The near-universal impact to healthcare providers from outages stemming from the Change Healthcare cyberattack in February continues today. As of last week, Change’s parent company UnitedHealth Group noted that 80% of functionality for various services affected by the cyberattack had been restored.
In countless cases over the past two months, what was previously digital, outsourced and/or automated, has been replaced by several manual and sometimes offline processes. As Health IT Security reported, many organizations put their runbooks — playbooks for cyber incident response — into action.
The unique nature of the Change cyberattack outages likely created situations that many practices and revenue cycle leaders never anticipated, prompting a fresh look at their runbooks. Thankfully, many medical groups (82%) have a plan for EHR or PM system downtime, according to a July 2021 MGMA Stat poll.
An April 22, 2024, MGMA Stat poll found that 29% of medical groups reported making updates to the EHR or revenue cycle system downtime protocols in the past year, compared to 61% who have not and another 9% who were unsure. [Figures do not equal 100% due to rounding.] The poll had 326 applicable responses.
Additional resources
- MGMA Incident Response Plan Checklist (member tool)
- Payer Lists (Change Healthcare)
- Unplanned information technology downtime toolkit (Mass General)
- Contingency Planning SAFER Guide (ONC for HIT)
Understanding the impacts
During their recent MGMA member-exclusive webinar, “Crisis Averted: Effective Downtime Protocols for Your Revenue Cycle Operations,” MGMA consultants Kem Tolliver, FACMPE, CPC, CMOM, president and CEO, Medical Revenue Cycle Specialists LLC, and Taya Gordon, MBA, FACMPE, CMOM, chief revenue officer, H4 Technology LLC, discussed strategies for managing revenue cycle downtime protocols during crises.
“For the most part, a lot of us were completely unprepared for something like this to happen. … We're still trying to figure out where we go from here,” Tolliver said, as they detailed concepts for taking the theory of clinical downtime protocols and applying it to revenue cycles so that healthcare leaders can create best practices to mitigate impacts from future revenue cycle disruptions.
To understand how impactful the outages from the Change Healthcare cyberattack were, it’s important to start with a comprehension of a clearinghouse interface flow, as illustrated in Tolliver and Gordon’s book, Revenue Cycle Management: Don’t Get Lose in the Financial Maze:
“The clearinghouse is that intermediary between a healthcare organization and the insurance companies,” Tolliver said. “Our funding sources and all of these lines — it really gets complicated … [and it’s] supposed to be secure.”
However, the role of the clearinghouse continues to be somewhat opaque for many, Gordon said. “It’s not just for 837 [claim form] and 835 [electronic remittance advice] transactions. … Its primary goal is to act as a facilitator in a conversation between you, as the practice or hospital, and the payers.
“When that conversation is broken or we can’t contact the clearinghouse, that’s a critical problem,” Gordon added, especially when relationships with clearinghouses are sometimes minimal and sometimes driven by preferred options for the PM system being used.
Revenue cycle operations can be broken into four quadrants, each with their own impacts from using a clearinghouse: pre-visit services (eligibility), claims preparation (835 and 837 transmissions), receiving payments (patient and insurance A/R and follow-up) and essential value-adds (quality and value-based metric reporting).
“You really have to make sure that every department in your organization is aware of this and they understand any potential workarounds,” Gordon said. “We have been really relying upon the clearinghouse to handle so much of our electronic transactions without necessarily realizing the vulnerability that that created.”
- For a broader examination of the impacts from the Change Healthcare outage, see the AMA’s recent informal survey results (PDF).
Downtime protocol suggestions and action steps
- Confirm disconnection to breached entity and notify ransomware insurer and any other must-notify entities. Document event details, communications, workflow transitions and key performance indicators (KPIs) from the beginning of any revenue cycle disruption.
- Discuss connectivity status and capabilities with PM system vendor.
- Identify potential alternative solutions to supplement the services interrupted (e.g. claim submission, obtaining remittances, verifying eligibility and benefits, critical reports). These may include:
- A secondary and/or tertiary clearinghouse
- Payer portal transmission capabilities
- Manual transmission
- Forecast potential financial and operational impacts of a revenue cycle disruption and confirm days cash on hand and backup revenue strategies (for example: pre-established line of credit).
- Establish the strategy to use during the downtime and communicate widely through the organization. Document decisions made and changes to processes.
- Communicate workaround strategies as widely as possible within the practice.
- Review your clearinghouse contract(s), their roles and responsibilities to your organization, and your organization’s responsibilities as a client to send accurate, timely information.
- Explore stackable technologies to enhance overall clearinghouse functions, including:
- Coverage verification at the claim level
- Pre-claim submission edits
- Proof of timely filing
- Analysis of claims data (e.g., denial/non-payment trends, payment trends)
- Provide timely status updates and ensure all stakeholders within the practice are informed of changes.
- Participate in MGMA advocacy efforts at the national and state levels (including subscribing to the Washington Connection newsletter) to gain on-the-ground experience to inform legislators and policy drafters.
Learn more
- “How Health First navigated incident response for Change Healthcare cyberattack” (Health IT Security)