UPDATE
UnitedHealth Group (UHG) issued a public notification on June 20 about the ransomware attack on its Change Healthcare unit and is expected to begin mailing letters to potentially affected individuals in late July. HIPAA-covered entities (health plans, health care clearinghouses, and most health care providers) are required to notify their patients of any breach of protected health information, including reporting the breach to the U.S. Department of Health and Human Services (HHS) and issuing a notice to the public via media if the breach affects 500 or more patients. However, on May 20, the AAFP and other specialty societies sent a letter to HHS requesting clarification on physicians' breach-notification responsibilities in this case, and HHS clarified that physicians and other providers can delegate breach notification to a business associate. UHG has publicly announced it will perform these duties on behalf of all impacted covered entities. According to this FAQ page, UHG/Change Healthcare will make the required notifications unless a provider chooses to opt out and handle their own notices. On June 26, the AAFP and other specialty societies sent a follow-up letter to HHS requesting further clarification to ensure physician practices will not be held liable. The AAFP will continue to monitor the situation and post updates. Patient questions about the cybersecurity incident should be directed to UHG: changecybersupport.com or 866-262-5342.
Change Healthcare has issued more information about the cyberattack that paused many of its services (e.g., e-prescribing, claims submission, payments, eligibility, prior authorization) and is also offering some temporary assistance funds.
A subsidiary of UnitedHealth Group’s (UHG) Optum unit, Change Healthcare says it is working closely with law enforcement and third-party consultants to investigate the attack, restore systems, and understand the impact on members, patients, and customers. The American Academy of Family Physicians (AAFP) continues to communicate with UHG, monitor the situation, and direct members to resources to help them navigate the outage. The AAFP has also created a landing page with the latest updates on the situation, information on assistance funds, and a survey for members to share their experiences.
As of March 8, Change Healthcare said it expects key system functionality to be restored and available on the following timelines:
In the meantime, Optum Financial Services has established a temporary funding assistance support program to help physicians and other health care providers affected by the outage with short-term cash flow needs. Those eligible include United Healthcare medical providers, providers who receive payments from other payers that use Change Healthcare payment processing, and providers who have exhausted all connection options and work with payers that are not advancing funds while Change Healthcare's systems are down.
To access Optum's temporary funding, do the following:
If you find the temporary funds Optum provides don't cover the difference between your current claim payments and your pre-cyberattack payments you can submit a request through this temporary assistance inquiry form.
For more information on Optum's temporary assistance payments, see the program's FAQ page.
The Centers for Medicare & Medicaid Services (CMS) is also encouraging Medicare Advantage plans and Medicaid managed care plans to offer doctors and other providers relief during the outage. Specifically, CMS is recommending plans remove or relax prior authorization, other utilization management, and timely filing requirements, as well as offer financial relief.
A collection of information about specific private payers is available for download here. The downloadable document from the U.S. Department of Health and Human Services includes contact information to help practices connect with payers regarding impacts of the cyberattack, links to resources payers have set up (including guides to connect to alternate data clearinghouse services), information on advanced payments, and more.
On March 9, CMS announced an advanced payment program for those affected by the outage:
The following UHG/Optum webpages have more information about the company’s work to restore services:
The AAFP will continue to monitor UHG/Optum communications regarding Change Healthcare’s response to the cyberattack. If you have further questions, please reach out to customer service or your provider relations representative.
The American Medical Association is also surveying physicians about how the cyberattack has affected them, to inform the group's lobbying efforts. The survey is open until April 24.
— Brennan Cantrell, AAFP Commercial Health Insurance Strategist
Posted on March 5, 2024
Disclaimer: The opinions and views expressed here are those of the authors and do not necessarily represent or reflect the opinions and views of the American Academy of Family Physicians. This blog is not intended to provide medical, financial, or legal advice. Some payers may not agree with the advice given. This is not a substitute for current CPT and ICD-9 manuals and payer policies. All comments are moderated and will be removed if they violate our Terms of Use.