HHS Announces Some Flexibilities for Hospitals Following Cyberattack on Change Healthcare

AHA Special Bulletin
March 5, 2024

The Department of Health and Human Services today announced some flexibilities from the Centers for Medicare & Medicaid Services to assist providers in continuing to serve patients in the wake of the unprecedented cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group.


In a statement following today’s announcement, AHA President and CEO Rick Pollack said, “We cannot say this more clearly — the Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. health care system in history. For nearly two weeks, this attack has made it harder for hospitals to provide patient care, fill prescriptions, submit insurance claims, and receive payment for the essential health care services they provide.

“The magnitude of this moment deserves the same level of urgency and leadership our government has deployed to any national event of this scale before it. The measures announced today do not do that and are not an adequate whole of government response.

“Rest assured, the AHA will continue to work with Congress on meaningful solutions to preserve 24/7 access to care. If limitations exist for an appropriate government response, it is incumbent upon the executive branch to propose the necessary legislation and authorities to ensure the provider network in this nation is not further compromised.”

The AHA Feb. 26 asked HHS to take a number of actions to minimize the fallout from the cyberattack, and March 4 urged Congress to take action to support hospitals and health systems. Today’s actions are narrow in scope and do not adequately address the complex reverberations of this cyber incident.


The following flexibilities are effective immediately, according to HHS.

  • “Medicare providers needing to change clearinghouses that they use for claims processing during these outages should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment for the switch. The MAC will provide instructions based on the specific request to expedite the new EDI enrollment. CMS has instructed the MACs to expedite this process and move all provider and facility requests into production and ready to bill claims quickly. CMS is strongly encouraging other payers, including state Medicaid and Children’s Health Insurance Program (CHIP) agencies and Medicaid and CHIP managed care plans, to waive or expedite solutions for this requirement.
  • “CMS will issue guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages. CMS is also encouraging MA plans to offer advance funding to providers most affected by this cyberattack.
  • “CMS strongly encourages Medicaid and CHIP managed care plans to adopt the same strategies of removing or relaxing prior authorization and utilization management requirements, and consider offering advance funding to providers, on behalf of Medicaid and CHIP managed care enrollees to the extent permitted by the State.
  • “If Medicare providers are having trouble filing claims or other necessary notices or other submissions, they should contact their MAC for details on exceptions, waivers, or extensions, or contact CMS regarding quality reporting programs.
  • “CMS has contacted all of the MACs to make sure they are prepared to accept paper claims from providers who need to file them. While we recognize that electronic billing is preferable for everyone, the MACs must accept paper submissions if a provider needs to file claims in that method.”

In addition, HHS acknowledges hospitals are facing potentially significant cash flow disruptions while Change Healthcare systems continue with service interruptions due to the cyberattack. The agency recommends hospitals submit accelerated payment requests to the MAC.


Change Healthcare announced Feb. 21 it was experiencing a cyberattack and recently acknowledged the attack was perpetrated by threat actor ALPHV Blackcat. See the AHA Change Healthcare cyberattack update webpage for details.


If you have further questions, please contact AHA at 800-424-4301.