On March 15, the Centers for Medicare & Medicaid Services (CMS) issued an informational bulletin outlining actions states can take to support Medicaid providers affected by the recent cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group. The cyberattack, which occurred on Feb. 21, 2024, prompted Change Healthcare to shut down many of its services, impacting both health care providers and payers by limiting revenue cycle capabilities, including the ability to submit claims and payments.
CMS is encouraging states to implement the following policy actions:
- Temporarily suspend cost-sharing requirements, pending the submission and approval of state plan amendments (SPAs) by CMS.
- Encourage Medicaid managed care organizations to make interim payments to providers.
- Collaborate with Medicaid managed care organizations to suspend or modify prior authorization requirements, allow early prescription refills, extend the length of refills, suspend out-of-network requirements, and adjust existing cost-sharing requirements to align with any changes made to the Medicaid state plan.
While changes to Medicaid managed care programs typically do not require SPAs, they may necessitate contract amendments. CMS reminds states to submit contract amendments for CMS review and approval and to work with their actuaries to assess any impact on actuarial soundness or the need for rate certification.
For more details, refer to the full CMS informational bulletin here.
