COVID-Era Flexibilities Granted in Wake of Change Healthcare Cybersecurity Attack - McDermott+

COVID-Era Flexibilities Granted in Wake of Change Healthcare Cybersecurity Attack

COVID-Era Flexibilities Granted in Wake of Change Healthcare Cybersecurity Attack


McDermottPlus is pleased to bring you Regs & Eggs, a weekly Regulatory Affairs blog by Jeffrey DavisClick here to subscribe to future blog posts.

March 21, 2024 – Today marks one month since United Health Group’s (UHG) Change Healthcare reported that it had been hit by a cybersecurity attack. The attack has caused a major disruption to the US healthcare system, significantly impacting the cash flow of health systems and physician groups and in some cases impeding patients’ ability to access the care they need.

While I do not intend to compare this cybersecurity attack to the COVID-19 public health emergency (PHE), the federal government has finite tools and flexibilities at its disposal to handle large disruptions to the healthcare system – and therefore some of the steps the US Department of Health and Human Services (HHS) has taken to respond to this most recent crisis have been similar to those it took during the COVID-19 pandemic. Actually, the list of available tools is shorter since HHS hasn’t declared a PHE in this case.

When the cybersecurity attack hit in February, HHS spent the next several weeks gathering information about the extent of the attack and its overall impact on our healthcare system. While HHS had already developed resources to help health systems respond to cybersecurity attacks, many were caught off guard. The question I’ve heard repeatedly over the last month is, “how can a cybersecurity attack on one clearinghouse, Change Healthcare, have such a large effect on healthcare in our country?” Just as there was a lot of learning to do in response to the COVID-19 pandemic, there are many areas upon which to improve in our response to a cybersecurity attack.

HHS has taken some of the same steps it took during the COVID-19 PHE to provide financial assistance and flexibility to clinicians and health systems impacted by the cybersecurity attack. When similar actions were taken during the PHE, they raised some questions and had long-term ramifications that should not be ignored now.

Accelerated and Advanced Payments


As the Centers for Medicare & Medicaid Services (CMS) allowed during the COVID-19 PHE, clinicians and health systems under both Medicare Parts A and B have been able to request accelerated (or advanced) Medicare payments through their Medicare Administrative Contractors (MACs). These advanced payments act like loans, whereby MACs pay a certain proportion of a clinician or health system’s expected Medicare payments up front, and then that loan is recouped from future claims once normal operations resume. While the loans are interest-free initially, if the payments are not recouped over a certain period of time, the balance is subject to an extremely high interest rate (12.375%).

While Congress allowed for a more generous payment amount and repayment plan (including a much lower interest rate) during the PHE, CMS is using the full extent of its existing regulatory authority to make the accelerated (or advanced) Medicare payment program as flexible as possible. For example, under COVID-19 rules, Part A and Part B providers could request up to 100% of their Medicare payment amount for a six-month period. They could also pay back that loan over a multi-year period. Conversely, under the terms and conditions of the Change Healthcare/Optum Payment Disruption (CHOPD) accelerated and advanced payment program, a clinician or health system can only receive 30 days’ worth of funds. These payments will be repaid through automatic recoupment from Medicare claims for a period of 90 days. A demand will be issued for any remaining balance on day 91 following the issuance of the accelerated or advance payment.

Further, although most health systems and clinicians were eligible to apply for the funds during the COVID-19 PHE, only healthcare systems and clinicians that are not able to submit claims to Medicare are eligible for the CHOPD payments. This restriction could limit the eligibility pool significantly, since many healthcare systems and clinicians can still submit claims to Medicare even if they have been hit hard by the cybersecurity attack and are unable to receive payment from UHG and perhaps other private payors.

Although the CHOPD accelerated and advanced payment program is more limited than the COVID-19-era program, it may present some of the same benefits and overall challenges that the PHE program did. While health systems and clinicians appreciated receiving upfront Medicare payments during the COVID-19 PHE (as they do now), many had a hard time paying the money back. As noted, Congress provided an extremely long repayment window to take the financial pressure off of health systems and clinicians. It is unclear whether health systems and clinicians will be able to easily repay the CHOPD loan within 90 days as required. While this loan is much smaller, if these health systems and clinicians continue to have residual cash flow issues even when they return to normal operations, they may need longer than 90 days to fully repay the loan. The American Hospital Association has asked Congress to step in and remove some of the statutory limitations that have forced CMS to establish a relatively restrictive CHOPD accelerated and advanced payment program.

HHS also recognizes that the CHOPD accelerated and advanced payment program will not cover all of the financial losses borne by clinicians and health systems and is calling on private payors to provide their own accelerated payments to providers. Some stakeholders have argued that because UHG owns Change Healthcare, it is UHG’s full responsibility to help keep clinicians and health systems afloat. While UHG has launched a financial relief program, many providers have stated that the relief is insufficient and is tied to extremely restrictive terms and conditions.

To increase the flow of funds within Medicaid, CMS is providing flexibility to states to enable them to support providers through their Medicaid programs. CMS sent an informational bulletin last week that advises state Medicaid agencies that the agency does not “intent to take enforcement action with respect to certain Medicaid requirements … to enable critical Medicaid funds to continue to flow to providers and to prevent disruption of access to Medicaid services, prevent associated negative health outcomes, and avoid solvency issues for providers.”

Merit-Based Incentive Payment System (MIPS) Extreme and Uncontrollable Circumstances (EUC) Exception


Last week, CMS announced that it was reopening the 2023 MIPS EUC application “to provide relief to MIPS eligible clinicians impacted by this cybersecurity incident.” CMS extended the deadline for submitting 2023 data until 8 pm EDT on April 15, 2024, and the EUC application will be due at that same time. Clinicians can request a hardship exception due to the cybersecurity attack for one or more of the four performance categories of MIPS. CMS will only approve applications citing this cyberattack as the basis for requesting the MIPS EUC exception, and any data submitted to CMS will override the exception.

This MIPS EUC process and application may seem familiar, as it was a prominent tool that CMS used during the COVID-19 PHE to provide flexibility and relief to clinicians. From 2019 to 2021, CMS actually created an automatic exception for MIPS clinicians, and for the last two years (2022 and 2023), clinicians could manually apply for an EUC exception due to COVID-19. While many physicians have expressed appreciation for the relief and flexibility, the reopening of the EUC does create some issues, including the following:

  • Confusion about reporting data. If a clinician reports data for a performance category, that submission overrides the exception. However, what happens if a clinician rushed to report data before knowing of the EUC but wants to retract that submission now that the EUC is available? Is that possible? There could be situations where the clinician unknowingly reported data through a third party or wants to rescind a data submission but misses that opportunity.
  • Smaller bonuses for high performers. It is foreseeable that those clinicians who “waited until the last minute” to report 2023 data and may not be high performers will be more likely to apply for an EUC due to the Change Healthcare attack. MIPS is a budget neutral program, and CMS uses the pool of penalties to pay out bonuses. Since there may be fewer low performers reporting 2023 data overall, the pool of penalties may be smaller, thereby limiting the bonuses available to high performers. In other words, clinicians who performed well in MIPS may wind up having little to show for their high performance.

These issues may be worth it, and clinicians are likely still happy to have this additional flexibility. However, this does make it more difficult to predict what bonus or penalty clinicians may receive in 2025 based on their performance in 2023. It also means that barring another unforeseeable event (which is certainly not out of the question), 2025 could be the first time in five years that the vast majority of clinicians must report in MIPS and that many cannot claim a hardship exception.


We are definitely not out of the woods yet, and HHS may take additional actions in the wake of the cybersecurity attack. However, this response (similar to the response to COVID-19) raises certain questions that remain unanswered:

  • Are the tools available to HHS sufficient to handle a healthcare disruption? Should HHS be able to declare a PHE in the face of a cybersecurity attack?
  • Does HHS need to develop more tools or does Congress need to provide more leeway to HHS to handle emergencies (for example allowing CMS to institute a more comprehensive accelerated payment program with fewer restrictions and a more flexible repayment schedule)?
  • What are the long-term consequences of HHS’s use of these tools?
  • What is the responsibility of the federal government versus that of the private sector and/or states to deliver financial relief and support to providers during a crisis?

Unfortunately, there may be other pandemics, cybersecurity attacks and disasters that we will need to respond to in the coming months or years, so it is imperative that Congress, HHS and others attempt to answer these questions sooner rather than later!

Until next week, this is Jeffrey saying, enjoy reading regs with your eggs.


For more information, please contact Jeffrey Davis. To access the full archive of Regs & Eggs, visit the American College of Emergency Physicians.

To subscribe to Regs & Eggs, please CLICK HERE.