Tag: cybersecurity

CMS Announced Medicare Accelerated and Advance Payments in Response to Change Healthcare Cyberattack

On March 9, 2024, the Centers for Medicare and Medicaid Services (CMS) announced the creation of the Change Healthcare/Optum Payment Disruption (CHOPD) Program.  Under the CHOPD Program, CMS will make accelerated payments to Part A providers and advance payments to Part B suppliers that have experienced claims disruptions as a result of the Change Healthcare cyberattack.

Under the CHOPD Program, qualifying providers and suppliers will be eligible to apply for and receive Medicare advances of up to 30 days of their average Medicare payments.  Applications for payment advances must be made to the provider’s or supplier’s Medicare Administrative Contractor (MAC).  The 30-day payment advance will be based on the average Medicare payments to the provider or supplier between August 1, 2023 and October 31, 2023.  Specifically, CMS will compute the total amounts paid to the provider during this period, and then divide by 3 to arrive at the 30-day average amount.

Advance payments received through the CHOPD Program are considered a loan.  Therefore, these amounts must be repaid through offsets against future Medicare payments.  Recoupments will commence on the date the advance payments are received by the provider or supplier.  These recoupments will be equal to 100% of future payments, and will continue until the earlier to occur of: (1) the full repayment of the advance payment or (2) 90 days.  In the event a balance remains after 90 days, the MAC will generate a demand notice for the outstanding balance, which must be repaid within 30 days.  If the provider does not repay the outstanding balance within that period, interest will start to accrue on the outstanding balance.

Providers and suppliers with multiple National Provider Identifiers (NPIs) may be eligible for multiple advance payments.

Eligibility Requirements

To qualify for advance payments, a provider or supplier must meet the following requirements:

  1. Advance payments may be requested for individual providers or suppliers, i.e., a unique NPI and Medicare ID (PTAN) combination.
  2. The provider or supplier must not currently be receiving Periodic Interim Payments.
  3. The provider or supplier must make the following certifications:
  4. The provider/supplier must certify that they have experienced a disruption in claims payment or submission due to a business relationship the provider/supplier has with Change Healthcare or another entity that uses Change Healthcare, or the provider’s/supplier’s third-party payers have with Change Healthcare or another entity that uses Change Healthcare.
  5. The provider/supplier must not be able to submit claims to receive claims payments from Medicare.
  6. The provider/supplier has been unable to obtain sufficient funding from other available sources to cover the disruption in claims payment, processing, or submission attributable to the cyberattack.
  7. The provider/supplier does not intend to cease business operations and is presently not insolvent.
  8. The provider/supplier, if currently in bankruptcy, will alert CMS about this status and include case information.
  9. Based on its information, knowledge and belief, the provider/supplier is not aware that the provider/supplier or a parent, subsidiary, or related entity of the provider/supplier is under an active healthcare-related program integrity investigation in which the provider/supplier or a parent, subsidiary, or related entity of the provider/supplier: (1) is under investigation for potential False Claims Act violations related to a federal healthcare program; (2) is a defendant in state or federal civil or criminal action (including a qui tam False Claims Act action either filed by the Department of Justice or in which the Department of Justice has intervened); (3) has been notified by a state or federal agency that it is a subject of a civil or criminal investigation or Medicare program integrity administrative action; or (4) has been notified that it is the subject of a program integrity investigation by a licensed health insurance issuer’s special investigative unit.
  10. The provider/supplier is enrolled in the Medicare program and has not been revoked, deactivated, precluded, or excluded by CMS or the HHS Office of the Inspector General.
  11. The provider/supplier does not have any delinquent Medicare debts.
  12. The provider/supplier is not on a Medicare payment hold or payment suspension.
  13. The provider/supplier will use the funds for the operations of the specific provider/supplier for which they were requested.

To the extent a provider or supplier is approved for an advance payment, they must then execute a Terms and Conditions document acknowledging the following:

  1. That the funds were advanced from the Medicare Trust Fund, and represent an advance on claims payments.
  2. The accelerated and advance payment is not a loan, and cannot be forgiven, indebtedness cannot be reduced, and there are no flexibilities regarding repayment timelines. CMS will use its standard recoupment procedures to recover these amounts.
  3. Repayment will commence immediately via 100% recoupment of Medicare claims payment owed to the provider/supplier, as the provider/supplier submits claims and claims are processed, after the date on which the payment is granted. Recoupment will continue for a period of 90 days.
  4. A demand will be issued for any remaining balance on Day 91 following the issuance of the advance payment.
  5. Interest will start to accrue 30 days after a demand is issued consistent with the interest rate established under applicable interest authorities.
  6. CMS will proceed directly to demand the advance payments if any certifications or acknowledgements are found to be falsified.
  7. Grant of an advance payment is not guaranteed and payments will not be issued once the disruption to claims servicing is remediated, regardless of when a request is received. CMS may terminate the program at any time.
  8. CMS maintains the right to conduct post payment audits related to any advance payments issued under this program.

CMS Statement on Continued Action to Respond to the Cyberattack on Change Healthcare

From the Centers for Medicare & Medicaid Services on March 9

The Centers for Medicare & Medicaid Services (CMS) is continuing to monitor and assess the impact that the cyberattack on UnitedHealth Group’s subsidiary Change Healthcare has had on all provider and supplier types. Today, CMS is announcing that, in addition to considering applications for accelerated payments for Medicare Part A providers, we will also be considering applications for advance payments for Part B suppliers.

Over the last few days, we have continued to meet with health plans, providers and suppliers to hear about their most pressing concerns. As announced previously, we have directed our Medicare Administrative Contractors (MACs) to expedite actions needed for providers and suppliers to change the clearinghouse they use and to accept paper claims if providers need to use that method. We will continue to respond to provider and supplier inquiries regarding MAC processes.

CMS also recognizes that many Medicaid providers are deeply affected by the impact of the cyberattack. We are continuing to work closely with States and are urging Medicaid managed care plans to make prospective payments to impacted providers, as well.

All MACs will provide public information on how to submit a request for a Medicare accelerated or advance payment on their websites as early as today, Saturday, March 9.

CMS looks forward to continuing to support the provider community during this difficult situation. All affected providers should reach out to health plans and other payers for assistance with the disruption. CMS has encouraged Medicare Advantage (MA) organizations to offer advance funding to providers affected by this cyberattack. The rules governing CMS’s payments to MA organizations and Part D sponsors remain unchanged. Please note that nothing in this statement speaks to the arrangements between MA organizations or Part D sponsors and their contracted providers or facilities.

For more information view the Fact Sheet: https://www.cms.gov/newsroom/fact-sheets/change-healthcare/optum-payment-disruption-chopd-accelerated-payments-part-providers-and-advance

###

EMS.gov | HHS Announces New Performance Goals to Enhance Cybersecurity

EMS News

HHS Announces New Cybersecurity Performance Goals to Enhance Cybersecurity

The U.S. Department of Health and Human Services (HHS), through the Administration for Strategic Preparedness and Response (ASPR), announced on January 24, 2024, the release of new voluntary Cybersecurity Performance Goals (CPGs). These guidelines are specifically designed for the Health Care and Public Health (HPH) sector. Additionally, HHS launched a gateway website to streamline the implementation of these cybersecurity measures and facilitate access to extensive resources provided by HHS and its federal partners.

The HPH CPGs are designed to better protect the healthcare sector from cyberattacks, improve response when events occur and minimize residual risk. HPH CPGs include both essential goals to outline minimum foundational practices for cybersecurity performance and enhanced goals to encourage adoption of more advanced practices.

As healthcare continues to embrace digital transformation, the importance of cybersecurity has never been more critical. We urge the EMS community to engage with this significant development. The new CPGs represent a proactive step by ASPR and HHS to fortify the healthcare sector’s defenses against cyber threats.

Webinar | HHS Roadmap for Cybersecurity in Health Care

On Wednesday, December 6, 2023, the Department of Health and Human Services (HHS) Office of Intergovernmental Affairs (IEA) will host a webinar on healthcare sector cybersecurity from 4:30 p.m. to 5:00 p.m. EST.  HHS IEA stated speakers will discuss “the Department’s roadmap for cybersecurity in health care and answer questions on how HHS can help protect patient safety, secure our hospitals, and improve cyber resiliency in health care.”

HHS IEA indicated the event will feature the following speakers:

  • HHS Deputy Secretary Andrea Palm; and
  • Speakers from the Administration for Strategic Preparedness and Response (ASPR).

Registration for the event can be found at:  Webinar Registration.

HIPAA and Mobile Devices: What Your Service Needs to Know

For ambulance services, HIPAA compliance is a particularly sensitive issue. Because of the sensitive nature of the health data that EMS and EMT professionals deal with on a daily basis, HIPAA Privacy and Security standards must be carefully adhered to.

This issue becomes even more sensitive when you consider that most of the data collected during pre-hospital care will likely be collected, tracked, and documented on a mobile device. Laptops, smartphones, and tablets are indispensable tools for ambulance care. Most of these devices will have access to electronic health records (EHR) platforms, which will in turn be connected to the rest of a hospital’s EHR data.

While mobile devices can provide convenience in life-or-death situations, they are also particularly vulnerable to the risk of a data breach. A data breach of unsecured health information can lead to serious HIPAA violations and put patient privacy at risk.

The kind of health information that these devices have access to is called protected health information, or PHI. PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, dates of birth, medical information, insurance ID numbers, addresses, full facial photos, and telephone numbers, to name a few.

The HIPAA Rules set specific standards for maintaining the privacy, security, and integrity of PHI. Though the regulation can seem complex, the standards are in place to safeguard PHI. As per HIPAA, ambulance services necessarily fall under the category of Covered Entities, meaning that they are responsible for maintaining compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule.

These two rules set limits for how and when PHI must be stored and accessed. Below, we list a few of the major components of the HIPAA Rules that all ambulance services can implement in order to keep PHI safe and secure on the go.

  • All mobile devices that can access PHI must have full-disk encryption. Additionally, all devices should be routinely backed up on encrypted servers. In the event that a device is lost or stolen, full-disk encryption will keep hackers or thieves from accessing sensitive health data.
  • Your organization should have HIPAA policies and procedures in place pertaining to mobile devices taken “off-site.” This would necessarily include all laptops, tablets, and smartphones with access to PHI that are used in pre-hospital care in an ambulance. By outlining when devices are permitted to be used, who is permitted to use them, and how they are to be handled in off-site settings, your organization will mitigate the risk to PHI stored on these devices.
  • Keep a full inventory of all devices within your organization that can access or handle PHI in any way. Routine check-ups on the condition and location of devices listed in your inventory will help ensure that devices are not misplaced. And in the event that a device is misplaced or stolen, organization officials will notice as soon as the inventory is reviewed so that action can be taken to remedy the breach.
  • Access to PHI on mobile devices and in pre-hospital settings should be limited only to essential members of the organization’s workforce. This is known as the Minimum Necessary Standard. It’s a part of the HIPAA Privacy Rule that states that access to PHI must be limited based on employees’ roles, and that when access is granted, it should be limited to the minimum access necessary for each employee to perform their role.

These are just a few of the ways that ambulance services can protect PHI and comply with HIPAA mobile device standards.

In addition to the actions listed above, a total compliance program that addresses the full extent of the law must be in place in order to prevent HIPAA violations and data breaches.

Addressing HIPAA compliance can help ambulance services confidently treat their patients without worrying about the risk of data breaches or government fines.

Ransomware: A Ticking Time Bomb for Health Care

By Cindy Elbert
President, Cindy Elbert Insurance Services, Inc

If you’re doing business online, you need cyber-insurance. This was never truer than on May 12, 2017, when 50,000 businesses in at least 74 countries were hit by a ransomware attack code-named “WannaCry”. Hackers demanded that companies pay a $300 ransom fee or their files would be published on the Internet. The data thieves targeted mostly hospitals and other medical facilities because their data not only included names, home addresses, addiction histories, financial information and religious affiliations but also disclosed patients’ mental health and medical diagnoses, HIV statuses and sexual assault and domestic violence reports: a gold mine of personal information for those with dark purposes.

Two days earlier, a data breach at the Bronx Lebanon Hospital Center in New York compromised the medical records of at least 7,000 people. According to NBC News, “Leaks from the Rsync servers, which transfer and synchronize files across systems, are common. How many more nude photos of patients or ultrasound images will be exposed because of misconfigured Rsync backups?”

On May 4, 2017, a group calling themselves TheDarkOverlord uploaded almost 180,000 stolen patient/medical records from three companies onto the Internet because they refused to pay a ransom. The stolen databases were in .csv format and contained health information about cardiac diagnoses and psychiatric conditions such as depression, along with dates of birth and Social Security numbers.

Most ransomware attacks are led by organized criminal groups using a network of malware-infected computers, which infect other computers once a spam message is opened. An example of malware spam would be an email falsely marked as being from a co-worker or friend, asking the recipient to open an attached file. Or an email might appear to come from a trusted institution, like a bank or merchant, asking you to perform a specific task. In other instances, hackers will bully victims with scare tactics, such as claiming that a victim’s computer has been used for illegal activities. When the malware is executed, it encrypts files and demands a ransom to unlock them.

Imagine the nightmare scenario of medical teams out in the field, relying on electronic devices such as tablets, laptops, smartphones and PDAs to access patient care records, suddenly discovering that their data has been locked, captured by malware and held for ransom with lives in the balance.

Companies need the protection cyber liability insurance offers now more than ever.

Why Your Company Needs Cyber Liability Insurance

  • A single data breach could cost your company thousands of dollars, not to mention the hit to your reputation.
  • Hackers can be halfway across the world—or at the desk next to you.
  • An employee losing a company laptop or cell phone could result in a major security breach.
  • The more personal information your company collects, the greater your exposure to a data breach attack.
  • As of March 28, 2017, Internet providers can collect and sell your web browser history, opening more opportunities for data to be stolen.
  • The average forensic investigation runs $25,000 per server.

Cyberthreats By the Numbers

  • Sixty percent of uninsured small businesses close their doors within six months following a cyber attack.
  • According to the 2016 NetDiligence Cyber Claims study, Healthcare data breaches made up 19% of all breach sectors.
  • The average cost for a breached healthcare company is $717,000.
  • According to the Identity Theft Resource Center’s 2017 Data Breach report, almost 2 million records have been stolen so far this year, making up 22 percent of all breaches – and this is before the “WannaCry” ransomware attack.
  • Forty-seven states mandate that your company take certain measures in the event of a security breach.

Protect Your Company

Ransomware attacks and cyber theft will not be defeated any time soon. So now is the time to ask: How do you store sensitive information? How do you control access to sensitive information? Do you utilize a firewall and protection software? Do you allow employees and others remote access to your databases? Do you have a written security policy? And, most importantly, do you have cyber liability insurance? Is it safe? If your company stores customer information, especially billing and medical data, then there is no question about it: You must protect yourself from the growing legion of cyber predators. You need cyber liability insurance.

About the Author

Cindy Elbert is President of Cindy Elbert Insurance Services, Inc. She is a licensed Property & Casualty Insurance broker/agent, and a proud member of the American Ambulance Association, California Ambulance Association, Arizona Ambulance Association, and The Independent Agents Association.

Cindy has been assisting ambulance providers with their insurance needs since 1982. She understands your questions and concerns, and through her relationships with insurance underwriters she can provide you with the coverage and service you deserve.
www.ambulanceinsurance.com