The AOA's House of Delegates is in session | LEARN MORE

AOA

Navigating your practice through the Change Healthcare disruption

Cybersecurity threat has implications for e-prescribing, claims submission and processing, pharmacy transactions and payment.

By AOA Staff

03.04.24

NOTE: This article will be updated frequently as new information becomes available.

June 18 update

On June 17, 2024, the Centers for Medicare & Medicaid Services (CMS) announced that payments under the Accelerated and Advance Payment Program for the Change Healthcare/Optum Payment Disruption (CHOPD) will conclude on July 12, 2024. CMS will not accept new applications or provide funds after this date. The CHOPD payments were announced by the agency in March 2024 to address cash flow challenges faced by Medicare Part A and B providers when claims and payments were not flowing due to the Change network disruption. CMS directs physicians who continue to face challenges submitting claims or receiving payment to reach out to United Health Group or their Medicare Administrative Contractor.

HHS has also issued guidance to health care organizations on voluntary cybersecurity practices to ensure health care organizations are taking critical steps to strengthen cyber preparedness and improve cyber resiliency.


June 3 update

On May 31, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance, in the form of an FAQ, regarding health information privacy and covered entities’ obligations under the Health Information Portability and Accountability Act (HIPAA). OCR confirmed that it has opened and prioritized investigations of Change Healthcare and UnitedHealth Group (UHG), focused on whether a breach of protected health information (PHI) occurred and, if so, whether the entities complied with HIPAA requirements. To date, these organizations have not filed a breach report with HHS – notifying the agency of a breach of unsecured PHI.

The updated HHS guidance clarified the responsibilities of both HIPAA covered entities and business associates in notifying patients. When a covered entity discovers a breach, including when notified of a breach by their business associate, the entity “must comply with the applicable breach notification requirements, including notification to affected individuals without unreasonable delay, to the HHS Secretary, and to the media.” HHS has clarified that it allows this responsibility to be delegated to a single entity, which in this case would be UHG. HHS encourages HIPAA covered entities to coordinate with Change Healthcare and UHG on who will be providing breach notifications. The Department notes that, to help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer. However, business associate notification to affected covered entities has not yet taken place. UHG’s website still states that they “are not announcing an official breach notification at this time.

While physician practices should coordinate with contacts at UHG regarding breach notification requirements, AOA will continue to advocate for UHG to assume full burden and responsibility for all required notifications, and for greater clarity on how HHS will treat physician practices in this process.


April 29 update

Earlier this week, UnitedHealth Group (UHG) announced that patient data had been compromised in the Change Healthcare cyberattack that occurred on Feb. 21. UHG has found files containing protected health information (PHI) and personally identifiable information (PII), which could cover a substantial proportion of people in America. The company is making resources available to individuals who are concerned about their personal data being compromised. UHG has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data involved in the breach and is monitoring the internet and dark web for any data that may be published. UHG has offered to undertake notifications and administrative requirements on behalf of providers or other clients whose data may have been compromised.

In response to this announcement the HHS Office of Civil Rights (OCR) issued an FAQ regarding the breach and HIPAA implications. The FAQ discusses OCRs ongoing investigation into UHG, whether a breach of PHI occurred, and the organization’s compliance with HIPAA. The FAQ also outlined covered entities and business associates breach notification obligations. To date, UHG has not filed a formal breach report with OCR, as the organization claims that its assessment of the scope of the breach is still ongoing.


March 27 update

On March 25, HHS, CMS and ASPR compiled health plan contact information for providers seeking answers about flexibility and prospective payment. It is important to note that the document only includes national contacts, and HHS recommends that if practices have a regional point of contact for their health plan, to reach out to them first. In addition to contact information for payment questions, the document includes tools and links from health plans and payers for physicians monitoring the impact of the cyberattack on payment.

During a service disruption update call on March 27, UHG reported that the largest clearinghouse, Relay Exchange, is back online and claims have begun to flow. After receiving a claim, the remittance timeline will depend on the payer.

UHG will provide payer activity updates on the website as payers reconnect. UHG has made progress in adding payer routes throughout the day and reestablishing connections directly with payers. When asked about a timeline for fully reestablishing connections with payers, UHG noted that the process to recertify credentials for a payer is relatively quick, but getting through all the payers will take time.

With the help of a third-party team, UHG is still determining what data was compromised in the attack; no conclusion has been reached on protected health information (PHI) or personally identifiable information (PII) that may have been involved in the attack.


March 18 update

CMS announced that it is reopening applications for the 2023 MIPS Extreme and Uncontrollable Circumstances (EUC) hardship exemption due to the Change Healthcare cyberattack. The deadline to apply for an exemption is April 15, 2024. The 2023 MIPS EUC hardship exemption is not automatic and requires physicians to apply. CMS will only approve applications citing the Change Healthcare cyberattack as the basis for requesting reweighting under the MIPS EUC Exception. If a physician or practice has already submitted data and would like to take advantage of this flexibility, they may log into the CMS portal and update their submission. Detailed information is available on the Quality Payment Program website.

Additionally, the agency is continuing to establish flexibilities to ensure physicians can receive payment for services. On March 15, CMS announced flexibilities to ensure that states can start making interim payments to Medicaid providers affected by the Change Healthcare disruption. CMS is encouraging states to submit Medicaid state plan amendments (SPAs) for authority to make certain interim payments for services providers have rendered but for which the provider cannot submit claims.

On March 15, AOA met with Margaret-Mary Wilson, MD, chief medical officer for United Health Group (UHG), to discuss the organization’s response to the Change Healthcare cyberattack and what it is doing to support physicians. Kathleen Creason, MBA, AOA chief executive officer, raised questions regarding the organization’s timeline for having an alternative clearinghouse solution ready for provider to connect to, and raised concerns regarding the need for additional financial and technical assistance for practices that are expending tremendous resources trying to utilize workarounds to submit claims and receive payment.

During the discussion, Dr. Wilson noted that UHG has two advance payment programs that physicians may apply for, plans to provide technical support for physicians connecting to their temporary clearinghouse solution being brought online this week, and is currently waiving most prior authorization. AOA will provide additional details regarding any other forms of assistance as they are made available and can be reached for assistance at [email protected].


March 14 update

On March 13, CMS issued guidance in the form of an FAQ for physicians seeking advance payment for services provided under Medicare Part B. The FAQs go into detail on eligibility criteria, repayment, financial concerns and other general questions. Practices whose Medicare claims submission and/or payment has been disrupted may apply for funds through their Medicare Administrative Contractor (MAC).

Additionally, in recognition of the burden physicians are currently facing navigating the Change Healthcare disruption, CMS has extended the deadline for 2023 Merit Based Incentive Payment System (MIPS) data submission to April 15, 2024. The extension is intended to aid physicians in light of the time, staff and resource limitations caused by the Change disruption. However, this two-week extension is insufficient, and AOA will advocate for additional flexibility.


March 12 update

On March 12, the AOA participated in a roundtable convened by the Biden Administration to discuss the steps the Department of Health and Human Services (HHS), Biden-Harris Administration and health care stakeholders are taking in response to the cyberattack on Change Healthcare. Meeting participants included leadership from the White House and HHS, as well as chief executives from major health plans, select physician societies and associations representing hospitals, pharmacies and other providers. During the meeting, AOA chief executive officer Kathleen Creason, MBA, emphasized the challenges osteopathic physicians across the country are experiencing as they try to maintain their practices and provide care to their patients.

The AOA asked the Biden Administration to require plans to:

  1. Waive utilization management (UM) measures to prevent disruptions to patient care
  2. Prohibit plans from retroactively denying claims based on eligibility or lack of UM approval
  3. Require that plans extend claims submission deadlines to ensure payment for services rendered during the disruption

Change Healthcare provides clearinghouse services to support a broad range of electronic transactions in health care. As noted by an HHS letter to stakeholders, “Change Healthcare, owned by UnitedHealth Group (UHG), processes 15 billion health care transactions annually and is involved in one in every three patient records.” The disruption has significant implications across the health care ecosystem for activities including e-prescribing, provider claims submission and processing, pharmacy claims transactions and payment. While solutions have been developed to largely restore some activities, such as e-prescribing and pharmacy claims, claims and payment transactions for physicians and other providers continue to be significantly disrupted.

Many physician practices continue to go without or with very limited revenue, and the outage will have disproportionate impacts on small and independent practices, as well as those in rural and underserved communities, who are already grappling with limited resources, thin margins and payment challenges.

HHS has taken several steps to support physicians and other providers during the Change Healthcare disruption, including making advanced payments available to Medicare Part A and B providers via the Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments program; issuing guidance to Medicare Advantage, Medicare Part D, Medicaid and CHIP plans urging them to grant flexibilities to providers for utilization management and claims submission; and coordinating with other federal agencies to take additional appropriate responses. However, more must be done to ensure the survival of physician practices who are entering a fourth week of limited revenue.

During the roundtable, HHS made clear that all health plans accepting federal funds, including MA, Part D, Medicaid managed care and CHIP plans, should be providing flexibility and advanced payments to providers. The AOA will continue to advocate with the Biden Administration and health plans and share resources with members.


March 11 update

CMS has announced that it will begin considering applications for advance payments to physicians in response to the disruptions created by the Change Healthcare outage. While the agency initially limited advance payments to Part A providers as it explored its authority to do the same under Part B, it has now expanded the Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments program.

The CHOPD accelerated and advance payments may be granted in amounts representative of up to thirty days (30) of claims payments to eligible providers and suppliers. The average 30-day payment is based on the total claims paid to the provider/supplier between Aug. 1, 2023, and Oct. 31, 2023, divided by three. These payments will be repaid through automatic recoupment from Medicare claims for a period of 90 days.

CMS outlines a detailed list of requirements providers must meet in order to qualify for advanced payments and directs them to work directly with the Medicare Administrative Contractor (MAC) to apply.


March 8 update

The Department of Health and Human Services (HHS) has announced that it is taking several steps to support hospitals, physician practices and other providers as a result of the disruption to Change Healthcare’s network.

The Centers for Medicare & Medicaid Services (CMS) is issuing guidance to Medicare Advantage and Part D plans urging them to waive or relax prior authorization and other utilization management (UM) for the duration of the disruption. CMS is also encouraging Medicaid and CHIP plans to similarly waive UM. CMS will also make accelerated payments available to hospitals to address their cashflow needs while payment is disrupted. However, more action is necessary to support the continued operation of small and independent practices that are threatened by this disruption. The agency has also directed providers to reach out to their Medicare Administrative Contractor (MAC) if they need to change clearinghouses and request a new electronic data interchange (EDI) enrollment.

The AOA will continue to engage with United Health Group, federal agencies and other stakeholders and share resources with members as they become available.


On Feb. 21, Change Healthcare reported a network interruption related to a cybersecurity issue. Once alerted to the threat, they took action by disconnecting their systems to prevent further impact. The company is working to bring systems back online as soon as it is safe to do so. This disruption to Change Healthcare’s network has significant implications across the health care ecosystem for activities including e-prescribing, provider claims submission and processing, pharmacy claims transactions and payment.

View Q&A

AOA staff are participating in update calls with leaders from UnitedHealth Group to stay informed of the latest developments. Daily updates, which include applications currently experiencing connectivity issues, are posted on the Optum Solutions Status webpage or you can subscribe to receive daily email updates. Change Healthcare launched a new webpage with a Q&A, which details workarounds and progress updates.

The AOA will continue to assist private practices through the Change Healthcare service disruptions with alternative workarounds until the issues are resolved. We will continue to investigate all possible solutions and provide as much information as possible.

Below are immediate steps you can take to minimize disruption to your practice for key impacted applications:

Claims

  • Discuss with your Practice Management system provider the feasibility of working with other clearinghouse partners such as Availity to upload your 5010 claim files. Change Healthcare suggests that workarounds will support the flow of nearly 85% of claims. While there are various clearinghouse alternatives, such as Trizetto, Waystar, Navinet or Office Ally, Availity is currently allowing Change customers to make connections to payers at no cost during the disruption. Additional details can be found in this Availity Q&A. We recommend providers use the applicable payer’s portal to check claim status, verify eligibility and prior authorizations.
  • For Change-exclusive payers, Change and UnitedHealth are mobilizing a new solution to move from the Change gateway claims connection to an Optum EDI connection beginning with the largest payers then working toward the others.
  • Currently, practices are advised not to drop claims to paper due to delays anticipated as a result of the spillover of practices experiencing electronic submission issues. Some payers do not accept paper claims.

Electronic Remittance Advice (ERAs)

  • If you receive ACH for payments, you may not have access to ERAs. Alternatively, you can download the ERA from payer portals and upload them to your Practice Management system. Some ERAs still will not be available until services are operational again.

Payment

  • Optum established a short-term bridge payment system for providers whose payment is impacted. Providers with an OptumPay account will be able to enroll and verify eligibility for the program via the website. The funding will be provided week-to-week to eligible providers based on their claim’s history. Change Healthcare has stated that payments will be issued for the duration of the disruption, and they expect payments will need to be repaid after normal operations resume.