Skip to main content
All playbooks
Playbook

Your clearinghouse is down

Claims pipeline stalls, eligibility checks fail, and your downtime billing posture is being tested in real time. A cash-flow event that becomes a regulatory event if it lasts long enough.

Last reviewed: May 2026

The first hour

  1. 1Confirm the outage is the clearinghouse, not your EHR or internet. Check the vendor's status page (Change Healthcare, Availity, Waystar, Office Ally, Trizetto) and your EHR's status page.
  2. 2Tell the front desk and the biller in one sentence: claims and eligibility are down at the clearinghouse; keep seeing patients, collect copays, verify insurance manually, catch up the queue when the vendor is back.
  3. 3Switch the biller to manual eligibility on the payer portals (Availity for commercial, MAC portal for Medicare, state portal for Medicaid). Prioritize same-day high-cost procedures and new patients.
  4. 4If the PMS routes everything through the clearinghouse, capture today's charges on a paper superbill so nothing is lost when the queue reopens.
  5. 5Pull the BAA with the clearinghouse out of your contracts folder. You will reference it in the next 48 hours.
  6. 6Notify your cyber and professional-liability carriers in writing — even if PHI is not yet implicated. Most policies require notice within 24–72 hours of a potential incident.
  7. 7Call your bank about a temporary line of credit sized to two months of expenses. The bank moves faster while the outage is still in the news cycle.

Evidence to preserve

What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.

  • Save the vendor's status-page screenshots and any incident-update emails, with timestamps.
  • Keep a written downtime log: start time, services affected, manual workaround used. This is the basis for the business-interruption insurance claim.
  • Preserve your signed BAA and any amendments in a dated folder.
  • Track every delayed dollar and every unbillable encounter for the insurance claim and a possible HHS hardship request.

The HIPAA breach clock

The breach-notification clock starts at discovery. Federal HHS deadline is 60 days; many states are faster.
HHS / patient (federal)
September 5, 2026
60 days from discovery
CA / FL / others
August 6, 2026
30-day state floor
NY / others
August 21, 2026
45-day state floor

Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.

Regulator contacts

Frequently asked

Is a clearinghouse outage a HIPAA breach?+

Not by itself. An outage is an availability event. It becomes a breach only if the vendor confirms PHI was accessed, acquired, or exfiltrated. Your 60-day patient-notification clock starts on the date the vendor notifies you of the breach, not the date the outage began.

Should we switch to a backup clearinghouse?+

If the outage extends past a week, the friction of emergency onboarding (payer enrollment, EFT re-routing, ERA re-enrollment) is usually worth it. Availity, Office Ally, and Waystar have all opened emergency onboarding during major outages and can typically have a small practice submitting within 5–10 business days.

Will the vendor notify our patients for us?+

Do not assume so. The covered entity owns patient notification by default. Some BAAs explicitly shift it to the BA, but most are silent or ambiguous. Confirm in writing — and even if the vendor notifies, OCR can still come back to you.

Need to walk through this with someone?

Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.

This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.