Posted by:
Lillian Anjargolian
On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group (UnitedHealth), experienced a cyberattack that crippled its systems, resulting in disruptions to Change Healthcare's operations. Change Healthcare provides many services that are critical to the financial aspects of healthcare in the United States. According to Change Healthcare, the company processes 15 billion health care transactions annually and touches 1 in every 3 patient records. These transactions include a range of services, like eligibility verifications and authorizations, claims processing, and pharmacy operations. As a result, healthcare providers at all levels are struggling to submit claims and be reimbursed for services, placing a significant financial strain on these organizations. Among other issues, patients are experiencing delays in obtaining prescriptions or confirming insurance statuses.
While the legislative response has largely been federal, including various actions by the U.S. Department of Health and Human Services to streamline processes related to claim submission and prior authorization requirements, states have also initiated actions to help with the recovery. On March 13, the California Department of Health Care Services (DHCS) issued a memo to its contracted Medi-Cal managed care plans (MCPs) reminding them of their legal and contractual obligations to timely pay claims submitted by providers for covered services to members. To address the impact of the Change Healthcare cyberattack on the MCPs' payment operations and the downstream impact on healthcare providers, the memo strongly encourages MCPs to take six steps to adopt "flexibilities" in their operations.
The six steps, in summary, are:
1. Waive requirements to submit claims electronically, and automatically accept paper claims from providers;
2. Temporarily remove or relax timely filing deadlines;
3. Establish workarounds to ensure the MCP, and any related parties that may have been impacted by the cyberattack, such as its subcontractors, continue to pay claims within the statutory timeframes of 30 or 45 working days from receipt of a claim;
4. Temporarily relax or remove prior authorization requirements or develop an efficient workaround for providers, in order to ensure members do not experience delays in receiving care;
5. Post information on their websites to ensure providers have up-to-date information, including contact information, about the extent to which the MCPs' systems are impacted by the Change Healthcare cyberattack;
6. Apply any flexibilities and/or workarounds developed to address the impact of the cyberattack to services the MCP has delegated to subcontractors and other third parties, to the extent that these third parties have also been impacted by the cyberattack; and
UnitedHealth has announced resumption of Change Healthcare's services, including "99% of [its] pharmacy network services," its electronic payments platform, and as of March 18, release of medical claims preparation software for healthcare providers to submit claims. Despite these developments, the timeline to full recovery, including processing the backlog of claims and transactions, will require healthcare organizations of all types, and at all levels, to independently develop mitigation strategies and implement workarounds. The extent of disruptions nationwide has exposed the vulnerability of the healthcare system to cyberattacks on critical infrastructure, and the dependence of clinical operations on financial transactions.