UnitedHealth Group’s Financial Assistance Program and HIPAA Compliance Investigation of Change Healthcare

by | Mar 15, 2024

Financial Assistance Program Offered by UnitedHealth Group

On March 8, 2024, about 2 weeks after the ransomware attack on Change Healthcare, UnitedHealth Group published a timeline for restoring its systems and services. UnitedHealth Group stated that its electronic prescribing service has been fully working since March 7, 2024; electronic payments, however, will not be available until March 15, 2024. Testing of the claims network and software will begin on March 18, and services are to become available throughout that week.

UnitedHealth Group also said that its financial assistance program, offered through Optum, has been broadened to include providers that have exhausted all available connection solutions and those that work with payers who do not advance funds during the outage. Under the program, advance payments will be made every week based on providers’ historic payment amounts and the amounts paid right after the cyberattack. UnitedHealth Group was criticized for the burdensome requirements of the program, which was offered a week after the cyberattack, but it confirmed that the funds will not need to be repaid until claims flows have started again. When that occurs, providers will be sent an invoice and will have 30 days to repay the funds.

Prior authorizations are being revoked for the majority of outpatient services for Medicare Advantage plans, usage evaluations for inpatient admissions are on hold until March 31, 2024, and drug formulary exception evaluation is halted for Medicare Part D pharmacy benefits. Optum Rx sent notifications to pharmacies impacted by the breakdown that the pharmacy benefit manager would compensate them for claims filed during the outage with the understanding that medicine would be covered.

CEO Andrew Witty of UnitedHealth Group stated that they are dedicated to providing aid to people impacted by this malicious cyberattack on the U.S. health system. UnitedHealth Group is working tirelessly to recover and make sure that providers can take care of their patients and manage their practices, and that patients will acquire their prescription drugs.

The extra measures have been welcomed; however, the American Medical Association (AMA) has cautioned that physician practices may still face major problems. The AMA agrees with UnitedHealth’s requirement that all payers must advance funds to physicians as the most helpful way to preserve medical practice viability during a time of financial difficulty, particularly for practices that were unable to set up workarounds to bridge the claims flow gap until the Change Healthcare network is restarted. While providing the necessary information on timelines and new financial measures is beneficial, UnitedHealth Group needs to do more to address physicians’ concerns. Full transparency and security assurances will be important before connections are re-established with the Change Healthcare network.

OCR Starts HIPAA Compliance Investigation of Change Healthcare

The HHS’ Office for Civil Rights started an investigation into the cyberattack on Change Healthcare on February 21, 2024, just three weeks after the attack happened. Usually, OCR’s investigations of cyberattacks and data breaches start a couple of months after the breach is reported, which might even be years after the breach occurred. In this instance, the incident report has not yet been submitted to OCR since the incident is still under investigation. Change Healthcare’s systems are already back online: 99% of pharmacy and payment systems are working, according to a new statement. The HIPAA Breach Notification Rule’s deadline for reporting data breaches is still 5 weeks away.

The rapidly initiated investigation is a reaction to the magnitude of the incident, which is disrupting healthcare and billing information systems across the country and is estimated to be costing companies more than a billion in reimbursement losses daily because Change Healthcare’s systems are inaccessible. The disruption is causing serious financial problems for the providers that use Change Healthcare’s systems, and some companies need to make hard decisions about whether they can still operate. As a result, the incident has affected critically needed patient care and important operations of the healthcare market.

OCR Director Melanie Fontes Rainer said in a “Dear Colleague” letter posted on the HHS website that OCR is starting an investigation of this occurrence given the unparalleled size of this cyberattack. OCR’s investigation of Change Healthcare and UHG will look at whether a breach of PHI occurred and the HIPAA compliance of Change Healthcare and UHG.

OCR also mentioned in the letter that other entities that have partnered with Change Healthcare and UnitedHealth Group are not a priority in the investigation. Nevertheless, OCR reminded healthcare providers, health plans, and business associates that have partnered with Change Healthcare or UnitedHealth Group that they are responsible under HIPAA for ensuring that they have signed business associate agreements and that they give timely notifications to the HHS and affected individuals. The OCR Director also provided resources to help HIPAA-regulated entities safeguard systems, files, and patients from cyberattacks.

This is an unusual move by OCR, but considering the major impact of the cyberattack on healthcare providers that use Change Healthcare’s services and systems, the breach must be investigated immediately to determine whether Change Healthcare and its parent company were fully HIPAA compliant.



Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
