The U.S. Department of Health and Human Services (HHS) has issued a comprehensive statement in response to the cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG), outlining immediate steps to alleviate the repercussions felt across the healthcare system. Acknowledging the severity of the situation, HHS is actively coordinating efforts with UHG, state partners, and external stakeholders to understand the extent of the impact and ensure an effective response. The Department highlights its expectation that UHG prioritizes the continuity of operations for all affected healthcare providers, emphasizing the responsibility they bear in delivering care. HHS is collaborating with various federal agencies, including the Federal Bureau of Investigations (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the White House, to provide credible threat intelligence to the industry. While direct updates on incident response progress are referred to UHG, HHS is responsive to the financial concerns raised by hospitals, doctors, and pharmacies grappling with claims and payments during the outage.
To address these concerns, the Centers for Medicare & Medicaid Services (CMS) is implementing immediate steps. Medicare providers experiencing system outages can request a change in clearinghouses for claims processing. CMS instructs Medicare Administrative Contractors (MACs) to expedite new Electronic Data Interchange (EDI) enrollments and move requests into production immediately. Other payers, including state Medicaid and Children’s Health Insurance Program (CHIP) agencies, are encouraged to waive or expedite solutions for similar requirements.
CMS will issue guidance encouraging MA organizations and Part D sponsors to relax prior authorization, utilization management, and timely filing requirements during system outages. MA plans are also urged to provide advance funding to the most affected providers. Medicaid and CHIP managed care plans are advised to adopt similar strategies of removing or relaxing prior authorization and utilization management requirements. Consideration of offering advance funding to providers, within the limits permitted by the state, is also encouraged. Medicare providers encountering difficulties in filing claims or submissions can contact their MACs for exceptions, waivers, or extensions. CMS emphasizes the readiness of MACs to accept paper claims if needed.
While acknowledging the availability of accelerated payments from certain payers, CMS recognizes the potential cash flow challenges faced by hospitals. Facilities impacted by the cyberattack can submit accelerated payment requests to their servicing MACs for individual consideration. The statement serves as a reminder of the interconnected nature of the healthcare system and emphasizes the urgency of improving cybersecurity resilience. HHS continues to engage with the healthcare sector, monitor UHG’s response, and promote collaborative efforts to address any remaining gaps. HHS urges all stakeholders in the healthcare system to prioritize cybersecurity measures to safeguard against potential disruptions in care as the incident continues to unfold.
