Change Healthcare roundup: UHG pays out $2B, while feds mull cyber compliance rules

Also: Availity clarifies reports that it has cut ties with the clearinghouse and says it "fully expects" to reconnect to Change Healthcare.
By Andrea Fox
05:00 PM

Credit: Yuichiro Chino/Getty Images

As the fallout from the Change Healthcare ransomware attack heads into a second month, UnitedHealth Group said Monday that it's paid $2 billion so far in financial advances for struggling providers and is testing medical claims software to resume payments.

Meanwhile, federal leaders – including the White House, lawmakers and HHS, are discussing potential cybersecurity rules that would impose financial consequences for healthcare organizations that don't have a certain baseline of cybersecurity readiness in place.

And nearly four weeks since the Feb. 21 cyberattack, the effects of the massive payment processing shutdown continue to snowball, with scammers impersonating providers to get patient credit card numbers – and a rumor that Availity, a major claims-processing affiliate, is "cutting ties" with Change Healthcare.

UHG to resume service

Change Healthcare parent company UnitedHealth Group said Monday it is testing software for submitting medical claims. Previously, the company said it restored certain systems affected in the attack, such as its electronic payments platform, and announced that it would restore service throughout this week.

UHG said in the online statement that Change Healthcare would begin releasing medical claims preparation software to resume services to thousands of customers over the next several days.

"The company expects to have third-party attestations available prior to services becoming operational," UHG said, noting that following this initial phase, service restoration will continue "until all customers have been connected.

"We continue to make significant progress in restoring the services impacted by this cyberattack," said Andrew Witty, CEO of UHG, in the statement.

The for-profit healthcare behemoth also said that it expanded temporary funding to support doctors and other care providers affected by the attack to include no-cost support.

Previously, affected providers had to pay a fee to access funding support.

"What United is doing in terms of offering advanced funds is just an insult," Ted Okon, executive director of the Community Oncology Alliance, told Healthcare IT News on March 6.

As of yesterday's statement, the healthcare payer giant said it has paid $2 billion in advances to pharmacies and providers who could not receive payer reimbursements during the post-attack outage.

Federal support and investigation

While providers have initiated at least a handful of class-action lawsuits, the U.S. Health and Human Services' Office for Civil Rights announced on March 13 that it has opened an investigation into the hack to determine if protected health information was breached and to assess Change Healthcare's and UHG's compliance with HIPAA rules.

"Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and healthcare providers, OCR is initiating an investigation into this incident," said OCR Director Melanie Fontes Rainer in a letter to colleagues.

Meanwhile, the American Hospital Association has called upon the U.S. government to aid a healthcare system struggling to provide medical care and submit insurance claims.

The inability to get paid has providers small and large scrambling to pay bills and payroll.

The federal government is offering advance payments for Medicare claims, according to a readout from a March 12 White House meeting on the Change Healthcare cyberattack with leaders from across the healthcare ecosystem.

On March 5, HHS announced hospitals paid under Medicare Part A may submit accelerated payment requests and on March 9 the Centers for Medicare and Medicaid Services announced that applications are being considered for advance payments for Part B suppliers.

CMS also provided instructions to Medicare Administrative Contractors about how to consider applications for accelerated payments from Medicare Part A providers and for advance payments from Part B providers and suppliers, the Biden-Harris Administration said.

The AHA said while it appreciates these federal actions, it is concerned that the actions are limited in impact due to certain statutory constraints, including the repayment time line and interest rates.

Push for mandatory cybersecurity rules

While many cyberattacks are committed through third-party bad actors, some politicians are continuing to push for penalties on healthcare organizations that don't have sufficient levels of prevention and preparedness in place.

Sen. Ron Wyden, D-Ore., told The Washington Post Tuesday that the government needs to prevent cyberattacks, and that the way to do that is mandatory requirements.

"I want to work with the Biden administration to ensure there are mandatory, specific cybersecurity rules in place as soon as possible, and to ensure accountability for CEOs," he said in the story.

Deputy National Security Adviser Anne Neuberger also said that the White House is looking at how to impose standards on healthcare organizations while imploring immediate adherence to voluntary guidelines.

"The Hill has not passed any legislation providing authorities to mandate minimum standards, which is why we have been using sector emergency authorities or rulemaking," Neuberger said in the story, indicating that requirements are coming for providers that submit Medicare and Medicaid claims.

When the White House summoned industry leaders to discuss what could be done immediately to mitigate harm to patients and providers caused by the Change Healthcare cyberattack on March 12, HHS Secretary Xavier Becerra and Deputy Secretary Andrea Palm convened a broad list of healthcare stakeholders to meet with Neuberger, White House Domestic Policy Advisor Neera Tanden, and other federal executives.

"HHS continues to urge everyone to implement the [Healthcare and Public Health Cyber Performance Goals] designed to help health care organizations strengthen cyber preparedness, improve cyber resiliency and ultimately protect patient health information and safety," the administration said in the meeting readout.

The Post noted it also contacted Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, and he explained that more than half of all healthcare cyberattacks come in through third parties.

In a 2022 HIMSS Cybersecurity Forum presentation about improving cyber preparedness collaboratively, Garcia cited third-party service providers and vendors as a major vector in healthcare cyberattacks that required collaboration by the sector to defend against.

Availity not cutting ties with Change

Availity, a vendor of revenue cycle management products for healthcare and a competing data clearinghouse, offered a slimmed-down version of its payment-processing software with no contract to providers that have been unable to process payments due to the Change outage.

An Availity spokesperson told Healthcare IT News Tuesday that it's processed more than $10 billion across 5.7 million backlogged claims through the system and is supporting more than 50 health plans and 300,000 providers across 120 organizations with the stand-up "Lifeline" service.

Availity has had an ongoing business relationship with Change, as do other processors, servicing some of its transactions. These companies have been helping Change set up alternative payment processing systems, the Availity spokesperson explained previously.

According to Catherine Montgomery, cofounder and CEO of workers compensation revenue-cycle software vendor daisyBill, Availity severed ties with Change on Saturday.

She said that the company told its trading partners via email on March 14 that it intends to return an unspecified number of e-bills to providers and their billing vendors and that it has "no current alternative pathway for electronic submission," she wrote in a post on Workcompcentral.com on Monday. 

"The fact that e-bills passed through two clearinghouses – both Availity and Change's systems – exemplifies how unnecessarily convoluted medical e-billing has become, even before the cyberattack," Montgomery wrote.

Availity responded that it does not intend to permanently disconnect from Change, and that it was standard operating procedure to disengage on Feb. 21 when the attack was announced – and to remain disengaged until the safety and security of its environment can be assured.

"Once Change provides appropriate attestations regarding its recovery, we fully expect to reconnect to Change," the spokesperson said via email.

Further, the spokesperson noted that Montgomery erred in her analysis and presented several inaccuracies.

Availity provided Healthcare IT News with a March 11 notice it sent to providers to address why error messages began appearing in its software on March 8 when "impacted payers who have not established EDI connections with Availity."

"Returning claims that cannot be sent to a payer empowers the provider to make decisions regarding its claims, including the opportunity to find an alternative route for processing," the spokesperson explained, noting that the company added 326 payer IDs to date.

Though Availity said it stepped up to relieve the pressure experienced by payers and providers since the outage, "providers need to understand payer deadlines like timely filing, and to make informed decisions about dropping a claim to paper, delivering via a portal or continuing to hold the claim," and that's why it released the notice, he said.

"Availity has marshaled significant resources to establish new and alternative electronic data interchange connections for health plans, trading partners and providers."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.