Insurance Circular Letter No. 2 (2024)
March 8, 2024
TO: All Insurers Authorized to Write Accident and Health Insurance in New York State, Article 43 Corporations, Health Maintenance Organizations, Student Health Plans Certified Pursuant to Insurance Law § 1124, Municipal Cooperative Health Benefit Plans, Prepaid Health Services Plans, Utilization Review Agents, Licensed Independent Adjusters, and Pharmacy Benefit Managers
RE: Suspension of Certain Utilization Review Requirements, Appeal Timeframes, Claim Submission Timeframes, and Eligibility Verifications
STATUTORY REFERENCES: N.Y. Insurance Law §§ 2911, 3216, 3221, 3224-a, 4303, 4305, 4306, 4903, 4904, and 4914; and Public Health Law §§ 4903, 4904, and 4914
I. Purpose
The purpose of this circular letter is to advise insurers authorized to write accident and health insurance in New York State, Article 43 corporations, health maintenance organizations, student health plans certified pursuant to Insurance Law § 1124, municipal cooperative health benefit plans, and prepaid health services plans, which include Medicaid managed care plans, Child Health Plus, the Essential Plan, managed long term care plans, and the Program of All-Inclusive Care for the Elderly (collectively, “issuers”), independent agents performing utilization review under contract with such issuers, licensed independent adjusters, and pharmacy benefit managers (“PBMs”) that certain preauthorization, concurrent, and retrospective review requirements (collectively, “utilization review requirements”), appeal timeframes, reconsideration timeframes, claim submission timeframes, and eligibility verifications should be suspended or tolled when necessary. Issuers and PBMs should ensure that there are no delays in health care services and that prescription drugs remain accessible to insureds.
On February 21, 2024, Change Healthcare, a platform that provides certain technology solutions for the health care industry, experienced a nationwide network interruption related to a cybersecurity issue (“cyber incident”) and disconnected its systems to protect partners and patients. Change Healthcare is used by a substantial number of hospitals, health care providers, and health care facilities that render health care services, including behavioral health care services, and pharmacies (collectively, “providers”) in New York. As a result of the cyber incident, some providers are unable to request preauthorization; engage in concurrent or retrospective reviews; request reconsiderations; submit internal appeals, external appeals, or claims within the requisite timeframes; verify an insured’s eligibility for coverage; and obtain timely payment for health care services. Issuers and PBMs are strongly encouraged to work with providers to develop solutions to address these issues. In some cases, the issues may be resolved through workarounds, including the use of a vendor other than Change Healthcare to perform these functions. However, other cases may necessitate flexibility with statutory or contractual timeframes or the implementation of solutions to maintain cash-flow for providers.
II. Suspension of Preauthorization Requirements
Insurance Law and Public Health Law §§ 4903 permit issuers to require preauthorization for certain health care services, other than emergency services. However, as a result of the cyber incident, providers that use Change Healthcare may not be able to request preauthorization. Issuers should suspend statutory and contractual preauthorization requirements for providers that use or rely on Change Healthcare for prior authorizations upon receipt of a provider’s signed certification that such suspension is needed because the cyber incident had an adverse impact on the provider’s ability to submit prior authorization requests. Issuers should not penalize the provider for a failure to request preauthorization due to the cyber incident for dates of service on and after February 21, 2024. Any suspension of preauthorization should remain in effect until the provider is able to make preauthorization requests through Change Healthcare again or upon the issuer’s receipt of notification from the provider that the suspension is no longer needed, if earlier. If preauthorization is suspended, a provider should use its best efforts to provide 48 hours’ notice to the issuer after an admission to a hospital or other service is provided, including information necessary for an issuer to assist in coordinating care and discharge planning. Issuers that receive a signed certification from a provider may review services when the provider is able to make preauthorization requests through Change Healthcare again or upon the issuer’s receipt of notification from the provider that the suspension is no longer needed, if earlier.
III. Suspension of Concurrent Review
Insurance Law § 4903(c)(1) and Public Health Law § 4903(3)(a) permit issuers to concurrently review services for medical necessity, including continued or extended health care services or additional services for an insured undergoing a course of continued treatment prescribed by a health care provider. This review is known as concurrent review. Issuers should suspend statutory and contractual concurrent review requirements for providers that use or rely on Change Healthcare for concurrent review upon receipt of a provider’s signed certification that such suspension is needed because the cyber incident had an adverse impact on the provider’s ability to conduct concurrent review. Issuers should not penalize the provider for a failure to conduct concurrent review due to the cyber incident for dates of service on and after February 21, 2024. Any suspension of concurrent review should remain in effect until concurrent review can be done through Change Healthcare again or upon the issuer’s receipt of notification from the provider that the suspension is no longer needed, if earlier. Issuers that receive a signed certification from a provider may review services when concurrent review can be done through Change Healthcare again or upon the issuer’s receipt of notification from the provider that the suspension is no longer needed, if earlier.
IV. Suspension of Retrospective Review
Insurance Law § 4903(d) and Public Health Law § 4903(4) permit issuers to retrospectively review services for medical necessity. This review is known as retrospective review. Issuers should suspend statutory and contractual retrospective review requirements for providers that use or rely on Change Healthcare for retrospective review upon receipt of a provider’s signed certification that such suspension is needed because the cyber incident had an adverse impact on the provider’s ability to conduct retrospective review. Issuers should not penalize the provider for a failure to conduct retrospective review due to the cyber incident for dates of service on and after February 21, 2024. Any suspension of retrospective review should remain in effect until retrospective review can be done through Change Healthcare again or upon the issuer’s receipt of notification from the provider that the suspension is no longer needed, if earlier. Issuers that receive a signed certification from a provider may review services when retrospective review can be done through Change Healthcare again or upon the issuer’s receipt of notification from the provider that the suspension is no longer needed, if earlier.
V. Resumption of Concurrent and Retrospective Review
When concurrent review or retrospective review can be done through Change Healthcare again or upon the issuer’s receipt of notification from the provider that the suspension is no longer needed, if earlier, issuers that provided a suspension in response to a signed certification from a provider may request necessary information to perform concurrent or retrospective reviews, reconcile claims, and make any payment adjustments. Issuers should ensure that documentation requirements for concurrent and retrospective review are reasonable.
VI. Internal and External Appeal Timeframes and Claim Reconsiderations
Insurance Law § 4904(c) and Public Health Law § 4904(3) provide that a health care provider has at least 45 days after receipt of notice of an adverse determination to file an internal appeal with the issuer. Insurance Law § 4903(f) and Public Health Law § 4903(6) permit a provider to request a reconsideration when a utilization review agent renders an adverse determination without attempting to discuss such matter with the provider who specifically recommended the health care service, procedure, or treatment under review. Insurance Law § 4914(b)(1) and Public Health Law § 4914(2)(a) provide that a provider has 60 days to initiate an external appeal after the provider receives notice of a final adverse determination. Issuers should toll the statutory and contractual timeframes for a provider to submit an internal appeal, reconsideration, or an external appeal for providers that use or rely on Change Healthcare for these functions upon receipt of a provider’s signed certification that such tolling is needed because the cyber incident had an adverse impact on the provider’s ability to comply with these timeframes. If the statutory or contractual timeframes expired between February 21, 2024 and the date the issuer received the signed certification, then an issuer should allow the submission of an internal appeal, reconsideration, or an external appeal within a reasonable timeframe. Any tolling of the timeframes should remain in effect until internal and external appeals can be done through Change Healthcare again or upon the issuer’s receipt of notification from the provider that the tolling is no longer needed, if earlier.
VII. Eligibility Verifications
The cyber incident may impact a provider’s ability to confirm an insured’s eligibility for coverage, including whether an issuer or PBM will cover a specific prescription drug. In such cases, issuers and PBMs should work with providers to ensure that there are no delays in health care services and that prescription drugs remain accessible to insureds. In addition, an issuer should waive a provider’s contractual obligations to verify an insured’s eligibility for coverage for providers that use or rely on Change Healthcare for this function upon receipt of a provider’s signed certification that such waiver is needed because the cyber incident had an adverse impact on the provider’s ability to perform this function. The issuer should not penalize the provider for a failure to verify an insured’s eligibility due to the cyber incident for dates of service on and after February 21, 2024. Any waiver should remain in effect until the provider can confirm an insured’s coverage eligibility through Change Healthcare again or upon the issuer’s receipt of notification from the provider that waiver is no longer needed, if earlier.
VIII. Timely Submission of Claims
Insurance Law §§ 3216(d)(1)(G), 3221(a)(9), 3224-a(g), 4305(m), and 4306(n) state that providers have 120 days to submit claims under a health insurance policy or contract. Issuers, and PBMs where the provider is a pharmacy, should toll the statutory and contractual timeframes for providers to submit claims upon receipt of a provider’s signed certification that such tolling is needed because the cyber incident had an adverse impact on the provider’s ability to comply with these timeframes. If the statutory or contractual timeframe expired between February 21, 2024 and the date the issuer or PBM received the signed certification, then an issuer or PBM should allow the submission of a claim within a reasonable timeframe. Any tolling of the timeframe should remain in effect until the provider can submit claims through Change Healthcare again or upon the issuer’s or PBM’s receipt of notification from the provider that the tolling is no longer needed, if earlier. DFS also strongly encourages issuers and providers to work together to develop solutions for the submission of claims that are impacted by the cyber incident, and an issuer should accept alternate methods of submitting claims if feasible for a provider that has been impacted by the cyber incident.
IX. Certification to the Issuer or PBM
In order for an issuer to suspend or toll utilization review requirements, appeal timeframes, reconsideration timeframes, claim submission timeframes, and eligibility requirements, the provider should certify to the issuer, under penalty of law, that suspension or tolling is necessary, because the cyber incident had an adverse impact on the provider’s ability to comply with these requirements. The person signing the certification should be the highest-level management person of the provider with authority to sign on behalf of the provider, which may be the Chief Executive Officer, Chief Financial Officer, Chairperson of the Governing Board, or Officer (President, Vice President, Secretary or Treasurer). Upon receipt of the form, the issuer should also sign it to acknowledge the suspension or tolling of the utilization review requirements, appeal timeframes, reconsideration timeframes, claim submission timeframes, or eligibility requirements, and the issuer should return the form to the provider. The person signing the certification should be the highest-level management person of the issuer with authority to sign on behalf of the issuer, which may be the Chief Executive Officer, Chief Financial Officer, Chairperson of the Governing Board, or Officer (President, Vice President, Secretary or Treasurer). In order for an issuer to suspend claim submission timeframes for a pharmacy when the suspension is necessary due to the cyber incident, the pharmacy should certify to the PBM and thereafter the PBMs and pharmacies should follow the same certification and acknowledgement process above.
The provider should use the certification form developed by the Department of Financial Services (“DFS”) and the Department of Health (“DOH”), which should include the type of requirements it is requesting that the issuer or, in the case of pharmacy claims, the PBM, suspend or toll. The certification can be found here. For each function for which the provider identified as requiring a suspension or tolling of requirements, the provider should immediately inform the issuer or PBM to which it sent a certification if the suspension or tolling of requirements is no longer necessary, and the issuer or PBM should acknowledge receipt. Examples of when suspension or tolling is no longer needed include when the provider secures an alternative vendor to perform these functions, or an issuer presents a workaround that is acceptable to the provider. The provider should also provide a copy of the certification to DOH at [email protected] and to DFS at [email protected], and the provider should notify DOH and DFS when the suspension or tolling of requirements is no longer necessary.
X. Prompt Payment for Services
Insurance Law § 3224-a establishes standards and time frames regarding the prompt payment of health insurance claims by issuers. Issuers and PBMs should work with providers to minimize and resolve payment delays as a result of the cyber incident. Issuers should also work with providers that have been impacted by the cyber incident to provide payment by non-electronic means when requested by a provider.
XI. Other Payments to Providers
The cyber incident may impact cash flows for some providers. Issuers should work with these providers that are in their networks to provide assistance if financially feasible and prudent, after considering the liquidity and solvency of the issuer. Where assistance is needed to avoid any disruption of services provided by a provider, the state strongly urges the issuer and the provider to work together to develop a mutually acceptable plan to provide assistance to the provider, which may include, to the extent an issuer does not currently provide such payment or other advances, periodic interim payments during the cyber incident.
XII. Conclusion
An issuer should suspend or toll utilization review requirements, timeframes for appeals and reconsiderations, timeframes for the submission of claims, and eligibility verifications when it receives a certification from a provider that has had an adverse impact as a result of the cyber incident. Any suspension or tolling should remain in effect until the provider can make the submission through Change Healthcare again or upon the issuer’s or in the case of pharmacy claims, the PBM’s, receipt of notification from the provider that the suspension or tolling is no longer needed, if earlier. Examples of when suspension or tolling is no longer needed include when the provider secures an alternative vendor to perform these functions, or an issuer presents a workaround that is acceptable to the provider. Issuers and PBMs should also work with providers to address any issues that arise as a result of the cyber incident.
Please direct any questions regarding this circular letter by email to [email protected].
Very truly yours,
Lisette Johnson
Chief, Health Bureau