From the NAHC News Desk,

March 19, 2024

On March 15th, the Centers for Medicare & Medicaid Services (CMS) issued a Center Informational Bulletin (CIB) that provides guidance and flexibilities to mitigate the impacts on providers resulting from the Change Healthcare Hack. In the guidance, CMS advises state Medicaid agencies that certain requirements will not be enforced, until June 30th, to enable ongoing funds to flow to providers and to prevent disruption of access to Medicaid services, prevent associated negative health outcomes, and avoid solvency issues for providers.

The most important component of the guidance is the ability for states to make interim payments to providers to avoid operational disruptions. Federal law and regulation do not allow for “advance payments” in Medicaid fee-for-service systems, despite their availability in Medicaid managed care environments; however, states can make interim payments to providers subject to reconciliation with actual services delivered.

CMS stresses that such interim payments are not advanced payments or prepayments prior to services furnished by providers, but rather are payments for services furnished that are subject to final reconciliation once the state has access to individual claims data currently inaccessible due to the cybersecurity incident.

The flexibilities CMS discusses in the guidance include:

  • Modify required timelines for public notice, public process, and Tribal consultation, and obtain an earlier effective date for certain kinds of SPAs than would otherwise be possible;
  • Use interim payment methodologies to pay providers without current period claims data, as long as the payments are determined via current approved payment rates, limited to the amount expected for each specific provider based on recent history, and reconciled with final payments based on the actual services provided once they can be properly identified. These could be effective retroactively to the date when claims payment processing was disrupted due to the cybersecurity incident and could last until June 30, 2024; and
  • Suspend beneficiary cost sharing requirements described in their state plans when necessary to avoid service disruptions for Medicaid beneficiaries for services affected by the hack.

CMS also includes language urging Medicaid managed care plans to make prospective payments to impacted providers and reiterating that plans do not need prior CMS authority to make prospective payments to providers. CMS also indicates that plans can:

  • Suspend or modify prior authorization requirements;
  • Allow early prescription refills and/or extend the length of prescription refills;
  • Extend existing prior authorizations;
  • Suspend out-of-network requirements; and
  • Modify or update cost-sharing requirements to be consistent with any changes that are made in the Medicaid state plan.

The full guidance is available online at: