CMS Releases Guidance on Medicaid Flexibilities and Response to Change Healthcare Cyberattack

Special Bulletin

March 18, 2024

State Medicaid programs can make interim payments to fee-for-service providers; CMS encourages states to work with Medicaid managed care organizations to implement a similar policy

The Centers for Medicare & Medicaid Services (CMS) March 15 issued an informational bulletin that provides information on actions states can take to provide relief to Medicaid providers affected by the Change Healthcare cyberattack. On Feb. 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group, shutdown many of its services as the result of a cyberattack. As a result, both health care providers and payers have had reduced revenue cycle capabilities, including the ability to send claims and payment.

AHA Take

We appreciate this additional information as CMS continues to work with stakeholders to find solutions to the Change Healthcare disruption and ameliorate its impact on hospitals, health systems, physicians and other providers.

Informational Bulletin Highlights

CMS encourages states to make interim payments to fee-for-service providers to mitigate the effects of the Change Healthcare cyberattack and to prevent disruption of Medicaid beneficiaries’ access to services and the associated negative health outcomes. Interim payments should use current state plan rates and are limited to expected utilization of allowable services based on provider-specific recent utilization history. CMS clarifies that these are not advance payments. Interim payments must be finalized after functionality has been restored. Interim payments also must meet all documentation requirements, including the requirement that payments are made for allowable services that are affected by the Change Healthcare cyberattack.

States are required to submit a state plan amendment (SPA) for expedited CMS approval. The bulletin outlines what information should be in the SPA, including a provider-specific methodology to reconcile interim payments once functionality has been restored to claims processing systems. CMS encourages states to submit SPAs by March 31, 2024, or notify CMS of their intention to submit a SPA by April 10, 2024. The interim methodology can be made effective retroactively to the first date of disruption due to the cyberattack and must sunset no later than June 30, 2024. CMS describes the additional flexibilities they will grant to states to expedite the SPA approval, as well as the requirements and responsibilities states must meet for approval. States can begin to draw down federal matching funds once a SPA is submitted.

CMS also encourages states to take the following policy actions:

  • Temporarily suspend cost sharing requirements, pending SPA submission and CMS approval.
  • Encourage Medicaid managed care organizations to make interim payments to providers.
  • Work with Medicaid managed care organizations to suspend or modify prior authorization requirements, allow early prescription refills and/or extend the length of refills, suspend out-of-network requirements, and modify existing cost-sharing requirements to be consistent with any changes made to the Medicaid state plan.

Changes made to Medicaid managed care programs typically do not require a SPA but may require contract amendments. In the bulletin, CMS reminds states that they should submit contract amendments to CMS for review and approval and should assess with their actuaries whether any changes affect actuarial soundness or require a rate certification.

Further Questions

If you have further questions on these announcements, please contact Molly Smith, AHA group vice president of policy, at, or Ben Finder, AHA vice president of coverage policy, at

Special Bulletin: CMS Releases Guidance on Medicaid Flexibilities and Response to Change Healthcare Cyberattack page 1.