Advanced Search

Home Health & Hospice Week

Health IT:

New Directions On NOA/NOE Delays, Medicaid Aim To Help Home Health, Hospice Providers Affected By Ransomware Attack

Published on Thu Mar 21, 2024

UnitedHealth Group continues to implement damage control.

UnitedHealth Group may be on the brink of restoring its claims-related services through its Change Healthcare division, but providers continue to see major ongoing cash flow crises.

Recap: On Feb. 21, Nashville-based Change Healthcare, which is owned and operated by UHG, reported it had been targeted in a ransomware attack. As the cyber incident evolved and disruptions to the healthcare industry multiplied, the feds got involved in the response (see HHHW by AAPC, Vol. XXXIII, Nos. 8-10).

The latest: UHG issued a March 18 press release and held a March 19 webinar with affected healthcare providers on the issue. And the Centers for Medicare & Medicaid Services issued Medicaid guidance on March 15 related to the cyberattack and resulting outage.

The disruption has severely impacted healthcare providers. A recent poll of 10,000 AAPC members shows that more than 80 percent of respondents have been impacted by the attack. The largest group of respondents — 36 percent — rated the severity of the attack’s impact at a 10, on a scale of 1 to 10.

The most impacted area was claims submission at 82 percent, the poll indicates. But payment of prior submitted claims (68 percent) and eligibility (58 percent) also head up the list.

Even worse: The American Hospital Association reports that 94 percent of hospitals “are experiencing a financial impact from the cyberattack with more than half reporting ‘significant or serious’ impact, according to new results from an AHA survey. “Nearly 60 percent report that the impact to revenue is $1 million per day or more,” the trade group relates.

Medicare is already offering accelerated and advance payments, and urging its Medicare Advantage and Medicaid plans to also relax requirements like prior authorization and offer plans to restore cash flow.

UHG has also offered its own “Temporary Funding Assistance Program.” And “to assist care providers whose finances have been disrupted by the cyberattack, the company has advanced more than $2 billion thus far through multiple initiatives,” it says in a March 18 release. “The company recognizes the high level of fragmentation of the U.S. health system can result in uneven experiences, therefore it continues to enhance and expand funding support to make it easier for care providers to access funding help at no cost.”

Meanwhile, in a March 14 U.S. Senate hearing, the Department of Health and Human Services took a dressing down from senators about its response to the incident.

“While your Department has recently taken steps to issue guidance and flexibilities to insurers, providers and contractors to mitigate the effects of the hack, the over two-week delay resulted in avoidable uncertainty,” Ways and Means Committee Ranking Member Mike Crapo (R-Idaho) said to HHS Secretary Xavier Becerra in a prepared statement. “Already financially vulnerable rural hospitals and providers, with little to no cash reserves, required immediate action by the Administration to ensure payrolls could be met and services could continue without interruption,” Crapo admonished.

Chair Ron Wyden (D-Ore.) urged Becerra to have HHS adopt cybersecurity standards for healthcare providers. “Private-sector opposition to effective cybersecurity rules is the number one reason our critical infrastructure, particularly in the healthcare sector, is so woefully unprepared for even unsophisticated cyberattacks,” Wyden also told Politico. “As these companies have become so large, it is creating a systemic cybersecurity risk.”

CMS has distributed $3 billion to affected providers, Becerra indicated in the hearing, according to press reports.

Home health and hospice agencies may not have been as severely impacted as other provider sectors, but they also aren’t off scot free.

For example: System disruptions have led to delays in submitting some Notices of Admission (NOAs) and Notices of Election (NOEs). On March 19, HHH Medicare Administrative Contractor Palmetto GBA updated its website to indicate the NOE and NOA exception process would be available for such instances.

“If this event caused a late NOA/NOE submission, you may follow the exception request process,” Palmetto tells providers. “Please indicate ‘Change Healthcare cyberattack’ in the Remarks section of the associated claim,” the MAC instructs.

CMS has also issued a Center Informational Bulletin reminding states “that there is broad flexibility within Medicaid managed care to make interim payments to providers and leverage other flexibilities without additional authority from CMS.” The agency will temporarily loosen up some requirements “to permit states to rapidly implement interim payments to fee-for-service (FFS) Medicaid providers affected by the cybersecurity incident,” it adds in the 13-page bulletin.

All involved hope systems will get back on track quickly with UHG ramping up resumption of services. On March 18, the company said it was “releasing medical claims preparation software,” which would “be made available to thousands of customers over the next several days,” according to the release.

Watch for: Nevertheless, watch for legal troubles and investigations to wallop Change Healthcare before all is said and done, say attorneys Mark Swearingen, Amy Mackin, and David Honig with law firm Hall Render. “Anticipate the possibility that Change Healthcare will go through bankruptcy, lawsuits from providers and lawsuits from patients as a result of this breach,” Swearingen, Mackin, and Honig say in online analysis of the case. “Identify alternatives, either to act immediately or as contingency planning,” they recommend. v

Note: The Medicaid bulletin is at www.medicaid.gov/sites/ default/files/2024-03/cib031524.pdf.

Other Articles in this issue of

Home Health & Hospice Week

View All