Blog Post

Ensuring continued access to Medicaid services following massive cyberattack: NAMD asked and CMS/HHS answered

Medicaid programs gain flexibilities they need to protect Medicaid member health care access following cyberattack

On behalf of its state and territory membership, NAMD and several of its national partners (ADvancing States, NASDDDS, and NACHC) recently asked CMS/HHS to take immediate action to mitigate the severe and continuing impacts on the health care providers that serve millions of Medicaid members, impacts that have resulted since the Feb. 21 cyberattack on Change Healthcare, a unit of UnitedHealth Group. Since Change was forced to pull down systems that process claims and prescription drug authorization for thousands of pharmacies, hospitals, health centers, and other health care providers, disruptions in normal payment processes have affected cash flow and even the viability of providers on which Medicaid members depend.

Excitingly, on Friday the Center for Medicaid and CHIP Services (CMCS) issued an informational bulletin (CIB) that directly responds to each of these points. This is a specific but non-exclusive example of the applied federal-state/territory partnership under which the Medicaid program is operated nationally. It also reflects the enormous value that comes from aggregating up-to-the-minute experience at the state/territory level through NAMD, on which the federal government can rely to take urgently needed near-term policy action.

What did Medicaid programs ask for?

As the cyberattack unfolded, Medicaid leaders sprang into action, working around the clock to put in place manual processes to ensure that people served by the Medicaid program could maintain access to vital prescriptions and other health care services. While doing so, Medicaid leaders also provided real-time insight to NAMD and our federal partners about the limitations of their ability to respond within existing program authority and identified where federal flexibility was needed to ensure that access to care could be maintained throughout the duration of the crisis.

Informed by this feedback, NAMD raised the call with CMS and administration partners and asked for the following specific federal action:

  • flexible authority for Medicaid programs to make rapid interim payments to providers in managed fee-for-service systems;
  • flexibility to waive utilization management practices and co-payments that are embedded in state plans; and
  • assurances that federal audit agencies will consider the context of this urgent set of circumstances and hold programs harmless from typical documentation requirements.

What actions did the federal government take?

The informational bulletin provides greater detail for implementation, but most significantly, CMCS is providing enforcement discretion that will allow Medicaid programs to elect a State Plan Amendment (SPA) option. This option will permit them to rapidly implement interim payments to fee-for-service providers, of up to the amount paid in a recent prior payment period, that are eligible for federal financial participation (FFP). Relatedly, programs that elect this option will be permitted to:

  • fulfill otherwise required procedural requirements including, but not limited to, public notice, within a reasonable time frame after the effective date of the SPA; and
  • later reconcile payments.

Relatedly, the bulletin reinforces that:

  • Medicaid programs have the further option of submitting a SPA to cover an enhanced pharmacy dispensing fee to pharmacies that have faced administrative burdens including manual documentation processes while ensuring that Medicaid members have continued access to their needed prescriptions.
  • Medicaid managed care plans have considerable routine flexibility in making advance provider payments, suspending or modifying prior authorization requirements, allowing early or longer length prescription refills, suspending out-of-network requirements, and modifying cost-sharing requirements to be consistent with changes in the Medicaid state plan.
  • CMCS will provide “PERM [Payment Error Rate Measurement] flexibilities within [its] authority, consistent with flexibilities offered previously when states experienced disruption to their claims processes.”

We are extremely grateful for the fast and comprehensive response from CMCS. We are also indebted to our member states and territories, whose policy and operations leadership activated immediately to protect their members’ access to health care and contributed greatly to collective understanding of the impact of the cyberattack nationwide.

As soon as NAMD became aware of the attack, we began convening daily standup calls for Medicaid agencies to share directly with each other what they were seeing, how they were responding, and what additional supports were needed. NAMD channeled key insights from these conversations to our federal partners, who joined frequently to hear directly from states. We also brought in industry partners to communicate directly with states. This close collaboration yielded even more actionable insights and directly informed the CIB.

What can we all learn from this experience?

All of these practices – real-time communication, continuous feedback loops, creative thinking – reflect the highly effective norms that federal, state, and territory leaders adopted during the COVID-19 public health emergency and carried forward to this emergency. We are proud of how they contributed to development of the bulletin.

The community of Medicaid leaders and programs, federal partners, industry partners, the provider community and Medicaid advocates has, through issuance of the bulletin, taken a major step forward in solving the Medicaid provider payment constraints caused by this cyberattack. But we still have untapped opportunities to plan together for a future event of this same type. We must do this now, as we know that it is a practical certainty that additional cyberattacks are going to occur in the future.

For this reason, we recommend that:

  • federal, state and territory Medicaid leaders, as well as the private sector vendors on which government depends, collaborate to identify potential points of vulnerability in Medicaid information and payment processing systems, and build safeguards and redundancies as needed;
  • those same partners memorialize a set of process steps and authority templates that can be launched immediately following any subsequent cyberattack that affects Medicaid systems; and
  • Congress expand the scenarios under which 1135 waivers can be implemented to include not just pandemics and weather events, but also cyberattacks.

These steps will help to ensure that we are better equipped to anticipate and respond to future cyberattacks, with a primary focus on safeguarding access to and utilization of the health care services that are integral to the 80 million people served by Medicaid nationwide.
