On Wednesday, May 1^st, the Senate Finance Committee and the House Energy & Commerce Subcommittee on Investigation & Oversight held hearings with UnitedHealth Group (UHG) CEO Andrew Witty. The featured topic will cover these hearings and their implications.

This week the Senate Committee on Health, Education, Labor, and Pensions (HELP) held a hearing on the shortage of minority healthcare professionals and the maternal health crisis. Panelists, including two members of Congress, made statements, and answered questions from committee members on actions that can be taken to address these issues. The solutions mainly focused on expanding medical education opportunities for minority communities at colleges and universities, addressing unique health issues facing minority populations, and expanding prenatal and postpartum care as a way to achieve better health outcomes for new moms.

Congress has finally begun to hold hearings on the Change Healthcare Cyberattack. Two of these hearings, one with the Senate Finance Committee and the other with House Energy & Commerce Subcommittee on Investigation & Oversight, featured UnitedHealth Group (UHG) CEO Andrew Witty as a witness.

Importantly, the Energy & Commerce Committee’s Subcommittee on Health held a hearing on the Change Healthcare cyberattack on April 16^th, but Witty refused the invitation to attend as a witness. Lawmakers then threatened to subpoena Witty if he did not volunteer to testify which led to his participation in the other two hearings. 

The discussion themes were consistent across all three hearings. The committees pressed the CEO on several key points:

Payments to Providers & Claims Flow

Members of Congress repeatedly expressed their concern that providers were being forced to close their doors due to the cyberattack. Witty expressed his apologies and directed them to Optum’s Temporary Funding Assistance Program. According to UHG, while there were some major bumps in the early days of the assistance program, Witty insisted that the situation has improved. Providers can access interest-free loans if they can demonstrate revenue loss. He repeatedly emphasized UHG’s commitment to making payers whole and reimbursing physicians or pharmacists who were acting in good faith. Witty went on to share that claims are flowing at near-normal rates.

 For providers who still need to get reimbursed, Witty did not give an exact timeline as to when this would be fully addressed. He also said full restoration of Change Healthcare’s functionality is still weeks away.

UHG is “Too Big to Fail”

Members of Congress pressed Witty on whether the healthcare conglomerate was becoming too big to fail. They also wanted to ensure that UHG was not buying up struggling provider groups. The example given was when UHG acquired Corvallis Clinic in Oregon in March after the clinic requested emergency acquisition by Optum due to major cash flow disruption.

Witty emphasized that their size was no issue and pushed back against the suggestion that they should stop acquiring new companies once the dust from the cyberattack has settled. He said that acquisitions that closed after the attack were initiated before the attack.

Lawmakers also insisted that UHG’s size made them a particularly attractive target for cybercriminals. Witty repeatedly denied UHG’s size being a problem, but rather an asset for the healthcare giant.

Unrelated to the hearing, the Federal Trade Commission (FTC) opened an anti-trust investigation into UHG earlier this year.

A Lack of Cybersecurity Best Practices

According to Witty, approximately one-third of Americans likely had their Personal Health Information (PHI) compromised. A major focus of the hearing is that the cyberattack succeeded because the compromised servers did not require multifactor authentication for access. Multifactor authentication is a basic requirement of any cybersecurity risk management program. While technically not required by law (which could change with new cybersecurity legislation), the failure to implement simple best practices is unlikely to provide strong legal protection in the lawsuits stemming from this attack.

Witty said they would have a better idea of whose data was compromised in 4-6 weeks. Notably, for those who ultimately had their data stolen, UHG will offer two years of free credit monitoring and identify theft protection.

Looking Forward

It is clear from the hearings that Congress is going to continue its focus on cybersecurity in healthcare. Following the hearing, Senate Finance Committee Chair Ron Wyden (D-OR) began drafting legislation to respond to the cyberattack and prevent similar attacks in the future. Senators Mark Warner (D-VA) and Thom Tillis (R-NC) expressed the same level of interest and urgency.

 Specifically, Chairman Wyden seems interested in upgrading the HIPAA Security Rule to enhance minimum cybersecurity requirements in the health sector. Another more aspirational approach mentioned by Senator Tillis during the hearing was to adopt some sort of framework similar to the General Data Protection Regulation (GDPR), the massive data privacy and security regulation passed by the European Union in 2016.

In addition to advancing some kind of bipartisan cybersecurity legislation, expect Congress to continue putting pressure on UHG to clarify if Personal Health Information (PHI) was stolen during the attack. Lawmakers especially raised concerns about active-duty military and high-ranking government officials having their data stolen. This poses major consequences for United States National Security.

Thirdly, expect Congress to encourage the Federal Trade Commission (FTC) and Department of Justice (DOJ) to closely investigate if UHG is truly “too big to fail”.

 Financial assistance to providers was not discussed as widely as these other topics. While Medicare eventually made advanced and accelerated payments available to impacted clinicians, it took the agency many weeks to find the necessary legal authority to make this assistance available without a public health emergency declaration. Legislation to grant the Centers for Medicare and Medicaid Services (CMS) clearer authority to make such assistance available in the future was introduced in Congress.

The FTC issued a Final Rule that expands the scope of its Health Breach Notification Rule to personal health information collected through mobile apps and other digital technology that falls outside of HIPAA’s scope. There are expected to be lawsuits filed saying the rule expansion goes beyond the FTC’s jurisdiction.

This week HHS released its AI Plan. It focuses on positioning State, Tribal, Local, and/or Territorial Government Entities (STLTs) to effectively adapt AI in the next two to three years. The Plan features many important policy recommendations for implementing AI in a safe manner.

CMS and the Office for Civil Rights (OCR) issued a Final Rule under section 1556 of the Affordable Care Act (ACA) that furthers discrimination protections in health care. The Final Rule focuses on a myriad of areas, but highlights are protecting individuals who identify as LGBTQI+” and reducing language access barriers. It also covers discrimination within telehealth and artificial intelligence.

Lawmakers are asking the SEC to investigate UnitedHealth Group (UHG) executives’ stock sales occurring immediately after UHG was privately notified of an antitrust investigation before it went public.

The Justice Department officially recommended reclassifying cannabis from a Schedule I drug to a lower Schedule III drug. This would increase access to the drug for patients and researchers without decriminalizing it at the federal level.

The Departments of Health and Human Services, Labor, and the Treasury announced the release of a new process for resubmitting Independent Dispute Resolution (IDR) disputes that were originally improperly batched or bundled. 

CMS released draft guidance on the second round of the Medicare Drug Price Negotiation Program. Next year will feature up to 15 drugs to be negotiated, an increase from the 10 drugs being negotiated this year.

This week the Arizona Senate voted to repeal 1864 abortion ban after two Republicans sided with Democrats in voting to repeal it.

CMS released a Final Rule that allows DACA recipients to qualify for subsided Affordable Care Act (ACA) plans.

The FTC is targeting 300 drug “junk patient listings.” These include 20 branded drugs, one being Novo Nordisk’s Ozempic.