Change Healthcare Cyberattack

Updated 6/21/2024
Change Healthcare (CHC) reported they experienced a cyberattack on February 21, 2024, which resulted in their systems being taken offline. As a result of the attack, Optum disconnected from CHC to safeguard their systems. Both are a unit of United Health Group (UHG) and the attack impacted physicians and patients nationwide as claims submissions, claims payments, and other services have been disrupted.

Entities involved:

CHC: A clearinghouse and other healthcare transactions vendor processes 15 billion healthcare transactions annually and provides the technology for revenue cycle and payment management to multiple sectors within the healthcare industry. CHC purportedly touches a third of U.S. patients, according to the company's website.
Optum: A a major healthcare sector organization and the largest processor of claims payments in the nation processing, and a vendor for a multitude of healthcare transactions and other services to the healthcare sector.

Claim submission impacts:

•  CHC began the testing and reconnection process on March 18 per the UHG cyber response team. At that time physicians could begin submitting claims, however, not all payors have reestablished connections with the Change clearinghouse. Claims for these payors will continue to reject until they reestablish their connections. Review frequently the current list of connected payors. If claims continue to reject for payors on this list, contact your EMR vendor and/or your clearinghouse. Health plans that have not reconnected have developed workarounds for claims submission while others have advised practices to find another clearinghouse. Information and a list of clearinghouses can be found at Clearinghouses.org. See the links below for health plan notices regarding the cyberattack.
 •  If unsure if a payor's claims submission process has been affected, and no notice from the payor has been provided, the best course of action is to continue to submit claims as usual, assuming that your clearinghouse is not CHC. If claims are not rejected, spot check a few claims for each payor to verify they were received by the payor. If so, that payor's claims process has not been affected by the cyberattack. 
•  HHS has instructed CMS to require MACs (Novitas) to allow for paper claims submission. An ASCA waiver must be submitted to Novitas. Physicians are not required to include all supporting documentation, but simply indicate on the form that the waiver request is being made due to the Change Healthcare cybersecurity incident. Novitas reports as of 4/9/24 that electronic claims submissions can be resumed as connection has been established via Optum.
•  To be exempt from timely filing deadlines for fully-insured plans only, a letter to the Texas Department of Insurance (TD) to request a waiver from the timely filing rules must be sent. The letter should state the practice cannot meet the deadlines because of a catastrophic event, and include an estimated time frame for the resolution. 
•  UHG has established a claims submission workaround using their iEDI platform, however this may not be a solution for all payors affected by the attack. Enrollment is required and practices’ billing platforms would require reconfiguration to reroute claims to iEDI. As this may be time-consuming, may incur a cost by your billing platform’s vendor, and as not all affected payors are connected to iEDI (see the iEDI payor list), the benefits of rerouting claims through iEDI should be carefully considered. Email Optum at client_assistance@optum.com for questions.
•  Availity is offering Availity Essentials at no-cost for a limited time to process claims and conduct other transactions. 
•  Waystar is offering accelerated onboarding.
•  Should you decide to change clearinghouses, be cognizant of the terms and conditions, contract term, termination provisions, and other contract requirements.

Claims payments:

•  UHG restored electronic payment systems March 15. However, not all payors have reestablished connections with Change and/or Optum. Payments from these payors will continue to be delayed until they reestablish their connections.
•  Some affected payors may send paper checks.
•  Because of the payment delays, Optum is offering temporary funding for practices that qualify. In some circumstances, UHG has prefunded certain physicians' Optum Pay accounts if they have visibility into a practice's pre-attack average weekly claims payment. The amount to be funded will be the difference from the weekly average pre-attack payments to post-attack payments. Funds are available on a week-by-week basis, again based on the disruption in the average weekly payment activity. No application is needed; physicians need only to open their Optum Pay accounts and choose to accept the available funds. All others will need to apply for the funds.
•  CMS has made available Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments to Part A providers and advance payments to Part B suppliers experiencing claims disruptions as a result of the incident. More information can be found on the CMS Fact Sheet. Providers should use the CHOPD form to submit a request. CMS announced on 6/17/24 that payments under the Accelerated and Advance Payment (AAP) Program for the Change Healthcare/Optum Payment Disruption (CHOPD) will conclude on July 12, 2024. After July 12, 2024, CMS will no longer accept new applications for CHOPD accelerated or advance payments. 

HIPAA/HITECH breach notification:

UHG announced they will take responsibility for notifying individuals whose PHI or PII has been breached in compliance with HIPAA regulations. Support will also be made available for people who may be concerned about their personal data potentially being impacted by the cyberattack on Change Healthcare. A dedicated website has been established to provide more information and details on the available resources. The AMA, TMA, and other stakeholders asked the U.S. Department of Health and Human Services to clarify that physicians would not be responsible for the breach notifications and reporting per HIPAA rules as UHG's announcement does not absolve them of this responsibility. As such, on May 31 the OCR provided the requested clarifications making clear that: 

     •  Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
     •  Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media.
     •  If covered entities work with Change Healthcare to perform the required breach notifications consistent with the HITECH and HIPAA, they would not have additional HIPAA breach notification obligations.

On 6/20/24 CHC started notifying providers and insurers as to whether their patients’ or members’ data was compromised in the February cyberattack. In a June 20 press release, CHC said “CHC is assuming responsibility for making individual notifications on behalf of those  impacted customers which do not opt out of CHC’s notifications process, as outlined in the customer notice”. This statement clarifies that the delegation of notification responsibilities will be an opt-out process. As such, physicians do not need to submit a request to CHC to delegate these responsibilities. Additional information is available in the CHC Substitute Notice



Payor resources:

Aetna
Ambetter
BCBSTX
Cigna
Community Health Choice
Humana
Molina
Scan Health
Texas Children's Health Plan
UHG
Wellcare
Wellpoint

Other resources:

AMA
ASPR
CMS
HHS
MGMA
Novitas (Medicare) - claims submissionadvanced payments
TMA

*Please note that the content provided herein is informational only, and should NOT, in any way, be considered legal, professional, business, practice, or other advice.  Nor should any information found below be considered a referral or promotion for any specific option. Consult your own practice adviser or attorney before taking any action or inaction based on this information, and as always, be sure you read, understand, and are willing to agree to any terms, conditions, and/or contracts accompanying any option you consider pursuing.

 

This situation is very fluid. Refer back to this page frequently as updates will be provided as they are made available.