On February 21, 2024, Change Healthcare, a platform that provides certain technology solutions for the health care industry, experienced a nationwide network interruption related to a cybersecurity issue (cyber incident) and disconnected its systems to protect partners and patients. Change Healthcare is used by hospitals, health care providers, and health care facilities that render health care services, including behavioral health care services and pharmacies (collectively, “providers”) across the country. As a result of the cyber incident, some providers are unable to request preauthorization; engage in concurrent or retrospective reviews; request reconsiderations; submit internal appeals, external appeals, or claims within the requisite timeframes; verify an insured’s eligibility for coverage; and obtain timely payment for health care services. Accordingly, the New York Department of Financial Services (DFS) has taken substantial steps to address the impact on healthcare providers and the members and insureds to whom they provide healthcare services.

DFS strongly encouraged issuers and Pharmacy Benefit Managers (PBMs) to accommodate providers by developing solutions to address these issues. In some cases, the issues may be resolved through work arounds, including the use of a vendor other than Change Healthcare to perform these functions. However, DFS’s guidance acknowledges that other cases “may necessitate flexibility with statutory or contractual timeframes or the implementation of solutions to maintain cash-flow for providers.”

NY DFS guidance linked here discusses the ramifications of these cyber events, including suspension of preauthorization requirements, suspension of concurrent review and suspension of retrospective review. Resumption of such activity as well as internal and external appeal timeframes and claim reconsiderations, potential impact of the cyber-attack on eligibility verifications and timeliness of claims submissions are also addressed. To that end, DFS concludes that an issuer should suspend or toll utilization review requirements, timeframes for appeals and reconsiderations, timeframes for the submission of claims, and eligibility verifications when it receives a certification from a provider that has had an adverse impact because of the cyber incident. Any suspension or tolling should remain in effect until the provider can resume submission through Change Healthcare or upon the issuers or, in the case of pharmacy claims, the PBM’s receipt of notification from the provider that the suspension or tolling is no longer needed, if earlier.

On March 8, 2024, DFS issued more formal guidance through Insurance Circular Letter No. 2 (2024) to “all Insurers Authorized to Write Accident and Health Insurance in New York State, Article 43 Corporations, Health Maintenance Organizations, Student Health Plans Certified Pursuant to Insurance Law § 1124, Municipal Cooperative Health Benefit Plans, Prepaid Health Services Plans, Utilization Review Agents, Licensed Independent Adjusters, and Pharmacy Benefit Managers (“PBMs”)” suspending or tolling (when necessary) certain Utilization Review Requirements, Appeal Timeframes, Claim Submission Timeframes and Eligibility Verifications. Issuers and PBMs were instructed to ensure that there are no delays in healthcare services and that prescription drugs remain accessible to insureds and members. In view of the prompt pay standards and time frames established regarding payment of health insurance claims, both issuers and PBMs were advised to coordinate with providers to minimize and resolve payment delays resulting from the Change Healthcare cyber incident.

Issuers were further encouraged to address with providers impacted by the incident the ability to make payments by non-electronic means at a provider’s request. The Circular Letter directed issuers to suspend or toll utilization review requirements, timeframes for appeals and reconsiderations, timeframes for the submission of claims, and eligibility verifications when it receives a certification from a provider that has had an adverse impact as a result of the cyber incident. Any suspension or tolling is expected to remain in effect until the provider can resume submission through Change Healthcare or upon the issuer’s or, in the case of pharmacy claims, the PBM’s receipt of notification from the provider that the suspension or tolling is no longer needed, if earlier. Examples of when suspension or tolling is no longer needed include when the provider secures an alternative vendor to perform these functions or an issuer presents a workaround that is acceptable to the provider.

Questions regarding measures to be taken to protect providers, members and insureds impacted by the Change Healthcare cyber incident can be directed to DFS’ Health Care Office at health@dfs.ny.gov.