The cyberattack on Change Healthcare in February significantly disrupted administrative healthcare processes around the country, including some hospitals' ability to track the effects of a new Medicare Advantage policy from CMS that rolled out earlier this year.
In 2024, Medicare Advantage plans must provide coverage for an inpatient admission when the admitting physician expects the patient to require hospital care for at least two midnights, otherwise known as the two-midnight rule.
"Whether the admission actually crossed two midnights is not a factor in the inpatient admission criteria," CMS wrote in February guidance. "An MA organization may evaluate whether the admitting physician’s expectation that the patient would require hospital care that crosses two-midnights was reasonable based on complex medical factors documented in the medical record."
CMS' expansion of the two-midnight rule, which could affect more than 20% of Medicare Advantage patients this year, has led to increased inpatient volumes and revenue growth for hospitals in the first quarter, according to a May report by Strata Decision Technology.
Health systems have been cautiously optimistic about the effects of the new rule so far, but also say it's still too early to see a full picture because it takes time for claims to complete the adjudication process.
"What has further complicated things is the Change Healthcare cyberattack because it put everything at a standstill," Ethel Hoffman, vice president of payer contracts and relationships at West Reading, Pa.-based Tower Health, told Becker's during a virtual event in June. "We don't have the history of the last few month's fully nailed down yet and we're waiting until that all settles down."
St. Christopher's Hospital for Children in Philadelphia, which is jointly owned by Tower Health and Drexel University, said in June it is limiting hiring and suspending discretionary spending as a result of the Change breach, which has led to delays in insurance collections at the hospital.
Change processes about 15 billion healthcare transactions annually, handling 1 in 3 patient records. In April, UnitedHealth said the data stolen by hackers likely covers a "substantial proportion of people in America."
"No matter how well your train was running, and regardless of whether you were directly impacted by the breach, there were residual effects of it with all payers being affected by it," Robert Boos, vice president of revenue cycle at Lynchburg, Va.-based Centra Health, told Becker's. He noted that Centra does not use Change as a claims clearinghouse.
"Anything we were doing with looking at MA and lessening our issues there was certainly impacted and still is impacted by the Change breach," Mr. Boos said.
Change plans to begin contacting patients whose data was breached during the ransomware attack in late July.