March 06, 2024
Area(s) of Interest:
Cyber Security
CMA is urging HHS to make physician practices a top priority for emergency assistance
On Feb. 21, 2024, Change Healthcare, a subsidiary of the UnitedHealth Group (UHG) Optum unit, experienced a cyberattack that resulted in nationwide outages affecting payors, physician practices and other providers and pharmacies. The outage has caused interruption of numerous administrative and billing processes, including electronic claims submission, provider payments, pharmacies, prior authorizations, payor chart retrieval, etc.
According to an estimate from First Health Advisory, a digital health risk assurance firm, the outage is costing health care providers over $100 million daily, posing severe financial challenges for already strained medical practices.
Organized Medicine Demands Action
As the cyberattack has forced medical practices to go without revenue for nearly two weeks, the California Medical Association (CMA), American Medical Association (AMA) and other health care organizations have urged the U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra to use all available authorities to ensure that physician practices can continue to function, and patients can continue to receive the care that they need.
CMA has also been working with the California Department of Managed Health Care (DMHC) to request flexibilities for physician practices when submitting claims, relaxation of prior authorization requirements and enforcement of health plans’ timely payment requirements.
“Physician practices nationwide are reeling from the fallout of this cyberattack, severely hindering physicians’ ability to maintain operations, care for their patients and prescribe necessary medications," said CMA President Tanya W. Spirtos, M.D. " Physicians are the backbone of our health care system. The disruption caused by this unprecedented cyber assault jeopardizes the very existence of many practices, especially smaller ones and those serving rural and underserved communities. This is an urgent crisis that requires immediate action."
HHS Announces Flexibilities
On March 5, HHS announced immediate steps that the Centers for Medicare and Medicaid Services (CMS) is taking to assist providers to continue to serve patients, including:
- Medicare contractors have been instructed to expedite EDI enrollments and move all provider and facility requests into production and ready to bill claims quickly.
- Medicare Advantage organizations and Part D sponsors have been encouraged to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages.
- Medicare Advantage plans have been encouraged to offer advance funding to providers most affected by this cyberattack.
- Medicaid managed care plans have been strongly encouraged to adopt similar strategies.
- Medicare contractors have been contacted to make sure they are prepared to accept paper claims from providers if needed.
CMA has reached out to CMS and Noridian, California’s Medicare contractor, urging them to grant automatic waivers to submit paper claims, rather than require that practices request waivers, noting the extra burden coupled with delays to process a request. We will continue to monitor the situation and provide additional details as they become available.
What Practices Need to Do
For claim submission, affected practices are being encouraged to utilize workarounds such as alternate clearinghouses. UHG reports about 90% of claims are flowing through these workarounds, and reports it is working to address the remaining 10% where there may have been an exclusive relationship with Change Healthcare as a clearinghouse. Many payors are steering practices to Availity for access to electronic claim submission, ACH electronic payments and other electronic functions, which can be utilized at no cost to physician practices.
Practices will also need to identify which claims they were unable to submit electronically due to the outage, so they can resubmit via an alternative method. Change Healthcare is recommending that physicians use the applicable payor’s portal to confirm receipt of the claim, as well as complete eligibility verifications and prior authorizations.
For the small percentage of providers who are unable to utilize a workaround solution to submit claims, Change Healthcare is working to implement a supplemental custom funding program, and plans to provide more specifics on eligibility, funding limits and timing later this week.
Change Healthcare also processes payments for many payors and those systems are also impacted. For providers who receive payments via Change Healthcare, but are unable to do so due to the outage, Optum has already established no cost temporary funding assistance. According to the UHG website, interested practices must apply at optum.com/temporaryfunding. Payments will be based on the practice’s historical average weekly payments through Change Healthcare.
CMA has prepared a grid that lists a summary of known impacts, workarounds and guidance from payors. This resource is available free to members. We will provide updates as additional information becomes available.
For more updates on the Change Healthcare cyber response, click here.
Steps to Protect Your Network
Cybersecurity experts and the HHS Administration for Strategic Preparedness and Response (ASPR) are urging health care organizations to conduct risk evaluations and take steps to protect their networks. Specifically, ASPR recommends:
- With consideration of the written attestation from UHG that the Optum network is safe, organizations should evaluate their risk of using Optum, UnitedHealthcare and UHG systems.
- While UHG asserts that any system that is currently live and available is safe to use, organizations should evaluate their risks and make determinations if connections to Change Healthcare are appropriate at this time.
- As part of your risk evaluation, health care organizations should consider the impacts of severing connectivity to Optum, which includes but is not limited to loss of prior procedure authorizations, electronic prescribing and other patient care functions. Ultimately, your organization should make its own determination on whether or not to block Optum specifically while considering all the risks and consequences of doing so.
Additional Resources
Return