HHS Releases Statement on Change Healthcare Cyberattack

CMS will issue guidance encouraging payers to relax prior authorization and utilization management requirements as Change Healthcare system outages persist, HHS said.

By Jill McKeon

HHS released a statement regarding the Change Healthcare cyberattack and shed light on immediate steps that CMS is taking to assist providers during this time. The announcement follows multiple requests from industry groups urging HHS to offer guidance and enforcement discretion to healthcare organizations as the Change Healthcare cyberattack continues to impact provider workflows.

HHS said that it is in regular contact with UnitedHealth Group (UHG) leadership and key stakeholders to understand the impact of this cyberattack and ensure the effectiveness of UHG’s response.

While HHS said it would continue to refer directly to UHG for updates on incident response and recovery planning, it acknowledged the concerns of providers who are experiencing cash flow problems as they remain unable to submit claims.

As a result, HHS announced steps that CMS is actively taking to assist providers and directed providers to maintain contact with their Medicare Administrative Contractor (MAC) as this event continues to unfold.

First, HHS directed Medicare providers who need to change clearinghouses to contact their MAC to request a new electronic data interchange (EDI) enrollment. The MAC will be able to expedite the new EDI enrollment so that providers will be able to bill claims quickly.

CMS also encouraged other payers, including state Medicaid and Children’s Health Insurance Program (CHIP) agencies, to waive or expedite solutions.

Second, CMS plans to issue guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization and utilization management requirements amid system outages. Medicaid and CHIP managed care plans will also be encouraged to relax these requirements. CMS will also push MA plans to offer advance funding to providers.

CMS contacted all MACs to ensure that they are prepared to accept an influx of paper claims from providers who must file them.

HHS also acknowledged that some providers are wondering about the availability of accelerated payments, like those issued during the COVID-19 pandemic.

“We understand that many payers are making funds available while billing systems are offline, and providers should take advantage of those opportunities. However, CMS recognizes that hospitals may face significant cash flow problems from the unusual circumstances impacting hospitals’ operations, and – during outages arising from this event – facilities may submit accelerated payment requests to their respective servicing MACs for individual consideration,” HHS stated.

“We are working to provide additional information to the MACs about the specific items and information a provider’s request should contain. Specific information will be available from the MACs later this week.”

HHS also leveraged the announcement to direct providers to its December 2023 concept paper, which outlined the department’s goals for improving cybersecurity across the sector. Additionally, HHS encouraged providers to take this opportunity to “double down on cybersecurity, with urgency,” directing them to the HPH cybersecurity performance goals (CPGs).

“The system and the American people can ill afford further disruptions in care,” HHS said, adding that it will continue to monitor UHG’s response to the attack and work with the industry to close remaining gaps.