HHS Announces Medicaid and Medicare Flexibilities, Investigations post-Change Healthcare Cyberattack

Health Highlights

Since becoming aware of the cyberattack on Change Healthcare in late February, the Centers for Medicare & Medicaid Services (CMS) has announced a number of flexibilities to support affected providers that have experienced disruptions to prior authorization, claim processing, and data submissions.

This newsletter describes the significant new guidance for state Medicaid agencies released by CMS on March 15, as well as various CMS actions this month taken to support Medicare providers. Notably, some of these flexibilities require action from states or providers in the immediate term. The newsletter concludes with a discussion of the Department of Health & Human Services’ (HHS) ongoing investigations into this cyberattack and its implications for the health care sector.

New Options for States to Advance Payments to Medicaid Providers

On March 15, CMS issued an Informational Bulletin (CIB) detailing new flexibilities that state Medicaid agencies may leverage to provide relief to Medicaid providers, in addition to outlining other mitigation strategies available under existing law.

Most notably, the Bulletin outlines a temporary option for states to make interim Medicaid fee-for-service (FFS) payments to providers affected by the cyberattack, effective from the date claims processing was disrupted until June 30, 2024. These interim payments are intended to address short-term cashflow problems due to disrupted claims processing, a problem that is particularly challenging for the safety-net providers that predominantly serve Medicaid enrollees, and that typically operate with slim (or negative) margins.

To obtain approval for their interim payment methodologies, states must submit a state plan amendment (SPA), which CMS will approve if they meet certain clearly defined conditions spelled out in the Bulletin, including:

  • The SPA must be submitted by March 31, 2024 (or as late as April 10, 2024, if the state contacts CMS for an exception);
  • The state’s interim payment methodology for affected providers must use rates approved in the state plan, based on actual claims data from a period prior to the cyberattack-related disruptions. These interim payments must be specific to each provider’s claims history (as opposed to a uniform payment methodology that applies across all impacted providers); and
  • The state must include a process for reconciling interim payments with final payments based on actual services delivered during the period of claims processing disruption.

CMS will also permit states to delay certain public notice and tribal consultation requirements until after the SPA is submitted. And importantly, states are permitted to begin claiming federal financial participation (FFP) for the interim payments upon SPA submission, rather than waiting for CMS approval as is normally required. In addition, states can draw FFP retroactively for payments made with state-only funds prior to the SPA submission, if the payments were consistent with CMS conditions listed in the Bulletin.

Recognizing the threat of future cybersecurity incidents, CMS further encourages states to consider submitting standard SPAs that would permanently authorize interim payments and other temporary flexibilities for providers impacted by future cybersecurity incidents. 

CMS also highlights several additional options available to states in Medicaid FFS, including suspending beneficiary cost-sharing and increasing the pharmacy dispensing fee for affected pharmacy providers.

With respect to managed care delivery systems—which now cover the vast majority of Medicaid enrollees—the CIB notes that states can amend managed care contracts to support access to care during the period of disruption, including suspending or modifying prior authorization requirements, modifying the parameters for prescription refills, and suspending restrictions on out-of-network access. Importantly, while CMS encourages managed care plans to voluntarily make interim payments to providers, the CIB does not provide states with an expedited pathway to require any such interim or enhanced payments, as CMS did during the COVID-19 Public Health Emergency.    

Flexibilities for Medicare Providers

CMS has also taken several steps to provide financial support and regulatory flexibility to Medicare providers, including:

  • Accelerated and Advanced Payments. On March 9—almost a week before CMS announced a similar flexibility for state Medicaid programs—CMS announced the availability of Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments to Medicare Part A providers and advance payments to Part B suppliers in the Medicare FFS program experiencing claims disruptions stemming from the cyberattack. Eligible providers and suppliers can receive a CHOPD payment representing up to 30 days of claims, which CMS will calculate based on an average of claims paid to the provider or supplier over the course of 30 days between August 1, 2023, and October 31, 2023. On March 13, CMS released a frequently asked questions document on the accelerated and advance payments.
  • Flexibility for Claims Processing. CMS has instructed Medicare Administrative Contractors (MAC) to expedite the process of granting new electronic data interchange enrollment so that Medicare FFS providers who need to can change clearinghouses for claims processing during this period of disruption. CMS has also directed MACs to move all provider and facility requests into production and to be ready to bill claims quickly.
  • Guidance on Medicare Advantage Prior Authorization. Mimicking the CIB’s guidance for Medicaid managed care, CMS issued guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages and encouraged MA plans to offer advance funding to providers most affected by the cyberattack.
  • Flexibility for MIPS-Eligible Providers. On March 15, CMS announced the reopening of Medicare’s 2023 Merit-based Incentive Payment System (MIPS) Extreme and Uncontrollable Circumstances (EUC) Exception Application in order to “provide relief to MIPS eligible clinicians impacted by this cybersecurity incident.” This will enable requests for relief by providers who participate in MIPS quality reporting programs (including individual clinicians, groups, virtual groups, and Alternative Payment Model participants) and are concerned that the data to assess the 2023 performance year will be impacted by the cyberattack, with corresponding impacts on potential bonus payments. Entities that wish to submit a MIPS EUC application must do so by April 15, 2024. CMS provides two examples of entities that would qualify for this exception:
    • A practice that does its own billing and submits its own MIPS data that has had to redirect administrative resources to workarounds required to get current claims submitted; and 
    • A practice that uses a third-party intermediary to support MIPS data submission, but the third-party is now occupied redirecting claims through other avenues to make sure that providers receive payments. 

Heightened Scrutiny and Broader Implications

As HHS noted in a March 5 statement, “[t]his incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem.” The widespread impact of this cyberattack emphasizes this point. It has also heightened HHS’ already-mounting sense of urgency to strengthen the health care sector’s cybersecurity infrastructure, recently illustrated in the December 2023 release of the HHS Cybersecurity Strategy.

As relief starts to reach providers, policymakers are beginning to refocus their energies on understanding how the attack happened and preventing similar breaches in the future. The HHS Office for Civil Rights (OCR) announced in a March 13 “Dear Colleague” letter that it was launching an investigation into the Change Healthcare incident. Further, a number of Congressional stakeholders have made several inquiries to the Administration requesting additional information on a broad range of topics, including:

  • Clarity on the timeline during which HHS received information on the attack and to what degree HHS is coordinating with other federal agencies to respond to the attack (see the March letter from Senate Health, Education, Labor, and Pensions (HELP) Committee Ranking Member Bill Cassidy (R-LA) and Senator Tommy Tuberville (R-AL));
  • Whether CMS has the appropriate authority to modify repayment terms for providers who receive advance payments, and actions the Administration will take on compromised patient data (see the March 19 letter from more than 100 members of Congress); and
  • How HHS is working with UnitedHealth Group and law enforcement to identify stolen patient data and what technology can be leveraged at the federal level and in the private sector to avoid future attacks (see the March 21 letter from 20 House Ways and Means Committee Republican members).

As the true scope of those affected by this attack continues to be unveiled, additional inquiries about the attack and the Administration’s response are likely forthcoming.



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved