On March 5, the Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) said they would help providers and hospitals negatively impacted by the Change Healthcare cyberattack. In a statement, the HHS and CMS said they would provide the following flexibilities to affected parties:

• On March 9, CMS announced a new opportunity for physicians impacted by the cyberattack and resulting disruptions with Change Healthcare to request advanced Medicare payments to help with cash flow disruptions. The details of the program, terms, and the steps needed to apply can be found here.

• Medicare providers needing to change clearinghouses that they use for claims processing during these outages should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment for the switch.

• The CMS will issue guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages. The CMS is also encouraging MA plans to offer advance funding to providers most affected by this cyberattack.

• The CMS strongly encourages Medicaid and CHIP managed care plans to adopt the same strategies of removing or relaxing prior authorization and utilization management requirements, and consider offering advance funding to providers, on behalf of Medicaid and CHIP managed care enrollees to the extent permitted by the state.

• If Medicare providers are having trouble filing claims or other necessary notices or other submissions, they should contact their MAC for details on exceptions, waivers, or extensions, or contact the CMS regarding quality reporting programs.

• The CMS has contacted all MACs to make sure they are prepared to accept paper claims from providers who need to file them. Although electronic billing is preferable for everyone, the MACs must accept paper submissions if a provider needs to file claims in that method.

• HHS said hospitals facing cash-flow issues from the IT outage can submit accelerated payment requests, like those issued during the pandemic, to their MAC’s for "individual consideration."

In January, the HHS published voluntary health care specific Cybersecurity Performance Goals to help healthcare organizations prioritize the implementation of high-impact cybersecurity practices. These goals are voluntary cybersecurity practices that organizations can prioritize to strengthen cyber preparedness, improve resiliency, and protect patient health information and safety. The CAP is assessing the effects that these cybersecurity performance goals would have on pathologists and laboratories if they became mandatory in the future.