HHS Addresses Healthcare Cyberattack with New Flexibilities for Victim Healthcare Providers

The Department of Health and Human Services (HHS) has referred to the Blackcat ransomware attack on UnitedHealth Group that operated Change Healthcare in February 2024. The attack impacted more than 100 of Change Healthcare’s systems, which affected the providers that use those systems for monitoring insurance coverage, applying for claims, and getting paid.

Some industry groups requested HHS to support their members, who are encountering serious cash flow problems because they cannot get payments without Change Healthcare’s programs. UnitedHealth Group has created a temporary financial assistance program to aid companies who were unable to collect payments, but industry groups have criticized this action due to the limited eligibility and laborious terms.

The HHS stated it identified the effect the cyberattack has on healthcare operations countrywide and that its priority is to support in organizing efforts to stop interruptions to care. The HHS is regularly contacting UnitedHealth Group leadership and it has clearly expressed that it expects UnitedHealth Group to ensure the continuity of procedures for all healthcare providers.

The HHS mentioned it has obtained multiple communications concerning the cash flow issues that resulted from the cyberattack as companies cannot file claims and collect payments, and stated that it is taking action to assist the requirements of the medical community. The HHS is coming up with new flexibilities and the Centers for Medicare and Medicaid Services (CMS) is leading the response and will be interacting with the healthcare community and giving help, as appropriate.

The HHS reported all impacted providers must know about the following flexibilities:

Medicare companies that have to switch the clearinghouses they use for claims processing because of the outages must get in touch with their Medicare Administrative Contractor (MAC) to enroll in new electronic data interchange (EDI). The MAC will release instructions to hasten the new EDI enrollment. The CMS has directed MACs to speed up the new EDI enrollment procedure and transfer all provider and facility requests into production to make sure they can invoice claims immediately.

The CMS will be giving guidance to Medicare Advantage (MA) companies and Part D sponsors requesting them to remove or relax previous authorization, other utilization management, and prompt submission of requirements in these system blackouts, and is encouraging MA plans to provide advance money to the providers most affected by the cyberattack on Change Healthcare. CHIP and Medicaid-managed care plans are likewise being urged to use a strategy that is allowed by the State.

Medicare providers need to call their MAC to know the exceptions, waivers, or extensions, or speak to CMS concerning quality reporting programs if they are having problems filing claims or other required notices or other submissions. The CMS has called all MACs and advised them that they need to accept paper submissions in case a supplier has to file claims in that technique due to the outages.

Providers got in touch with the CMS concerning the availability of sped-up payments like those released during the COVID-19 pandemic. A lot of payers have paid money when billing systems are not available, and the CMS calls on companies to make use of those possibilities; nonetheless, the HHS stated hospitals may submit faster payment requests to their respected servicing MACs for consideration.

The HHS emphasized that the attack on Change Healthcare is a reminder of the value of boosting cybersecurity strength in the entire healthcare ecosystem. In December 2023, the HHS released a concept paper explaining some of the steps the HHS plans to take to improve cybersecurity resilience. Those steps include voluntary cybersecurity performance objectives, working with Congress to create support and rewards for domestic hospitals to enhance cybersecurity, escalating accountability, HIPAA compliance, and improving communication using a one-stop shop. The HHS is urging all members of the healthcare ecosystem to look at cybersecurity with desperation, as Americans cannot deal with more interruptions to care.

Although providers and industry organizations have accepted the HHS response, the response is that the new flexibilities do not go far enough. The president of the American Medical Association, Jesse Ehrenfeld, M.D., said the new flexibilities released by the HHS are a welcome first step, but mentioned the CMS needs to identify that the financial issues many companies are experiencing are threatening the existence of their practices, including those that take care of the underserved. The AMA urges federal authorities to beat what has been set up and include monetary support like advanced doctor payments.