Technology

Change Healthcare disruption update

Learn the latest developments related to the network interruption and efforts to assist physicians and practices with claims, ERAs and payments.

Editor’s note: This article will be updated frequently as new information becomes available.
June 3 update:

On May 31, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance, in the form of an FAQ, regarding health information privacy and covered entities’ obligations under the Health Insurance Portability and Accountability Act (HIPAA). OCR confirmed that it has opened and prioritized investigations of Change Healthcare and UnitedHealth Group (UHG), focused on whether a breach of protected health information (PHI) occurred and, if so, whether the entities complied with HIPAA requirements. To date, these organizations have not filed a breach report with HHS – notifying the agency of a breach of unsecured PHI.

The updated HHS guidance clarified the responsibilities of both HIPAA covered entities and business associates in notifying patients. When a covered entity discovers a breach, including when notified of a breach by their business associate, the entity “must comply with the applicable breach notification requirements, including notification to affected individuals without unreasonable delay, to the HHS Secretary, and to the media.” HHS has clarified that it allows this responsibility to be delegated to a single entity, which in this case would be UHG. HHS encourages HIPAA covered entities to coordinate with Change Healthcare and UHG on who will be providing breach notifications. The Department notes that, to help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer. However, business associate notification to affected covered entities has not yet taken place. UHG’s website still states that they “are not announcing an official breach notification at this time.”

While physician practices should coordinate with contacts at UHG regarding breach notification requirements, AOA will continue to advocate for UHG to assume full burden and responsibility for all required notifications, and for greater clarity on how HHS will treat physician practices in this process.

April 29 update:

Earlier this week, UnitedHealth Group (UHG) announced that patient data had been compromised in the Change Healthcare cyberattack that occurred on Feb. 21. UHG has found files containing protected health information (PHI) and personally identifiable information (PII), which could cover a substantial proportion of people in America. The company is making resources available to individuals who are concerned about their personal data being compromised. UHG has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data involved in the breach and is monitoring the internet and dark web for any data that may be published. UHG has offered to undertake notifications and administrative requirements on behalf of providers or other clients whose data may have been compromised.

In response to this announcement the HHS Office of Civil Rights (OCR) issued an FAQ regarding the breach and HIPAA implications. The FAQ discusses OCR’s ongoing investigation into UHG, whether a breach of PHI occurred, and the organization’s compliance with HIPAA. The FAQ also outlined covered entities and business associates breach notification obligations. To date, UHG has not filed a formal breach report with OCR, as the organization claims that its assessment of the scope of the breach is still ongoing.

March 27 update:

On March 25, HHS, CMS, and ASPR compiled health plan contact information (PDF) for providers seeking answers about flexibility and prospective payment. It is important to note that the document only includes national contacts, and HHS recommends that if practices have a regional point of contact for their health plan, to reach out to them first. In addition to contact information for payment questions, the document includes tools and links from health plans and payers for physicians monitoring the impact of the cyberattack on payment.

During a service disruption update call on March 27, UHG reported that the largest clearinghouse, Relay Exchange, is back online and claims have begun to flow. After receiving a claim, the remittance timeline will depend on the payer.

UHG will provide payer activity updates on the website as payers reconnect. UHG has made progress in adding payer routes throughout the day and reestablishing connections directly with payers. When asked about a timeline for fully reestablishing connections with payers, UHG noted that the process to recertify credentials for a payer is relatively quick, but getting through all the payers will take time.

With the help of a third-party team, UHG is still determining what data was compromised in the attack; no conclusion has been reached on protected health information (PHI) or personally identifiable information (PII) that may have been involved in the attack.

March 18 update:

CMS announced that it is reopening applications for the 2023 MIPS Extreme and Uncontrollable Circumstances (EUC) hardship exemption due to the Change Healthcare cyberattack. The deadline to apply for an exemption is April 15, 2024. The 2023 MIPS EUC hardship exemption is not automatic and requires physicians to apply. CMS will only approve applications citing the Change Healthcare cyberattack as the basis for requesting reweighting under the MIPS EUC Exception. If a physician or practice has already submitted data and would like to take advantage of this flexibility, they may log into the CMS portal and update their submission. Detailed information is available on the Quality Payment Program website.

Additionally, the agency is continuing to establish flexibilities to ensure physicians can receive payment for services. On March 15, CMS announced flexibilities to ensure that states can start making interim payments to Medicaid providers affected by the Change Healthcare disruption. CMS is encouraging states to submit Medicaid state plan amendments (SPAs) for authority to make certain interim payments for services providers have rendered but for which the provider cannot submit claims.

On March 15, AOA met with Margaret-Mary Wilson, MD, chief medical officer (CMO) for United Health Group (UHG) to discuss the organization’s response to the Change Healthcare cyberattack and what it is doing to support physicians. Kathleen Creason, MBA, AOA CEO, raised questions regarding the organization’s timeline for having an alternative clearinghouse solution ready for providers to connect to, and raised concerns regarding the need for additional financial and technical assistance for practices that are expending tremendous resources trying to utilize workarounds to submit claims and receive payment.

During the discussion, Dr. Wilson noted that UHG has two advance payment programs that physicians may apply for, plans to provide technical support for physicians connecting to their temporary clearinghouse solution being brought online this week, and is currently waiving most prior authorization. AOA will provide additional details regarding any other forms of assistance as they are made available and can be reached for assistance at physicianservices@osteopathic.org.

March 14 update:

On March 13, CMS issued guidance in the form of an FAQ for physicians seeking advance payment for services provided under Medicare Part B. The FAQs go into detail on eligibility criteria, repayment, financial concerns, and other general questions. Practices whose Medicare claims submission and/or payment has been disrupted may apply for funds through their Medicare Administrative Contractor (MAC).

Additionally, in recognition of the burden physicians are currently facing navigating the Change Healthcare disruption, CMS has extended the deadline for 2023 Merit Based Incentive Payment System (MIPS) data submission to April 15, 2024. The extension is intended to aid physicians in light of the time, staff, and resource limitations caused by the Change disruption. However, this two-week extension is insufficient, and AOA will advocate for additional flexibility.

March 11 update:

CMS has announced that it will begin considering applications for advance payments to physicians in response to the disruptions created by the Change Healthcare outage. While the agency initially limited advance payments to Part A providers as it explored its authority to do the same under Part B, it has now expanded the Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments program.

The CHOPD accelerated and advance payments may be granted in amounts representative of up to thirty days (30) of claims payments to eligible providers and suppliers. The average 30-day payment is based on the total claims paid to the provider/supplier between Aug. 1, 2023, and Oct. 31, 2023, divided by three. These payments will be repaid through automatic recoupment from Medicare claims for a period of 90 days.

CMS outlines a detailed list of requirements providers must meet in order to qualify for advanced payments and directs them to work directly with the Medicare Administrative Contractor (MAC) to apply.

March 8 update:

The Department of Health and Human Services (HHS) has announced that it is taking several steps to support hospitals, physician practices and other providers as a result of the disruption to Change Healthcare’s network.

The Centers for Medicare & Medicaid Services (CMS) is issuing guidance to Medicare Advantage and Part D plans urging them to waive or relax prior authorization and other utilization management (UM) for the duration of the disruption. CMS is also encouraging Medicaid and CHIP plans to similarly waive UM. CMS will also make accelerated payments available to hospitals to address their cashflow needs while payment is disrupted. However, more action is necessary to support the continued operation of small and independent practices that are threatened by this disruption. The agency has also directed providers to reach out to their Medicare Administrative Contractor (MAC) if they need to change clearinghouses and request a new electronic data interchange (EDI) enrollment.

The AOA will continue to engage with United Health Group, federal agencies and other stakeholders and share resources with members as they become available.

March 4 update:

On Feb. 21, 2024, Change Healthcare reported network interruption related to a cyber security issue. When they were alerted to the threat, they took action and disconnected their systems to prevent further impact. They are working to bring systems back online as soon as it is safe to do so. This disruption to Change Healthcare’s network has significant implications across the health care ecosystem for activities including e-prescribing, provider claims submission and processing, pharmacy claims transactions, and payment.

AOA staff, across teams, are participating in conference calls with UnitedHealth Group key leaders to provide updates on service disruptions. Daily updates which include applications currently experiencing connectivity issues are posted on Optum Solutions Status webpage or you can subscribe to receive daily email updates. Change Healthcare launched a new webpage with Q&A, which details work arounds and progress they have made. AOA staff have also put together a Q&A document.

The AOA continues to assist private practices through the Change Healthcare service disruptions with alternative work arounds until the issues are resolved. For additional information, please visit AOA’s newly created webpage. We will continue to investigate all possible solutions and provide as much information as possible.

Below are immediate steps physicians can take to minimize disruption to your practice for key impacted applications.

Electronic Remittance Advice (ERAs)

  • If you receive ACH for payments, you may not have access to ERAs. Alternatively, you can download the ERA from payer portals and upload them to your Practice Management system. Some ERAs still will not be available until services are operational again.

Payment

  • Optum established a short-term bridge payment system for providers whose payment is impacted. Providers with an OptumPay account will be able to enroll and verify eligibility for the program via the website. The funding will be provided week-to-week to eligible providers based on their claim’s history. Change Healthcare has stated that payments will be issued for the duration of the disruption, and they expect payments will need to be repaid after normal operations resume.

Claims

  • Discuss with your Practice Management system provider the feasibility of working with other clearinghouse partners such as Availity to upload your 5010 claim files.  Change Healthcare suggests that workarounds will support the flow of nearly 85% of claims. While there are various clearinghouse alternatives, such as Trizetto, Waystar, Navinet, or Office Ally, Availity is currently allowing Change customers to make connections to payers at no cost during the disruption. Additional details can be found in this Availity Q&A. We recommend providers use the applicable payer’s portal to check claim status, verify eligibility and prior authorizations.
  • For Change-exclusive payers, Change and UnitedHealth are mobilizing a new solution to move from the Change gateway claims connection to an Optum EDI connection beginning with the largest payers then working toward the others.
  • Currently, practices are advised not to drop claims to paper due to delays anticipated as a result of the spillover of practices experiencing electronic submission issues. Some payers do not accept paper claims.

One comment

  1. Valerie Laurence

    Is there any update to the cyber security issue that happened last month? Their payment portal is still down. I can make payment via a new website, but I am unable to view my invoice and the detail of charges.

Leave a comment Please see our comment policy