The Department of Health and Human Services (HHS), through the Centers for Medicare & Medicaid Services (CMS), announced on March 9 additional financial resources for providers affected by the Change Healthcare attack. In recognition of provider cash-flow challenges, the CMS stated that Medicare Part B practitioners and suppliers may submit requests for Medicare Advance payments to their Medicare administrative contractors. The CMS had previously announced the availability of accelerated payments for Part A institutional providers, including hospitals [refer to Washington Highlights, March 8]. The up-front payments will cover 30 days of Medicare claims payments, and providers have 90 days to repay the full amount before interest begins to accrue. The agency released an FAQ with more information on eligibility for advance and accelerated payments, application criteria, and repayment terms. The CMS also extended the data submission period for the Merit-based Incentive Payment System 2023 performance year to April 15.
Separately, the HHS Office for Civil Rights (OCR) said it is launching an investigation of Change Healthcare and its parent company, UnitedHealth Group, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-191) Privacy, Security, and Breach Notification Rules. The OCR noted that while it is not prioritizing investigations of providers and health plans that were affected by the attack, HIPAA covered entities that partnered with Change Healthcare and UnitedHealth Group should review their obligations under the HIPAA rules, including reviewing their business associate agreements and need to provide breach notification to HHS and affected individuals, where applicable. The OCR document also includes resources for providers on protecting patients and record systems from cyberattacks.
- Washington Highlights