Medicare payments fronted by the federal government to providers affected by 2024’s sweeping Change Healthcare cyberattack outage appeared to be too large for the majority of recipient hospitals, according to a recently published University of Minnesota analysis.
The study also notes that funds from the government's Change Healthcare/Optum Payment Disruption (CHOPD) program—the $3.3 billion accelerated and advance payment program stood up by the Centers for Medicare & Medicaid Services (CMS)— didn’t reach hundreds of hospitals that experienced substantial revenue disruptions. These more often had characteristics reflecting greater financial strain or reliance on Medicare, such as rural location or critical access hospital designation, according to the study.
Specifically, researchers identified at least 312 hospitals that did not receive program funds but had revenue disruptions greater than the median CHOPD payment recipient. That said, the analysis did not address whether these hospitals or other that participated were recipients of the roughly $9 billion of interest-free loans Change's parent company, UnitedHealth Group, reportedly offered to providers as well.
About a third of the hospitals that tapped the program received $1 million or more in relief payments than the amount of their Medicare revenue losses during the disruption window. On the other hand, a separate third of recipient hospitals did not receive enough from the program to meet their Medicare revenue loss, sometimes to the extent of millions of dollars—though again, it is unclear whether those underpaid hospitals received liquidity support from UnitedHealth Group's larger fund or elsewhere.
These observations, published in December’s issue of Health Affairs, are among the first empirical analyses of the relief program launched by the CMS to provide financial support to providers whose revenue cycle capabilities were frozen by the attack on Change Healthcare, a widely used clearinghouse. The CHOPD was just the second time the CMS offered relief payments to a nationwide group of providers, after COVID-19 emergency funding.
The opt-in program offered Part A or Part B providers up to 30 days of funds at their average rate of Medicare reimbursement. Unlike the COVID-19 provider relief payments, CHOPD funds were recouped by the CMS in the following 90 days with zero interest and did not involve efforts to target relief toward the highest-need recipients.
The study’s authors said their findings outline areas for improvement the next time the CMS needs to step in and support providers amid unexpected disruption. To address the median $314,302 overpayment, they wrote, the CMS could adjust the relief amount downward from 30 days of average pay while also building in “outlier payments for providers experiencing unusually severe disruptions.”
Further, “our findings also indicate the importance of provider outreach if CMS continues with an opt-in approach to relief payments,” the study authors wrote. “This approach is appealing because of its ability to target relief payments to providers attesting to their need, but we found strong evidence that many hospitals experiencing revenue disruptions during the Change Healthcare cyberattack did not receive CHOPD program relief payments.”
The researchers’ analysis incorporated CHOPD payment data obtained from the CMS under a Freedom of Information Act request as well as other databases of hospital characteristics and Medicare claims.
These showed 8,538 total providers who received $3.3 billion in advanced payments through the program, 476 of which were hospitals that received about $2.2 billion. Recipient hospitals tended to have higher discharge volumes and smaller Medicare shares than the 3,866 analyzed hospitals that did not receive payments through the program, according to the study.
Editor's note: This story has been updated to reference the interest-free loans provided by UnitedHealth Group in response to the cyberattack.