Change Healthcare Cyberattack: Impact on Medicare and Obligations to Safeguard PHI

Relevant to: PDP, PACE, Part D

Each week, we scan the latest CMS memos to find the most important ones that apply to PACE programs. Below is a summary of what you need to know.

Disclaimer: The content provided on this site is a summary for informational purposes only, and Grane PBM, Inc. assumes no liability for any errors or omissions in the site’s content. The information does not constitute legal or regulatory advice or replace the original CMS memo. Readers are advised to consult the CMS memo in its entirety and to verify information independently before making any decisions based on this information.

Click here to read the complete memo from CMS.

Introduction

In response to a major cyberattack on Change Healthcare, CMS has issued a critical memo for Medicare Advantage organizations, Cost Plans, and PACE organizations. The recent breach disrupted healthcare operations and put millions of Americans’ protected health information at risk. CMS emphasizes the legal and operational obligations for safeguarding patient information and maintaining business continuity during such incidents. This memo serves as a reminder to strengthen cybersecurity defenses and ensure compliance with privacy regulations to protect patient data effectively.

Key Dates and Deadlines

  • Date of Memo Issue: December 11, 2024
  • Cyberattack on Change Healthcare Reported: February 21, 2024
  • Critical Systems Restored: Mid-March to Early April 2024
  • Full Committee Hearing by U.S. Senate: May 1, 2024

PACE Compliance

This memorandum is of particular importance to PACE (Program of All-Inclusive Care for the Elderly) organizations because it outlines the critical obligations these healthcare providers have in terms of cyber resilience and safeguarding protected health information (PHI).

PACE organizations are required, under federal law, to protect the PHI of their enrollees. The Health Insurance Portability and Accountability Act (HIPAA) mandates that electronic PHI be secured to maintain its confidentiality, integrity, and availability. Any failure to comply with these standards can result in enforcement action from CMS (Centers for Medicare & Medicaid Services).

Additionally, CMS requires PACE organizations to have detailed business continuity plans in place. These plans must ensure the uninterrupted processing of healthcare benefits and services, even during cyberattacks or other emergencies. This includes:

  • Providing coverage and delivery of health benefits as required by specific parts of the Code of Federal Regulations (CFR).
  • Ensuring the payment of claims in a timely manner following the regulatory standards.
  • Complying with the conditions for processing enrollments and disenrollments.

These organizations must also monitor their vendors to ensure they align with CMS’s privacy and security requirements. Failure on the part of vendors would implicate the PACE organization itself.

CMS strongly suggests that PACE organizations adopt the HHS Cyber Performance Goals and consult the National Security Memorandum-22 to bolster their cybersecurity measures. Though currently voluntary, these initiatives provide guidelines to improve cybersecurity within healthcare operations.

Overall, for PACE organizations, the adoption of strong cybersecurity practices as suggested by CMS would not only ensure compliance but also enhance their resiliency against cyber threats, protecting both their operations and the sensitive data of their enrollees.

Required Actions

1. Review and enhance your organization’s cyber resiliency plans to include backup vendors or internal capacity for critical business operations at risk for cyberattacks. This is considered a best practice, although not explicitly required.

2. Ensure compliance with business continuity planning requirements as per 42 CFR §§ 422.504(o) & 423.505(p), including the continuous operation and timely restoration of IT systems supporting claims processing at point of service.

3. Maintain updated information about FDR vendors in the Part C/D Information section of the Basic Contract Management module in HPMS, and prepare to discuss cyber resiliency plans, including risks and business continuity measures with CMS Account Managers.
