HHS Steps Up, Addresses Change Healthcare Attack

Federal officials are taking action in the wake of a devastating cybersecurity incident that has disrupted the industry for more than two weeks

The federal government is stepping in to make sure healthcare organizations affected by the Change Healthcare cybersecurity attack get some relief.

Following pleas this week from both the American Hospital Association and American Medical Association, the Health and Human Services Department issued a statement on Tuesday outlining its strategy for dealing with the outage.

“HHS is in regular contact with [UnitedHealth Group] leadership, state partners, and with numerous external stakeholders to better understand the nature of the impacts and to ensure the effectiveness of UHG’s response,” the statement reads. “HHS has made clear its expectation that UHG does everything in its power to ensure continuity of operations for all healthcare providers impacted and HHS appreciates UHG’s continuous efforts to do so.”

“HHS is also leading interagency coordination of the federal government’s related activities, including working closely with the Federal Bureau of Investigations (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the White House, and other agencies to provide credible, actionable threat intelligence to industry wherever possible,” the agency continued.

For providers affected by the attack, which has all but shut down UHG’s nationwide network for more than two weeks, HHS outlined five steps being coordinated by the Centers for Medicare & Medicaid Services (CMS):

• Medicare providers needing to change clearinghouses that they use for claims processing during these outages should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment for the switch. The MAC will provide instructions based on the specific request to expedite the new EDI enrollment. CMS has instructed the MACs to expedite this process and move all provider and facility requests into production and ready to bill claims quickly. CMS is strongly encouraging other payers, including state Medicaid and Children’s Health Insurance Program (CHIP) agencies and Medicaid and CHIP managed care plans, to waive or expedite solutions for this requirement.
• CMS will issue guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages. CMS is also encouraging MA plans to offer advance funding to providers most affected by this cyberattack.
• CMS strongly encourages Medicaid and CHIP managed care plans to adopt the same strategies of removing or relaxing prior authorization and utilization management requirements, and consider offering advance funding to providers, on behalf of Medicaid and CHIP managed care enrollees to the extent permitted by the State. 
• If Medicare providers are having trouble filing claims or other necessary notices or other submissions, they should contact their MAC for details on exceptions, waivers, or extensions, or contact CMS regarding quality reporting programs.
• CMS has contacted all of the MACs to make sure they are prepared to accept paper claims from providers who need to file them. While we recognize that electronic billing is preferable for everyone, the MACs must accept paper submissions if a provider needs to file claims in that method.

The agency also announced that it is working with MACs to address requests from providers seeking accelerated payments, similar to those issued during the pandemic.

Finally, HHS said the incident should spur the healthcare industry to take a serious look at its cybersecurity practices. The agency pointed out that it released a concept paper late last year outlining cybersecurity strategies, and that followed a National Cybersecurity Strategy unveiled a few months prior by the Biden Administration.

“HHS will continue to communicate with the healthcare sector and encourage continued dialogue among affected parties,” the agency concluded. “We will continue to communicate with UHG, closely monitor their ongoing response to this cyberattack, and promote transparent, robust response while working with the industry to close any gaps that remain.”