June 1, 2024

Yesterday the NYS Council and CHCANYS met with Department of Financial Services (DFS) leads as follow up to the letter (attached) we sent numerous state leaders on April 24 where we requested (among other things) a broad timely filing waiver for Medicaid FFS, MMC and commercial claims that have been/will be caught up in the CHANGE Healthcare cyber attack chaos.  We spent a significant amount of time explaining the ongoing impact of the cyber attack on providers, noting that many agencies are struggling financially, they have gone out on their credit lines and are dealing with numerous health plans that are failing to provide electronic remittances leading and ignoring DFS guidance resulting in a massive amount of extra work for agencies that are already short staffed and do not have large departments filled with billing and coding experts at their disposal.  We reiterated our need for a broad timely filing waiver – one that goes beyond delay codes that are time limited.  And we again expressed our concern that insurers have failed or refused to send back (to the provider) the form DFS issued a while back that (if all went according to plan) would result in the plan granting a waiver to the provider on some of the claims pending.  But the DFS plan required the provider to fill out a form, send it to the plan for an approval signature, and then the plan was to send it back to the provider (certainly not a plan we would have suggested).  Again,  many plans are not following the guidance.

We asked DFS to increase their proactive surveillance of the plans including determining how many have granted waivers consistent with the circular letter. Also we asked them to coordinate with DOH and OMH to require plans to do electronic remittance and provide for an easy method for tolling timely payment requirements given this unprecedented situation. We wanted to let you know we have not by any means given up the fight to secure the additional time and relief you need to remain financially viable AND to ensure you are reimbursed for all services provided.  Rigid timely filing timeframes never anticipated events like a massive cyber attack on a national billing clearinghouse that processes 16 billion claims/year.  The state must understand the fallout is ongoing and in many instances increasing in negative impacts while health plans fail to follow DFS guidance. We will continue to work to achieve this outcome.  Again, the 4/24/24 letter is attached.And on a related note, this is from the 5/31 Modern Healthcare end of day summary:

UnitedHealth Group must take responsibility for informing people about privacy breaches resulting from the Change Healthcare cyberattack, the Health and Human Services Department announced Friday.

Providers, health insurance companies and other affected entities may direct UnitedHealth Group, which operates Change Healthcare through its Optum subsidiary, to notify their patients, customers and business partners under the Health Insurance Portability and Accountability Act of 1996, the HHS Office for Civil Rights, or OCR, said in a news release and an FAQ webpage.

“Ensuring patient privacy is one of the pillars of HIPAA,” OCR Director Melanie Fontes Rainer said in the news release. “We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”

UnitedHealth Group previously disclosed that the February ransomware attack exposed personal information about a “substantial proportion” Americans and volunteered to notify affected people on behalf of other parties.

“We appreciate OCR clarifying that providers and other HIPAA covered entities can delegate their notice obligations to Change, which reiterates our previously stated preference to ease the reporting obligations of our customers,” a UnitedHealth Group spokesperson wrote in an email.

Providers had sought clarification from HHS about how HIPAA notification rules applied in these circumstances.

“OCR must affirm its position that the breach was perpetrated upon Change Healthcare, whose status as a healthcare clearinghouse makes them a covered entity under HIPAA and thus responsible for the breach of any [protected health information] which it processes or facilitates the processing of,” the American Medical Association and dozens of physician groups wrote to HHS Secretary Xavier Becerra on May 20.

The American Hospital Association welcomed the HHS announcement. “Not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack,” AHA General Counsel Chad Golder said in a news release.

Under HIPAA, UnitedHealth Group must provide affected individuals with descriptions of the incident, what data were compromised, how the company responded to the attack, how the company can be reached and what individuals can do to protect themselves.

In March, the Office for Civil Rights launched a probe into whether UnitedHealth Group complied with HIPAA and whether protected health information was compromised.