Your clearinghouse is down
Claims pipeline stalls, eligibility checks fail, and your downtime billing posture is being tested in real time. A cash-flow event that becomes a regulatory event if it lasts long enough.
The first hour
- 1Confirm the outage is the clearinghouse, not your EHR or internet. Check the vendor's status page (Change Healthcare, Availity, Waystar, Office Ally, Trizetto) and your EHR's status page.
- 2Tell the front desk and the biller in one sentence: claims and eligibility are down at the clearinghouse; keep seeing patients, collect copays, verify insurance manually, catch up the queue when the vendor is back.
- 3Switch the biller to manual eligibility on the payer portals (Availity for commercial, MAC portal for Medicare, state portal for Medicaid). Prioritize same-day high-cost procedures and new patients.
- 4If the PMS routes everything through the clearinghouse, capture today's charges on a paper superbill so nothing is lost when the queue reopens.
- 5Pull the BAA with the clearinghouse out of your contracts folder. You will reference it in the next 48 hours.
- 6Notify your cyber and professional-liability carriers in writing — even if PHI is not yet implicated. Most policies require notice within 24–72 hours of a potential incident.
- 7Call your bank about a temporary line of credit sized to two months of expenses. The bank moves faster while the outage is still in the news cycle.
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- Save the vendor's status-page screenshots and any incident-update emails, with timestamps.
- Keep a written downtime log: start time, services affected, manual workaround used. This is the basis for the business-interruption insurance claim.
- Preserve your signed BAA and any amendments in a dated folder.
- Track every delayed dollar and every unbillable encounter for the insurance claim and a possible HHS hardship request.
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- HHS OCR Breach Portal (triggered only if vendor confirms PHI exposure)
- HHS Breach Notification Rule guidance
- State AG breach notification (varies by state)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
Is a clearinghouse outage a HIPAA breach?+
Not by itself. An outage is an availability event. It becomes a breach only if the vendor confirms PHI was accessed, acquired, or exfiltrated. Your 60-day patient-notification clock starts on the date the vendor notifies you of the breach, not the date the outage began.
Should we switch to a backup clearinghouse?+
If the outage extends past a week, the friction of emergency onboarding (payer enrollment, EFT re-routing, ERA re-enrollment) is usually worth it. Availity, Office Ally, and Waystar have all opened emergency onboarding during major outages and can typically have a small practice submitting within 5–10 business days.
Will the vendor notify our patients for us?+
Do not assume so. The covered entity owns patient notification by default. Some BAAs explicitly shift it to the BA, but most are silent or ambiguous. Confirm in writing — and even if the vendor notifies, OCR can still come back to you.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.
Billing service, MSP, transcription vendor, answering service, cloud backup, marketing agency, interpreter service. The 60-day clock starts on you, the covered entity, the moment they tell you. Attribution, BAA enforcement, and patient notification are the next 60 days.