The federal policy response to the Change Healthcare cyberattack
HHS's Office of Civil Rights has announced an investigation of UnitedHealth Group and Change Healthcare, while CMS is making accelerated and advance payments available to providers.
Note: This information is excerpted from HFMA’s running coverage of the cyberattack that disabled operations at Change Healthcare.
On March 10, HHS and the Department of Labor sent a letter encouraging commercial payers to do their part to help financially strained providers nearly three weeks after the cyberattack on Change Healthcare.
“Larger payers in particular have the balance sheet stability to advance payments,” the letter states. “Payers have the opportunity to stop-gap the cash flow concerns by stepping in with bridge payments.”
Medicaid managed care payers particularly should consider advancing funds, since providers in that program are more likely to be safety-net providers with less of a financial cushion.
Payers also should ease administrative burden “by simplifying electronic data interchange requirements and timelines and by accepting paper claims,” the letter states. They should be as flexible as possible with prior authorization and other requirements pertaining to utilization management.
The letter also calls on UnitedHealth Group (UHG) to step up its response to the attack, including by ensuring “expedited delivery of funds to impacted providers for all receiving advance payment from UnitedHealthcare.” UHG said March 8 that UnitedHealthcare would be advancing funds to its provider partners.
“While we believe payers have a unique responsibility and opportunity to address the challenge before us, we urge action on the part of any healthcare entity that can step up,” the letter states. “For example, we appreciate the actions taken by clearinghouses to enable switching from Change Healthcare systems, and we encourage them to offer easy-to-implement, standard terms for additional providers who want to switch, and [to] avoid cost-prohibitive pricing.”
The letter also reiterates steps being implemented by CMS to help Medicare and Medicaid providers, including streamlining the process for providers to change clearinghouses, encouraging Medicare Advantage and Medicaid managed care health plans to remove or relax prior authorization requirements, and directing Medicare administrative contractors (MACs) to be prepared to accept paper claims submissions.
Medicare payment relief
On March 9, CMS issued a notice that MACs would begin posting information as soon as that very day on how providers can apply for Medicare accelerated and advance payments.
CMS earlier that week had announced that hospitals and other Part A providers could apply for accelerated payments, but physician advocates had expressed disappointment that no relief was being offered for Part B providers. The March 9 announcement represented a course change, noting that Part B providers are invited to apply for advance payments.
The notice states that accelerated and advance payments are to be made in amounts reflecting a 30-day claims-payment window. The amount for each provider will be one-third of the total amount of claims paid to the provider from August 2023 through October 2023.
Providers can put in for a lesser payment amount if they choose. Repayment to Medicare will be in the form of automatic recoupment over a 90-day period, with a notice issued on day 91 for any remaining balance.
The announcement lists various attestations required of applicants for the payments, along with terms and conditions of the loan.
In a March 13 letter to the Senate Finance Committee, the American Hospital Association said the payments are welcome but insufficient due, in part, to the repayment timeline and interest rate. The letter calls for legislative support for affected providers.
The National Association of Medicaid Directors wrote March 6 that more should be done to help safety-net providers and that the federal response should mirror the early response to the COVID-19 pandemic (but without the declaration of a public health emergency, regulatory authorities are more limited in what they can do).
Specifically, state Medicaid programs should be authorized to:
- Make emergency supplemental payments that qualify for federal matching, can be instituted immediately and can be granted accommodations with respect to documentation of services
- Waive utilization management practices and co-payments that are embedded in their state plans
Scrutiny on the companies
HHS’s Office of Civil Rights announced March 13 it will investigate UHG and Change Healthcare, primarily examining whether the data breach violates the HIPAA Security Rule or Privacy Rule.
“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and healthcare providers, OCR is initiating an investigation into this incident,” the announcement states. The investigation “will focus on whether a breach of protected health information [PHI] occurred and Change Healthcare’s and UHG’s compliance with the HIPAA rules.”
The investigation will not focus on possible violations stemming from related breaches at other healthcare entities, such as the company’s payer and provider partners.
“While OCR is not prioritizing investigations of healthcare providers, health plans and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA rules,” the announcement states.
In 2018, OCR levied a record $16 million penalty on Anthem following what was described as the largest U.S. health data breach in history. The PHI of almost 79 million individuals was taken, OCR found.
The Change Healthcare breach potentially puts even more PHI at risk, since one out of every three U.S. patient records is said to pass through the company’s databases.
In addition to possibly incurring regulatory penalties, the company faces the prospect of having to defend itself against multiple class-action lawsuits that have been filed.