• Change Healthcare cyberattack update: CMS to end payment relief program

    The Centers for Medicare & Medicaid Services (CMS) has announced that it will soon end the financial assistance program spurred by the Change Healthcare cyberattack.

    The agency plans to wrap up the Accelerated and Advance Payment (AAP) Program on July 12.

    “In the face of one of the most widespread cyberattacks on the U.S. health care industry, CMS promptly took action to get providers and suppliers access to the funds they needed to continue providing patients with vital care,” CMS Administrator Chiquita Brooks-LaSure said. “Our efforts helped minimize the disruptive fallout from this incident, and we will remain vigilant to be ready to address future events.” 

    Change Healthcare, a subsidiary of UnitedHealth Group’s Optum unit, is a clearinghouse for 15 billion medical claims per year, according to a Congressional report, and the February ransomware attack caused cash flow turmoil for thousands of clinicians.

    According to CMS, the AAP program issued more than 4,722 advanced payments totaling $717.18 million to Medicare Part-B providers affected by the cyberattack, and an additional $2.55 billion to Part-A providers, such as hospitals. The agency says clinicians should contact Change Healthcare directly if they’re still having trouble with billing or payment after the program stops taking applications on July 12.

    United HealthGroup’s cyberattack response page says Change Healthcare had either fully or partially restored most services by the end of April. As of June 20, Optum Financial Services was still offering its own temporary funding assistance program for those affected by the Change Healthcare service disruptions.

    UPDATE

    UnitedHealth Group (UHG) issued a public notification on June 20 about the ransomware attack on its Change Healthcare unit and is expected to begin mailing letters to potentially affected individuals in late July. HIPAA-covered entities (health plans, health care clearinghouses, and most health care providers) are required to notify their patients of any breach of protected health information, including reporting the breach to the U.S. Department of Health and Human Services (HHS) and issuing a notice to the public via media if the breach affects 500 or more patients. However, on May 20, the AAFP and other specialty societies sent a letter to HHS requesting clarification on physicians' breach-notification responsibilities in this case, and HHS clarified that physicians and other providers can delegate breach notification to a business associate. UHG has publicly announced it will perform these duties on behalf of all impacted covered entities. According to this FAQ page, UHG/Change Healthcare will make the required notifications unless a provider chooses to opt out and handle their own notices. On June 26, the AAFP and other specialty societies sent a follow-up letter to HHS requesting further clarification to ensure physician practices will not be held liable. The AAFP will continue to monitor the situation and post updates. Patient questions about the cybersecurity incident should be directed to UHG: changecybersupport.com or 866-262-5342.

    — FPM Editors

    Posted on June 20, 2024



    Other Blogs

    Feed

    Disclaimer: The opinions and views expressed here are those of the authors and do not necessarily represent or reflect the opinions and views of the American Academy of Family Physicians. This blog is not intended to provide medical, financial, or legal advice. Some payers may not agree with the advice given. This is not a substitute for current CPT and ICD-9 manuals and payer policies. All comments are moderated and will be removed if they violate our Terms of Use.