The U.S. Department of Health and Human Services and U.S. Department of Labor issued the following letter on March 10, 2024, concerning the cyberattack targeting Change Healthcare. The AHA response appears below it.
Dear Health Care Leaders,
As you know, last month Change Healthcare was the target of a cyberattack that has had significant impacts on much of the nation’s health care system. The effects of this attack are far-reaching; Change Healthcare, owned by UnitedHealth Group (UHG), processes 15 billion health care transactions annually and is involved in one in every three patient records. The attack has impacted payments to hospitals, physicians, pharmacists, and other health care providers across the country. Many of these providers are concerned about their ability to offer care in the absence of timely payments, but providers persist despite the need for numerous onerous workarounds and cash flow uncertainty.
In a situation such as this, the government and private sector must work together to help providers make payroll and deliver timely care to the American people. The Biden-Harris Administration has taken action by removing challenges for health care providers and addressing this cyberattack head on. Now, we are asking private sector leaders across the health care industry — especially other payers — to meet the moment.
The Biden-Harris Administration remains committed to ensuring that all Americans can access needed care in spite of this cyberattack. We urge the private sector to quickly identify and carry out solutions. Specifically, we call on UHG, other insurance companies, clearinghouses, and health care entities to take additional actions to mitigate the harms this attack places on patients and providers, particularly our safety net providers.
We urge UnitedHealth Group to:
- Take responsibility to ensure no provider is compromised by their cash flow challenges stemming from this cyberattack on Change Healthcare.
- Ensure expedited delivery of funds to impacted providers for all receiving advanced payment from UnitedHealth Care.
- Communicate more frequently and more transparently, both within the health care community and with state Medicaid agencies.
- Ensure ease of access to UHG programs, both by providing less restrictive terms and by addressing providers’ concerns regarding indemnification and arbitration requirements.
- Provide Medicaid agencies with a list of providers impacted in their states.
- Expedite activation and ensure effectiveness of all programs UHG announces to serve as a financial backstop, and prioritize under-resourced, lower margin providers.
We urge insurance companies and other payers to:
- Make interim payments to impacted providers. Larger payers in particular have the balance sheet stability to advance payments. Payers have the opportunity to stop-gap the cash flow concerns by stepping in with bridge payments.
- In particular, for Medicaid plans, consider making interim payments to impacted providers.
- Ease the administrative burden on providers by simplifying electronic data interchange requirements and timelines and by accepting paper claims.
- Pause prior authorizations and other utilization management requirements; use all available leeway on deadlines.
While we believe payers have a unique responsibility and opportunity to address the challenge before us, we urge action on the part of any health care entity that can step up. For example, we appreciate the actions taken by clearinghouses to enable switching from Change Healthcare systems, and we encourage them to offer easy-to-implement, standard terms for additional providers who want to switch, and avoid cost-prohibitive pricing.
In addition to the actions outlined above, earlier this week, the U.S. Department of Health and Human Services (HHS) announced steps that the Centers for Medicare & Medicaid Services (CMS) is taking to assist states and health care providers to continue to serve patients and avoid disruptions. Specifically, CMS has streamlined the process for providers to change clearinghouses to ensure continuity of payments, encouraged insurance plans to remove or relax prior authorization requirements in both Medicare and Medicaid, and directed Medicare Administrative Contractors (MACs) to be prepared to accept paper claims submissions during the course of the outage. Just yesterday, CMS provided instructions to MACs about how to consider applications for accelerated payments from Medicare Part A providers and for advance payments from Part B providers and suppliers.
Overall, this incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem. That’s why, in 2023, HHS released a concept paper that outlines HHS’ cybersecurity strategy. The concept paper builds on the National Cybersecurity Strategy that President Biden released in 2023, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyberattacks. Also, in 2021, the Department of Labor released Cybersecurity Program Best Practices to assist plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks. We urge you to visit the HPH Cyber Performance Goals website and implement these steps to stay protected.
Sincerely,
Xavier Becerra,
Secretary, U.S. Department of Health and Human Services
Julie A. Su
Acting Secretary, U.S. Department of Labor
Rick Pollack, president and CEO of the American Hospital Association, published the following letter the same day.
We welcome today’s letter from the Department of Health and Human Services and Department of Labor that recognizes the unprecedented nature of the Change Healthcare cyberattack and its far-reaching impacts on hospitals, physicians and the health care sector. We particularly appreciate the federal government’s call on UnitedHealth Group for increased transparency about this incident and urging the company to step up to take needed actions to provide meaningful payments to hospitals, physicians and other providers so that they can continue timely care for patients.
It’s critical that all payers help providers during this incident to ensure patient care is not compromised. That includes easing administrative burdens, pausing prior authorizations and requirements on timely billing, and providing advanced payments to hospitals and physicians, among other things, until this issue is fully resolved. Just like the impacted providers, these payers are not responsible for the cyberattack; however, as hospitals and doctors have not wavered from their responsibility to care for their patients despite significant hardship, all payers must too honor their responsibility to support hospitals, physicians and patients for care delivered without delay.
We recognize that the federal government does have statutory limitations to require private payers to take all the actions that may be needed, and Congress may need to take specific steps to ensure the health care system is not disrupted for patients. We will continue to work with Congress and policymakers as the impacts from the cyberattack persist.
The concept paper that outlines the Department of Health and Human Services’ cybersecurity strategy for the health care sector, Healthcare Sector Cybersecurity, is available from HHS.