Memo to Ohio Health Insurers Regarding the Change Healthcare Cybersecurity Attack:
The Ohio Department of Insurance (ODI) continues to monitor the impact of the Change Healthcare cybersecurity attack that occurred on February 21, 2024. This cybersecurity attack has created significant operational and financial challenges for insurers, providers, and health plan members nationwide.
Based on information the Department has received from insurers and providers, and given the magnitude of the cybersecurity attack, the Department requests the following from each insurer offering health benefits in Ohio:
* Provide flexibility to providers for claims submission and editing, appeals, prior authorization, reimbursement, and other situations where the insurer and provider are unable to electronically share information. This may include suspending utilization review requirements, appeal timeframes, claim submission timeframes, eligibility verifications, and prior authorization requirements.
* Provide information on its website, in a prominent location, concerning the impacts of the cybersecurity attack on members and providers and information about alternative processes for impacted services and how to access them.
* Communicate directly with contracted providers to explain and assist with any alternative processes implemented in response to the cybersecurity attack.
* Establish and publish on its website a point of contact for contracted providers impacted by the cybersecurity attack disruptions.
* Work with providers in any other way necessary to avoid disruption of healthcare services.
The Department also reminds insurers of their obligations under Ohio insurance law and insurance policies issued to consumers. Accordingly, insurers must continue to comply with Ohio's Prompt Pay Law, R.C. 3901.381, which establishes strict timeframes for the processing and payment of claims. Insurers also must ensure that members are able to access accurate information concerning their explanation of benefits, accumulator amounts, cost share amounts, and any other information necessary to utilize policy benefits.
The Department is aware that many insurers have already taken the requested steps to address the challenges resulting from the cybersecurity attack. The Department greatly appreciates these efforts.