• Help us advocate for you. Share how the cyber outage has affected your practice.

    Change Healthcare Cybersecurity Attack and Outage

    The Feb. 21 cyberattack on Change Healthcare continues to have a widespread negative impact on patients and practices. UnitedHealth Group is regularly sharing updated information on restoration timelines and resources.

    Since the attack and outage, the AAFP continues to closely monitor the situation and has:

    • Reached out to UnitedHealth Group and urged them to minimize disruptions to physicians, practices and patients and provide financial assistance. 
    • Shared the family physician perspective on the attack and its potential fallout with Congress and the White House. 
    • Continued working to ensure that disruptions to claims submission, payment processes and other Change Healthcare products do not hamper care delivery.

     

    HIPAA notices

    Physicians and health care providers who are HIPAA Covered Entities (CEs) are legally required to notify their patients of any breach of protected health information. Notification can be delegated to a CE's business associate (BA) and includes reporting the breach to HHS and issuing a notice to the public via media if the breach affects 500 or more patients. 

    Change Healthcare (CHC) has announced that it will issue breach notifications and complete reporting on behalf of all affected CEs. (See FAQ answer to “Will I have to do my own notifications?” for details.) Letters should start reaching potentially affected patients in late July 2024.

    The AAFP is engaged in ongoing advocacy on this topic and continues to seek additional clarifying guidance from HHS to ensure minimal impact to physicians and their patients.

    Legal Penalties

    Affected CEs can reasonably assume that the responsibility of notifying patients will be completed by CHC. If CHC unexpectedly does not fulfill this notification obligation, the CE would be liable for a HIPAA violation. However, the secretary of HHS has the authority to waive investigation, enforcement and penalties as long as a HIPAA violation was not “due to willful neglect.” 

    It's reasonable to believe that the secretary would exercise one or more of these discretions should CHC not complete the patient notifications it has publicly announced it will perform. 

    Patient resources

    The sample notice information Change Healthcare has provided includes information that answers patient questions about the breach, such as:

    • A list of things patients can do to protect their privacy
    • Details on obtaining free credit reporting and monitoring services
    • Call center support

    Funding assistance and MIPS relief

    Optum's Temporary Funding Assistance Program

    Follow these steps to potentially access temporary funding provided by Optum Financial Services:

    For answers to common questions about funding assistance, visit Optum's webpage for the program.

    HHS and CMS Announcements

    The U.S. Department of Health and Human Services is maintaining a list of information about private payers to help you connect with them for support and more.

    CMS advanced payment program will stop taking new applications for those affected by the outage on July 12, 2024:


    Practices can now cite the Change Healthcare outage when applying to CMS for a Merit-based Incentive Payment System (MIPS) Extreme and Uncontrollable Circumstances (EUC) exception for the 2024 performance year.

    FPM's Getting Paid blog entry on CMS' announcements summarizes the 2023 MIPS reporting relief available to physicians.

    Share your experience

    AAFP advocacy

    The AAFP is engaged in ongoing advoacy for family physicians on this cybersecurity issue.

    Copyright © 2024 American Academy of Family Physicians. All Rights Reserved.