The American Hospital Association is urging Congress to consider existing statutory limitations that could limit aid from CMS and HHS to hospitals and providers affected by the Change Healthcare cyberattacks in February.
In a March 13 letter, AHA President and CEO Richard Pollack addressed U.S. Sens. Ron Wyden and Mike Crapo about the cyberattack and the ongoing impact it is having on hospitals, health and patients across the country.
"The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime," the letter said. "Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks."
The letter suggested that the Biden administration's 2025 hospital budget proposal is "misguided" and will not improve the healthcare sector's overall cybersecurity posture.
Apart from looking into existing statutory limitations that could stall or prevent aid to hospitals and providers, the AHA encouraged Congress to offer solutions to help Medicare Advantage plans, state Medicaid programs and commercial insurers.
"Without relief from these payers in the form of waivers of prior authorization and timely filing requirements, not to mention additional advance payment, providers, including hospitals and health systems, will likely see significant denials of care as a result of the shutdown of Change Healthcare," the letter said.
The letter comes after the federal government shared that it is launching an investigation into UnitedHealth Group over the cyberattacks on its Change Healthcare subsidiary.
"Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident," HHS' Office for Civil Rights said in a March 13 letter. "OCR's investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare's and UHG's compliance with the HIPAA Rules."
A spokesperson for UnitedHealth told Becker's that the company will cooperate with the investigation and remains focused on restoring its system, supporting those whose data might have been affected, and protecting data.