The Department of Health and Human Services (HHS) shared the latest version of their frequently asked questions released by their Office of Civil Rights(OCR) regarding the February 2024 Change Healthcare Cybersecurity attack. Of note, the FAQs indicate OCR has initiated an investigation and that UnitedHealth has 60 calendar days from the date of discovery of the breach of unsecured protected health information(PHI) to file breach reports, which means there may be more information coming soon.

The FAQs provide explanation of breach notification obligations by covered entities and business associates including the timing of these submissions. HHS reminds providers to email them at HHSCyber@hhs.gov with specific issues they are encountering and can’t resolve related to the cybersecurity incident.

Andrew Witty, CEO of United Health Group, is appearing as the only witness in two upcoming hearings on the Change Healthcare cyberattack. The first hearing is on April 30, 10 a.m. ET, in the Senate Finance Committee; and the second hearing is on May 1, 2 p.m. ET, in the House Energy and Commerce Committee.

It is no surprise that the lawsuits have already started against UnitedHealth Group (UHG) and Change Healthcare related to the February 21 cyberattack, data breach, and corresponding outage impacting patient data, and providers’ ability to process claims and receive payments. As reported in Modern Healthcare, to date, there are reportedly more than two dozen lawsuits filed by providers and patients regarding payment delay issues and identity theft risk resulting from the ransomware attack. On April 3, UHG filed a brief requesting these lawsuits to be combined into a single case that would be heard by the US District Court of the Middle District of Tennessee in Nashville.

In the brief, UHG disagrees with the assertion that Change Healthcare’s security was deficient, that the plaintiffs in the various lawsuits were harmed, or that they should be held accountable for the criminal actions of ALPHAV/Blackcat who hacked their system.

UnitedHealth Group (UHG) reports that medical claims have returned through its Change Healthcare network, noting its Assurance started up the week of March 18 and its largest clearinghouse, Relay Exchange, returned the weekend of March 23. With this last step it began work to reconnect its commercial and government payers.

UHG is updating the list of reconnected payers several times a day but is encouraging other payers to return. (Make sure to scroll all the way through as it is in alphabetical order by day restored.) UHG indicates that their next stage related to claims network is increase connectivity with payers, trading partners and submitters. Members can find the timeline for anticipated restoration of other products here over at least the next three weeks.

On March 25, the Department of Health and Human Services (HHS) shared a list of national payer contact information that providers can use to get answers from health care plans about the availability of prospective payments or flexibilities for providers while the Change Healthcare platform is unavailable.

The resource and accompanying letter, from HHS Deputy Secretary Andrea Palm, Administrator and Assistant Secretary Dawn O’Connell of the Administration for Strategic Preparedness and Response (ASPR), and Administrator Chiquita Brooks-LaSure of the Centers for Medicare & Medicaid Services, urges providers to first reach out to any regional points of contacts they have for the health care plan. If providers reach out to the payer contacts and do not receive a response, the letter urges them to send an email to HHScyber@hhs.gov. Read the March 25 letter and access the accompanying 36-page list of payer resources and contact information here.

LeadingAge’s March 21 members-only town hall covered the latest information on the fallout from the cyberattack on the Change Healthcare platform. LeadingAge staff answered member questions and offered updates on sources of interim funding assistance, cybersecurity tools, and more.

Read our members-only bulletin offering more detail, a link to our recording of the event, and a link to the member survey, which we encourage all affected members to take.

The U.S. Dept of Health and Human Services (HHS) held a briefing on March 19 for providers, including updates on actions the Administration and UnitedHealth Group are taking to remedy the impacts caused by Change Healthcare’s payment, claims, and pharmacy systems being disconnected from providers and payers. The recording can be found here.

HHS also shared an email address where health care organizations can send general questions for HHS regarding the Change Healthcare cyber incident or seek access to HHS resources and support to enhance their cybersecurity posture. These inquiries can be sent to hhscyber@hhs.gov or providers can go to the department’s new website (https://hphcyber.hhs.gov/), which serves as a centralized platform connecting health care organizations to a wealth of cybersecurity resources from HHS and other federal agencies.

The Centers for Medicare and Medicaid Services (CMS) issued a fact sheet outlining how its new Change Healthcare/Optum Payment Disruption (CHOPD) accelerated and advance payments will be evaluated and shared this information with the Medicare Administrative Contractors (MACs) on March 8. The fact sheet notes that both Part A and B providers are eligible but must certify that they meet several criteria. CMS makes it clear not all providers will receive funds through CHOPD but it will follow the normal recoupment policies. LeadingAge provides a breakdown for providers here.

The Department of Health and Human Services (HHS) on March 19 hosted a webinar to update providers on the current status of the Change Healthcare cyberattacks. Staff from the Centers for Medicare and Medicaid Services (CMS) discussed current accelerated payment options for Medicare fee-for-service providers. Additional information on these advanced payment options is available in a March 13 FAQ.  CMS staff also discussed flexibilities issued last week to Medicaid programs to create advanced payments to Medicaid providers.

On the topic accessing support, CMS recommended Medicaid providers to first apply to UnitedHealthCare Group (UHG) assistance programs, then reach out to contracted Medicaid managed care plans for assistance; and if no response or needed support is forthcoming, email hhscyber@hhs.gov.

The CEO of UHG joined HHS and CMS during the call to discuss the funding assistance available to providers through UHG. Both HHS and UHG staff expressed confidence that nearly 99% of claims should be flowing in the coming week, however, UHG has suspended prior authorizations on outpatient services until March 31 and will not recoup any funding assistance until all systems are backed up and running.

LeadingAge will host a members-only town hall on Thursday, March 21 at 2 p.m. ET to provide the latest information and insight on the February 21 cyberattack on Change Healthcare.

As of March 18,  UnitedHealth Group (UHG), parent company of Change Healthcare, has restored its electronic payment platform, which will allow payers to process and disburse payments to providers using ACH and virtual credit cards; and it began releasing medical claims preparation software with the goal of restoring the claims processing functionality within the week. UHG also updated repayment terms for its Temporary Assistance Funding Program. Specifically, UHG has lengthened the repayment timeline from 30 days to 45 business days following a provider’s receipt of a repayment notice. In addition, the repayment notice will not be sent until the Change claims or payment processing services are back in operation and impacted payments are processed. In other words, payments have to be going out to providers before a repayment notice will be sent. UHG also retracted other previous requirements for receiving the funds such as arbitration, indemnification, limitation of liability, and its ability to change the terms. It also rescinded the provision that said UHG’s Optum Financial Services could debit owed funds directly from a provider’s account.  Once assistance is approved, UHG reports that providers can expect ACH payments within 3-5 days. For some providers, for which UHG has visibility into their claims and payment history, UHG is “preloading funds into these providers’ Optum accounts. The provider only needs to log in and accept the funds.” For providers that already have an OptumPay account, it might be beneficial to log in to see if such funds have been preloaded.

For more information on the UHG Temporary Funding Assistance program, click here and expand the various FAQs for further details and updates.

LeadingAge members are encouraged to recheck their eligibility status for funds through UHG. For other payers and plans, providers should see if interim funding assistance is being offered, if they are working with an alternative clearinghouse, or if they are accepting paper claims. Eligibility for and availability of funds has continued to evolve in recent days. For example, Highmark is offering interim financial assistance as of March 12. Providers can find more details in the Highmark provider portal on how to apply. Modern Healthcare reports other insurers like Centene, Humana, MetroPlusHealth, Oscar Health, and Ucare have focused on temporarily shifting their clearinghouse work to Availity,  a UHG competitor, to process claims.

LeadingAge will host a members-only town hall on Thursday, March 21 at 2 p.m. ET to provide the latest information and insight on the February 21 cyberattack on Change Healthcare. Members will have the opportunity to ask questions and hear from the LeadingAge policy team experts. Keep up on the latest developments on the cyberattack at our Change Healthcare serial post.

The Centers for Medicare & Medicaid Services (CMS) announced important flexibilities on March 15 that will help state Medicaid agencies provide needed relief to Medicaid providers and protect access to health care coverage. Specifically, CMS is focused on making interim payments more easily accessible to providers affected by the Change Healthcare cybersecurity incident. CMS is encouraging states to submit Medicaid state plan amendments (SPAs) for authority to make certain interim payments for services providers have rendered but for which the provider cannot submit claims.

CMS released guidance on March 15 on related flexibilities, including the option for states to start making interim payments retroactively to the date when claims payment processing was disrupted due to the cybersecurity incident (February 21, 2024).

Providers who checked to see if they were eligible for the UnitedHealth Group Temporary Funding Assistance Program may want to take a second look. Since March 7, UHG has expanded the list of providers eligible for funds. Eligible providers under this program include:

• UnitedHealthcare medical, dental and vision providers (New)
• Providers who receive payments from payers that are processed by Change Healthcare (Note: This may now include Medicaid payers in addition to Medicare.)
• Providers who have exhausted all available connection options or maybe in the process of implementing technical workaround solutions and who work with a payer who has opted not to advance funds to providers during the period when Change Healthcare systems remain down. (Note the underlined language is new and expands which providers may qualify.)

There are also new tools to look up your eligibility and determine the amounts. All details on the TFAP can be found here.

For those interested in the timeline for claims and payment processing to resume, UHG outlines the steps to resuming these services and still indicate that these systems will be back online sometime the week of March 18. The details of bringing these systems back online can be found here by expanding the sections on “Claims Network” and “Payment.”

Department of Health and Human Services (HHS) Secretary Xavier Becerra and Department of Labor (DOL) Acting Secretary Julie Su sent a letter on March 10 to health care leaders, including health insurance companies, regarding the Change Healthcare cyberattack. Becerra and Su are calling on UnitedHealth Group and other payers to “meet the moment,” and  urging actions to complement those taken by the Biden-Harris Administration to ensure patients’ access to care and support providers.

The Centers for Medicare & Medicaid Services (CMS) continues to monitor and assess the impact that the cyberattack had on all provider and supplier types. CMS announced on March 9 that, in addition to considering applications for accelerated payments for Medicare Part A providers, it will also consider applications for advance payments for Part B suppliers.

UnitedHealth Group updated providers on available programs and the status of its Change Healthcare products on March 8. Its electronic payment platform is expected to be restored by March 15. UHG  will begin testing its medical claims network the week of March 18 and expects it to be fully operational sometime later that week.

In the interim, providers are strongly encouraged to continue to use their iEDI claim submission system and alternative clearinghouse until there is confirmation that the Change Healthcare systems are again fully functional. UHG also announced it is expanding eligibility for its Temporary Funding Assistance Program (TFAP) to those providers who have “exhausted all available connection options and who work with a payer that has opted not to advance funds while the CHC systems remain down.” This suggests UHG would like their TFAP to also be considered a payer of last resort like CMS has said for its CHOPD funding.

LeadingAge is seeking clarity about which program is the actual payer of last resort. UHG also extended its repayment timeframe for providers who receive TFAP funds to 30 days from receipt of an invoice from UHG and its Optum Financial Services. These invoices will be sent once “standard payment operations resume.” While this is longer than the previous terms for these funds, LeadingAge will be expressing its concern about this short timeline and on other key issues to HHS at a March 12 meeting.

Finally, UHG says it is suspending prior authorizations for outpatient services and pausing utilization review for inpatient admissions but there is no clarity on whether these temporary changes will have any impact on skilled nursing facilities, home health agencies, or hospice providers. Providers are encouraged to check with the Medicare and Medicaid plans with which they work to see what flexibilities they may be deploying related to prior authorizations, timely filings, and other utilization management items.

CMS issued a fact sheet outlining how its new Change Healthcare/Optum Payment Disruption (CHOPD) accelerated and advance payments will be evaluated and shared this information with the Medicare Administrative Contractors (MACs) on March 8.  The fact sheet notes that both Part A and B providers are eligible but must certify that they meet several criteria. CMS makes it clear not all providers will receive funds through CHOPD but it will follow the normal recoupment policies where CMS automatically recoups funds to offset the advance payments as providers submit Medicare claims. This occurs over 90 days with any remaining balance being collected on day 91. Providers will be eligible for an amount equal to their 30-day claims average and will be based on data from August 1 – October 31, 2023.  Providers interested in applying should contact their MAC.

LeadingAge President and CEO Katie Smith Sloan sent a letter to Secretary of the Department of Health and Human Services (HHS), Xavier Becerra, and staff at the Centers for Medicare and Medicaid Services (CMS) on March 8 outlining ongoing concerns about the Change Healthcare cyberattack and ensuing outage and its impact on aging services providers.

LeadingAge requested additional actions to support these providers, that included encouraging Medicare Advantage plans and Medicaid and CHIP Managed Care Plans to accept paper claims, issue paper checks when necessary, offer advance funding to providers most impacted, and follow a similar process to the Medicare Administrative Contractors. In addition to immediate requests for action, LeadingAge outlines actions to protect beneficiaries who utilize aging service providers in the event of future cyberattacks.

Pharmacies are up and running to receive electronic payments via the e-Prescribe system and UnitedHealth Group (UHG) expects the Change Healthcare pharmacy network to be back online for “the vast majority” of submitters by Thursday, March 7. The medical claims story is a bit different. UHG reports that their data shows 90% of claims are “flowing uninterrupted” and they expect this to be 95% by the week of March 11. However, they also note that fixing or recovering the “medical network will take longer than the pharmacy network.” UHG encourages payers and providers to use the temporary solutions they’ve offered “to get claims flowing again.” This includes setting up a new Optum electronic data interchange (EDI) for payers who are exclusive to the Change clearinghouse and began implementation March 5 with its 25 largest exclusive payers. Providers are also encouraged to use the Optum EDI to submit claims but there will be a small subset of providers for whom it won’t work. Providers should connect with their account teams to set up the EDI process and learn about available webinars. For the subset of providers for which the EDI will not work, UHG is “implementing a supplemental custom funding program,” in addition to the Temporary Funding Assistance program. Account teams will proactively reach out to these providers. More details will be available Friday, March 8. Providers can monitor the latest updates from UHG here.

The Centers for Medicare and Medicaid, as promised, issued guidance to the Medicare Advantage and Part plans on Wed., March 7 reminding them that they have the flexibility, “to remove or relax plan prior authorization requirements at any time in order to facilitate access to services with less burden on beneficiaries, plans and providers.” They note these policies must be applied uniformly and can be undertaken without the usual 30-day notice requirement. The memo also encourages, “MA organizations to offer advance funding to providers most affected by this cyberattack.”  The complete CMS memo to plans can be reviewed here.

The U.S. Department of Health and Human Services issued a statement on what actions it is taking related to the cyberattack. The memo addresses cash flow and other flexibilities that may be available to providers. This is the first statement from the Department of Health and Human Services offering providers guidance on how to address the challenges they face resulting from the Change Healthcare cyberattack. Read more here.

Majority Leader Senator Charles E. Schumer, (D-NY), on called on the Centers for Medicare and Medicaid Services (CMS) on March 4 to help medical providers affected by the Change Healthcare cyberattack. This is the first major congressional action on addressing the fallout from one of the largest, and potentially furthest reaching, cyberattacks in the health care industry.

Schumer specifically called on CMS Administrator Brooks-LaSure to speed advance payments to affected providers through Medicare, as well as to use simplified billing procedures. He also asked the FBI to prioritize its investigation into the attack.

Due to cashflow issues that providers are anticipating they may face as a result of the February 21 Change Healthcare cyberattack and ongoing outage, the UnitedHealth Group (UHG) announced it will be offering a Temporary Assistance Funding Program (TAFP) for providers who receive payments from payers that use the Change Healthcare system.

LeadingAge provides more details about the assistance—and notes it may be limited in scope and requires a close look at the terms and conditions before enrolling.

In a February 29 update, Optum Insights reports they have identified the perpetrator of the February 21 cyberattack: ALPHV/Blackcat. They have engaged outside assistance to evaluate the attack and its impacts, and indicate they have “multiple workarounds to ensure people have access to the medications and care they need.”

No link to or details about the workarounds are provided in the notice. Interestingly, the 10:50 a.m. ET update no longer contains the once-omnipresent line, “The disruption is expected to last at least through the day.” Instead, it includes no information about how long the Change Healthcare platform and tools will be offline.

Given Change Healthcare’s role in processing claims, some LeadingAge members have reported they are unable to submit claims for payment or services at this time.  Read more about how hospices and home health providers can request exceptions for the late submission of a Notice of Election due to these issues.

LeadingAge has learned that Change Healthcare, a subsidiary of UnitedHealth Group, was the victim of a cyberattack on February 21. The attack is impacting the ability of some providers to submit claims for payments and services. Read more.