During the March 22, 2024, episode of Deep Dive with Altum, CEO Elizabeth Richards engaged in a 30-minute discussion with attendees about the Change Healthcare breach and its ongoing repercussions on the Hospital Revenue Cycle. As you are likely aware, on February 21, 2024, Change Healthcare experienced the largest cyberattack in the history of United States healthcare. Because of the company's reach (it processes 15 billion healthcare transactions annually), approximately one-third of healthcare transactions in the United States were affected. This breach instantly disrupted hospitals, doctors, insurance companies, and pharmacies, rendering them unable to access files, send bills, and receive payments.
The impact on Hospital Revenue Cycles, which rely on Change Healthcare for their clearinghouse services, has been severe. Even for hospitals or providers using alternative clearinghouses, there have been lingering effects due to the payers’ utilization of the Change Healthcare platform. Apart from the inability to submit claims, there have been significant delays in prior authorizations, payments, and remittances. Consequently, concerns have arisen about the delivery of care and the financial stability of providers who, in some cases, have gone unpaid for over 30 days.
This unfortunate situation underscores the necessity, as we learned in 2020 during the COVID-19 pandemic, for business leaders to anticipate and prepare Business Contingency Plans for such unprecedented threat scenarios. The term “Force Majeure,” which refers to unforeseeable circumstances that render contract performance impossible, became prevalent in discussions during the pandemic. Post-COVID, it became standard practice to include pandemic language in contract clauses, which were previously primarily reserved for natural disasters. This incident highlights the need to also incorporate Cyberattack language into these clauses, specifying that the attack may target the provider, the payer, and/or a third-party vendor.
Regrettably, payers have seemingly adopted the stance that clearinghouse delays are not their concern. The most effective way to address this is by including such issues in contract terms. Other considerations include outlining procedures for bulk submission of paper claims, extending timely filing and appeals deadlines, and establishing protocols for emergency claims management and approval.
Remember that the worst time to respond to a crisis is in the midst of it. Just as hospitals have Crisis Management Plans for various contingencies, there must also be fail-safe plans in place for the Revenue Cycle. Finance leaders must accurately assess and prepare for the potential scope of a Cyber Business Interruption and plan accordingly. Additionally, a system should be established to meticulously track and document all financial losses in such situations to facilitate claims with insurance carriers and/or legal action against third-party vendors.
Another cyberattack is not a matter of if, but when. As we emerge from this crisis, let us heed these lessons and formulate a plan so that we are proactive rather than paralyzed by the impact.