Cybersecurity

Congressional hearings on the Change Healthcare cyberattack bring attention to providers’ continuing predicament

The CEO of UnitedHealth Group said his company is making all possible accommodations in the wake of the attack on its subsidiary, but other insurers aren't guaranteed to take the same approach.

May 2, 2024 5:28 pm

Two congressional hearings involving the CEO of UnitedHealth Group offered few concrete solutions to the issues surrounding the Change Healthcare cyberattack but did highlight the ongoing pressures facing healthcare stakeholders.

Andrew Witty, the CEO, was questioned May 1 by the Senate Finance Committee in the morning and a House subcommittee in the afternoon.

For providers that are hurting financially as a result of the outage, which started Feb. 21 and began to be alleviated in mid-March, Witty acknowledged the strain they are experiencing. He said he hopes all providers will be made whole financially within the next month to six weeks.

The primary mechanism for shoring up providers is Optum’s Temporary Funding Assistance Program, Witty reiterated several times. The loan is interest-free and does not need to be repaid until 45 business days after the provider determines that its cash flow is back to normal. Terms and conditions were modified in March to ensure more providers would be eligible and could access funds that were more representative of the impact they had incurred.

Such a loan should “bridge the gap in the cash flow that you describe,” Witty said in response to a question. He added that a third of the $6.5 billion loaned out so far has gone to financially vulnerable providers.

UnitedHealth is “more than willing to engage with individual providers on their circumstances as well,” he said.

Many hospitals are struggling

In a letter submitted ahead of the hearings, the American Hospital Association (AHA) emphasized that hospitals continue to be hampered by the fallout from the outage.

“The staggering loss of revenue has meant that some hospitals and health systems had to seek alternate ways to ensure they could pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies and pay for mission-critical contract work in areas such as physical security, dietary and environmental services,” the letter states.

“In addition, replacing previously electronic processes with manual processes has often proved ineffective and is adding considerable administrative costs for providers, as well as diverting team members from other tasks.”

Sen. John Barrasso (R-Wy.) described a hospital in his state for which the 26-day delay created a backlog of 17,000 claims, resulting in $20 million in unpaid services.

For vulnerable hospitals such as many of those in Wyoming and other rural areas, “This breach may send some of them into a financial spiral from which they can’t come back,” Barrasso said.

While UnitedHealthcare has made a point of paying claims instantly since functionality was restored in March, Witty said, other insurers may still be waiting a month or more after a claim comes through Change Healthcare.

The situation has been compounded by a lack of access to electronic remittance, leaving payments to be processed manually, said Sen. Marsha Blackburn (R-Tenn.).

“That goes into labor costs,” she said. “[And] you’ve got error rates.”

A tough road ahead

Change Healthcare’s claims and payment functions may be restored, but many providers face a steep climb in returning to something approaching normal business operations.

“The disruption and delay in claims submission will inevitably lead to many denials, especially as most payers did not waive certain administrative requirements impacted by the Change Healthcare outage,” the AHA wrote.

Denials are cropping up due to issues with obtaining prior authorization, while the inability to meet contractual timely-filing deadlines looms as another problem.

“Providers will need to appeal these denials, which is a labor- and time-intensive process, to attempt to receive payment for the care provided,” the letter states.

The delay in claims could lead to a slew of retroactive denials. UnitedHealthcare will not go that route in any scenario where “people have acted in good faith,” Witty said, but he noted he cannot speak for other insurers.

Providers’ efforts to find alternatives to Change Healthcare perhaps have helped their operations remain viable, but they also bring a new set of concerns.

“The complexities of adjusting to a new clearinghouse have led to significantly higher rates of claim rejections and denials,” the Federation of American Hospitals (FAH) wrote in a May 1 statement on the hearings. “As rejections and denials proliferate, the burden falls on providers to identify for each claim the specific reason for the rejection or denial, communicate with the insurer, and rebill the claim and/or appeal it in a timely manner. These factors all amount to additional burdens on providers already struggling to adapt and already operating on strained resources.”

In response to any future large-scale attack on the industry, health plans should be required to suspend prior authorization and other “administrative requirements that are simply unworkable in the context of a widespread crisis,” FAH wrote.

Avoiding a repeat

Some of Change Healthcare’s legacy contracts included exclusivity clauses, hindering providers from establishing the type of system redundancy that could have mitigated the impact. UnitedHealth is eliminating those clauses, Witty said.

From a cybersecurity standpoint, members of Congress wanted to know why the server that was exploited in the attack did not have multifactor authentication (MFA). Witty said it was a legacy system of Change Healthcare but acknowledged there was no excuse for why MFA still was not installed more than a year after UnitedHealth’s acquisition of the revenue cycle vendor was consummated in October 2022.

He said he understands why some providers remain reluctant to reconnect with Change Healthcare despite security verifications and assurances from leading third-party cybersecurity vendors.

“That’s a natural and good concern for people to have after an attack like this,” Witty said. “We’ve literally built this platform back from scratch so that we can reassure people that there are not elements of the old, attacked environment within the new technical environment we’ve created.”

He hopes UnitedHealth can play a leading role in improving the nation’s healthcare cybersecurity infrastructure.

Hospital advocates say providers should not have to bear the brunt of strict new cybersecurity standards such as those recommended by the Biden administration. Proposed to take effect in FY29, the standards would carry significant Medicare payment penalties for noncompliance.

“Enforcing hospital adoption of these practices would have done nothing to prevent the Change Healthcare cyberattack or most other cyberattacks on the sector to date,” the AHA wrote.

The association noted that compliance with the HIPAA Security Rule entails implementing safeguards around information access and data back-up plans, among other requirements. Penalties for noncompliance can be “severe,” the AHA wrote, thus rendering unnecessary the punitive aspects of the White House recommendations.
