UnitedHealth Group Offers Financial Assistance Program and Change Healthcare’s HIPAA Compliance Investigation

UnitedHealth Group Increases Financial Assistance Program and Gives Schedule for Recovery

On March 8, 2024, around 2 weeks after the ransomware attack on Change Healthcare, UnitedHealth Group gave a time frame on when it wants to have its programs and services accessible. UnitedHealth Group mentioned its electronic prescribing program is now completely functional since March 7, 2024; nonetheless, electronic payments won’t be offered until March 15, 2024. Testing of the claims system and application will start on March 18, and services will be accessible all through that week.

UnitedHealth Group has additionally stated that its financial assistance program, made available through Optum, was improved to include companies that have explored all connection choices and even those that work with payers who won’t advance finances at the time of the outage. With the financial assistance program, advance payments shall be made weekly based on providers’ historic payment values and those after the cyberattack. UnitedHealth Group was questioned for the tedious conditions of its financial assistance program which was offered one week following the attack, but affirmed that the money won’t necessarily be repaid until claims flows have fully continued. When that takes place, providers will be given an invoice and will get 30 days to settle the money.

Prior permissions are being halted for almost all outpatient services for Medicare Advantage plans, operation assessments for inpatient admissions are held up until March 31, 2024, and drug formulary exception assessment is stopped for Medicare Part D pharmacy benefits. Optum Rx informed the pharmacies impacted by the attack that the pharmacy benefit manager would repay them for claims submitted at the time of the attack.

CEO Andrew Witty of UnitedHealth Group mentioned that they are determined to provide help to individuals affected by this malicious attack on the U.S. health system. UnitedHealth Group is working continuously to recover and ensure that companies can look after their patients and operate their practices and that patients can receive their medicines.

The supplemental measures are good, yet the American Medical Association (AMA) has notified that physician practices may still deal with big obstacles. The AMA concurs with UnitedHealth’s demand that all payers should advance finances to doctors since the most beneficial way to maintain medical practice viability while in financial trouble, specifically for practices that were not able to create workarounds to connect the claims flow gap before the Change Healthcare network is re-organized. While giving required details on timelines and new financial actions is valuable, UnitedHealth Group needs to do far more to deal with doctor problems. Complete transparency and security guarantees will be crucial before relationships are re-started with the Change Healthcare network.

HIPAA Compliance Investigation of Change Healthcare

The HHS’ Office for Civil Rights has launched an investigation of Change Healthcare of its cyberattack on February 21, 2024, only three weeks after the attack took place. Normally, OCR’s inspections of cyberattacks and data breaches begin a few months after the breach report, which might even be years after the happening of a breach. In this scenario, the breach report was not yet sent to OCR because it is still being investigated. Change Healthcare’s systems are now restored – 99% of payment and pharmacy platforms are already available as per the latest statement. The HIPAA Breach Notification Rule’s due date for reporting security breaches is still five weeks away.

The immediately begun investigation is a reaction to the magnitude of the incident, which is interrupting medical care and billing data systems throughout the country and has been projected to cost providers over a billion in payment losses every day as a result of Change Healthcare’s systems being unavailable. The interruption caused to companies using Change Healthcare’s systems equates to financial challenges and some providers had to make tough decisions about whether they could keep operating. Consequently, the incident presents an immediate threat to critical patient care and functions of the healthcare sector.

OCR Director Melanie Fontes Rainer stated in a “Dear Colleague” letter published on the HHS website that OCR is starting an investigation of this occurrence given the unmatched size of this cyberattack. OCR’s audit of Change Healthcare and UHG will check if a breach of PHI happened and the HIPAA compliance of Change Healthcare and UHG.

OCR likewise stated in the letter that other organizations that work with Change Healthcare and UnitedHealth Group are not prioritized in the investigation. Nonetheless, OCR informed that healthcare providers, business associates, and health plans that have worked with Change Healthcare or UnitedHealth Group are accountable under HIPAA to make sure that they have business associate agreements in place and that they provide prompt notifications to the HHS and impacted persons. The OCR Director additionally provided resources to support HIPAA-covered entities with securing systems, data, and patients from attacks.

This is an uncommon action by OCR but considering the massive effect of the cyberattack on healthcare companies that depend on Change Healthcare’s services, the breach must be quickly investigated to find out whether Change Healthcare and its parent company were wholly compliant with the HIPAA Regulations.