lawsuits were harmed, or that UHG should be held accountable for the criminal actions of ALPHV/BlackCat, who hacked its system.

March 29, 2024

UHG Reports Largest Clearinghouse Back Online

UnitedHealth Group (UHG) reports that medical claims have returned through its Change Healthcare network, noting its Assurance started up the week of March 18 and its largest clearinghouse, Relay Exchange, returned the weekend of March 23. With this last step it began work to reconnect its commercial and government payers.

UHG is updating the list of reconnected payers several times a day but is encouraging other payers to return. (Make sure to scroll all the way through as it is in alphabetical order by day restored.) UHG indicates that its next stage related to the claims network is to increase connectivity with payers, trading partners and submitters. Members can find the timeline for the anticipated restoration of other products, over at least the next three weeks, here.

March 26, 2024

HHS Provides List of Payer Resources to Providers

On March 25, the Department of Health and Human Services (HHS) shared a list of national payer contact information that providers can use to get answers from health care plans about the availability of prospective payments or flexibilities for providers while the Change Healthcare platform is unavailable.

The resource and accompanying letter, from HHS Deputy Secretary Andrea Palm, Administrator and Assistant Secretary Dawn O’Connell of the Administration for Strategic Preparedness and Response (ASPR), and Administrator Chiquita Brooks-LaSure of the Centers for Medicare & Medicaid Services, urge providers to first reach out to any regional points of contact they have for the health care plan. If providers reach out to the payer contacts and do not receive a response, the letter urges them to send an email to HHScyber@hhs.gov. Read the March 25 letter and access the accompanying 36-page list of payer resources and contact information here.

March 22, 2024

LeadingAge Change Healthcare Town Hall Recording, Member Survey Now Available

LeadingAge’s March 21 members-only town hall covered the latest information on the fallout from the cyberattack on the Change Healthcare platform. LeadingAge staff answered member questions and offered updates on sources of interim funding assistance, cybersecurity tools, and more.

Read our members-only bulletin offering more detail, a link to our recording of the event, and a link to the member survey, which we encourage all affected members to take.

March 22, 2024

HHS Shares Change Healthcare Briefing Recording and Resources

The U.S. Dept of Health and Human Services (HHS) held a briefing on March 19 for providers, including updates on actions the Administration and UnitedHealth Group are taking to remedy the impacts caused by Change Healthcare’s payment, claims, and pharmacy systems being disconnected from providers and payers. The recording can be found here.

HHS also shared an email address where health care organizations can send general questions for HHS regarding the Change Healthcare cyber incident or seek access to HHS resources and support to enhance their cybersecurity posture. These inquiries can be sent to hhscyber@hhs.gov or providers can go to the department’s new website (https://hphcyber.hhs.gov/), which serves as a centralized platform connecting health care organizations to a wealth of cybersecurity resources from HHS and other federal agencies.

March 21, 2024

What Providers Need to Know: Payment Disruption Accelerated Payments

The Centers for Medicare and Medicaid Services (CMS) issued a fact sheet outlining how its new Change Healthcare/Optum Payment Disruption (CHOPD) accelerated and advance payments will be evaluated and shared this information with the Medicare Administrative Contractors (MACs) on March 8. The fact sheet notes that both Part A and B providers are eligible but must certify that they meet several criteria. CMS makes it clear not all providers will receive funds through CHOPD but it will follow the normal recoupment policies. LeadingAge provides a breakdown for providers here.

March 20, 2024

HHS, CMS Update Providers on Medicare FFS Accelerated Payments, Medicaid Program Flexibilities

The Department of Health and Human Services (HHS) on March 19 hosted a webinar to update providers on the current status of the Change Healthcare cyberattacks. Staff from the Centers for Medicare and Medicaid Services (CMS) discussed current accelerated payment options for Medicare fee-for-service providers. Additional information on these advanced payment options is available in a March 13 FAQ.  CMS staff also discussed flexibilities issued last week to Medicaid programs to create advanced payments to Medicaid providers.

On the topic of accessing support, CMS recommended that Medicaid providers first apply to UnitedHealth Group (UHG) assistance programs, then reach out to contracted Medicaid managed care plans for assistance; and if no response or needed support is forthcoming, email hhscyber@hhs.gov.

The CEO of UHG joined HHS and CMS during the call to discuss the funding assistance available to providers through UHG. Both HHS and UHG staff expressed confidence that nearly 99% of claims should be flowing in the coming week. However, UHG has suspended prior authorizations on outpatient services until March 31 and will not recoup any funding assistance until all systems are back up and running.

LeadingAge will host a members-only town hall on Thursday, March 21 at 2 p.m. ET to provide the latest information and insight on the February 21 cyberattack on Change Healthcare.

March 18, 2024

UHG Updates Temporary Funding Terms and Fund Availability Information

As of March 18,  UnitedHealth Group (UHG), parent company of Change Healthcare, has restored its electronic payment platform, which will allow payers to process and disburse payments to providers using ACH and virtual credit cards; and it began releasing medical claims preparation software with the goal of restoring the claims processing functionality within the week. UHG also updated repayment terms for its Temporary Assistance Funding Program. Specifically, UHG has lengthened the repayment timeline from 30 days to 45 business days following a provider’s receipt of a repayment notice. In addition, the repayment notice will not be sent until the Change claims or payment processing services are back in operation and impacted payments are processed. In other words, payments have to be going out to providers before a repayment notice will be sent. UHG also retracted other previous requirements for receiving the funds such as arbitration, indemnification, limitation of liability, and its ability to change the terms. It also rescinded the provision that said UHG’s Optum Financial Services could debit owed funds directly from a provider’s account.  Once assistance is approved, UHG reports that providers can expect ACH payments within 3-5 days. For some providers, for which UHG has visibility into their claims and payment history, UHG is “preloading funds into these providers’ Optum accounts. The provider only needs to log in and accept the funds.” For providers that already have an OptumPay account, it might be beneficial to log in to see if such funds have been preloaded.

For more information on the UHG Temporary Funding Assistance program, click here and expand the various FAQs for further details and updates.

LeadingAge members are encouraged to recheck their eligibility status for funds through UHG. For other payers and plans, providers should see if interim funding assistance is being offered, if they are working with an alternative clearinghouse, or if they are accepting paper claims. Eligibility for and availability of funds has continued to evolve in recent days. For example, Highmark is offering interim financial assistance as of March 12. Providers can find more details in the Highmark provider portal on how to apply. Modern Healthcare reports other insurers like Centene, Humana, MetroPlusHealth, Oscar Health, and UCare have focused on temporarily shifting their clearinghouse work to Availity, a UHG competitor, to process claims.

March 15, 2024

Join the Members-Only Town Hall: Change Healthcare Cyberattack

LeadingAge will host a members-only town hall on Thursday, March 21 at 2 p.m. ET to provide the latest information and insight on the February 21 cyberattack on Change Healthcare. Members will have the opportunity to ask questions and hear from the LeadingAge policy team experts. Keep up on the latest developments on the cyberattack at our Change Healthcare serial post.

March 15, 2024

CMS Announces Flexibilities for Medicaid Response to Change Healthcare Outage

The Centers for Medicare & Medicaid Services (CMS) announced important flexibilities on March 15 that will help state Medicaid agencies provide needed relief to Medicaid providers and protect access to health care coverage. Specifically, CMS is focused on making interim payments more easily accessible to providers affected by the Change Healthcare cybersecurity incident. CMS is encouraging states to submit Medicaid state plan amendments (SPAs) for authority to make certain interim payments for services providers have rendered but for which the provider cannot submit claims.

CMS released guidance on March 15 on related flexibilities, including the option for states to start making interim payments retroactively to the date when claims payment processing was disrupted due to the cybersecurity incident (February 21, 2024).

March 14, 2024

HHS Investigates UHG on Change Healthcare Hack

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) opened an investigation on March 13 into UnitedHealth Group over the issues caused by the cyberattack on Change Healthcare. OCR Director Melanie Fontes Rainer announced the investigation in a public letter, writing that HHS was taking the step due to “the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers.”

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that HIPAA-covered entities and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.

March 13, 2024

UHG Updates Eligibility for Temporary Assistance, Tools and Timelines

Providers who checked to see if they were eligible for the UnitedHealth Group Temporary Funding Assistance Program may want to take a second look. Since March 7, UHG has expanded the list of providers eligible for funds. Eligible providers under this program include:

  • UnitedHealthcare medical, dental and vision providers (New)
  • Providers who receive payments from payers that are processed by Change Healthcare (Note: This may now include Medicaid payers in addition to Medicare.)
  • Providers who have exhausted all available connection options or may be in the process of implementing technical workaround solutions and who work with a payer who has opted not to advance funds to providers during the period when Change Healthcare systems remain down. (Note the underlined language is new and expands which providers may qualify.)

There are also new tools to look up your eligibility and determine the amounts. All details on the TFAP can be found here.

For those interested in the timeline for claims and payment processing to resume, UHG outlines the steps to resuming these services and still indicates that these systems will be back online sometime the week of March 18. The details of bringing these systems back online can be found here by expanding the sections on “Claims Network” and “Payment.”

March 11, 2024

HHS and DOL Urge Health Care Insurers, Other Payers to Find Solutions

Department of Health and Human Services (HHS) Secretary Xavier Becerra and Department of Labor (DOL) Acting Secretary Julie Su sent a letter on March 10 to health care leaders, including health insurance companies, regarding the Change Healthcare cyberattack. Becerra and Su are calling on UnitedHealth Group and other payers to “meet the moment,” and  urging actions to complement those taken by the Biden-Harris Administration to ensure patients’ access to care and support providers.

The Centers for Medicare & Medicaid Services (CMS) continues to monitor and assess the impact that the cyberattack had on all provider and supplier types. CMS announced on March 9 that, in addition to considering applications for accelerated payments for Medicare Part A providers, it will also consider applications for advance payments for Part B suppliers.

March 11, 2024

Change Healthcare Expected to Resume Week of March 18

UnitedHealth Group updated providers on available programs and the status of its Change Healthcare products on March 8. Its electronic payment platform is expected to be restored by March 15. UHG  will begin testing its medical claims network the week of March 18 and expects it to be fully operational sometime later that week.

In the interim, providers are strongly encouraged to continue to use their iEDI claim submission system and alternative clearinghouse until there is confirmation that the Change Healthcare systems are again fully functional. UHG also announced it is expanding eligibility for its Temporary Funding Assistance Program (TFAP) to those providers who have “exhausted all available connection options and who work with a payer that has opted not to advance funds while the CHC systems remain down.” This suggests UHG would like their TFAP to also be considered a payer of last resort like CMS has said for its CHOPD funding.

LeadingAge is seeking clarity about which program is the actual payer of last resort. UHG also extended its repayment timeframe for providers who receive TFAP funds to 30 days from receipt of an invoice from UHG and its Optum Financial Services. These invoices will be sent once “standard payment operations resume.” While this is longer than the previous terms for these funds, LeadingAge will be expressing its concern about this short timeline and on other key issues to HHS at a March 12 meeting.

Finally, UHG says it is suspending prior authorizations for outpatient services and pausing utilization review for inpatient admissions but there is no clarity on whether these temporary changes will have any impact on skilled nursing facilities, home health agencies, or hospice providers. Providers are encouraged to check with the Medicare and Medicaid plans with which they work to see what flexibilities they may be deploying related to prior authorizations, timely filings, and other utilization management items.

March 11, 2024

CMS Announces Terms of Accelerated and Advanced Payments

CMS issued a fact sheet outlining how its new Change Healthcare/Optum Payment Disruption (CHOPD) accelerated and advance payments will be evaluated and shared this information with the Medicare Administrative Contractors (MACs) on March 8. The fact sheet notes that both Part A and B providers are eligible but must certify that they meet several criteria. CMS makes it clear not all providers will receive funds through CHOPD but it will follow the normal recoupment policies where CMS automatically recoups funds to offset the advance payments as providers submit Medicare claims. This occurs over 90 days with any remaining balance being collected on day 91. Providers will be eligible for an amount equal to their 30-day claims average, which will be based on data from August 1 – October 31, 2023. Providers interested in applying should contact their MAC.

March 08, 2024

LeadingAge to HHS: Support Providers Impacted by the Cyberattack

LeadingAge President and CEO Katie Smith Sloan sent a letter to Secretary of the Department of Health and Human Services (HHS), Xavier Becerra, and staff at the Centers for Medicare and Medicaid Services (CMS) on March 8 outlining ongoing concerns about the Change Healthcare cyberattack and ensuing outage and its impact on aging services providers.

LeadingAge requested additional actions to support these providers, which included encouraging Medicare Advantage plans and Medicaid and CHIP Managed Care Plans to accept paper claims, issue paper checks when necessary, offer advance funding to providers most impacted, and follow a similar process to the Medicare Administrative Contractors. In addition to immediate requests for action, LeadingAge outlined actions to protect beneficiaries who utilize aging service providers in the event of future cyberattacks.

March 07, 2024

Pharmacy Network E-payments Largely Restored, New EDI Available for Medical Claims

Pharmacies are up and running to receive electronic payments via the e-Prescribe system and UnitedHealth Group (UHG) expects the Change Healthcare pharmacy network to be back online for “the vast majority” of submitters by Thursday, March 7. The medical claims story is a bit different. UHG reports that their data shows 90% of claims are “flowing uninterrupted” and they expect this to be 95% by the week of March 11. However, they also note that fixing or recovering the “medical network will take longer than the pharmacy network.” UHG encourages payers and providers to use the temporary solutions they’ve offered “to get claims flowing again.” This includes setting up a new Optum electronic data interchange (EDI) for payers who are exclusive to the Change clearinghouse and began implementation March 5 with its 25 largest exclusive payers. Providers are also encouraged to use the Optum EDI to submit claims but there will be a small subset of providers for whom it won’t work. Providers should connect with their account teams to set up the EDI process and learn about available webinars. For the subset of providers for which the EDI will not work, UHG is “implementing a supplemental custom funding program,” in addition to the Temporary Funding Assistance program. Account teams will proactively reach out to these providers. More details will be available Friday, March 8. Providers can monitor the latest updates from UHG here.

March 07, 2024

CMS Issues Memo to MA and Part D Plans On Prior Authorizations and Advance Funding for Providers

The Centers for Medicare and Medicaid Services, as promised, issued guidance to the Medicare Advantage and Part D plans on Wed., March 7 reminding them that they have the flexibility “to remove or relax plan prior authorization requirements at any time in order to facilitate access to services with less burden on beneficiaries, plans and providers.” They note these policies must be applied uniformly and can be undertaken without the usual 30-day notice requirement. The memo also encourages “MA organizations to offer advance funding to providers most affected by this cyberattack.” The complete CMS memo to plans can be reviewed here.

March 05, 2024

HHS Issues Statement on Steps it is Taking Related to Cyberattack

The U.S. Department of Health and Human Services issued a statement on what actions it is taking related to the cyberattack. The memo addresses cash flow and other flexibilities that may be available to providers. This is the first statement from the Department of Health and Human Services offering providers guidance on how to address the challenges they face resulting from the Change Healthcare cyberattack. Read more here.

March 05, 2024

Change Healthcare Hack & Cybersecurity Resources for Members

Given the number of vendors that use Change Healthcare’s clearinghouse services, we suspect that many members’ February 2024 billing and payments are at risk—potentially leading to cash flow issues or even operational disruptions. LeadingAge has several tools to help if your organization is impacted or if you want to tighten your cybersecurity:

“Five Things You Can Do” Handout: If you are impacted by the Change Healthcare cyberattack, here are five actions you can take now.

Implications for Cash Flow and Potential Provider Solutions: For providers that cannot process claims actions, this article details actions we strongly encourage you to take to avoid significant operational disruptions.

“Cybersecurity: Pre-Breach Preparedness” On-Demand Training: Featuring healthcare data security experts, this session addresses legal and regulatory considerations, provides strategies for mitigating risk, and answers member questions.

Cybersecurity: Q&A for Aging Services Providers: We asked the CEO of BlueOrange Compliance, John DiMaggio, to give an overview of what providers need to know.

CAST Cybersecurity Resources: These resources include a cybersecurity white paper, case studies and a benchmarking questionnaire that will help providers identify where they may be at risk, so that they can work to plug those vulnerabilities.

March 04, 2024

Senate Majority Leader Calls on CMS to Support Providers

Majority Leader Senator Charles E. Schumer (D-NY) called on the Centers for Medicare and Medicaid Services (CMS) on March 4 to help medical providers affected by the Change Healthcare cyberattack. This is the first major congressional action on addressing the fallout from one of the largest, and potentially furthest reaching, cyberattacks in the health care industry.

Schumer specifically called on CMS Administrator Brooks-LaSure to speed advance payments to affected providers through Medicare, as well as to use simplified billing procedures. He also asked the FBI to prioritize its investigation into the attack.

March 04, 2024

UHG Offers Limited Financial Assistance After Cyberattack

Due to cashflow issues that providers are anticipating they may face as a result of the February 21 Change Healthcare cyberattack and ongoing outage, the UnitedHealth Group (UHG) announced it will be offering a Temporary Assistance Funding Program (TAFP) for providers who receive payments from payers that use the Change Healthcare system.

LeadingAge provides more details about the assistance—and notes it may be limited in scope and requires a close look at the terms and conditions before enrolling.

March 01, 2024

Potential Provider Solutions and Things You Can Do Now

February 29, 2024

Optum Has Identified Workarounds

In a February 29 update, Optum Insights reports they have identified the perpetrator of the February 21 cyberattack: ALPHV/Blackcat. They have engaged outside assistance to evaluate the attack and its impacts, and indicate they have “multiple workarounds to ensure people have access to the medications and care they need.”

No link to or details about the workarounds are provided in the notice. Interestingly, the 10:50 a.m. ET update no longer contains the once-omnipresent line, “The disruption is expected to last at least through the day.” Instead, it includes no information about how long the Change Healthcare platform and tools will be offline.

February 27, 2024

Implications for Cash Flow and Potential Provider Solutions

Given Change Healthcare’s role in processing claims, some LeadingAge members have reported they are unable to submit claims for payment or services at this time. Read more about how hospices and home health providers can request exceptions for the late submission of a Notice of Election due to these issues.

February 23, 2024

Change Healthcare Cyberattack Announcement

LeadingAge has learned that Change Healthcare, a subsidiary of UnitedHealth Group, was the victim of a cyberattack on February 21. The attack is impacting the ability of some providers to submit claims for payments and services. Read more.
