CMS Adds Cyberattack Option to MIPS Hardship Exemption


Due to the ongoing impact of the Change Healthcare cyberattack on an increasing number of physician practices, the Centers for Medicare & Medicaid Services (CMS) has added an option to cite the cyberattack when requesting a hardship exemption within the 2024 Merit-based Incentive Payment System (MIPS).

CMS has added the option to the Extreme and Uncontrollable Circumstances (EUC) application. The 2024 MIPS EUC portal is now open, and physicians have until Dec. 31 to file a hardship application and avoid a 2026 MIPS negative payment adjustment.

When in the EUC portal, physicians can select the event type as “ransom/malware.” after which a drop-down box will appear asking whether the event pertains to the Change Healthcare cyberattack. More information can be found on page 8 of the 2024 MIPS EUC Application User Guide.

When applying for a hardship, physicians have the option to request reweighting of up to four MIPS categories. Reweighting of all performance categories will result in avoiding a negative MIPS payment penalty of up to 9% in 2026. As a reminder, if a physician or group submits data, that submission will override the hardship exception and the physician or group may be scored.

Questions about applying for the hardship exception may be directed to the TMA Knowledge Center by emailing or by calling (800) 880-7955.

Last Updated On

May 30, 2024

Originally Published On

May 30, 2024