Category: Compliance, Privacy & Security
This category explores the intersection of legal and technical considerations surrounding data protection and cybersecurity. The topics aim to provide valuable insights for businesses, IT professionals, and individuals on navigating the evolving landscape of compliance, privacy, and security.
Even Computers Get Viruses—Cybersecurity and Healthcare
Struggling with Price Transparency? You’re Not Alone.
Payer Price Transparency – Easily Provide Pricing Information Online
Payer Price Transparency by Quadax
Ensure Compliance with CMS Payer Price Transparency Rules
Quickly deploy secure, compliant and user-friendly web pages where patients can interactively explore shoppable services and create personalized estimates.
MIPS Scoring for Facility-based Pathologists: 3 Things You Need to Know
There are two pathways under the Quality Payment Program (QPP): MIPS and Advanced APMs. Unless you qualify as a participating clinician in an Advanced Alternative Performing Model, MIPS will be your default. MIPS has four weighted performance categories, identified below. This post will focus on Quality and Cost.
- Quality
- Improvement Activities
- Promoting Interoperability
- Cost
As a facility administrator, navigating the requirements to be successfully compliant with MIPS can be confusing, especially for those CMS considers non-patient facing clinicians, like pathologists. Pathologists must optimize their participation in order to minimize the risk of losing out on bonus opportunities stemming from new and evolving CMS payment models. One of those models centers on the new policies of Facility-Based Measurements. As a facility administrator, what do you need to know?
1. Definition of facility-based
Individual Facility-based clinician
• Must have 75% or more of covered professional services in any of the following:
◽ Inpatient hospital (POS 21), or
◽ On-campus outpatient hospital (POS 22), or
◽ Emergency room (POS 23), and
◽ Have at least one service billed with POS 21 or POS 23
Facility-based group
• At least 75% of MIPS-eligible clinicians billing under the group’s TIN are identified as facility-based.
Attributed to a facility with a Hospital VBP score
2. Your facility-based status
The easiest way to determine and confirm your 2019 Facility-based status is to start with CMS by utilizing their online MIPS eligibility and look-up tool, found at https://qpp.cms.gov/participation-lookup. (You will need your HCQIS Access Roles and Profile System (HARP) credentials, Tax Identification Number (TIN) and National Provider Number (NPI).) This tool will also inform you if you are exempt from MIPS, in which case, you will not be responsible for MIPS reporting. If you are not exempt, the tool will provide you with any special status needed for reporting other than facility-based. The tool will also indicate your attributed facility if you have facility-based status.
If you are a facility-based pathologist or group, CMS will automatically assign you Quality and Cost scores based on the attributed facility’s Hospital Value-Based Purchasing (HVBP) program. CMS will assign these scores even if you are not a patient-facing clinician.
Facility-based pathologists should attest to Interoperability Activity scores separately to maximize their MIPS score. Facility-based pathology groups must attest to these scores separately from the facility in order to be assessed as a group and to maximize their MIPS score.
3. Your potential 2019 MIPS performance
You can preview your Quality and Cost scores on the QPP website for the estimated 2019 MIPS performance period, based on 2019 Hospital VBP Total Performance Scores (TPS) mapped to 2017 performance QPP data.
The 2019 MIPS scores will use 2020 Hospital VBP scores mapped to QPP data from the 2019 performance period. Note that scores may change between the preview and 2019 MIPS. How? There could be changes in the hospital to which the clinician or group is attributed. There could be updates to the HVBP TPS between 2019 and 2020 at the attributed hospital. Or, there could be updates to the distribution of MIPS quality and cost performance scores. The College of American Pathology suggests you may want to report on MIPS separately if you are not confident in your hospital’s VBP score, as CMS will take the higher score from your reporting data.
The CMS recommends that eligible professionals check with the QPP Help Desk for more information on measures and the QPP.
QPP Help Desk Contact Information:
7:00 AM–7:00 PM CT Monday – Friday
email: QPP@cms.hhs.gov
Phone: 866-288-8292
*Adapted from Facility-Based Measurement: A Practical Overview, by Emily E. Volk, MD, MBA, FCAP (Aug 2019).
Considerations for Private Companies Implementing ASC 606 Revenue Guidance – Part 2
Part 2: Audit Requirements
To assist private companies in understanding what the auditors will request and review, we have identified some of the relevant auditing standard requirements below.
Management’s implementation plan and documentation
Management’s implementation plan encompasses many activities—scoping, accounting assessment, solutions development, and other activities. Auditors need to obtain an understanding of this plan.
From a scoping perspective, management is expected to have a variety of key processes and controls implemented to identify revenue streams, relevant contract components and features and business practices to support their accounting policy conclusions. Auditors need to understand how management selected contracts to validate the contract components and features identified during the initial scoping phase. Auditors will also need to perform testing to validate management’s assessment in order to provide support to the audit opinion.
From an accounting assessment perspective, the auditing standards require the auditor to obtain an understanding of the entity’s accounting policies including the reasons for any changes in these policies. To do so, auditors will be reviewing management’s documentation to determine if the accounting policies comply with ASC 606, and validating that the company’s accounting complies with those policies.
Internal control considerations
The auditing standards require the auditor to obtain an understanding of the company’s internal controls relevant to the audit. Further, the auditor must evaluate the design of the controls and determine whether they have been implemented by performing procedures in addition to inquiry of the entity’s personnel. As a result, management must evaluate how any changes due to the implementation of ASC 606 impact its control environment.
Further, the new guidance requires management to either recast prior-period financial statements presented for comparative purposes (full retrospective method) or record a transition adjustment and provide disclosures of significant changes by financial statement line item (modified retrospective method). Management must have controls and processes in place for either method chosen. Auditors must obtain an understanding of those controls and test to substantiate there is not a material misstatement.
Extensive new disclosures
The extensive new disclosures required by ASC 606 may require companies to update systems, processes, and controls used to develop disclosures. It is important to note that those companies that assert they will experience little or no impact to top line revenue due to adopting ASC 606 will likely still expend a significant amount of effort to comply with the extensive new disclosure requirements. The auditors will need to perform testing in order to substantiate the new disclosures and underlying information used to support those disclosures.
Management’s progress
It is important for companies to keep their auditors abreast of implementation issues and progress. The more communication the company and auditors have throughout the implementation process, the less likely it is that surprises will arise.
The following indicators may lead the auditor to conclude that management is behind or failing to execute their implementation plan and, therefore, may necessitate additional work:
- Inability of management to articulate the details of their implementation plan or make progress toward implementing that plan
- Lack of a detailed implementation plan and timeline
- Evidence that key deadlines from the timeline have been missed and that there are neither plans to catch up nor enough time to do so
- Poor tone at the top, including lack of involvement from those charged with governance
Where do we start?
A comprehensive implementation plan that includes the right people across the right functions is critical to a successful implementation of the new guidance. Companies should consider the following action items as they tackle ASC 606:
- Train employees across the organization on ASC 606, and allow employees to help identify impacts to their own functional areas (forecasting, employee benefits, tax, sales teams)
- Develop an overall implementation plan and timeline
- Evaluate competence across the organization, and consider hiring external service providers to assist with the implementation process, as needed
- Inventory all contracts with customers and identify key terms and conditions, as well as any deviations from those standard terms
- For areas of change between existing GAAP and ASC 606, identify cross-functional impacts to the organization (including tax impacts)
- Make any accounting policy elections and document new policies, as needed
- Document and implement any internal control changes
- Identify disclosure gaps that require system updates or changes, and initiate the process to close those gaps
“One of the biggest takeaways we hear from public companies is not to underestimate the amount of time required to complete the implementation of ASC 606. Because the new guidance touches so many areas of the business, the implementation requires extensive coordination across functional areas which, of course, takes time and effort.”
Cullen Walsh, Partner
Grant Thornton Accounting Advisory Services
Want to learn more about how ASC 606 can affect your organization? Join Cullen Walsh, Partner, Accounting Advisory Services at Grant Thornton and Walt Williams, Director of Revenue Optimization and Strategy at Quadax, as they present, “ASC 606 – Lessons Learned and What You Need to Know” on Tuesday, November 27 at 2:00 p.m. EST.
For more information on how Grant Thornton can help your company, contact your GT Audit Partner Daryl Buck, Cullen Walsh, Matthew McCleary, Chris Stephenson, or your local GT service provider.
“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL), and/or refers to the brand under which the GTIL member firms provide audit, tax and advisory services to their clients, as the context requires. GTIL and each of its member firms are separate legal entities and are not a worldwide partnership. GTIL does not provide services to clients. Services are delivered by the member firms in their respective countries. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. In the United States, visit grantthornton.com for details.
© 2018 Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd
Considerations for Private Companies Implementing ASC 606 Revenue Guidance – Part 1
By: Grant Thornton LLP (Special Guest Post)
As the effective date for the new revenue guidance in ASC 606, Revenue from Contracts with Customers, quickly approaches for many private companies (January 1, 2019 for calendar-year companies), management and audit committee members are faced with many questions.
- What lessons have been learned from public companies’ implementation of the new revenue standard?
- What will my auditor be looking for?
- Where do we start?
This blog addresses these questions and serves as a conversation prompter to help executive management engage with those parties involved in the implementation process.
Remember, implementing the new revenue guidance is not just an accounting exercise. The implementation process is a cross-functional exercise that requires coordination between tax, sales, and information technology (IT), among other functions.
“Even companies that are not expecting a material change in revenue must undergo an exercise to identify gaps between existing accounting and ASC 606, determine if any changes need to be made (including system changes), implement the changes, and document the analysis for the external auditors. This process can be time-consuming and require significant effort.”
Daryl Buck, National Managing Partner
Accounting Advisory Services
What lessons have been learned?
As public companies are in the process of finalizing their ASC 606 implementations, we can share some “lessons learned” from observing the implementation process and interviewing those overseeing the implementation process.
Get the right people involved, earlier rather than later
Because of the pervasive effect of the new guidance on an organization, management must identify the right stakeholders to provide input into the implementation process. Not only does a company need to identify the right people within the organization to provide input (sales teams, IT, tax), but a company should not hesitate to engage external professionals where assistance is needed (training, technical accounting expertise, IT changes, etc.). Getting the right team in place from the start is key to a successful implementation.
Do not underestimate the effort required to inventory contracts
One of the first implementation tasks for many companies is to inventory their existing revenue contracts, identify standard terms and conditions, then determine if any contracts deviate from those standard terms. For companies that allow sales teams to deviate from standard contract wording, this process can be time consuming and require extensive communication and coordination.
Allow extra time for key contract terms
The new revenue guidance requires companies to evaluate their existing arrangements against the new five-step revenue model. This analysis may be straightforward for some contracts, but if your contracts include any of the following provisions, plan to spend extra effort and time to address these provisions and document your analysis:
1. Multiple goods or services — Performance obligations are the unit of account for applying the new revenue standard, so determining the appropriate performance obligations in a contract is critical to how a company will recognize revenue. The criteria for identifying performance obligations are new and therefore companies need to take a fresh look at their goods and services and assess them against the new criteria.
2. Variable consideration (meaning any consideration that causes the transaction price to vary) such as retrospective volume discounts, rebates, bonuses, or penalties — The new revenue standard generally requires companies to estimate these amounts for purposes of determining the transaction price and evaluate whether to constrain the amount of estimated variable consideration to ensure that revenue is recognized only to the extent it is probable that a significant reversal in cumulative revenue recognized for the contract will not occur when the uncertainty is resolved.
3. Material rights (for example, a prospective volume discount that is incremental to the range of discounts typically given to a particular class of customer in a geographical area or market) — Under the new model, a company must account for a material right as a separate performance obligation and this may require a complex accounting exercise to allocate a portion of the overall transaction price to the material right performance obligation.
4. Modifications — ASC 606 includes prescriptive new guidance for modifications and this has necessitated some companies to implement system solutions to track and account for these modifications.
5. Contract costs — The new revenue standard introduces guidance for costs incurred from a contract with a customer, which has been codified in ASC 340-40. Companies are required to capitalize certain costs under this new guidance and therefore companies that may have elected to expense certain costs in the past may experience a change under the new guidance.
6. Customized goods — Companies that produce customized goods and have an enforceable right to payment for work completed to date may experience a change in accounting as the new guidance requires the company to recognize revenue as it performs the work, that is, over time (rather than at a point in time).
Do not forget about disclosures
Private companies may be spared from some of the new, extensive disclosure requirements that public companies have to comply with, but private company disclosures will still require significant time and effort. Private companies must disclose disaggregated revenue information, information about performance obligations, and significant judgments in determining the timing of satisfying performance obligations and in estimating variable consideration.
Watch for Part 2 of this blog series addressing audit requirements and considerations on November 13.
Thwart Cyber Threats – Employee Security Awareness & Training
Healthcare is under cyber attack. As one of the top five most targeted industry sectors, healthcare organizations are finding that it is often an organization’s own employees who open the door to theft, malware, ransomware, and a host of other security issues. Enterprise-wide cybersecurity awareness training can strengthen your frontline defense.
The best defense is a good offense.
Employee security awareness has been cited as the source of greatest concern regarding threat exposure. The 2017 HIMSS Cybersecurity Survey found that 87% of respondents conduct security awareness training classes for their staff at least once a year. What is your organization’s security strategy and does it include employee security awareness and training?
Risk prevention starts with an informed workforce.
HIPAA’s Security Rule requires covered entities and business associates to “implement a security awareness and training program for all members of its workforce (including management)”. In the OCR July 2017 Cyber Awareness Newsletter, the U.S. Department of Health and Human Services (HHS) provides further guidance and interpretation on this topic. When structuring your employee security awareness strategy, consider a multi-communication approach—training, updates, and alerts.
- Regularly scheduled training
Educate workforce members on your security policies, practices, and protocols. As new cyber threats are identified, be sure your educational strategy is flexible enough to keep materials current and up-to-date. Select an annual, semi-annual, or quarterly training program based on the security needs of your organization as determined by your risk analyses. Given the size of your organization, computer-based training may provide the most flexible format and allow for online scoring techniques that can document ongoing enterprise-wide participation and level of engagement. Make sure all new hires receive security training as part of their initial onboarding.
- Periodic security news updates
Issue periodic security updates and reminders. For many companies, a monthly newsletter is emailed to all employees providing timely, relevant content about new, emerging threats and how employees should respond to them. Frequency and content are based on the security needs of your organization as determined by your risk analyses.
- Immediate security alerts
Quickly communicate immediate security threats to employees. Predetermine the alert messaging format and channel of distribution. Consider the security needs of your organization as determined by your risk analyses.
Your organization is as secure as your employees (and vendors) are aware. That is why at Quadax we engage in ongoing, enterprise-wide security awareness training for all employees, coupled with monthly security news updates and timely alerts. We make employee awareness and training an integral part of our security strategy.
For more information on cybersecurity, check out the 15th Annual Information Security Summit located in Cleveland, OH at the Cleveland I-X Center. Quadax Senior Manager, Information Security, Patrick Duffy, will be presenting Security Awareness Training for the Reluctant Many on Friday, November 3, 2017. If attending the Summit, add Patrick’s session to your agenda to learn more about security awareness training for your employees.
Business Continuity for Your Revenue Cycle – Are You Prepared?
Witnessing the aftermath of Hurricane Harvey, businesses are reminded that disaster can strike at any time. Being prepared is critical. For healthcare organizations, the rigors of contingency planning are ongoing. Whether a catastrophic event or a localized outage, an interruption in your organization’s operations can be costly, compromising performance, productivity, and cash flow.
To achieve a state of preparedness, business continuity planning considers contingencies, creating options and ensuring their reliable availability during and after an event. Effective healthcare IT business continuity planning protects against the inability to access critical data, an interruption in communications, or technology downtime due to an infrastructure failure. Consider all possible risks—natural disaster, power outage, hardware or network failure—analyzing the likelihood of each occurring and its impact on your operations. Determine, document, and regularly test your mitigation strategy and recovery procedures.
To help you get started, The Office of the National Coordinator for Health Information Technology has published the Safety Assurance Factors for EHR Resilience (SAFER) guide complete with self-assessment contingency planning checklists, recommended practice worksheets, and additional resources and references.
Business continuity planning in healthcare is more than just good business; it’s the law. Under the Health Insurance Portability and Accountability Act (HIPAA), the Department of Health and Human Services (HHS) requires that organizations have a “comprehensive testing and monitoring strategy in place to prevent and manage downtime events.” This mandate, as part of HIPAA’s Security Rule, requires technology and protocols to back up data, rapidly restore data, and continue operating in “emergency mode” after an event. For more information, visit Summary of the HIPAA Security Rule and Guidance on Risk Analysis on the HHS website.
When developing and testing your business continuity plan, be sure to assess the preparedness of your service and software vendors, including RCM systems and support in your assessment. Your cash flow is critical to your organization and should not be overlooked.
At Quadax, we are committed to security, privacy and compliance; investing heavily to protect our clients’ data as well as our own, with infrastructure designed for optimal business continuity, risk mitigation, disaster recovery, and HIPAA and HITECH compliance. With robust data centers, we have the redundancy to supply our clients a high level of uptime. To further enhance our effectiveness, Quadax recently installed a 500-kilowatt, 850-gallon diesel-powered generator at our main office. The generator, capable of supplying full power to maintain 100% of our operations at Quadax’s main office, provides our staff with reliable uptime so they can deliver dependable service and support to our clients. Learn more about RCM solutions powered by Quadax.
RAC Audits and What They Mean for Healthcare Providers
A legacy of the Medicare Modernization Act of 2003 and mandated by the Tax Relief and Health Care Act of 2006, the Recovery Audit Contractor (RAC) program recovers hundreds of millions of dollars for the Medicare Trust. Designed to identify and correct improper Medicare payments made to providers, RAC audits can cost healthcare providers time and money.
In their 2016 annual report, the Medicare Trust predicted the fund behind Medicare Part A, at the current rate of spending, is due for depletion in 2028.* Concern about this potential insolvency, combined with RACs’ increasing ability to harness the power of big data, has led to an enormous increase in RAC audits and their subsequent appeals during the last several years.
The Government Accountability Office (GAO) issued a report in June 2016 stating that there had been a 936% increase in appeals at CMS (Centers for Medicare & Medicaid), which ultimately led to a severe backlog in the appeals process and mounting criticism. In a recent court order, Health and Human Services (HHS) has been mandated to fix the Medicare appeals backlog by the end of 2020 and to meet annual backlog reduction goals during the interim.* While efforts to reduce the case backlog are underway, the RAC program continues to generate new RAC audits. RAC audits are not going away.
*Since publication, the appellate court on Friday, August 11, 2017 overturned the recent district court ruling which ordered HHS to clear the Medicare reimbursement appeals backlog by 2020, stating that the order was “an error of law” and “an abuse of discretion.”
How do RAC audits play out for providers?
First, the provider gets a hardcopy letter notifying them of the audit. The contractor will then carry out one of two types of reviews: complex or automated. Complex audits must be done manually and typically involve a Manual Records Request / ADR letter. Automated RAC claim reviews do not require manual input, using powerful algorithms that can potentially land any given provider with fee-for-service Medicare claims in a stressful situation.
A big audit has the potential to cause a lot of damage, especially to smaller providers that may not have the cash to pay the amount indicated by the audit before appealing it. If a provider doesn’t pay the amount right away, it will start accruing interest at a very high rate (ca. 10-12%). If that provider withholds payment with the intent to appeal, and then loses the appeal, they will have to pay the amount owed under the audit as well as the interest accrued. On the other hand, if a provider pays right away, appeals the audit, then wins the appeal, CMS will reimburse the amount with interest. However, considering the current state of CMS’s appeals backlog, this decision is not always an easy one to make.
What can providers do to stay vigilant regarding RAC audits?
Fortunately, there are many steps providers can take to ensure that potential RAC audits don’t lead to any unpleasant surprises.
Stay informed
The CMS website is a good place to start along with the CMS’s three official auditing partners: Performant Recovery, Inc. (Region 1 and 5), Cotiviti, LLC (Region 2 and 3), and HMS Federal Solutions (Region 4). Each of these organizations offers information aimed at preparing providers for a RAC audit.
In addition to Medicare-sponsored resources, there are plenty of industry publications that regularly report on RAC audits and offer RAC-focused articles, blog posts, webinars, and other useful content. To name a few: Becker’s Hospital Review, RACmonitor, HME Business, For the Record Magazine, the American Medical Association, the American Hospital Association, and more.
Make sure your RCM partner uses RAC-specific edits
The best protection is prevention. Healthcare providers of considerable size often elect to partner with Revenue Cycle Management (RCM) organizations to manage everything from claim scrubbing, to bill collection, to appeals management. The best solutions out there will help you stay a step ahead of potential audits by automatically scrubbing your Medicare claims to make sure they are CMS-compliant before you send them.
Take advantage of AHA’s RACTrac Survey with a compatible vendor
Though RAC audits put providers on the defensive, providers do have a voice in negotiations with lobbyists, lawmakers and RAC contractors: the American Hospital Association (AHA). One of the AHA’s initiatives is the RACTrac Survey, which collects data submitted by participating providers and compiles quarterly reports meant to “assess the impact [of] the Medicare Recovery Audit Contractor (RAC) program on providers”.
The survey can be time consuming. But if done with the help of an RCM vendor certified by the AHA to be compatible with the RACTrac survey, your claim data can be automatically imported in a matter of seconds.
As the frequency of RAC audits continues to increase, so does the likelihood that your company will one day face one. They can seem daunting. But with the proper preparation, even a RAC audit can be surprisingly doable.
(*) source: 2016 Annual Report of the Boards of Trustees of The Federal Hospital Insurance and Federal Supplementary Medical Insurance Trust Funds, Actuarial Analysis of Present Value, page 71.