Skip to Main Content

blogpost

COVID-
19 consulting resources

05.13.20

The BerryDunn Recovery Advisory Team has compiled this guide to COVID-19 consulting resources for state and local government agencies and higher education institutions.

We have provided a list of our consulting services related to data analysis, CARES Act funding and procurement, and legislation and policy implementation. Many of these services can be procured via the NASPO ValuePoint Procurement Acquisition Support Services contract.

READ THE GUIDE NOW

We're here to help.
If you have any questions, please contact us at info@berrydunn.com

Related Professionals

Read this if you use, manage, or procure public safety and corrections technology. 

When initiating the selection of a new technology platform to replace legacy software, how does an agency ensure the new system addresses functional and technical requirements while also complying with procurement standards? Request for Proposals (RFP) serve as an effective purchasing vehicle, particularly when agencies seek to identify modern technology with professional services to implement the software. While correctional agencies may use an RFP to engage a new Offender Management System (OMS) provider, the complexities of the industry and vast range of best practices complicate the planning, scoping, issuance, and evaluation process. 

With the long-term vision set to complete projects on time, under budget, and within scope, independent third-parties write technology RFPs to enhance traceability and accountability during implementation.

An independent third-party can help your agency:

  1. Define a meaningful project scope to scale the vendor market and guide quality proposals
  2. Develop effective forms, worksheets, and attachments to supplement RFP requirements to support compliance and meet proposal standards
  3. Build a balanced evaluation committee with impartial scoring criteria to represent agency-wide needs and fairly rank vendors
  4. Craft a structured procurement package that attracts multiple vendors to find the solution that best fits your needs
  5. Design a reasonable and achievable RFP schedule of events to finish the project in a timely manner
  6. Reduce ambiguity and increase clarity of RFP terms to streamline the process

If your agency incorporates a sound strategy to craft a meaningful RFP, then a lengthy, meandering procurement journey will become a well-defined, objective, and seamless process to identify new software. Furthermore, you can enhance competitive responses with an RFP free from ambiguity―and full of clarity.

If your corrections agency does engage outside help to facilitate development of an RFP for new OMS software, you should ensure that the third party you engage has experience supporting a meaningful, balanced, and structured purchasing process. BerryDunn injects best practices from the Corrections Technology Association (CTA) and American Probation and Parole Association (APPA). Pairing CTA and APPA standards with an RFP tailored to the technology markets will help an agency boost vendor responses to ultimately improve critical operations.

Reach out to our professional team directly for questions, or look out for our next blog providing insight on leveraging industry standards (e.g., CTA, APPA) when crafting an RFP for corrections technology.
 

Blog
Sourcing new IT systems: Third-party advantages

Read this if your organization, business, or institution is receiving financial assistance as a direct result of the COVID-19 pandemic.

Updated: August 5, 2020

Many for-profit and not-for-profit organizations are receiving financial assistance as a direct result of the COVID-19 pandemic. While there has been some guidance, there are still many unanswered questions. One unanswered question has been whether or not any of this financial assistance will be subject to the Single Audit Act. Good news―there’s finally some guidance:

  • For organizations receiving financial assistance through the Small Business Administration (SBA) Payroll Protection Program (PPP), the SBA made the determination that financial assistance is not subject to the Single Audit.
  • The other common type of financial assistance through the SBA is the Emergency Injury Disaster Loan (EIDL) program. The SBA has made the determination that as these are direct loans with the federal government, they will be subject to the Single Audit. 

It is unlikely there will be guidance within the 2020 Office of Management and Budget (OMB) Compliance Supplement related to testing the EIDL program, as the Compliance Supplement anticipated in June 2020 will not have any specific information relative to COVID-19. The OMB announced they will likely be issuing an addendum to the June supplement information specific to COVID-19 by September 2020.

Small- and medium-sized for-profit organizations, and now not-for-profit organizations, are able to access funds through the Main Street Lending Program, which is comprised of the Main Street New Loan Facility, the Main Street Priority Loan Facility, the Main Street Expanded Loan Facility, the Nonprofit Organization New Loan Facility, and the Nonprofit Organization Expanded Loan Facility. We do not currently know how, or if, the Single Audit Act will apply to these loans. Term sheets and frequently asked questions can be accessed on the Federal Reserve web page for the Main Street Lending Program.

Not-for-profits have also received additional financial assistance to help during the COVID-19 pandemic, through Medicare and Medicaid, and through the Higher Education Emergency Relief Fund (HEERF). While no definitive guidance has been received, HEERF funds, which are distributed through the Department of Education’s Education Stabilization Fund, have been assigned numbers in the Catalog of Federal Domestic Assistance, which seems to indicate they will be subject to audit. We are currently awaiting guidance if these programs will be subject to the Single Audit Act and will update this blog as that information becomes available.

Healthcare providers are able to access Provider Relief Funds (PRF) through the US Department of Health & Human Services. PRF help with healthcare-related expenses or lost revenue attributable to COVID-19. Guidance on what qualifies as a healthcare-related expense or lost revenue is still in process, and regular updates are posted on the FAQs of the US Department of Health & Human Services website. According to the Health Resources and Services Administration (HRSA), PRF funds will be subject to the Single Audit Act requirements. It is important to note that while an organization may have received funds exceeding the threshold, it is the expenditure of these funds that counts toward the Single Audit threshold.

If you have questions about accounting for, or reporting on, funds that you have received as a result of the COVID-19 pandemic, please contact a member of our Single Audit Team. We’re here to help.

Blog
COVID-19: Single audit and uniform guidance clarifications

Read this if your organization, business, or institution is receiving financial assistance as a direct result of the COVID-19 pandemic.

Updated: August 5, 2020

We expect to receive guidance on how to determine what qualifies as lost revenue in mid-August, and will post additional information when that becomes available. If you would like the information sent to you directly, please contact Grant Ballantyne.

New information continues to surface about the reporting requirements of the CARES Act Provider Relief Funds (PRFs). The most recent news published by the Health Resources and Services Administration (HRSA) states the funds will be subject to the Single Audit Act requirements. What does this mean and how does it impact your organization? Here’s a brief synopsis. 

A Single Audit (often referred to as a Uniform Guidance audit) is required when total federal grant expenditures for an organization exceed $750,000 in a fiscal year. It is important to note that while an organization may have received funds exceeding the threshold, it is the expenditure of these funds that counts toward the Single Audit threshold.  

PRFs help with healthcare-related expenses or lost revenue attributable to COVID-19. Guidance on what qualifies as a healthcare-related expense or lost revenue is still in process, and regular updates are posted on the FAQs of the US Department of Health & Human Services website.

You may remember, there were originally quarterly reporting requirements related to PRFs. On June 13, 2020 HHS updated their FAQ document to reflect a change in quarterly reporting requirements related to PRFs. According to the updated language, “Recipients of Provider Relief Fund payments do not need to submit a separate quarterly report to HHS or the Pandemic Response Accountability Committee. HHS will develop a report containing all information necessary for recipients of Provider Relief Fund payments to comply with this provision.”

Organizations that receive more than $150,000 in PRFs must still submit reports to ensure compliance with the conditions of the relief funds, but the content of the reports and dates on which these are due is yet to be determined (as of August 4, 2020). The key distinction to remember here is that this limit is based on total funds received, regardless of whether or not expenditures have been made. 

As more information comes out, we will update our website. At the moment the main takeaways are:

  • Expending $750,000 of combined relief funds and other federal awards will trigger a Single Audit
  • Receiving $150,000 of PRFs will cause reporting requirements, on a to-be-determined basis
  • Tracking PRF expenditures throughout the fiscal year will be essential for the dual purpose of reporting expenditures and accumulating any potential Single Audit support

If you would like to speak with a BerryDunn professional about reporting under the Single Audit Act, please contact a member of our Single Audit Team.

Blog
Provider Relief Funds Single Audit

Read this if you are a business with employees working in states other than their primary work location.

The COVID-19 pandemic has forced many of us to leave our offices to work remotely. For many businesses, that means having employees working from home in another state. As telecommuting become much more prevalent, due to both the pandemic and technological advances, state income tax implications have come to the forefront for businesses that now have a remote workforce and employees that may be working in a state other than their primary work location. 

Bipartisan legislation known as the Remote and Mobile Worker Relief Act of 2020 (S.3995) was introduced in the US Senate on June 18, 2020 to address the state and local tax implications of a temporary or permanent remote workforce. The legislation addresses both income tax nexus for business owners and employer-employee payroll tax responsibilities for a remote workforce. Here are some highlights:

Business income tax responsibility

The legislation would provide a temporary income tax nexus exception for businesses with remote employees in other states due to COVID-19. The exception would relieve companies from having nexus for a covered period, provided they have no other economic connection to the state in question. The covered period begins the date employees began working remotely and ends on either December 31, 2020 or the date on which the employer allows 90% of its permanent workforce to return to their primary work location, whichever date comes first.

The temporary tax nexus exception is welcome news for many business owners and employers, as a recent survey by Bloomberg indicated that three dozen states would normally consider a remote employee as a nexus trigger. Additional nexus would certainly add further income tax compliance requirements and potentially additional tax liabilities, complications that no businesses need in this already challenging environment.

Employee and employer tax responsibility

The tax implications for telecommuting vary wildly from state to state and most have not addressed how current laws would be adjusted or enforced due to the current environment. For example, New York implements a “convenience of the employer” rule. So if an out-of-state business has an employee working from home in New York, whether or not those wages are subject to New York state income tax depends on the purpose for the telecommuting arrangement. 

New York’s policy is problematic in the current environment. Arguments could be made that the employee is working for home at their convenience, at the employer’s convenience, or due to a government mandate. It is unclear which circumstance would prevail and as of this writing, New York has not addressed how this rule would apply.

If enacted, the Remote and Mobile Worker Relief Act would restrict a state’s authority to tax wage income earned by employees for performing duties in other states. The legislation would create a 90-day threshold for determining nonresident income tax liability for calendar year 2020, enhancing a bill in the House which proposes a 30-day threshold.

The 90-day threshold applies specifically to instances where the employee work arrangement is different due to the COVID-19 pandemic. For future years, the bill would put in place a standardized 30-day bright-line test, making it easier for employees to know when they are liable for non-resident state income taxes and for employers to know which states they need to withhold payroll taxes. 

What do you need to do?

With or without legislation, the year-end income tax filings and information gathering will be very different for tax year 2020. It’s more important than ever for business owners to have proper record keeping on where their employees are working on a day-to-day basis. This information is crucial in determining potential tax exposure and identifying a strategy to mitigate it. The Remote and Mobile Worker Relief Act would provide needed guidance and restore some sense of tax compliance normalcy.

If you would like more information, or have a question about your specific situation, please contact your BerryDunn tax consultant. We’re here to help.
 

Blog
The remote worker during COVID-19: Tax nexus and the new normal

Read this if you are a member or leader of a policing agency. 

Due to recent events, community members have taken to the streets nationwide to demand what they deserve from the police as a starting point: social and procedural justice. 

Social justice is an essential component of healthy, effective communities. It is based on a fair and just relationship between individuals and society. Social justice demands that those in the community feel safe—including feeling safe from the police. Feeling safe starts with procedurally-just policing. Procedural justice in policing is the principle that forms the foundation of the community’s willingness, individually and aggregately, to accept the actions of the police, obey laws, participate in the criminal justice system, and partner with law enforcement to reduce crime and disorder, and is dependent on the community’s acceptance of policing actions as fair and equitable. Procedural justice consists of four primary pillars:

  1. FAIRNESS
    Being fair in processes
  2. VOICE
    Providing the opportunity for voice 
  3. TRANSPARENCY
    Being transparent in actions
  4. IMPARTIALITY
    Being impartial in decision-making

Achieving social and procedural justice within policing requires meaningful change and reform that must extend beyond prior efforts. 

Across the United States, communities are calling for revised policies, targeted training, increased accountability, and better screening of police candidates. All of these efforts are important and should be explored. However, these same efforts have been pursued since community-oriented policing (COP) became popular in the 80s and 90s, and even as COP gained additional interest and momentum following a series of high-profile excessive-force incidents that trace back nearly a decade. Despite substantial focus on these areas within the law enforcement industry, concerns over systemic racism, biased policing, and a lack of trust between the police and the community continue to persist.

Community Co-production Policing: The crucial next step

The current policing environment calls for broad and deep reforms in the operations and collaborative culture of police agencies. This level of reform requires a coordinated effort to reframe the police department as a community-owned resource, and can be accomplished through engaging a Community Co-production Policing (CCPP) model. Implementation of the CCPP model, developed by BerryDunn in collaboration with practitioners and community members across the country, merges and unifies police agencies and communities through multiple collaborative pathways, resulting in shared responsibilities in areas such as guidance, oversight, and the development of policies, operational strategies, public safety priorities, and other shared goals.  

Co-production expands the focus of traditional COP and includes a greater level of community participation and involvement in key policing strategies that affect the community. The key distinction is that while COP is informative, interactive, allows for community input, and is often collaborative with regard to problem solving, co-production involves a greater level of influence and involvement by the community regarding the overarching policing strategies and priorities that ultimately affect those being served by the police agency.  

Building trust and confidence with the community

From a co-production policing perspective, influence and involvement from the community form the foundation for trust and confidence in the police agency and agreement in the processes, procedures, and practices used in pursuit of public safety for those who live in or visit the community. This level of involvement serves as a persistent external accountability process, which helps ensure consistent alignment between community desires and expectations and the actions the police use to meet them. 

Co-production is a collaborative process, not an oversight process. It involves working together to cooperatively co-produce public safety, in a respectful and thoughtful manner that places value on mutuality.

Below, the goals and predicted outcomes of the CCPP model are outlined. Accomplishing the CCPP goals is expected to produce the predicted outcomes, and these new positive outcomes address the longstanding negative outcomes that remain unresolved within the policing industry.

CCPP Goals and Predicted Outcomes
CCCP GOALS PREDICTED OUTCOMES
Reducing fractionalism: The inharmonious separation which has occurred between the community and those responsible for policing it. Increased community trust: Because the community shares decision-making authority in substantive policing matters, they will have shared ownership over the results.
Creating transparency: There can be no more secrecy in accountability or policymaking, or in determining strategies to address and reduce crime and disorder. Enhanced public safety: Trust is the cornerstone to solving crimes, and when trust is established, people will more readily assist in public safety matters affecting them.
Balancing power: Those who police the community must have the authority to do so, however, police department governance should be a shared responsibility. Improved racial/diversity equity: Diverse partnerships lead to greater understanding, which in turn, changes perspectives, beliefs, and behaviors.


The public outcry for police reform provides cities, towns, and counties with a rare opportunity to affect how their communities are policed in the future. This opportunity involves transforming policing towards a collaborative model where the police departments of the future are increasingly community-based and community-operated. BerryDunn’s CCPP model can help communities achieve this level of reform and transformation. 

For more information

Mitch Weinzetl and BerryDunn’s Justice and Public Safety (J&PS) team are leading this unique service. Our independence and objectivity enables a facilitation-based approach to engaging stakeholders across the community with the goal of collaborating on a future policing model that addresses the need for public safety in a way that is informed and inspired by the community that the police departments serve. 

To learn more about how the CCPP model can help reconnect your police department and your community, contact Mitch Weinzetl.
 

Blog
Policing in America: Time for a change

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource?

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

  • What metrics will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to notify us or produce an alert?
  • What does exceeding a threshold mean to our business?
  • Who on our team will be notified if an alert is warranted?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Blog
Oxymoron of the month: Outsourced accountability

Read this if you are a state Medicaid or CHIP agency.

The Centers for Medicare & Medicaid Services (CMS) has temporarily suspended all Payment Error Rate Measurement (PERM) improper payment-related engagement/communication and data requests to providers and state agencies as a result of the COVID-19 nationwide public health emergency declaration. 

CMS has also adopted a temporary policy of relaxed enforcement regarding activities related to Medicaid Eligibility Quality Control (MEQC) until further notice.

CMS continues to provide state Medicaid and Children’s Health Insurance Program (CHIP) agencies with a number of methods to assist in each state’s approach and response to the COVID-19 pandemic. Some flexibilities offered to state Medicaid and CHIP agencies include:

  • Eligibility and enrollment 
  • Benefits 
  • Cost-sharing 
  • Financing 
  • Managed care 

While this has been communicated with state Medicaid and CHIP agencies, you should take some important steps to manage these flexibilities to ensure you don’t encounter issues when PERM and MEQC review activities resume. Reviews are conducted according to state and federal policies and regulations in force at the time of service on the sampled claims under review. 

CMS has issued guidance to identify whether or not each of the flexibilities requires an approved state plan amendment (SPA), waiver, or whether simply providing documentation in the individual case file will provide the required support when PERM and MEQC activities resume. 

Additionally, it is equally important to ensure the “pre-COVID” processes and procedures resume immediately upon expiration of the public health emergency declaration in order to remain in compliance with state and federal regulations. 

Here are a few key considerations to help reduce the number of errors identified once PERM resumes:

  • Management of new state-specific policies and procedures in effect during the COVID-19 pandemic is critical. You need to ensure all processes requiring CMS approval or notification have been enacted and that these temporary processes revert back to pre-COVID processes immediately upon termination of the public health emergency.
  • Continued training and guidance to Medicaid and CHIP staff during this time to ensure understanding of expectations and adherence to new processes. Applying and understanding eligibility and enrollment flexibilities for both members and providers is vital to meet all expectations and documentation requirements.

New updates continue to be announced by CMS to ensure Americans have access to the care they need during this time. This requires remaining diligent to the expectations of these flexibilities and preparing for the impact of PERM and MEQC outcomes when these activities resume. This is key to reducing improper payment error rates. 

For additional detailed information regarding the identified flexibilities above, please refer to the PERM cycle preparation tool we have prepared.

If you have questions regarding relaxed requirements or you would like to have an in-depth conversation with our PERM experts, please contact the team.
 

Blog
PERM is suspended―key considerations during COVID-19 

Read this if you are a government agency interested in creating a drone program or evaluating your current program.

A lot has changed since BerryDunn’s blog, Prize in the sky: Creating drone programs for local governments was published. At the time, technology news website Recode reported that since December 2015 almost 800,000 drones had been registered with the Federal Aviation Administration (FAA). 

As of March 10, 2020, the FAA reports that number had nearly doubled, to 1,563,263 registered drones with 171,744 remote pilots certified under Part 107. 

Changes are underway

One of the most far-reaching changes being considered is the remote identification of unmanned aircraft systems contained in the FAA Notice of Proposed Rule Making issued December 31, 2019. This proposed action would require the remote identification (Remote ID) of unmanned aircraft, similar to the identification provided by transponders in manned aircraft. The FAA received over 53,000 comments to the proposed rule. If approved this rule will require drones flown in the National Airspace System (NAS) to have the capability of broadcasting certain identity information, adding to drone cost. Depending on the length of any potential grandfather period, the rule may make some existing drones illegal to fly. 

Another recent development is the late 2019 introduction of the American Security Drone Act. If passed, this Act would prevent federal agencies from purchasing any drones or “unmanned aircraft systems” from a nation identified as a national security threat. That would include China and Iran. Although the Act only applies to federal agencies, many local governments tend to follow the federal lead. Additionally, many local government drone programs use federal grant funds to initiate or sustain their drone programs. Local government agencies will have to watch the development of this Act carefully.

Passage will make the purchase and operation of foreign manufactured drones, or drones with certain foreign manufactured components unlawful for federal departments or agencies. This is significant in that industry analysts estimate that the Chinese drone company DJI has approximately 70% of the global drone market share, and manufactures the vast majority of drones used by local governments.  

What hasn’t changed

As the drone landscape continues to evolve, some things remain the same. According to the FAA, local governments looking to establish a drone program still have two options to legally fly drones under 55 pounds: 

  • Fly under 14 Code of Federal Regulations (CFR) part 107, the small unmanned aircraft system (UAS) rule. Part 107 allows operations of drones or UAS under 55 pounds, at or below 400 feet above ground level (AGL), for visual line-of-sight operations only.
  • Fly under the statutory requirements for public aircraft (49 United States Code (U.S.C.) §40102(a) and § 40125). Operate with a Certificate of Waiver or Authorization (COA) to be able to self-certify UAS and operators for flights performing governmental functions. 

There are pros and cons for each of these options, as shown below, and it is important for you to carefully consider which option best meets your mission. Government organizations have the advantage of using both options, provided they meet the separate requirements for each option, and determine which option the organization will use prior to the beginning of each flight. The option of flying under Part 107, or as a public aircraft using a COA is unique to government organizations. This option allows government organizations to pick the flight option that is most advantageous for the mission. 

For example, relatively routine public safety operations such as taking photos and mapping for accident reconstruction most like would be flown under Part 107, as advance notification requirements required in many COAs would not be needed. Whereas operation in circumstances prohibited under Part 107, may be authorized by the government agencies COA. 

Table 1: Pros and Cons of UAS operations under a COA versus Part 107

Public Aircraft Ops (COA) Part 107
Pros Self-certify aircraft airworthiness Requirements and certification published and broadly know
Determine aircrew and UAS remote operation training requirements Commercial training and testing for UAS remote operator license commercially available 
Cons The application process can be long, often taking several months Flight restrictions may not be compatible with government agency mission requirements
Visual observer may be required UAS pilots must complete required training and pass FAA exam

Another requirement that has not changed, is that your government organization must registered with the FAA before flying. Registration is relatively straight forward using the FAA drone zone website. Following registration, you will receive an FAA registration certificate. The FAA requires a drone operator to have the registration certificate (either a paper or digital copy) in their possession when they fly. 

Considerations before starting

Before jumping on the drone bandwagon, your organization should carefully evaluate how drones will be used within the organization. Development of policy, consideration for communications with citizens about the program and how information collected will be stored and used are considerations that should be addressed before any purchase is made. Multiple organizations have highlighted the need for planning prior to purchasing drones:

  • The International Fire Chiefs Association recommends that “fire and emergency service takes into account the legal, ethical and moral considerations of flying a UAS for each situation…and municipalities or public safety agencies seeking to use UAS should construct usage policies.
  • In a report to the National Institute of Justice in December 2019, the National Police Foundation stated, "Do not acquire a system until the agency’s UAS program has been clearly defined, especially the mission, and approved for implementation." (Lessons Learned from the Early Adopters (Shinnamon, D. L., & Cowell, B. M. (2019), Building and managing a successful public safety UAS program: Practical guidance and lessons learned from the early adopters. Washington, DC: National Police Foundation).  

A solid approach to establishing a drone program

The challenges of creating a drone program can overwhelm government organizations or agencies, especially small to mid-sized entities. Dealing with issues such as airspace restrictions, training requirements, weather effects on small UAS operations, remote ID and crew resource management can be daunting without assistance. In addition to Federal requirements, many states have passed regulations affecting drone use.  

BerryDunn’s history of assisting local governments continues with our comprehensive drone program, that we can tailor to meet your individual agency needs. We can assist in establishing requirements, develop a concept of operations, write policy, conduct FAA filings, and, if desired, provide training for public aircraft operators.

A further benefit to local governments: BerryDunn is not affiliated with any drone manufacturer, and does not sell hardware or software. Our independence allows us to conduct a truly objective analysis and provide drone program regulations in your best interest. If you have questions about starting a drone program, or have a specific question about your situation, please contact us. We’re here to help. 

Blog
Drone updates: Changes and new legislation challenge government agencies

Read this if you are a leader at a state Medicaid agency, Long-Term Care Hospital, Rural Health Clinic, Federally Qualified Health Center, or intermediate care facility.

The new fact sheet from CMS provides state and local governments that may be developing alternate care sites with information on how to receive payments for acute inpatient and outpatient care through federal programs, including Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP).

CMS notes that it is easiest for an existing enrolled hospital or health system to obtain payments through CMS programs for covered health care services furnished at the ACS by treating the ACS as a short-term extension of their current ‘brick-and-mortar’ facilities. 

State and local governments that want to build a hospital ACS have three options if they wish to be paid by CMS for providing covered hospital inpatient and outpatient services:

  1. Transfer operation and billing for care delivered in the ACS to a hospital or health system which is enrolled
  2. Enroll the ACS as a new hospital in CMS programs
  3. As an alternative, instead of making facility payments, enrolled physicians or other non-physician practitioners may bill for covered services that they furnish at the ACS

CMS guidance to states on implementing the optional COVID-19 testing group 

CMS has provided new guidance to states who may be planning to implement the Optional COVID-19 Testing Group, which was established by the Families First Coronavirus Response Act (FFCRA) for uninsured individuals in order to furnish COVID-19 testing and associated services.

  • The guidance from CMS outlines the different requirements connected with implementing the uninsured group, inclusive of eligibility and enrollment, data reporting, and claims. 
  • The guidance also describes flexibilities available to help states achieve implementation of the new group and strategies to meet related requirements. 
  • For more information related to the eligibility requirements and the Federal Medical Assistance Percentage (FMAP) available for coverage, states can also refer to Section B of the FFCRA and Coronavirus Aid, Relief, and Economic Security (CARES) Act Frequently Asked Questions (FAQs) posted April 13, 2020.

CMS announces enhanced enforcement actions based on nursing home COVID-19 data and inspection results

Earlier in the month of June, CMS released new guidelines related to enforcement for nursing homes who may have violations of infection control practices.

  • CMS intends to apportion $80 million in CARES Act funding to states in order to increase infection control surveys. With CARES Act funding, states will be required to carry out on-site surveys of nursing homes with previous COVID-19 outbreaks, in addition to nursing homes with newly confirmed cases.
  • CMS will make technical assistance available in support of this effort through Quality Improvement Organizations (QIOs) for nursing homes to assist in establishing best practices for infection control.
  • States are required to submit 100% of focused surveys of their nursing homes to CMS by July 31, 2020. It should be noted that submission delays may result in reductions to a state’s Cares Act allocation for FFY 2021.

HHS announces 45-day compliance deadline extension for providers

On May 22, The Department of Health and Human Service (HHS) announced a 45-day extension to the deadline for providers who are receiving payments from the Provider Relief Fund to accept the necessary terms and conditions of the payments.

  • Should providers wish to keep funds—which may have been automatically dispersed—they must agree to the terms and conditions of the Provider Relief Fund.
  • In order to support impacted facilities there is $50 billion in available COVID-19 relief funding for distribution to providers that bill for Medicare beneficiaries.
  • The announcement from HHS gives providers 90 days from the original receipt date of a payment to accept the terms and conditions.  Alternatively, providers may choose to return the funds.

HHS announces $4.9 billion distribution to nursing facilities impacted by COVID-19

HHS has announced it has begun the distribution of additional relief funds to Skilled Nursing Facilities (SNFs) in order to address ongoing needs related to COVID-19. Such needs include labor, improving testing capacity, and obtaining personal protective equipment as well as additional expenses specifically linked to the COVID-19 pandemic.

  • HHS intends to make the fund distributions to SNFs on both a fixed and variable basis. 
  • Each eligible SNF will receive a fixed dissemination of $50,000 in addition to an allotment of $2,500 per bed. All certified SNFs with six or more certified beds will be eligible for this distribution.
  • Recipients of these funds must attest that they will use Provider Relief Fund payments for allowed purposes under the terms and conditions as well as agree to comply with future audit and reporting requirements.

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the Medicaid consulting team

Blog
CMS releases new guidance on Alternate Care Sites, the optional COVID-19 testing group, and more

Read this if your organization, business, or institution has leases and you’ve been eagerly awaiting and planning for the implementation of the new lease standards.

Ready? Set? Not yet. As we have prepared for and experienced delays related to Financial Accounting Standards Board (FASB) Accounting Standards Codification Topic 842, Leases, and Governmental Accounting Standards Board (GASB) Statement No. 87, Leases, we thought the time had finally come for implementation. With the challenges that COVID-19 has brought to everyone, the FASB and GASB recognize the significant impact COVID-19 has had on commercial businesses, state and local governments, and not-for-profits and both have proposed delays in effective dates for various accounting standards, including both lease standards.

But wait, there’s more! In response to feedback FASB received during the comment period for the lease standard, the revenue recognition standard has also been extended. We didn’t see that coming, and expect that many organizations that didn’t opt for early adoption will breathe a collective sigh of relief.

FASB details and a deeper dive

On May 20, 2020, FASB voted to delay the effective date of the lease standard and the revenue recognition standard. A formal Accounting Standards Update (ASU) summarizing these changes will be released early June. Here’s what we know now:

  • Revenue recognition―for entities that have not yet issued financial statements, the effective date of the application of FASB Accounting Standards Codification (ASC) Topic 606, Revenue Recognition, has been delayed by 12 months (effective for reporting periods beginning after December 15, 2019). This does not apply to public entities or nonpublic entities that are conduit debt obligors who previously adopted this guidance.
  • Leases―for entities that have not yet adopted the guidance from ASC 842, Leases, the effective date has been extended by 12 months (effective for reporting periods beginning after December 15, 2021).
  • Early adoption of either standard is still allowed.

FASB has also provided clarity on lease concessions that are highlighted in Topic 842. 

We recognize many lessors are making concessions due to the pandemic. Under current guidance in Topics 840 and 842, changes to lease contracts that were not included in the original lease are generally accounted for as lease modifications and, therefore, a separate contract. This would require remeasurement of the new lease contract and related right-of-use asset. 

FASB recognized this issue and has published a FASB Staff Questions and Answers (Q&A) Document, Topic 842 and Topic 840: Accounting for Lease Concessions Related to the Effects of the COVID-19 Pandemic. Under this new guidance, if lease concessions are made relating to COVID-19, entities do not need to analyze each contract to determine if a new contract has been entered into, and will have the option to apply, or not to apply, the lease modification provisions of Topics 840 and 842.

GASB details

On May 8, 2020, GASB issued Statement No. 95, Postponement of the Effective Dates of Certain Authoritative Guidance. GASB 95 extends the implementation dates of several pronouncements including:
•    Statement No. 84, Fiduciary Activities―extended by 12 months (effective for reporting periods beginning after December 15, 2019)
•    Statement No. 87, Leases―extended by 18 months (effective for reporting periods beginning after June 15, 2021)

More information

If you have questions, please contact a member of our financial statement audit team. For other COVID-19 related resources, please refer to BerryDunn’s COVID-19 Resources Page.
 

Blog
May 2020 accounting standard delay status: GASB and FASB

Read this if you are a police executive, city/county administrator, or elected government official responsible for a law enforcement agency. 

Who you gonna call? 

Law enforcement agencies provide essential services to our communities vital to maintaining order and public safety. These critical organizations always answer the call, and they are prepared for every type of disaster imaginable: floods, hurricanes, tornadoes, blizzards, train derailments, and even... a pandemic?

Police agencies plan, prepare, and train for disasters, and are particularly adept and agile in their response to them. As an industry, law enforcement agencies are also very good at helping one another in times of need. When there is a major disaster in your community, your agency can always count on neighboring departments sending you some much needed resources―that is, unless everyone has the same problem. Then what do you do?

Although law enforcement agencies are very capable, their strength is in sprinting, not running marathons. Even the best and most-qualified police agencies struggle with the strain of long-lasting disasters, particularly when there are no other resources to help. That is when having the right patrol-schedule design can be critical. If your patrol schedule is inefficient in the first place, managing a lengthy disaster or critical event will magnify those inefficiencies, exhausting your personnel and fiscal resources at the same time.

Flaws in patrol schedule design = reduced efficiency

Flaws in the patrol schedule design often contribute to reduced efficiency and suboptimal performance, and design issues may work against your ability to maintain operational staffing during critical times of need. So, how do you know if your patrol schedule is serving you well? 

To help agencies evaluate their patrol schedules, BerryDunn has developed at free tool. Click here to measure your patrol schedule against key design components and considerations. If your agency scores low in this self-assessment, it may be time to consider making some adjustments. 

The path to resolving inefficiencies in your patrol work schedule and optimizing the effective deployment of patrol personnel requires thoughtful consideration of several overarching goals:

  • Reducing or eliminating predictable overtime
  • Eliminating peaks and valleys in staffing due to scheduled leave
  • Ensuring appropriate staffing levels in all patrol zones or beats
  • Providing sufficient staff to manage multiple and priority Calls for Service  in patrol zones or beats
  • Satisfying both operational and staff needs, including helping to ensure a proper work/life balance and equitable workloads for patrol staff

Accomplishing these goals requires an intentional approach, customized to your agency’s characteristics (e.g., staffing levels, geographic factors, crime rates, zone/beat design, contract/labor rules). BerryDunn can help your agency assess the patrol schedule, and if necessary, provide guidance and assistance on implementation of a more effective model. 

If you are interested in a patrol work-schedule assessment or redesign or a patrol staffing study, our dedicated Justice & Public Safety consultants are available to discuss your organization’s needs.

Blog
Continuity of patrol operations in a COVID-19 environment

Read this if you are planning for, or are in the process of implementing a new software solution.

User Acceptance Testing (UAT) is more than just another step in the implementation of a software solution. It can verify system functionality, increase the opportunity for a successful project, and create additional training opportunities for your team to adapt to the new software quickly. Independent verification through a structured user acceptance plan is essential for a smooth transition from a development environment to a production environment. 

Verification of functionality

The primary purpose of UAT is to verify that a system is ready to go live. Much of UAT is like performing a pre-flight checklist on an aircraft. Wings... check, engines... check, tires... check. A structured approach to UAT can verify that everything is working prior to rolling out a new software system for everyone to use. 

To hold vendors accountable for their contractual obligations, we recommend an agency test each functional and technical requirement identified in the statement of work portion of their contract. 

It is also recommended that the agency verify the functional and technical requirements that the vendor replied positivity to in the RFP for the system you are implementing. 

Easing the transition to a new software

Operational change management (OCM) is a term that describes a methodology for making the switch to a new software solution. Think of implementing a new software solution like learning a new language. For some employees, the legacy software solution is the only way they know how to do their job. Like learning a new language, changing the way business and learning a new software can be a challenging and scary task. The benefits outweigh the anxiety associated with learning a new language. You can communicate with a broader group of people, and maybe even travel the world! This is also true for learning a new software solution; there are new and exciting ways to perform your job.

Throughout all organizations there will be some employees resistant to change. Getting those employees involved in UAT can help. By involving them in testing the new system and providing feedback prior to implementation, they will feel ownership and be less likely to resist the change. In our experience, some of the most resistant employees, once involved in the process, become the biggest champions of the new system.  

Training and testing for better results

On top of the OCM and verification benefits a structured UAT can accomplish, UAT can be a great training opportunity. An agency needs to be able to perform actions of the tested functionality. For example, if an agency is testing a software’s ability to import a document, then a tester needs to be trained on how to do that task. By performing this task, the tester learns how to login to the software, navigate the software, and perform tasks that the end user will be accomplishing in their daily use of the new software. 

Effective UAT and change management

We have observed agencies that have installed software that was either not fully configured or the final product was not what was expected when the project started. The only way to know that software works how you want is to test it using business-driven scenarios. BerryDunn has developed a UAT process, customizable to each client, which includes a UAT tracking tool. This process and related tool helps to ensure that we inspect each item and develop steps to resolve issues when the software doesn’t function as expected. 

We also incorporate change management into all aspects of a project and find that the UAT process is the optimal time to do so. Following established and proven approaches for change management during UAT is another opportunity to optimize implementation of a new software solution. 

By building a structured approach to UAT, you can enjoy additional benefits, as additional training and OCM benefits can make the difference between forming a positive or a negative reaction to the new software. By conducting a structured and thorough UAT, you can help your users gain confidence in the process, and increase adoption of the new software. 

Please contact the team if you have specific questions relating to your specific needs, or to see how we can help your agency validate the new system’s functionality and reduce resistance to the software. We’re here to help.   
 

Blog
User Acceptance Testing: A plan for successful software implementation

Read this if you are a CIO, CFO, Provost, or President at a higher education institution.

In my conversations with CIO friends over the past weeks, it is obvious that the COVID-19 pandemic has forced a lot of change for institutions. Information technology is the underlying foundation for supporting much of this change, and as such, IT leaders face a variety of new demands now and into the future. Here are important considerations going forward.

Swift impact to IT and rapid response

The COVID-19 pandemic has had a significant impact on higher education. At the onset of this pandemic, institutions found themselves quickly pivoting to work from home (WFH), moving to remote campus operations, remote instruction within a few weeks, and in some cases, a few days. Most CIOs I spoke with indicated that they were prepared, to some extent, thanks to Cloud services and online class offerings already in place—it was mostly a matter of scaling the services across the entire campus and being prepared for returning students and faculty on the heels of an extended spring break.

Services that were not in place required creative and rapid deployment to meet the new demand. For example, one CIO mentioned the capability to have staff accept calls from home. The need for softphones to accommodate student service and helpdesk calls at staff homes required rapid purchase, deployment, and training.

Most institutions have laptop loan programs in place but not scaled to the size needed during this pandemic. Students who choose to attend college on campus are now forced to attend school from home and may not have the technology they need. The need for laptop loans increased significantly. Some institutions purchased and shipped laptops directly to students’ homes. 

CIO insights about people

CIOs shared seeing positive outcomes with their staff. Almost all of the CIOs I spoke with mentioned how the pandemic has spawned creativity and problem solving across their organizations. In some cases, past staffing challenges were put on hold as managers and staff have stepped up and engaged constructively. Some other positive changes shared by CIOs:

  • Communication has improved—a more intentional exchange, a greater sense of urgency, and problem solving have created opportunities for staff to get engaged during video calls.
  • Teams focusing on high priority initiatives and fewer projects have yielded successful results. 
  • People feel a stronger connection with each other because they are uniting behind a common purpose.

Perhaps this has reduced the noise that most staff seem to hear daily about competing priorities and incoming requests that seem to never end.

Key considerations and a framework for IT leaders 

It is too early to fully understand the impact on IT during this phase of the pandemic. However, we are beginning to see budgetary concerns that will impact all institutions in some way. As campuses work to get their budgets settled, cuts could affect most departments—IT included. In light of the increased demand for technology, cuts could be less than anticipated to help ensure critical services and support are uninterrupted. Other future impacts to IT will likely include:

  • Support for a longer term WFH model and hybrid options
  • Opportunities for greater efficiencies and possible collaborative agreements between institutions to reduce costs
  • Increased budgets for online services, licenses, and technologies
  • Need for remote helpdesk support, library services, and staffing
  • Increased training needs for collaborative and instructional software
  • Increased need for change management to help support and engage staff in the new ways of providing services and support
  • Re-evaluation of organizational structure and roles to right-size and refocus positions in a more virtual environment
  • Security and risk management implications with remote workers
    • Accessibility to systems and classes 

IT leaders should examine these potential changes over the next three to nine months using a phased approach. The diagram below describes two phases of impact and areas of focus for consideration. 

Higher Education IT Leadership Phases

As IT leaders continue to support their institutions through these phases, focusing on meeting the needs of faculty, staff, and students will be key in the success of their institutions. Over time, as IT leaders move from surviving to thriving, they will have opportunities to be strategic and create new ways of supporting teaching and learning. While it remains to be seen what the future holds, change is here. 

How prepared are you to support your institution? 

If we can help you navigate through these phases, have perspective to share, or any questions, please contact us. We’re here to help.

Blog
COVID-19: Key considerations for IT leaders in Higher Ed

Read this if you are at a state Medicaid agency or CHIP agency.

CMS has posted additional Frequently Asked Questions (FAQs) to Medicaid.gov, to aid state Medicaid and Children’s Health Insurance Program (CHIP) agencies in their response to the coronavirus disease 2019 (COVID-19) pandemic.

These new FAQs have been integrated into the previously released COVID-19 FAQ document. The new FAQs cover a variety of Medicaid and CHIP topics, including:

  • Emergency Preparedness and Response
  • Eligibility and Enrollment Flexibilities
  • Benefit Flexibilities
  • Cost-Sharing Flexibilities
  • Financing Flexibilities  
  • Managed Care Flexibilities
  • Information Technology  
  • Data Reporting

Updated CMS processes for reviewing 2021 contracts between states and Medicare Dual Eligible Special Needs Plans (D-SNPs)

CMS has issued a reminder to states of the upcoming submission deadline for the Contract Year (CY) 2021 contracts with Medicare Advantage Dual Eligible Special Needs Plans (D-SNPs). The due date for D-SNPs to submit to CMS their CY 2021 contracts with the state Medicaid agencies is July 6, 2020.

  • CMS encourages state Medicaid agencies to review the November 14, 2019 Informational Bulletin that describes new requirements for CY 2021 D-SNP contracts, which CMS finalized in rulemaking to implement new statutory provisions of the Bipartisan Budget Act (BBA) of 2018.
  • The Integrated Care Resource Center (ICRC) continues to provide technical assistance to states to help with the implementation of these new requirements. CMS and ICRC have a number of important resources for states regarding the new requirements for contracts with D-SNPs. Additional resources for states can be found here.
  • As a result of COVID-19, CMS is extending the review and approval timelines to allow D-SNPs more time to work with states on the new CY 2021 requirements. As a result, D-SNPs will have until November 2, 2020 to resubmit revised state Medicaid agency contracts or contract amendments.

CMS announces rule changes to support healthcare workforce augmentation

CMS has taken steps to limit or remove potential barriers for hiring and retaining physicians, nurses, and other healthcare professionals in order to keep staffing levels high at healthcare facilities.

  • In response to the need for in-home services during the COVID-19 crisis, nurse practitioners, clinical nurse specialists, and physician assistants can now provide home health services. These changes are effective for both Medicare and Medicaid.
  • Prior to this, Medicare and Medicaid home health member were only able to receive home health services with the certification of a physician. 
  • Physicians and other practitioners whose privileges are expiring will be able to continue taking care of patients. Consistent with a change made for hospitals, CMS is waiving a requirement for ambulatory surgery centers to periodically reappraise medical staff privileges during the COVID-19 emergency declaration. 

Interim Final Rule Updating Requirements for Notification of Confirmed and Suspected COVID-19 Cases Among Residents and Staff in Nursing Homes 

CMS has issued a memo along with frequently asked questions which address the new requirement that nursing homes and long term care facilities report COVID-19 facility data to the Centers for Disease Control and Prevention (CDC).

  • CMS will be requiring nursing homes to report COVID-19 facility data to the CDC and to residents, their representatives, and families of residents in facilities. 
  • CMS has updated the COVID-19 Focused Survey for Nursing Homes, Entrance Conference Worksheet, COVID-19 Focused Survey Protocol, and Summary of the COVID-19 Focused Survey for Nursing Homes to reflect COVID-19 reporting requirements. 
  • CMS will begin posting data from the CDC National Healthcare Safety Network (NHSN) for viewing by facilities, stakeholders, or the general public. The COVID-19 public use file will be available on https://data.cms.gov/.
     

Increase hospital capacity - CMS Hospitals Without Walls

On April 30, CMS announced expansions of the Hospitals Without Walls initiative, granting flexibility for services to be provided outside of traditional venues.

  • CMS is encouraging the use of existing flexibilities that allow outpatient hospital services to be delivered outside of traditional settings, such as at expansion locations, converted hotels or parking lots, or patients’ homes.
  • Certain outpatient departments that relocate off-site can qualify to be paid under the Outpatient Prospective Payment System (OPPS), rather than the Physician Fee Schedule.
  • Hospitals may relocate outpatient departments to more than one off-campus location, or partially relocate while still furnishing care at the original site.
  • As part of the CARES Act, long-term acute-care hospitals can now accept patients from any acute-care hospital and be paid at a higher Medicare rate.

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
Additional Medicaid & CHIP COVID-19 FAQs

Read this if you are in administration at a college or university.

Colleges and universities have been working around the clock to convert their in-person academic programming to online learning and to quickly disburse grant funding to students in line with broad eligibility requirements, all while adjusting to their own new work environments. In the search for funding in a time when many institutions are refunding student payments at unexpected and unprecedented levels, many institutions have found themselves ineligible for the Payroll Protection Program (PPP) offered under the CARES Act if the federal work study students were included in the employee count. In a welcome change, a recent interim final rule issued by the US Small Business Administration (SBA) has been released that will change the eligibility criteria for the emergency relief offered under the PPP. One of the most notable changes in the interim rule will allow colleges and universities to exclude federal work study students in determining their eligibility. 

Student workers have historically counted as employees under SBA programs. This temporary change would provide relief for many small institutions, whose federal work study programs would otherwise drive up their employment pool over the 500 employee threshold and exclude them from participation in the PPP. While federal work study positions fill important roles throughout many campus facilities, this interim final rule recognizes the primary function of a federal work study program is to provide financial aid for students attending school and is incidental to the role of the student on campus. As expected, as these positions are mostly federally funded, the interim final rule excludes these expenditures in determining the available loan amount under the PPP.

These changes are consistent with other areas of existing federal law, as noted in the interim final rule, these workers are already generally exempt from other federal employment requirements, like Federal Unemployment taxes. In order to allow for swift action, the interim final rule is effective immediately upon posting to the federal register.

We’re here to help.
For more information, or if you have questions about your specific situation, please contact the higher education consulting team.

Blog
Federal Work-Study (FWS) excluded from PPP eligibility determination

Read this if you are a leader at a state Medicaid agency.

Leveraging Medicaid to support and fund state efforts
In infectious disease control and prevention, contact tracing is the process of identifying people who may have come into contact with an infected person and tracking with whom the infected person has been in contact. The intent is to halt the chain of transmission. State Medicaid Agencies (SMAs) may be able to leverage the Medicaid program to support state efforts with systems, training, and reimbursement for contact tracing. 

What is contact tracing?
Tracing the contacts of infected individuals throughout a community, testing their contacts for infection, and treating and quarantining the disease when it is found is a long-standing practice to address infectious diseases. While contact tracing may not be a service that is reimbursable by Medicaid, it may be possible for Medicaid to cover a broader package of services designed to slow the spread of COVID-19.

Contact tracing has three major components:

  1. Contact identification—Confirmation of an individual’s infection is the first step. Once identified, it is essential to identify any additional people with whom that person came into contact, including family, co-workers, community members, etc.
  2. Contact tracing—After conducting a complete review of the individual's contacts, outreach begins to inform them of their contact status and discuss critical next steps, starting with testing.
  3. Contact follow-up—Continued follow-up with identified contacts helps prevent the spread of infection by monitoring spread and/or additional symptoms.

Public health experts maintain that contact tracing is one of the tools needed to manage the pandemic. Medicaid can play a key role in supporting systems, training, and reimbursement for contact tracing. This is enabled through Medicaid’s unique role as a significant payer in the healthcare system, along with its role as a government partnership between federal and state governments. In addition, acting to implement contact tracing may offer an opportunity to increase employment at a time when the economy has shed countless jobs. 

Systems and training: Medicaid support for health IT system
To support contact tracing, Medicaid agencies can leverage 75% or 90% federal match or Federal Financial Participation (FFP) for the systems, training, and equipment. This match is applicable for the Medicaid population, while the remainder likely needs to be cost-allocated to other state programs. Activities that can qualify include:

  • Design, development, and installation (DDI) of Medicaid solutions. The Centers for Medicare and Medicaid Services (CMS) may allow this funding to apply to data-tracking systems or changes to support new reimbursement models. 
  • Provider outreach and training related to systems operation, such as training on claims submissions, claims processing, and eligibility inquiries related to case management and care coordination.
  • Training of vendor or state personnel directly engaged in the operation of an approved system, including workers processing claims or determining eligibility.

To obtain this type of funding, states must submit an advanced planning document (APD). 

Reimbursement: Services and authority options for contact tracing
For Medicaid to support contact tracing, SMAs need to identify both state plan services and authority to provide the service. Defining a service and authority may be challenging, as contact tracing is historically a public health intervention and not a medical service that directly benefits a Medicaid member. CMS does not typically allow this type of service under Medicaid. Given the flexibility afforded under current disaster declarations, however, CMS may have more flexibility than usual. Some options for services include: 

Case management

  • How it works 
    First, an individual tests positive and contact-tracing interviews occur. Then, a healthcare provider, such as a hospital, reaches out to the individual, facilitates testing and education, delivers results, and follows up for any care needed. This process applies to any Medicaid members or other individuals who have private insurance that is identified. The provider can discharge the member from case management once the individual recovers. Case management as a Medicaid service is unique in that a diagnosis requiring medical management is the impetus for providing the service.
  • Federal approval rationale
    Hospitals may be a good partner for this service due to CMS’s Hospital Without Walls guidance. If the hospital partners with the Public Health Entity for contact tracing, then the case management piece could—in theory—be billed by the staff providing case management through the hospital. The hospital would also be able to bill for testing and lab, care, etc. Public Health could track where there is capacity through the medical community for treatment, especially hospital beds, ventilators, and alternative testing sites. The case manager providing coordination of care for COVID-19 testing and treatment would have access to the hospital medical record system, and the hospital could bill for the service.

Health home

  • How it works
    A health home under the state plan could also serve as a vehicle for services for this population. To better care for Medicaid members with chronic conditions, the Affordable Care Act created an optional Medicaid state plan benefit to coordinate care. Health homes are designed to integrate all physical and behavioral healthcare. Participation in health homes is voluntary. In order for members to participate, they must possess at least one chronic condition (e.g., high blood pressure, asthma, obesity, diabetes, or any serious chronic condition) and be at risk for a second (e.g., COVID-19).
  • Federal approval rationale
    The health home may be a good support model, as it is eligible for FFP of 90% for the first two years—likely long enough to respond to the pandemic—making it economically attractive. 

The most flexible potential authority for a Medicaid agency to use for contact tracing is the 1115 waiver. As part of the Medicaid Disaster Response Toolkit, CMS made expedited review available. In addition, State Medicaid Director Letter (SMDL) #20-002 provides guidance on a new section 1115 waiver available to assist states in addressing the COVID-19 public health emergency. 

Section 1115 demonstration waiver
The 1115 waiver is the most dynamic option available, and states can access it through the 1115 disaster waiver option under the Medicaid toolkit. The state may be able to show that providing contact tracing will result in savings for services billed under Medicaid. These savings may be able to be justified by decreasing the number of people who test positive for the virus, leading to budget neutrality. The budget neutrality model would need to show “with” and “without waiver” scenarios that demonstrate to Medicaid the cost of the spread of the virus with and without contact tracing. A challenge to this approach is the time necessary to develop the waiver and budget neutrality model and gain CMS approval. 

Recently, CMS approved one of these new section 1115 waivers for the state of Washington. While Washington did not request to cover contact tracing, the speed of approval and the fact that CMS has indicated for the pandemic 1115 requests states will not be required to submit budget neutrality calculations, is a positive indicator for states to consider in envisioning creative models for leveraging Medicaid to minimize the impacts of COVID-19. 

Next steps

  • Check in with your CMS contacts. COVID-19 is new, and America’s response continues to evolve. Check in with your CMS contact for input on the latest guidance that may be applicable to your agency. 
  • Develop an APD. Develop your state’s APD to help fund the technology needs for tracking COVID-19, along with training for your SMA team and providers. 
  • Determine services. In partnership with CMS, determine if case management, a health home, or other service makes the most sense for your state to help trace contacts, reduce the spread of COVID-19, and encourage employment in this important work. 
  • Submit your waiver for state plan amendment. After working with CMS to determine the service that makes sense for your state, develop and submit the request to provide this service through a 1115 waiver, 1135 waiver, or if necessary, emergency state plan amendment. 

We’re here to help
If you have more questions or want to have an in-depth conversation about your specific situation, please contact the Medicaid consulting team

Blog
Contact tracing for COVID-19: What it is and how Medicaid can use it

Read this if you are a tax-exempt organization.

The IRS recently issued proposed regulations (REG-106864-18) related to Internal Revenue Code Section 512(a)(6), which requires tax-exempt entities to calculate unrelated business taxable income (UBTI) separately for each unrelated trade or business carried on by the organization.

For years beginning after December 31, 2017, exempt organizations with more than one unrelated trade or business are no longer permitted to aggregate income and deductions from all unrelated trades or businesses when calculating UBTI. In August 2018, the IRS issued Notice 2018-67, which discussed and solicited comments regarding various issues arising under Code Section 512(a)(6) and set forth interim guidance and transition rules relating to that section. 

The good news
The new proposed regulations expand upon Notice 2018-67 and provide for the following:

  • An exempt organization would identify each of its separate unrelated trades or businesses using the first two digits of the NAICS code that most accurately describes the trade or business. Activities in different geographic areas may be aggregated.
  • The total UBTI of an organization with more than one unrelated trade or business would be the sum of the UBTI computed with respect to each separate unrelated trade or business (subject to the limitation that UBTI with respect to any separate unrelated trade or business cannot be less than zero). 
  • An exempt organization with more than one unrelated trade or business would determine the NOL deduction allowed separately with respect to each of its unrelated trades or businesses.
  • An organization with losses arising in a tax year beginning before January 1, 2018 (pre-2018 NOLs), and with losses arising in a tax year beginning after December 31, 2017 (post-2017 NOLs), would deduct its pre-2018 NOLs from total UBTI before deducting any post-2017 NOLs with regard to a separate unrelated trade or business against the UBTI from such trade or business. 
  • An organization's investment activities would be treated collectively as a separate unrelated trade or business. In general, an organization's investment activities would be limited to its:
     
    1. Qualifying partnership interests
    2. Qualifying S corporation interests
    3. Debt-financed property or properties 

Organizations described in Code Sec. 501(c)(3) are classified as publicly supported charities if they meet certain support tests. The proposed regulations would permit an organization with more than one unrelated trade or business to aggregate its net income and net losses from all of its unrelated business activities for purposes of determining whether the organization is publicly supported. 

The missing news: Unaddressed items from the new guidance
With the changes provided by these proposed regulations we anticipate less complexity and lower compliance costs in applying Code Section 512(a)(6). While this new guidance is considered taxpayer friendly, the IRS still has more work to do. Items not yet addressed include:

  • Allocation of expenses among unrelated trade or businesses and between exempt and non-exempt activities.
  • The ordering rules for applying charitable deductions and NOLs.
  • Net operating losses as changed under the CARES Act.

The IRS is requesting comments on numerous key situations. Until the regulations are finalized, organizations can rely on either these proposed regulations, Notice 2018-67, or a reasonable good-faith interpretation of Code Sections 511-514 considering all the facts and circumstances.
We will keep you informed with the latest developments.

If you have any questions, please contact the not-for-profit consulting team

Blog
IRS unrelated business taxable income update: The good news and the missing news

Editor's note: Read this if you are a leader in higher education.

The Department of Education has released guidance to colleges and universities on how the CARES Act grants to institutions, under the Higher Education Emergency Relief Fund (HEERF), may be used. The guidance comes in the form of answers to frequently asked questions, which we recommend institutions read before accepting the funds. Some key answers included in the document:

  1. A school has to participate in the HEERF funding to be used for grants to students to get the institutional share.
  2. Schools can use these funds to cover the costs of refunds for room and board provided as a result of campus closure.
  3. These funds can be used to make additional emergency financial aid grants to students impacted by campus closure.

We urge schools to retain supporting documentation of the proper use of these funds to allow for a compliance audit, should that be required. 

Questions?
Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

Blog
The Higher Education Emergency Relief Fund (HEERF): Guidelines

Read this if you are a leader at a state Medicaid agency, Long-Term Care Hospital, Rural Health Clinic, Federally Qualified Health Center, or intermediate care facility.

New toolkit launches to help states navigate COVID-19 health workforce challenges 

In order to maximize workforce flexibility to help confront COVID-19, CMS and the Assistant Secretary of Preparedness and Response (ASPR) have released a new toolkit to assist state and local healthcare decision makers. The toolkits are available as a set of resource collections including:

Our team will be taking a closer look at these resource collections in the coming week and plan to have detailed information on the opportunities within.

Compliance flexibilities announced for implementation of interoperability final rules due to COVID-19

CMS and the Office of the National Coordinator for Health IT (ONC), in conjunction with the Health and Human Services (HHS) Office of Inspector General (OIG), have announced a policy of enforcement discretion to allow compliance flexibilities regarding the implementation of the interoperability final rules previously announced on March 9, 2020.

  • Announced in March, the Interoperability and Patient Access final rule (CMS-9115-F) is focused on the pursuit of interoperability and patient access to health information.
  • CMS-regulated payers, including Medicaid Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP FFS programs, and CHIP managed care entities are required to implement and maintain a secure, standards-based (HL7 FHIR Release 4.0.1) API that allows members access their claims and encounter information, as well as provider directory information available through third-party applications of their choice.
  • Due to the public health emergency posed by COVID-19, CMS is exercising the “enforcement discretion” to adopt a temporary policy of relaxed enforcement for the final rule.

CMS releases additional blanket waivers for Long-Term Care Hospitals (LTCHs), Rural Health Clinics (RHCs), Federally Qualified Health Centers (FQHCs) and intermediate care facilities

CMS is providing additional blanket waivers related to care for patients in LTCHs, temporary expansion locations of RHCs and FQHCs, staffing and training modifications in intermediate care facilities for individuals with intellectual disabilities, and the limit for substitute billing arrangements (locum tenens).

  • The new flexibilities do not require a waiver or any requests be sent to CMS electronically or any other notification to CMS regional offices.
  • The guidance includes flexibilities related to provider location, staffing, reporting requirements, discharge, patient rights and other areas regulated by CMS.
  • The blanket waiver authority exercised by CMS in this case applies only to federal requirements and does not apply to state requirements for licensure or conditions of participation.

State of Washington COVID-19-related section 1115(a) demonstration approval

Washington’s approval is the first section 1115(a) demonstration specifically intended to combat the effects of COVID-19 in a state.

  • CMS authorized a time-limited approval for several of the requests in Washington’s March 24, 2020 section 1115(a) demonstration with a retroactive effective date of March 1, 2020 through 60 days after the public health emergency declaration.
  • CMS approved two waiver authority requests, as well as six expenditure authority requests from Washington’s section 1115(a) demonstration. 
  • CMS did not require the state to submit budget neutrality calculations for the Washington COVID-19 section 1115(a) demonstration. 

CMS issues guidance allowing Independent Freestanding Emergency Departments (IFEDs) to provide care to Medicare and Medicaid beneficiaries during the COVID-19 Public Health Emergency

CMS issued guidance On April 21, 2020 which allows licensed IFEDs in the states of Colorado, Delaware, Rhode Island, and Texas to temporarily provide care to Medicare and Medicaid patients to address any surge.

  • IFEDs generally offer a range of services including basic imaging services, computed tomography (CT) scans, ultrasound, and basic on-site laboratory services. During this public health emergency these entities can temporarily bill Medicare and Medicaid as a certified hospital.
  • CMS is waiving certain conditions of participation for hospital operations to maximize patient care capabilities during this public health emergency. IFEDs may participate in Medicare and Medicaid in one of three ways: 
     
    • Becoming affiliated with a Medicare/Medicaid-certified hospital under the temporary expansion 1135 emergency waiver; 
    • Participating in Medicaid under the clinic benefit if permitted by the state; or
    • Enrolling temporarily as a Medicare/Medicaid-certified hospital to provide hospital services.

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
CMS launches toolkits, releases guidance, and loosens some restrictions to help states and others address COVID-19

Read this if your organization, business, or institution has leases and you’ve been eagerly awaiting and planning for the implementation of the new lease standards.

Ready? Set? Not yet. As we have prepared for and experienced delays related to Financial Accounting Standards Board (FASB) Accounting Standards Codification Topic 842, Leases, we thought the time had finally come for implementation. With the challenges that COVID-19 has brought to everyone, the FASB recognizes the significant impact COVID-19 has brought to commercial businesses and not-for-profits and is proposing a one-year delay in implementation, as described in this article posted to the Journal of Accountancy: FASB effective date delay proposals to include private company lease accounting.

But what about lease concessions? We all recognize many lessors are making concessions due to the pandemic. Under current guidance in Topics 840 and 842, changes to lease contracts that were not included in the original lease are generally accounted for as lease modifications and, therefore, a separate contract. This would require remeasurement of the new lease contract and related right-of-use asset. FASB recognized this issue and has published a FASB Staff Questions and Answers (Q&A) Document,  Topic 842 and Topic 840: Accounting for Lease Concessions Related to the Effects of the COVID-19 Pandemic. Under this new guidance, if lease concessions are made relating to COVID-19, entities do not need to analyze each contract to determine if a new contract has been entered into, and will have the option to apply, or not to apply, the lease modification provisions of Topics 840 and 842.

Implementation of the lease accounting standard will most likely be delayed for Governmental Accounting Standards Board (GASB) entities as well. On April 15, 2020, the GASB issued an exposure draft that would delay most GASB statements and implementation guides due to be implemented for fiscal years 2019 and later. Most notably, this includes Statement 84, Fiduciary Activities, and Statement 87, Leases. Comments on the proposal will be accepted through April 30, and the board plans to consider a final statement for issuance on May 8. More information may be found in this article from the Journal of Accountancy: GASB proposes postponing effective dates due to pandemic.

More information

Whether you are a FASB or GASB entity, you can expect a delay in the implementation of the lease standard. If you have questions, please contact a member of our financial statement audit team. For other COVID-19 related resources, please refer to BerryDunn’s COVID-19 Resources Page.

Blog
FASB and GASB news: Postponement of the lease accounting standards

Read this if you are a not-for-profit looking to learn more about tax filing deadlines.

State of New Hampshire: If your organization has a December 31 year-end, your annual report filing with the Charitable Trusts Unit and related payment are still due by May 15. If you are not ready to file, you may file Form NHCT-4 for an extension by May 15. If your organization has a June 30 year-end, you may email the State Attorney General to ask for additional time to July 15.

April 24, 2020, UPDATE: Commonwealth of Massachusetts: The Massachusetts Attorney General’s office has extended the Form PC filing requirement. All filing deadlines for annual charities filings for fiscal year 2019 have been extended by six months. This extension is in addition to the automatic six month extension that many not-for-profits receive. In addition, original signatures, photocopies of signatures, and e-signatures (e.g., DocuSign) will be accepted.

On April 9, 2020, the Internal Revenue Service (IRS) issued Notice 2020-23, its third round of tax filing relief guidance, which amplifies relief set forth in previously issued IRS notices providing relief to taxpayers affected by COVID-19. Notice 2020-23 also provides additional time to perform certain other actions. The Notice holds the special distinction of being the first to provide specific relief to not-for-profit organizations with return filing and tax payment obligations due between April 1 and July 15, 2020. The details are highlighted below:

Tax deadline extended to July 15, 2020
The Notice explicitly states that Form 990-T tax payment and filing obligations due during the period between April 1 and July 15 will be automatically extended to July 15, 2020. Additionally, Form 990-PF (and associated tax payments) as well as quarterly Federal estimated tax payments remitted via Form 990-W are also explicitly noted and are granted an extension to July 15.
    
While this is certainly good news, the more eagerly anticipated news is the Notice also includes “Affected Taxpayers” who are required to perform “Specified Time-Sensitive Actions” referenced in Revenue Procedure 2018-58. The Revenue Procedure specifically mentions exempt organizations as “Affected Taxpayers” required to perform “specified time-sensitive actions”—one such action being the filing of Form 990.

In summary (with the combined power of the Notice and Revenue Procedure), any entity with a Form 990, Form 990-EZ, Form 990-PF, Form 990-T, Form 990-W estimated tax filing requirement, Form 1120-POL or Form 4720 filing obligation due between April 1 and July 15, 2020 now have until July 15, 2020 to file. Needless to say this is very welcome news for an industry that like so many others, is being pushed to the brink during this turbulent and difficult time.

Additional extensions
Notice 2020-23 (with reference to Revenue Procedure 2018-58) also extends the due date of certain forms, notices, applications, and other exempt organization activities due between April 1 and July 15, 2020, until July 15, 2020 as noted below: 

  • Community health needs assessments (CHNAs) and Implementation Strategies
  • Application for Recognition of Exemption (Forms 1023 and 1024) 
  • Section 501(h) Elections and Revocations (Form 5768)
  • Information Return of US Persons with Respect to Certain Foreign Corporations (Form 5471)
  • Political Organization Notices and Reports (Forms 8871 and 8872)
  • Notification of Intent to Operate as a Section 501(c)(4) Organization (Form 8976) 

We are here to help
Please contact the BerryDunn not-for-profit tax team if you have any questions, or would like to discuss your specific situation.

Blog
Not-for-profit May 15 tax deadline extended

Editor's note: Read this if you are a leader in higher education.

The Department of Education (ED) has released the first round of guidance to colleges and universities, with more detail to begin issuing much-needed emergency funding grants to students from the Higher Education Emergency Relief Fund (HEERF), provided as part of the CARES Act.

The guidance clarifies a variety of questions about the portion of the funding to be used for emergency financial aid grants to students, most notably:

  • These funds cannot be used to fund room and board refunds.
  • These funds cannot be used to cover overdue student bills at the institution.
  • Only students eligible to participate in Title IV programs may receive emergency financial aid grants. Students who have not filed a FAFSA but who are eligible to file a FAFSA may receive emergency financial aid grants.

A broader summary from NASFAA can be found here.

While not specifically addressed in this guidance, the HEERF has been provided a CFDA number which leads our team to believe there is a good likelihood these funds will be included in some fashion under the Uniform Guidance compliance audits. We urge schools to retain adequate documentation from their decision making process to allow for a compliance audit, should that be required. We anticipate additional guidance on the HEERF will be forthcoming as schools begin to award the grants to students.

Questions?
Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

Blog
Update from ED on CARES Act grants to students

As resources are released to help higher education institutions navigate the rapidly changing landscape, we will add important links and information to this blog post:

Industry resources:
US Department of Education (ED)

Guidance for colleges:

Guidance on leases:
FASB and GASB news: Postponement of the lease accounting standards

We are here to help
Please contact the BerryDunn higher education team if you have any questions, or would like to discuss your specific situation.

Blog
Resources for higher education institutions affected by COVID-19

Read this if you work at a public health department and would like a brief summary of how you can maximize funding and meet new federal requirements.

Unpacking the trillions

In response to the COVID-19 pandemic, several pieces of legislation were passed by congress and signed into law. The three bills, H.R. 6074 Coronavirus Preparedness and Response Supplemental Appropriations Act, H.R. 6201 Families First Coronavirus Response Act, and H.R. 748 Coronavirus Aid, Relief, and Economic Security (CARES) Act, have provided funding for various federal agencies with different roles in responding to the crisis. Because of the urgency required, much of the guidance for use of funds and reporting requirements were released after passage of the bills or have yet to be released.

Here is a brief timeline and summary of the acts:

Implication and next steps for state public health departments

While little guidance has been provided for how state public health departments should prepare to access federal funds, BerryDunn will continue to monitor and release updates as they become available. 

While at this point HR 6074 has the greatest implications for public health departments, here are some actions that states should take now for their public health programs from the recent legislation:

  1. H.R. 6074: Provides appropriations to the CDC to be allocated to states for COVID-19 expenses.
    • To ensure maximum funding, prepare a spend plan to submit to CDC.
    • To ensure compliance, provide CDC with copies or access to COVID-19 data collected with these funds.
    • To maximize the impact of new funding, develop a COVID-19 community intervention plan.
    • To support streamlined operations, submit revised work plans to CDC.
    • To prevent missed deadlines, submit any requests for deadline extensions to the CDC.
  2. H.R. 6201: Provides guidance specific to the Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) programs.
    • To encourage social distancing and loosen administrative requirements, seek waivers through the USDA’s Food and Nutrition Service (FNS).
    • To ensure compliance, prepare to submit a report summarizing the use of waivers on population outcomes by March 2021.
  3. H.R. 748: Allocates $150 billion to a coronavirus relief fund for state, local, and tribal governments.
  • To secure funding, monitor the US Department of Health & Human Services (HHS) for guidance on using funds for:
    • Coronavirus prevention and preparation
    • Tools to build health data infrastructure
    • COVID-19 Public Health Emergency expenses
    • Developing countermeasures and vaccines for coronavirus
    • Telehealth and rural health activities
       
  • To ensure HIPAA compliance when sharing protected patient health information, monitor the US Department of Health & Human Services (HHS) for guidance.

For more information

For specific issues your agency has, or if you have other questions, please contact us. We’re here to help. 

Blog
COVID-19 laws and their impact on state public health agencies

Read this if you are a leader at a state Medicaid agency.

CMS has delivered nearly  $34 billion, later updated to $51 billion, in the past week to the healthcare providers on the frontlines battling the 2019 novel coronavirus

  • The process in which CMS is implementing requests has reduced times of an accelerated or advance payment to four to six days. Previously the timeframe was three to four weeks. 
  • To date, CMS has received over 25,000 requests from providers and suppliers for accelerated and advance payments. Of these, CMS has approved over 17,000 requests in the past week. 
  • It should be noted that this funding is separate and distinct from the $100 billion provided in the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

CMS issues new wave of infection control guidance based on CDC guidelines to protect patients and healthcare workers 

CMS has issued a series of updated guidance documents focused on infection control to prevent the spread of COVID-19 in a variety of inpatient and outpatient care settings.

  • The updated guidance includes a number of updates, notably the option of providing home dialysis training and support services. These are designed to help some dialysis patients stay home during the pandemic.
  • In particular, the guidance includes the establishment of Special Purpose Renal Dialysis Facilities (SPRDFs), which can allow dialysis facilities to isolate vulnerable or infected patients.
  • For hospitals, psychiatric hospitals and CAHs, the updated guidance provides recommendations on screening and visitation restrictions, discharge to subsequent care locations, as well as staff screening and testing.

CMS acts to ensure US healthcare facilities can maximize frontline workforces to confront COVID-19 crisis 

CMS has temporarily suspended a number of rules in order for hospitals, clinics, and other healthcare facilities to boost their frontline medical staffs.

The CMS guidance focuses on reducing supervision and certification requirements so that practitioners can both be hired rapidly and perform work to the extent of their licensure. CMS guidance allows the following:

  • Doctors can now directly care for patients in certain settings without having to be physically present.
  • Nurse practitioners may now perform some medical exams on Medicare patients at skilled nursing.

CMS approves additional state Medicaid waivers and amendments to give states flexibility to address coronavirus pandemic

CMS continues to deliver regulatory relief to a number of new states in the form of waivers and state plan amendments.

  • In total, CMS has now approved 49 emergency 1135 waivers, 26 state amendments, seven COVID-19 related Medicaid disaster amendments and the first CHIP COVID-related disaster amendment
  • The COVID-related Children’s Health Insurance Program (CHIP) disaster amendment is for the State of Maine. 
  • CMS has now approved COVID-related Medicaid disaster state plan amendments for North Dakota, Rhode Island, and Wyoming.

HHS authorizes licensed pharmacists to order and administer COVID-19 tests

On April 8, HHS released new guidance under the Public Readiness and Emergency Preparedness Act that authorizes licensed pharmacists to order and administer FDA-approved COVID-19 tests.

  • The guidance allows pharmacists to order and administer COVID-19 tests to their patients will provide easier access to testing and will expand testing for healthcare workers and first responders. 

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
CMS approves over $51 billion for providers with the accelerated/advance payment program for Medicare providers

Read this if you are an IT Leader, CFO, COO, or other C-suite leader responsible for selecting a new system.

Vendor demonstrations are an important milestone in the vendor selection process. Demonstrations allow you to validate what a vendor’s software is capable of, evaluate the usability with your own eyes, and confirm the fit to your organization’s objectives.

Our client found itself in a situation where, after many months of work developing requirements, issuing a request for proposal, and reviewing vendor proposals they were ready to conduct demonstrations. Despite a governor’s executive order for social distancing and limitations on non-essential travel, our client needed to conduct demonstrations to achieve an important project milestone. This presented an opportunity to help them plan, test, and facilitate remote vendor demonstrations with great success.

This brief case study shares some of the key success factors we found in conducting remote demonstrations and some lessons learned after they were complete.

  1. Prepare 
    Establish a clear agenda, schedule, script, and plan in advance of the demonstrations. This helps keep everyone coordinated throughout the demos.
  2. Test
    It is important to test the vendor’s video conference solution from all locations prior to the demonstrations. We tested with both vendors a week ahead of demos.
  3. Establish Ground Rules
    Establishing ground rules allows the meetings to go better, be more efficient, and stay on time. For example, is a moment of silence a consensus to move on or must you wait for someone to unmute their line to verbally confirm to proceed.
  4. Have clear roles by location
    Clear roles help to facilitate the demonstration. Designated time keepers, scribes, and local facilitators help the demonstration go smoothly, and decreases communication issues.
  5. Be close to the microphone
    Essential common sense, but when you can’t see everyone, loud, clear questions and answers make the demos more effective.
  6. Ask vendors to build in pauses to allow for questions
    Since vendors may not be able to see a hand raised, asking vendors to build specific pauses into their demonstrations allows space for questions to be asked easily.
  7. Do a virtual debrief 
    At the end of each vendor demonstration we had our own videoconferencing meeting set up to facilitate a virtual debrief. This allowed us to capture the evaluation notes of the day prior to the next demo. Planning these in advance and having them on people’s calendars made joining the meetings quick and seamless.

Observations and other lessons learned

Following the remote demonstrations we identified a few observations and lessons learned:

  1. Visibility was better
    By not having everyone crowded into one room, people were able to see the screen and the vendor’s software clearly.
  2. Different virtual platforms required orientation
    We wanted vendors to use the tools they were accustomed to using. This led to us using different products for different demonstrations. This was not insurmountable, but required orientation to get used to their tools at the start of each demo.
  3. Video helped debriefing
    Given the quick planning we did not have video capability from all locations for our virtual debrief. It was helpful to see the people sharing their comments following each demonstration. We will plan for video capabilities at all locations next time.
  4. Having a set order for people to provide feedback helped
    During the first debriefing, we established a set order for people to speak and share their thoughts. This limited talking over each other and allowed everyone to hear the thoughts of their peers clearly.
  5. Be patient with slowness
    For the most part we had successful demos with limited slowness. There were a couple points where slowness was encountered. We remained patient, adjusted the schedule, and in the worst case, added an extra break for people.
  6. Staying engaged takes effort
    Sitting all day on a remote demo and paying attention took effort to stay engaged. Building in specific times for Q&A, calling on people by name, and designing it so it wasn’t eight hours straight of presentation helped with engagement.

Restricted travel in response to COVID-19 has led our clients and our teams to be creative and agile in achieving objectives. The remote demonstrations proved highly successful, accomplished the goals, and met our client’s critical timing milestone. At the end of four days of demos, our client commented that the remote demos were perhaps even better than if they had been conducted onsite. As we look at the long view, we may find that clients prefer remote demonstrations even when social distancing and travel restrictions are lifted.

Blog
Social distancing case study: Hosting remote vendor demonstrations

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
     

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  1. Plan: Implement a disaster recovery and incident response plan 
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

  1. Practice: Prepare your team with table top exercises  
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Blog
The three P's of improving your company's cybersecurity soft skills

Read this if you would like a refresher of common-sense approaches to protect against fraud while working remotely.

Coronavirus (COVID-19) has imposed many challenges upon us physically, mentally, and financially. Directly or indirectly, we all are affected by the outbreak of this life-threatening disease. Anxious times like this provide perfect opportunities for fraudsters. The fraud triangle is a model commonly used to explain the three components that may cause someone to commit fraud when they occur together:

  1. Financial pressure/motivation 
    In March 2020, the unemployment rate increased by 0.9 percent to 4.4 percent, and the number of unemployed persons rose by 1.4 million to 7.1 million.
  2. Perceived opportunity to commit fraud 
    Many people are online all day, providing more opportunities for internet crime. People are also desperate for something, from masks and hand sanitizers to coronavirus immunization and cures, which do not yet exist. 
  3. Rationalization 
    People use their physical, mental, or financial hardship to justify their unethical behaviors.

To combat the increasing coronavirus-related fraud and crime, the Department of Justice (DOJ) launched a national coronavirus fraud task force on March 23, 2020. It focuses on the detection, investigation, and prosecution of fraudulent activity, hoarding, and price gouging related to medical resources needed to respond to the coronavirus. US attorney’s offices are also forming local task forces where federal, state, and local law enforcement work together to combat the coronavirus related crimes. Things are changing fast, and the DOJ has daily updates on the task force activities. 

Increased awareness for increased threats

Given the increase in fraudulent activity during the COVID-19 outbreak, it’s important for employees now working from home to be aware of ways to protect themselves and their companies and prevent the spread of fraud. Here are some of the top COVID-19-related fraud schemes to be aware of. 

  • Phishing emails regarding virus information, general financial relief, stimulus payments, and airline carrier refunds
  • Fake charities requesting donations for illegitimate or non-existent organizations 
  • Supply scams including fake shops, websites, social media accounts, and email addresses claiming to sell supplies in high demand but then never providing the supplies and keeping the money 
  • Website and app scams that share COVID-19 related information and then insert malware that could compromise the device and your personal information
  • Price gouging and hoarding of scarce products
  • Robocalls or scammers asking for personal information or selling of testing, cures, and essential equipment
  • Zoom bombing and teleconference hacking

If you have encountered suspicious activity listed above, please report it to the FBI’s Internet Crime Complaint Center.

Staying vigilant

To protect yourself from these threats, remember to use proper security measures and follow these tips provided by the Federal Bureau of Investigation (FBI) and DOJ:

  • Verify the identity of the company, charity, or individual that attempts to contact you in regards to COVID-19.
  • Do not send money to any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail. 
  • Understand the features of your teleconference platform and utilize private meetings with a unique code or password that is not shared publicly.
  • Do not open attachments or click links within emails from senders you do not recognize.
  • Do not provide your username, password, date of birth, social security number, insurance information, financial data, or other personal information in response to an email or robocall.
  • Always verify the web address of legitimate websites and manually type them into your browser.
  • Check for misspellings or wrong domains within a link (for example, an address that should end in a ".gov" ends in .com" instead).

Stay aware, and stay informed. If you have specific concerns or questions, or would like more information, please contact our team. We’re here to help.
 

Blog
COVID-19 and fraud―a security measures refresher

Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

While COVID-19 has forced many of us into a remote work environment, we also have to deal with the challenges that come along with it. The stark contrast between an office environment and one that potentially involves working in isolation can be a difficult adjustment. Office kitchen conversations have evolved into conversations with pets, our newest co-workers. A quick, in-person question has now turned into an email, phone, or video call. And job responsibilities expand as we try to not only juggle work but also ensure our children focus on school work―and don’t destroy the house. 

Not only has this forced environment caused social challenges, it has also opened the door for internal control challenges, as  internal controls designed to operate effectively in an office environment may not be ideal for a remote workplace. Even ones that are appropriately designed, may prove to be operating ineffectively in this new environment. Let’s take a look at some internal control challenges, and potential solutions, faced by working in a remote environment.

Establishing a remote control environment

Exercising appropriate tone at the top and establishing appropriate oversight can be challenging with a remote workforce. Ethics and governance policies play an important role in setting clear expectations about workplace behaviors. But, a workforce is much more apt to follow a leadership team’s example rather than a policy. All of those office conversations, even the conversations that are not work related, help set an expectation of appropriate and inappropriate behaviors. These conversations often happen naturally in the office via a quick conversation in passing in the hallway or a late-Friday happy hour with your department. However, these interactions do not naturally occur in a remote workplace. Leadership and department heads should make an active effort to maintain communication with their workforce. Some things to consider:

  • Send out weekly emails to the entire department and possibly more personal, one-on-one videoconferences or phone calls between your department heads or managers and individual members of their teams.
  • These department-wide emails should stress the importance of communication as well as continuing to produce high quality work and maintaining accountability. 
  • One-on-one meetings should be used to check in with employees to ensure their work needs are being met. 

Employees will most likely have many suggestions to improve their new work environment, including suggestions on how to improve communication amongst team members. 

The power of video

Videoconferencing also provides a great opportunity to stay connected. Virtual happy hours simulate an in-person happy hour. This is a great way to check-in with team members and show that, although people are out of sight, they are not out of mind. Town hall-type meetings can also be explored. Your leadership team can solicit open discussion. Agenda items may include office status updates, technological considerations, and an opportunity for employees to openly discuss current challenges due to working in a remote environment. Employees are going to have anxiety about the current environment. These meetings can help put employees at ease.

Risk assessment

Internal control environments are constantly evolving. Employees leave. Software is updated.  Offered services and products change. The list goes on. However, it is unprecedented that an internal control environment has changed so rapidly. Given these unprecedented times, there is potential for higher risk of fraud, internally and externally. Those responsible for designing internal controls (control owners) should reassess your company’s environment. Although internal controls can be designed in a manner in which they operate effectively regardless of the circumstances, it is possible there are unintended changes to processes that have occurred. 

For instance, let’s say the employee responsible for reviewing loan file maintenance changes is now working an alternative work schedule due to personal obligations. This employee does not have the ability to make loan file changes; therefore, segregation of duties has never been an issue. An employee within loan servicing has agreed to take some of the employee’s responsibilities and is now reviewing some of the loan file maintenance changes, which has put this employee in a position to review some of their own changes. 

Furthermore, some internal controls that require employees be at a physical location to operate may also be compromised, such as inventory cycle counts. If these controls are unable to operate, control owners will need to consider the impacts on the affected transaction areas, and if there are compensating controls that can be designed to alleviate some of the control risk.

Control activities

Accounts payable and check signing

The accounts payable and cash disbursement process will most likely be upended as a result of your new remote environment. Bills received through the mail will need to be scanned to the accounts payable clerk for entry into the accounting system. Some offices have designated certain personnel responsible for checking mail on an infrequent basis, for instance, weekly. Check signing may also prove to be a challenge as blank check stock may be inaccessible. Electronic receipt of invoices and signing of checks, as well as the use of wire and ACH transfers, lend themselves as feasible solutions. Email approvals may suffice when multiple signers are needed to approve high dollar disbursements.

Segregation of duties

As mentioned above, it is possible processes have inadvertently changed, exposing certain internal controls to ineffectiveness. Segregation of duties may become difficult as employees shift to alternative work schedules or have other issues. Maintaining segregation of duties should be a top priority for control owners and is something that should be constantly assessed as circumstances change. Challenging times may make segregation of duties difficult and may force you to get creative by requesting employees perform duties they are not otherwise accustomed to performing.

Digital sign-offs

You should also consider the manner in which you document the completion of controls. Control owners should be cautious about the integrity of an employee’s initials simply typed onto a digital document, as any employee can perform this task. Digital signatures, which require an employee to enter credentials prior to signing, enhance the integrity of a sign-off and are often time stamped. Digital signatures may also “lock down” the document, prohibiting any changes to the signed document.

Timely review

Given the circumstances, it is not unreasonable that preparation and review may take longer than under normal circumstances. Even if additional time is granted for the preparation and review of documents, you should consider the implications this has on the transaction class as a whole. The longer it takes to complete a control, the greater the consequences may be if you identify an error. For instance, the impact of an incorrect change to a loan rate index can be substantial if not identified timely. If identified quickly, you can avoid consequences later.

Information and communication

For many companies that have moved from a paper to a digital environment, sharing of information should not be an issue. However, for those that still operate in a mostly paper environment, performing tasks and sharing information with team members may prove to be difficult. And, those without the capability of scanning and sending documents from home could compromise a specific internal control altogether. Being forced to work remotely may be the perfect excuse to move paper processes into a digital format.

Monitoring

Monitoring your internal control environment is of the utmost importance given these significant changes. Frequent conversations should be had with control owners to ensure changes to processes do not render controls ineffective. Identified gaps in internal controls should be addressed proactively. Provide control owners with the opportunity to discuss changes to control processes with Internal Audit or Risk Management so such departments can consider the impact of changes on internal control. This also gives these departments the opportunity to cover any resulting gaps.

Permanent changes

Once the remote workplace requirements end, the effects of working in such an environment will not. There are many benefits and efficiencies to be found in working remotely. As people have now been forced to work in such an environment, they will be more apt to continue to do so. Therefore, let’s take this opportunity to revise processes and internal controls to be “remote workplace” compatible. This will provide a long-lasting impact to your organization far beyond the pandemic. 
 

Blog
How does your control environment look in a remote world?

BerryDunn’s Healthcare/Not-for-Profit Practice Group members have been working closely with our clients as they navigate the effect the COVID-19 pandemic will have on their ability to sustain and advance their missions.

We have collected several of the questions we received, and the answers provided, so that you may also benefit from this information. We will be updating our COVID-19 Resources page regularly. If you have a question you would like to have answered, please contact Sarah Belliveau, Not-for-Profit Practice Area leader, at sbelliveau@berrydunn.com.

The following questions and answers have been compiled into categories: stabilization, cash flow, financial reporting, endowments and investments, employee benefits, and additional considerations.

STABILIZATION
Q: Is all relief focused on small to mid-size organizations? What can larger nonprofit organizations participate in for relief?
A:

We have learned that there is an as-yet-to-be-defined loan program for mid-sized employers between 500-10,000 employees. You can find information in the Loans Available for Nonprofits section (link below) of  the CARES Act as well as on the Independent Sector CARES Act web page, which will be updated regularly.

Q: Should I perform financial modeling so I can understand the impact this will have on my organization? Things are moving so fast, how do I know what federal programs are available to provide assistance?
A:

The first step in developing a short-term model to navigate the next few months is to gain an understanding of the programs available to provide assistance. These resources summarize some information about available programs:

Loans Available for Nonprofits in the CARES Act
Families First Coronavirus Response Act (FFCRA): FAQs for Businesses
CARES Act Tax Provisions for Not-for-Profit Organizations

The next step is to develop scenarios ranging from best case to worst case to analyze the potential impact of revenue and/or cost reductions on the organization. Modeling the various options available to you will help to determine which program is best for your organization. Each program achieves a different objective – for instance:

  • The Paycheck Protection Program can assist in retaining employees in the short term.
  • The Emergency Economic Injury Grants are helpful in covering a small immediate liquidity need.
  • The Small Business Debt Relief Program provides aid to those concerned with making SBA loan payments.

Additionally, consider non-federal options, such as discussing short-term deferrals with your current bank.

Q: How should I create a financial forecast/model for the next year?
A:

If you have the benefit of waiting, this is likely a time period in which it makes sense to delay significant in-depth forecasting efforts, particularly if your business environment is complicated or subject to significantly volatility as a result of recent events. The concern with beginning to model for future periods, outside of the next three-to-six months, is that you’ll be using information that is incomplete and ever-changing. This could lead to snap judgments that are short-term in nature and detrimental to long-term planning and success of your organization. 

With that said, we recognize that delaying this analysis will be unsettling to many CFOs and business managers who need to have a strategy moving forward. In developing this model for next year, consider the following elements of a strong model:

  1. Flexible and dynamic – Allow room for the model to adapt as more information is available and as additional insight is requested by your constituents (board members, department heads, lenders, etc.).
  2. Prioritize – Start with your big-ticket items. These should be the items that drive results for the organization. Determine what your top two to three revenue and expense categories are and focus on wrapping your arms around the future of those. From there, look for other revenue and expense sources that show correlation with one of the big two to three. Using a dynamic model, these should be automatically updated when assumptions on correlated items change. Don’t waste time on items that likely don’t impact decision making. Finally, build consensus on baseline assumptions, whether it be through management or accounting team, the board, or finance committee.
  3. Stress-test – Provide for the reality that your assumptions, and thus model, will be wrong. Develop scenarios that run from best-case to worst-case. Be honest with your assumptions.
  4. Identify levers – As you complete stress-testing, identify your action plan under different circumstances. What are expenditures that can be deferred in a worst-case scenario? What does staffing look like at various levels?
  5. Cash is king – The focus on forecasting and modeling is often on the net income of the organization and the cash flows generated. In a time such as this, the exercise is likely to focus on future liquidity. Remember to consider your non-income and expense items that impact cash flow, such as principal payments on debt service, planned additions to property & equipment, receipts on pledge payments, and others.  
CASH FLOW
Q: How can I alleviate cash flow strain in the near term?
A:

While the House and Senate have reacted quickly to bring needed relief to individuals and businesses across the country, the reality for most is that more will need to be done to stabilize. Operationally, obvious responses in the short term should be to eliminate all nonessential purchasing and maximize the billing and collection functions in accounts receivable. Another option is to utilize or increase an existing line of credit, or establish a new line of credit, to alleviate short term cash flow shortfalls. Organizations with investment portfolios can consider the prudence of increasing the spending draw on those funds. Rather than making a few drastic changes, organizations should take a multi-faceted approach to reduce the strain on cash flow while protecting the long term sustainability of the mission.

Q: How can I increase my organization’s reach to help with disaster relief? If we establish a special purpose fund, what should my organization be thinking about?
A:

Many organizations are looking for ways to increase their direct impact and give funding to individuals or organizations they may not have historically supported. For those who are want to expand their grant or gift making or want to establish a disaster relief fund, there are things to consider when doing so to help protect the organization. The nonprofit experts at Hemenway & Barnes share their thoughts on just how to do that.

FINANCIAL REPORTING
Q: What accounting standards have been delayed or are in the process of being delayed?
A:

FASB:
The $2.2 trillion stimulus package includes a provision that would allow banks the temporary option to delay compliance with the current expected credit losses (CECL) accounting standard. This would be delayed until the earlier end of the fiscal year or the end of the coronavirus national emergency.

GASB:
On March 26, 2020, the Governmental Accounting Standards Board (GASB) announced it has added a project to its current technical agenda to consider postponing all Statement and Implementation Guide provisions with an effective date that begins on or after reporting periods beginning after June 15, 2018. The GASB has received numerous requests from state and local government officials and public accounting firms regarding postponing the upcoming effective dates of pronouncements as these state and local government offices are closed and officials do not have access to the information needed to implement the Statements. Most notably this would include Statement No. 84, Fiduciary Activities, and Statement No. 87, Leases.

The Board plans to consider an Exposure Draft for issuance in April and finalize the guidance in May 2020.

ENDOWMENTS AND INVESTMENTS 
Q: What should I consider with regard to endowments?
A:

Many nonprofits with endowments are considering ways to balance an increased reliance on their investment portfolios with the responsibility to protect and preserve the spending power of donor-restricted gifts. Some things to think about include the existence (or absence) of true restrictions, spending variations under the Uniform Prudent Management of Institutional Funds Act (UPMIFA) applicable in your state, borrowing from an endowment, or requesting from the donor the release of restrictions. All need to be balanced with the intended duration and preservation of the endowment fund. Hemenway & Barnes shares their thoughts relative to the utilization of endowments during this time of need.

EMPLOYEE BENEFITS
Q: We are going to suspend our retirement plan match through June 30, 2020 and I picked a start date of April 1st. What we need help with is our bi-weekly payroll (which is for HOURLY employees). Their next pay date is April 3rd, for time worked through March 28th. Time worked March 29-31 would be paid on April 17th. How should we handle the match during this period for the hourly employees?
A:

The key for determining what to include for the matching calculation is when it is paid, not when it was earned. If the amendment is effective April 1st, then any amounts paid after April 1st would not have matching contributions calculated. This means that the amounts paid on April 3rd would not have any matching contributions calculated.

Q: Can you please provide guidance on the Families First Coronavirus Response Act (FFCRA) and how it may impact my organization?
A:

On March 30th, BerryDunn published a blog post to help answer your questions around the FFCRA.

If you have additional questions, please contact one of our Employee Benefit Plan professionals

ADDITIONAL CONSIDERATIONS
Q: I heard there was going to be an incentive for charitable giving in the new act. What's that all about?
A:

According to Sections 2204 and 2205 of the CARES Act:

  • Up to $300 of charitable contributions can be taken as a deduction in calculating adjusted gross income (AGI) for the 2020 tax year. This will provide a tax benefit even to those who do not itemize.
  • For the 2020 tax year, the tax cap has been lifted for:
    • Individuals-from 60% of AGI to 100%
    • Corporations-annual limit is raised from 10% to 25% (for food donations this is raised from 15% to 25%)
Q: Have you heard if the May 15th tax deadline will be extended?
A:

Unfortunately, we have not heard. As of April 6th, the deadline has not been extended.

Q: Could you please summarize for me the tax provisions in the CARES Act that you think are most applicable to not-for-profits?
A: Absolutely! Our not-for-profit tax professionals have compiled this document, which provides a high-level outline of tax provisions in the CARES Act that we believe would be of interest to our clients.

We are here to help
Please contact the BerryDunn not-for-profit team if you have any questions, or would like to discuss your specific situation.

Blog
COVID-19 FAQs—Not-for-Profit Edition

Read this if you are an IT Leader, CMO, CNO, CFO, or COO in a healthcare setting that may be looking at offering telehealth services.

Adopting telehealth technology is happening rapidly in response to social distancing and the strain that COVID-19 is putting on health systems. In response to this strain and with focus on "flattening the curve" by improving access amid a torrent of temporarily closed provider offices, some state and federal restrictions on telehealth have been lifted with the passage of the CARES Act.  

So, now, the question is not if your organization should implement telehealth services but how do you do it rapidly, effectively, holistically, and with an eye on wide-spread adoption?  

Telehealth is a bit more complex than other services, because it requires a patient to be able to use technology and follow through on provider advice―without physical discussion and interaction. Taking the time with your clinicians to increase their comfort using the technology can help put your patients at ease during this uncertain time while maintaining the clinician-patient relationship. Here are things to consider to become effective with telehealth programs:

  1. Identify purpose and goals. Do you want to expand access, support more patients, improve outcomes, support social distancing, or have further geographic reach? All of the above? 
  2. Choose an approach. Use existing technology within your EHR or use a third party solution.
  3. Test the solution. Check connectivity, devices (iPhone vs Android), and patient skill level.
  4. Camera placement is important. Making sure the patient can see the provider will be important for patients.
  5. Practice with a colleague and an open mind. Develop confidence and help foster patient trust. 
  6. Be adaptable to this being different. As this is new for all parties, showing patience and maintaining calm goes a long way to help ease patient worry.
  7. Consider and plan for the patient’s technical ability, or lack thereof. Be prepared to help troubleshoot minor technical barriers or utilize alternative processes without hampering the clinical encounter. 
  8. Look directly into the camera. Helps establish and maintain the patient-provider relationship. 
  9. Document in real time. Complete good notes, as the volume of telehealth visits and lack of physical proximity to the patient will make it more challenging to remember details later. 
  10. Develop “how to” content for your staff. This will help front line staff explain what the patient should expect before the visit and will outline clear follow up procedures, should there be any technical issues.

Once you have the more technical pieces planned, the keys to success will be testing technology and workflow and embracing the change. As we know, it doesn’t take much for a vulnerable patient to lose ground. Now is the time to expand your reach, lower costs, improve outcomes, improve relationships, show adaptability, sustain progress, and send healthcare directly into the home.

We are here to help
If you have any questions about your specific needs, please contact the healthcare consulting team.

Blog
How to effectively implement telehealth services

Editor's note: read this if you are a leader in higher education. 

The Department of Education’s Office of Postsecondary Education posted an Electronic Announcement on April 3, 2020, to provide an update to the policy and operational guidance issued in March as a result of the COVID-19 pandemic national emergency. 

In addition to extending the March 5, 2020 guidance to apply to payment periods or terms beginning between March 5, 2020 and June 1, 2020, the Department has confirmed the temporary closure will not result in loss of institutional eligibility or participation. A few other changes to note:

  • Leaves of absence due to COVID-19-related concerns or limitations (such as interruption of a travel-abroad program) can be requested after the date the leave has begun.
  • Updates to the academic calendar requirements will allow institutions to offer courses on a schedule that would otherwise cause the program to be considered a non-standard term if it allows students to complete the term.
  • Calculated expected family contribution amounts will exclude from income any grants or low-interest loans received by victims of an emergency from a federal or state entity as part of the needs analysis.

One trend that continues to permeate the Department’s guidance is for institutions to document, as contemporaneously as possible, actions taken as a result of COVID-19 (including professional judgment decisions, on a case-by-case basis). 

The Department will be issuing more guidance on the impact of the CARES Act on R2T4 calculations, satisfactory academic progress requirements, the extension of the single audit by the Office of Management and Budget, and the potential impact to future FISAP filings. We highly recommend you read the full announcement as it outlines a wide variety of important details. 

Questions? Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.


 

Blog
COVID-19: Department of Education operational guidance

Read this if you are a leader at a state Medicaid agency.

Here is a summary of information we have gleaned from the Center for Medicare and Medicaid Services (CMS) Administrator Verma’s recent call.

CMS is implementing new rules and waivers that increase provider flexibility and free up resources to deal with a surge in COVID-19 patients. CMS is working with the provider community to provide clarity around specific changes that impact their operations.

  • The rulemaking process has been dramatically expedited to accommodate recent and forthcoming regulatory changes
  • CMS is in the process of working out details to administer CARES Act provisions, including further regulatory flexibilities, expansion of accelerated payment program, and $100 billion appropriated to reimburse eligible health care providers
  • CMS clarifies that the 3-Day Rule Waiver for skilled nursing facilities applies throughout the country and to all patients, regardless of their COVID-19 status

Medicaid Substance Use Disorder Treatment via Telehealth, and Rural Health Care and Medicaid Telehealth Flexibilities Guidance

This informational bulletin is composed of two parts: Rural Health Care and Medicaid Telehealth Flexibilities and Medicaid Substance Use Disorder Treatment via Telehealth.

  • The informational bulletin identifies opportunities for telehealth delivery for services to increase access to Medicaid services. It is composed of two parts, Rural Health Care and Medicaid Telehealth Flexibilities and Medicaid Substance Use Disorder (SUD) Treatment Services Furnished via Telehealth
  • The bulletin provides SUD guidance around Medication Assisted Treatment (MAT), counseling, high risk populations, and other areas critical to providing SUD services.

Long-Term Care Nursing Homes Telehealth and Telemedicine Tool Kit

CMS is issuing an electronic toolkit regarding telehealth and telemedicine for Long Term Care Nursing Home Facilities.

  • The toolkit includes electronic links to sources of information regarding telehealth and telemedicine, including the changes made by CMS over the last week in response to the national health emergency.
  • Much of the toolkit’s information is intended for providers who may wish to establish a permanent telemedicine program, but there is information here that will help in the temporary deployment of a telemedicine program as well.
  • There are specific documents identified that may be useful in choosing telemedicine vendors, equipment, and software, initiating a telemedicine program, monitoring patients remotely, and developing documentation tools. 


CMS makes regulatory changes to help US healthcare system address COVID-19 patient surge

CMS has issued a number of temporary regulatory waivers and new rules to assist the nation’s healthcare system with improved flexibility.

  • Increased hospital capacity. CMS will allow communities to take advantage of local ambulatory surgery centers that have canceled elective surgeries, per federal recommendations.
  • Healthcare workforce expansion. CMS’s temporary requirements allow hospitals and healthcare systems to increase their workforce capacity by removing barriers for physicians, nurses, and other clinicians to be readily hired from the local community as well as those licensed from other states without violating Medicare rules.
  • Paperwork requirements. CMS is temporarily eliminating paperwork requirements.
  • Telehealth in Medicare. CMS will now allow for more than 80 additional services to be furnished via telehealth.

Additional COVID-19 FAQs for state Medicaid and Children's Health Insurance Program (CHIP) agencies

CMS released an update to the COVID-19 FAQs posted on March 18, 2020 related to emergency preparedness and response, eligibility and enrollment flexibilities, benefit flexibilities, cost sharing flexibilities, financial flexibilities, managed care flexibilities, fair hearing flexibilities, health information exchange flexibilities, and COVID-19 T-MSIS coding guidance. Notably:

  • States that have CHIP disaster provisions in their state plans can activate these provisions. CMS considers a significant outbreak of an infectious disease to be a disaster. CMS also recommends that states that do not have disaster relief provisions in their CHIP state plans include language that a federal- or governor-declared emergency is considered an event that can trigger the disaster provisions.

States may not suspend use of their AVS, however CMS reminds states that they can rely on self-attestation of assets and verify financial assets using their AVS post-enrollment in Medicaid.

  • CMS can help provide technical assistance regarding approaches states can use to rapidly scale telehealth technologies.
  • CMS clarified and provided COVID-19 T-MSIS coding guidance.

For more information

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
Takeaways from CMS national stakeholder call

Read this if you are a business owner, in management, or in HR at a company with less than 500 employees.

We have received many questions regarding the FFCRA and its provisions and how it affects different employers and their employees. Here are some of the questions our clients have asked the most. Please contact us if you have questions regarding your specific situation. We’re here to help.  

Besides compensation, what other costs paid by an employer are eligible for the credit (i.e., employer paid health insurance, employer payroll taxes)?
Employers can deduct the cost of providing continuing health care coverage, and the employer’s share of Medicare taxes related to the leave wages. Any compensation paid under the FFCRA is not subject to the employer’s portion of the Social Security tax.

How do you determine the total number of employees? 
In calculating the total number of employees, all full-time or part-time employees working within the US, including all US territories or possessions, are counted, including all employees on leave and temp employees who are jointly employed with another company as determined under the Fair Labor Standards Act (FLSA). 

How does a business know if it employs less than 500 employees and is subject to the FFCRA?
Generally, a private sector employer is subject to the Family and Medical Leave Act of 1993 (FMLA) if it employs 50 or more employees for each working day during each of 20 or more calendar workweeks in the current or preceding calendar year. The FAQs issued by the Department of Labor (DOL) indicate an employer has fewer than 500 employees if, at the time an employee’s leave is to be taken, there are fewer than 500 full-time and part-time employees within the United States, which includes any state of the United States, the District of Columbia, or any territory or possession of the United States. 

In making this determination, an employer should include employees on leave; temporary employees who are jointly employed by you and another employer (regardless of whether the jointly-employed employees are maintained on only your or another employer’s payroll); and day laborers supplied by a temporary agency (regardless of whether you are the temporary agency or the client firm if there is a continuing employment relationship). Workers who are independent contractors under the FLSA, rather than employees, are not considered employees for purposes of the 500-employee threshold.

Where a corporation has an ownership interest in another corporation, the two corporations are separate employers unless they are joint employers under the FLSA with respect to certain employees. In general, two or more entities are separate employers unless they meet the integrated employer test under the FMLA.

Please check with your advisors if you believe the integrated employer test may apply to your businesses.

Which employees are entitled to the $511 payment under sick leave?
For an employee who is unable to work because of the coronavirus quarantine or self-quarantine or has COVID-19 symptoms and is seeking a medical diagnosis, the employee may receive sick leave wages equal to the employee’s regular rate of pay, up to $511 per day and $5,111 in the aggregate, for a total of 10 days. Note that only employers who employ less than 500 employer are required to provide sick leave payments. Such employees may also receive a refundable tax credit for sick leave paid to employees.

Which employees are entitled to the $200 payment under sick leave?
For an employee who is caring for someone with COVID-19, or is caring for a child because the child’s school or child care facility is closed, or the child care provider is unavailable due to the coronavirus, the employee may receive sick leave wages equal to two-thirds of the employee’s regular rate of pay, up to $200 per day and $2,000 in the aggregate, for up to 10 days. Note that only employers who employ less than 500 employer are required to provide sick leave payments. Such employees may also receive a refundable tax credit for sick leave paid to employees.

Which employees are entitled to the $200 payment under the family leave portion of FFCRA?
For an employee who is unable to work because of a need to care for a child whose school or child care facility is closed or whose child care provider is unavailable due to the coronavirus, the employee may receive family leave wages equal to two-thirds of the employee’s regular rate of pay, capped at $200 per day or $10,000 in the aggregate. Up to 10 weeks of qualifying leave can be counted towards the child care leave credit. Note that only employers who employ less than 500 employer are required to provide sick leave payments. Such employees may also receive a refundable tax credit for sick leave paid to employees.

What is “regular rate of pay” for purposes of the FFCRA?
For purposes of the FFCRA, the regular rate of pay used to calculate paid leave is the average of the employee’s regular rate over a period of up to six months prior to the date on which leave is taken. If an employee has not worked for the current employer for six months, the regular rate used to calculate paid leave is the average regular rate of pay for each week the employee has worked for the current employer.

If an employee is paid with commissions, tips, or piece rates, these amounts will be incorporated into the above calculation to the same extent they are included in the calculation of the regular rate under the FLSA.

You can also compute this amount for each employee by adding all compensation that is part of the regular rate over the above period and divide that sum by all hours actually worked in the same period.

What is the effective date of the sick leave/family leave provisions?
Employers must comply with the FFCRA from April 1, 2020, until it expires on December 31, 2020. Paid leave prior to April1, 2020 will not count. The IRS recently issued guidance indicating the tax credits for qualified sick leave wages and qualified family leave wages required to be paid by the FFRCA will apply to wages paid for the period beginning on April 1, 2020, and ending on December 31, 2020.

Who is considered a “health care provider”?
For the purposes of employees who may be exempted from paid sick leave or expanded family and medical leave by their employer under the FFCRA, a health care provider is anyone employed at any doctor’s office, hospital, health care center, clinic, post-secondary educational institution offering health care instruction, medical school, local health department or agency, nursing facility, retirement facility, nursing home, home health care provider, any facility that performs laboratory or medical testing, pharmacy, or any similar institution, employer, or entity. This includes any permanent or temporary institution, facility, location, or site where medical services are provided that are similar to such institutions. 

This definition includes any individual employed by an entity that contracts with any of the above institutions, employers, or entities institutions to provide services or to maintain the operation of the facility. This also includes anyone employed by any entity that provides medical services, produces medical products, or is otherwise involved in the making of COVID-19 related medical equipment, tests, drugs, vaccines, diagnostic vehicles, or treatments. This also includes any individual that the highest official of a state or territory, including the District of Columbia, determines is a health care provider necessary for that state’s or territory’s or the District of Columbia’s response to COVID-19.

To minimize the spread of the virus associated with COVID-19, the DOL encourages employers to be judicious when using this definition to exempt health care providers from the provisions of the FFCRA.

For more information
If you have more questions, or have a specific question about your particular situation, please call us. We’re here to help. 

Blog
Families First Coronavirus Response Act (FFCRA): FAQs for businesses

Per CMS, all state Medicaid agencies, including territories, are eligible for the increased Federal Medical Assistance Percentage (FMAP), provided they adhere to the conditions outlined in the Families First Coronavirus Response Act (FFCRA). 

Key takeaways:

  • The increase in FMAP will be retroactive to January 1, 2020 and will be available to state Medicaid agencies through the end of the quarter in which the public health emergency for COVID-19 ends.
  • This guidance answers some of the following questions for states, including:
    • How long the funding will be available and when it begins
    • What costs are matchable under the enhanced funding 
    • The specific conditions under which states are eligible to claim the funds 
    • What documentation and processes will be needed in order to gain full access to funding

Trump administration releases COVID-19 checklists and tools to accelerate relief for state Medicaid & CHIP programs

In order to assist states as part of the COVID-19 outbreak, the Trump administration has released a number of tools and checklists that constitute a federal authority toolkit to support states in applying for and receiving federal waivers and other key flexibilities for their program. 

Key takeaways:
The tools released today include:

CMS issues FAQs on catastrophic health coverage and the coronavirus

A catastrophic health plan may not provide coverage of an essential health benefit prior to an enrollee meeting the deductible for that plan. In order to clarify treatment and coverage of COVID-19 for catastrophic health plans CMS has issued Frequently Asked Questions (FAQs).

Key takeaways:

  • Catastrophic plans currently include coverage for the diagnosis and treatment of COVID-19 as they must cover the essential health benefits (EHB) as required by the Patient Protection and Affordable Care Act (PPACA).
  • Issuers of catastrophic plans will be able to provide coverage for the diagnosis and treatment of COVID-19 for enrollees who have not yet met their deductible without CMS taking enforcing action.
  • The FAQ document encourages states to take an enforcement approach and CMS does not “consider a state to have failed to substantially enforce section 1302(e) of the PPACA if it takes such an approach.”

Relief for clinicians, providers, hospitals, and facilities participating in quality reporting programs in response to COVID-19

CMS is granting exceptions from reporting requirements and extensions for clinicians and providers participating in Medicare quality reporting programs.  

Key takeaways:

  • The exceptions include pending dates for measure reporting and data submission for related programs. 
  • For data submission deadlines in April and May of 2020, submission of those data will be optional, based on the facility’s choice to report.
  • 2019 data submission
    • Deadline extended from March 31, 2020 to April 30, 2020.
    • Deadlines for October 1, 2019 - December 31, 2019 (Q4) 
    • Data submission is optional for inpatient rehabilitation and hospital-acquired conditions.

CMS releases telehealth toolkits for general practitioners and End-Stage Renal Disease (ESRD) providers

CMS has released two toolkits on telehealth which follow the broadened access to Medicare telehealth services under the 1135 waiver authority and Coronavirus Preparedness and Response Supplemental Appropriations Act.

Key takeaways:

  • The toolkit consists of electronic links to sources of information pursuant to telehealth and telemedicine. 
  • Generally directed towards providers, particularly ones who may be considering a permanent telemedicine program.
  • CMS notes that most of the resources were established prior to the current COVID-19 crisis. As a result, there are likely references to rules and regulations whose requirements may have been waived for the duration of the outbreak.

Toolkits:

For more information

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
New guidance regarding enhanced Medicaid funding for states

Here is a summary of information we have gleaned from recent CMS updates and guidance. 

COVID-19 stakeholder call - March 16 

CMS held a National Stakeholder Call on March 16, 2020 to update the healthcare community on the rapidly evolving COVID-19 situation, which was declared a national emergency by President Trump on March 13, 2020.

Key takeaways:

  • Administrator Verma reaffirmed the goal of reducing administrative barriers in the way of healthcare workers and agencies and to support them as best CMS is able.
  • Acknowledging that there were questions on testing, Administrator Verma outlined that there will be a ramp-up in testing in conjunction with state and local governments. 
  • CMS is relaxing clinician enrollment requirements for Medicare and making the same option available to states in their Medicaid programs.
  • The administration has been clear that it wants agencies to focus on infection control efforts. CMS is designing a streamlined template to evaluate infection control.
  • CMS sends guidance to Programs of All-Inclusive Care for the Elderly (PACE) Organizations.

On March 17, 2020, CMS issued guidance to all Programs of All-Inclusive Care for the Elderly (PACE) Organizations (POs) on accepted policies and standard procedures with respect to infection control.

Key takeaways:

  • POs will need to create, apply, and sustain a documented infection control plan that involves procedures to recognize, examine, regulate, and avert infections in PACE centers
  • POs will need to work to prevent infections within each participant’s place of residence, as well as implement procedures to record and develop corrective actions related to incidents of infection.
  • CMS provides guidance that recognizes POs may need to undertake strategies that do not traditionally comply with CMS PACE program requirements in order to provide benefits while guarding from COVID-19. Some examples of this may include telehealth services.
  • President Trump expands telehealth benefits for Medicare beneficiaries during COVID-19 outbreak.

CMS is expanding Medicare’s telehealth benefits under the 1135 waiver authority and the Coronavirus Preparedness and Response Supplemental Appropriations Act.

Key takeaways:

  • Under the new 1135 waiver, Medicare can pay for office, hospital, and other visits provided via telehealth across the country and including in patient’s place of residence starting March 6, 2020. 
  • Medicare telehealth visits: These visits are considered the same as in-person visits and are paid at the same rate as regular, in-person visits.
  • Virtual check-ins: Virtual check-in services can only be reported when the billing practice has an established relationship with the member.  
  • E-visits: Such services can only be reported when the billing practice has an established relationship with the patient.  

CMS coronavirus partner virtual toolkit

CMS has released a virtual toolkit to help stakeholders stay up-to-date on CMS materials available on COVID-19. Here is specific guidance from the toolkit designed for states and health plans:

CMS approves first state request for 1135 Medicaid waiver in Florida and Washington

The 1135 waiver allows Florida and Washington to modify certain Medicaid program requirements, policies, operational procedures, and deadlines applicable to each state’s administration of its Medicaid program during the period of the national state of emergency to prevent further transmission of COVID-19. 

Key takeaways from Florida’s waiver

  • Provider participation flexibilities for Medicaid and CHIP Waiver of Service Prior Authorization (PA) Requirements for fee-for-service delivery systems
  • Waiver for Pre-Admission Screening and Annual Resident Review (PASRR) Level II Level II Assessments for 30 Days
  • Waiver to allow evacuating facilities to provide services in alternative settings, such as a temporary shelter when a provider’s facility is inaccessible
  • Waiver to temporarily delay scheduling for state fair hearing requests and appeal deadlines (NOTE: CMS was unable to waive all of Florida’s requested authorities in this area)

If you have questions or would like more information, we are here to help. Please contact us

Blog
CMS update for the healthcare community: Our takeaways

In early March 2020, the US Department of Education (ED) issued a Dear Colleague Letter, “Guidance for interruptions of study related to Coronavirus (COVID-19),” posting a subsequent update March 20 to include the document “Frequently Asked Questions Related to COVID-19.” The information below has been excerpted directly from the letter and compiled with the needs of our higher education clients in mind.

This electronic announcement addresses concerns regarding how higher education leaders should comply with Title IV, Higher Education Act (HEA) policies for students whose activities are impacted by the coronavirus and COVID-19:

  • Either directly because the student is ill or quarantined, or 
  • Indirectly because the student was recalled from travel-abroad experiences, can no longer participate in internships or clinical rotations, or attends a campus that has temporarily suspended operations.

This information provides some flexibility for schools working to help students complete the term in which they are currently enrolled. Some of the most important changes to note:

  • Federal Work Study (FWS)
    For students enrolled and performing FWS at a campus that must close due to COVID-19, or for a FWS student who works for an employer that closes as a result of COVID-19, the institution may continue paying the student federal work-study wages during that closure if it occurred after the beginning of the term, the institution is continuing to pay its other employees (including faculty and staff), and the institution continues to meet its institutional wage share requirement.
  • Length of academic year
    If at any point an institution determines it will close as the result of a campus health emergency, it may contact the school participation team to request a temporary reduction in the length of its academic year.
  • Professional judgement
    Financial aid administrators (FAA) have statutory authority to use professional judgement to make adjustments on a case-by-case basis to the cost of attendance or to the data elements used in calculating the EFC to reflect a student’s special circumstances. The use of professional judgement where students and/or their families have been affected by COVID-19 is permitted, such as in the case where an employer closes for a period of time as a result of COVID-19. 
  • Reentering the same payment period
    If an institution that has closed subsequently re-opens during the same payment period or period of enrollment, and permits students to continue coursework that they were taking at the time of the closure, students that return to class at that time are considered to have reentered the same period and retain eligibility for Title IV aid that they were otherwise eligible to receive before the closure.

We highly recommend you read the full letter, as it outlines additional important details and includes recently added FAQ documents.

Questions? Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

For further reading
Guidance for interruptions of study related to Coronavirus (COVID-19) 
FAQs
COVID-19 ("Coronavirus") Information and Resources for Schools and School Personnel
 

Blog
Guidance from the US Department of Education Dear Colleague Letter

The President signed The Families First Coronavirus Response Act (hereinafter the “Act”) into law on March 18th and the provisions are effective April 2nd. You can read the congressional summary here. There are two provisions of the Act that deal with paid leave provisions for employees. Here are some highlights for employers.

The provisions of the Act are only required for employers with fewer than 500 employees. Employers with over 499 employees are not required to provide the sick/family leave contained in the Act, but could voluntarily elect to follow the new rules. The expectation is that employers with over 499 employees are providing some level of sick/family leave benefits already. In any case, employers with over 499 employees are not eligible for the tax credits. 

Employers with fewer than 500 employees are required to provide employees with up to 80 hours of paid sick leave over a two-week period if the employee:

  • Self-isolates because of a diagnosis with COVID-19, or to comply with a recommendation or order to quarantine;
  • Obtains a medical diagnosis or care if the employee is experiencing COVID-19 symptoms;
  • Needs to care for a family member who is self-isolating due to a COVID-19 diagnosis or quarantining due to COVID-19 symptoms; or
  • Is caring for a child whose school has closed, or childcare provider is unavailable, due to COVID-19.

These rules apply to all employees regardless of the length of time they have worked for the employer. The 80-hours would be pro-rated for those employees who do not normally work a 40-hour week. 

Employees who take leave because they themselves are sick (i.e., the first two bullets above) can receive up to $511 per day, with an aggregate limit of $5,110. If, on the other hand, an employee takes leave to care for a child or other family member (i.e., the last two bullets above), the employee will be paid two-thirds (2/3) of their regular weekly wages up to a maximum of $200 per day, with an aggregate limit of $2,000.

Days when an individual receives pay from their employer (regular wages, sick pay, or other paid time off) or unemployment compensation do not count as leave days for the purposes of this benefit.

Family and Medical Leave Act

Employees who have been employed for at least 30-days also have the right to take up to 12 weeks of job-protected leave under the Family and Medical Leave Act (FMLA). The Act requires that 10 of these 12 weeks (i.e., after the sick leave discussed above is taken) be paid at a rate of no less than two-thirds of the employee’s usual rate of pay. Any leave taken under this portion of the ACT will be limited to $200 per day with an aggregate limit of $10,000.

Exemptions

The Secretary of Labor has the authority to issue regulations exempting: (1) certain healthcare providers and emergency responders from taking leave under the Act; and (2) small businesses with fewer than 50 employees from the requirements of the Act if it would jeopardize the viability of the business.

Expiration

The provisions of the Act are set to expire on December 31, 2020, and unused time will not carry over from one year to the next.

Tax credits 

The Act provides for refundable tax credits to help an employer cover the costs associated with providing paid emergency sick leave or paid FMLA. The tax credits work as follows:

  • A refundable tax credit for employers equal to 100 percent of qualified family leave wages paid under the Act.
  • A refundable tax credit for employers equal to 100 percent of qualified paid sick leave wages paid under the Act. 
  • The tax credits are taken on Form 941 – Employer’s Quarterly Federal Income Tax Return filed for the calendar quarter when the leave is taken and reduce the employer’s portion of the Social Security taxes due. If the credit exceeds the employer’s total liability for Social Security taxes for all employees for any calendar quarter, the excess credit is refundable to the employer.

For more information

We are here to help. Please contact our benefit plan consultants if you have any questions or would like to discuss your specific situation. 

Blog
Highlights of the recently passed paid sick and family leave act: What you need to know

Editor’s note: Please read this if you are a not-for-profit board member, CFO, or any other decision maker within a not-for-profit.

In a time where not-for-profit (NFP) organizations struggle with limited resources and a small back office, it is important not to overlook internal audit procedures. Over the years, internal audit departments have been one of the first to be cut when budgets are tight. However, limited resources make these procedures all the more important in safeguarding the organization’s assets. Taking the time to perform strategic internal audit procedures can identify fraud, promote ethical behavior, help to monitor compliance, and identify inefficiencies. All of these lead to a more sustainable, ethical, and efficient organization. 

Internal audit approaches

The internal audit function can take on many different forms, depending on the size of the organization. There are options between the dedicated internal audit department and doing nothing whatsoever. For example:

  • A hybrid approach, where specific procedures are performed by an internal team, with other procedures outsourced. 
  • An ad hoc approach, where the board or management directs the work of a staff member.

The hybrid approach will allow the organization to hire specialists for more technical tasks, such as an in-depth financial analysis or IT risk assessment. It also recognizes internal staff may be best suited to handle certain internal audit functions within their scope of work or breadth of knowledge. This may add costs but allows you to perform these functions otherwise outside of your capacity without adding significant burden to staff. 

The ad hoc approach allows you to begin the work of internal audit, even on a small scale, without the startup time required in outsourcing the work. This approach utilizes internal staff for all functions directed by the board or management. This leads to the ad-hoc approach being more budget friendly as external consultants don’t need to be hired, though you will have to be wary of over burdening your staff.

With proper objectivity and oversight, you can perform these functions internally. To bring the process to your organization, first find a champion for the project (CFO, controller, compliance officer, etc.) to free up staff time and resources in order to perform these tasks and to see the work through to the end. Other steps to take include:

  1. Get the audit/finance committee on board to help communicate the value of the internal audit and review results of the work
  2. Identify specific times of year when these processes are less intrusive and won’t tax staff 
  3. Get involved in the risk management process to help identify where internal audit can best address the most significant risks at the organization
  4. Leverage others who have had success with these processes to improve process and implementation
  5. Create a timeline and maintain accountability for reporting and follow up of corrective actions

Once you have taken these steps, the next thing to look at (for your internal audit process) is a thoughtful and thorough risk assessment. This is key, as the risk assessment will help guide and focus the internal audit work of the organization in regard to what functions to prioritize. Even a targeted risk assessment can help, and an organization of any size can walk through a few transaction cycles (gift receipts or payroll, for example) and identify a step or two in the process that can be strengthened to prevent fraud, waste, and abuse.  

Here are a few examples of internal audit projects we have helped clients with:

  • Payroll analysis—in-depth process mapping of the payroll cycle to identify areas for improvement
  • Health and education facilities performance audit—analysis of various program policies and procedures to optimize for compliance
  • Agreed upon procedures engagement—contract and invoice/timesheet information review to ensure proper contractor selection and compliant billing and invoicing procedures 

Internal audits for companies of all sizes

Regardless of size, your organization can benefit from internal audit functions. Embracing internal audit will help increase organizational resilience and the ability to adapt to change, whether your organization performs internal audit functions internally, outsources them, or a combination of the two. For more information about how your company can benefit from an internal audit, or if you have questions, contact us

Blog
Internal audit potential for not-for-profit organizations

Editor's note: read this if you are a CFO, controller, accountant, or business manager.

We auditors can be annoying, especially when we send multiple follow-up emails after being in the field for consecutive days. Over the years, we have worked with our clients to create best practices you can use to prepare for our arrival on site for year-end work. Time and time again these have proven to reduce follow-up requests and can help you and your organization get back to your day-to-day operations quickly. 

  1. Reconcile early and often to save time.
    Performing reconciliations to the general ledger for an entire year's worth of activity is a very time consuming process. Reconciling accounts on a monthly or quarterly basis will help identify potential variances or issues that need to be investigated; these potential variances and issues could be an underlying problem within the general ledger or control system that, if not addressed early, will require more time and resources at year-end. Accounts with significant activity (cash, accounts receivable, investments, fixed assets, accounts payable and accrued expenses and debt), should be reconciled on a monthly basis. Accounts with less activity (prepaids, other assets, accrued expenses, other liabilities and equity) can be reconciled on a different schedule.
  2. Scan the trial balance to avoid surprises.
    As auditors, one of the first procedures we perform is to scan the trial balance for year-over-year anomalies. This allows us to identify any significant irregularities that require immediate follow up. Does the year-over-year change make sense? Should this account be a debit balance or a credit balance? Are there any accounts with exactly the same balance as the prior year and should they have the same balance? By performing this task and answering these questions prior to year-end fieldwork, you will be able to reduce our follow up by providing explanations ahead of time or by making correcting entries in advance, if necessary. 
  3. Provide support to be proactive.
    On an annual basis, your organization may go through changes that will require you to provide us documented contractual support.  Such events may include new or a refinancing of debt, large fixed asset additions, new construction, renovations, or changes in ownership structure.  Gathering and providing the documentation for these events prior to fieldwork will help reduce auditor inquiries and will allow us to gain an understanding of the details of the transaction in advance of performing substantive audit procedures. 
  4. Utilize the schedule request to stay organized.
    Each member of your team should have a clear understanding of their role in preparing for year-end. Creating columns on the schedule request for responsibility, completion date and reviewer assigned will help maintain organization and help ensure all items are addressed and available prior to arrival of the audit team. 
  5. Be available to maximize efficiency. 
    It is important for key members of the team to be available during the scheduled time of the engagement.  Minimizing commitments outside of the audit engagement during on site fieldwork and having all year-end schedules prepared prior to our arrival will allow us to work more efficiently and effectively and help reduce follow up after fieldwork has been completed. 

Careful consideration and performance of these tasks will help your organization better prepare for the year-end audit engagement, reduce lingering auditor inquiries, and ultimately reduce the time your internal resources spend on the annual audit process. See you soon. 

Blog
Save time and effort—our list of tips to prepare for year-end reporting

Editor’s note: read this if you work for, or are affiliated with, a charitable organization that receives donations. Even the most mature nonprofit organizations may miss one of these filings once in a while. Some items (e.g., the donor acknowledgement letter) may feel commonplace, but a refresher—especially at a particularly busy time of the year as it pertains to giving—can fend off fines.

As the holiday season is now in full swing, the season of giving is also upon us. Perhaps not surprisingly, the month of December is by far the most charitable month of the year, accounting for almost one-third of all charitable gifts made annually. And with all that giving comes the requirement of charitable organizations to provide donor acknowledgements, a formal “thank you” of the gift being received. Different gifts require differing levels of acknowledgement, and in some cases an additional IRS form (or two) may need to be filed. Doing some work now may save you time (and a fine or two) later. 

While children are currently busy making lists for Santa Claus, in the spirit of giving we present to you our list of donor acknowledgement requirements―and best practices―to help you gain control of this issue for the holiday season and beyond.

Donor acknowledgement letters

Charitable (i.e., 501(c)(3)) organizations are required to provide a donor acknowledgement letter to each donor contributing $250 or more to the organization, whether it be cash or non-cash items (i.e., publicly traded securities, real estate, artwork, vehicles, etc.) received. The letter should include the following: 

  1. Name of the organization
  2. Amount of cash contribution
  3. Description of non-cash items (but not the value) 
  4. Statement that no goods and services were provided (assuming this is the case)
  5. Description and good faith estimate of the value of goods and services provided by the organization in return for the contribution, if any
  6. Statement that goods or services provided by the organization in return for the contribution consisted entirely of intangible religious benefit, if any

It is not necessary to include either the donor’s social security number or tax identification number on the written acknowledgment and as a best practice should not be included in the letter.

In addition to including the elements above, the written acknowledgement is also required to be contemporaneous, that is, sent out in a timely fashion. According to the IRS, a donor must receive the acknowledgment by the earlier of:

  • The date on which the donor actually files his or her individual federal income tax return for the year of the contribution
  • The due date (including extensions) of the return in order to be considered contemporaneous

Quid pro quo disclosure statements

When a donor makes a payment greater than $75 to a charitable organization partly as a contribution and partly as a payment for goods and services, a disclosure statement is required to notify the donor of the value of the goods and services received in order for the donor to determine the charitable contribution component of their payment.

An example of this would be if the organization sold tickets to its annual fundraising dinner event. Assume the ticket costs $100 and at the event the ticketholder receives a dinner valued at $40. In this example, the donor’s tax deduction may not exceed $60. Because the donor’s payment (quid pro quo contribution) exceeds $75, the charitable organization must furnish a disclosure statement to the donor, even though the deductible amount doesn’t exceed $75.

It’s important to note that there are some exclusions to these requirements if the value received is considered to be de minimis (known as the Token Exception), but the value received needs to be relatively small (ex: receiving a coffee mug with a picture of the organization’s logo on it). Please consult your tax advisor for more details.

If the organization does not issue disclosure statements, the IRS can issue penalties of $10 per contribution, not to exceed $5,000 per fundraising event or mailing. An organization may be able to avoid the penalty if reasonable cause can be demonstrated.

Receiving or selling donated noncash property? Forms 8283 & 8282 may be required.

If a charitable organization receives noncash donations, it may be asked to sign Form 8283. This form is required to be filed by the donor and included with their personal income tax return. If a donor contributes noncash property (excluding publicly traded securities) valued at over $5,000, the organization will need to sign Form 8283, Section B, Part IV acknowledging receipt of the noncash item(s) received.

By signing Form 8283, the donee organization is not only acknowledging receipt, but is also affirming that if the property being received is sold, exchanged, or otherwise disposed of within three years of the original donation date, the organization will be required to file Form 8282. A copy of this form is filed with the IRS and must also be provided to the original donor. Form 8282 is not required for sales of donated publicly traded securities. The penalty for failure to file Form 8282 when required is generally $50 per form.

Cars, boats, and yes, even airplanes? That would be Form 1098-C.

An airplane? Yes, even an airplane can be donated, and the donee organization must file a separate Form 1098-C, Contributions of Motor Vehicles, Boats, and Airplanes, with the IRS for each contribution of a qualified vehicle that has a claimed value of more than $500. Contemporaneous written acknowledgement requirements apply here too, and Form 1098-C can act as acknowledgement for this purpose. An acknowledgment is considered contemporaneous if it is furnished to the donor no later than 30 days after the date of the contribution if you plan to use the item for a mission-related purpose, or 30 days after the date of the sale of the item to an unrelated third party.

Penalties for failure to provide contemporaneous written acknowledgement for qualified vehicles can be pretty stiff, generally calculated as a percentage of the sale price if sold, or a percentage of the claimed value if not sold. Should you have any questions or receive a request regarding any of the forms noted above, please consult your tax advisor.

As you can see, the rules around donor acknowledgements can seem a lot like Grandma’s fruitcake―complex and perhaps a bit on the nutty side. When issuing donor acknowledgements this holiday season and beyond, be sure to review the list above and check it twice. Doing so may end up keeping you off of the IRS’s naughty list!

Blog
Donor acknowledgements: We have to file what?

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on a State Medicaid Enterprise System (MES) certification effort.

On October 24, 2019, the Centers for Medicaid and Medicare Services (CMS) published the Outcomes-Based Certification (OBC) guidance for the Electronic Visit Verification (EVV) module. Now, CMS is looking to bring the OBC process to the rest of the Medicaid Enterprise. 

The shift from a technical-focused certification to a business outcome-focused approach presents a unique opportunity for states as they begin re-procuring—and certifying—their Medicaid Enterprise Systems (MES).

Once you have defined the scope of your MES project—and know you need to undertake CMS certification—you need to ask “what’s next?” OBC can be a more efficient certification process to secure Federal Financial Participation (FFP).

What does OBC certification entail?

Rethinking certification in terms of business outcomes will require agencies to engage business and operations units at the earliest possible point of the project development process to define the program goals and define what a successful implementation is. One way to achieve this is to consider MES projects in three steps. 

Three steps to OBC evaluation

Step 1: Define outcomes

The first step in OBC planning seems easy enough: define outcomes. But what is an outcome? To answer that, it’s important to understand what an outcome isn’t. An outcome isn’t an activity. Instead, an outcome is the result of the activity. For example, the activity could be procuring an EVV solution. In this instance, an outcome could be that the state has increased the ability to detect fraud, waste, and abuse through increased visibility into the EVV solution.

Step 2: Determine measurements

The second step in the OBC process is to determine what to measure and how exactly you will measure it. Deciding what metrics will accurately capture progress toward the new outcomes may be intuitive and therefore easy to define. For example, a measure might simply be that each visit is captured within the EVV solution.

Increasing the ability to detect fraud, waste, and abuse could simply be measured by the number of cases referred to a Medicaid fraud unit or dollars recovered. However, you may not be able to easily measure that in the short-term. Instead, you may need to determine its measurement in terms of an intermediate goal, like increasing the number of claims checked against new data as a result of the new EVV solution. By increasing the number of checked claims, states can ensure that claims are not being paid for unverified visits. 

Step 3: Frequency and reporting

Finally, the state will need to determine how often to report to measure success. States will need to consider the nuances of their own Medicaid programs and how those nuances fit into CMS’ expectations, including what data is available at what intervals.

OBC represents a fundamental change to the certification process, but it’s important to highlight that OBC isn’t completely unfamiliar territory. There is likely to be some carry-over from the certification process as described in the Medicaid Enterprise Certification Toolkit (MECT) version 2.3. The current Medicaid Enterprise Certification (MEC) checklists serve as the foundation for a more abbreviated set of criteria. New evaluation criteria will look and feel like the criteria of old but are likely to be a fraction of the 741 criteria present in the MECT version 2.3.

OBC offers several benefits to states as you navigate federal certification requirements:

  1. You will experience a reduction in the amount of time, effort, and resources necessary to undertake the certification process. 
  2. OBC refocuses procurement in terms of enhancements to the program, not in new functions. Consequently, states will also be able to demonstrate the benefits that each module brings to the program which can be integral to stakeholder support of each module. 
  3. Early adoption of the OBC process can allow you to play a more proactive role in certification efforts.

Continue to check back for a series of our project case studies. Additionally, if you are considering an OBC effort and have questions, please contact our team. You can read the OBC guidance on the CMS website here
 

Blog
Three steps to outcomes-based certification

Editor's note: Read this if you are a CTO, CIO, or administrator at a college or university. This is the first blog in a series on business lessons and best practices from American literature. For this series, interviewees select from a list of American literary quotes through which to view, and discuss, their focus or industry. The goal? To generate some novel insight.

The interviewees: David Houle and Joseph Traino, consultants at BerryDunn
The focus: Higher education
The quote: “Our inventions are wont to be pretty toys . . . They are but improved means to an unimproved end.”  -- Henry David Thoreau, Walden; or, Life in the Woods

Thoreau wrote this shortly after the Industrial Revolution. How does its cynicism apply to higher education during the Digital Revolution?

David Houle (DH): It speaks to my basic philosophy about applying technology to the needs of higher education clients. I’m not a “technology for the sake of technology” cheerleader. 

Joseph Traino (JT): People often believe that applying new technology to a business problem is going to solve the business problem. That rarely happens. For example, most higher education clients have a student information system. These clients often feel that, in order to resolve certain issues, they should update the system software, whereas the issues are often resolved by updating business practices to be more efficient and effective. 

DH: Right. We are often brought in to identify needed technology changes but end up stressing practices, processes, and people. If staff can’t correctly use a new technology, then the technology will not provide a real, valuable service.

When implementing a new technology, what’s the #1 thing that a higher education institution can do to prevent or avoid “an unimproved end”?

JT: Fully understand the technology’s impact on stakeholders, such as students, faculty, and staff, and answer the “why?”

DH: Keep people in mind and gain their buy-in when making technology decisions.

What technology, or technology-related change, is going to have the biggest effect on higher education over the next five years?

DH: Clients love to ask us this question (laughs). And if I truly knew the answer, I’d be on some Caribbean island right now, filthy rich and sipping a piña colada. That said, I think the technology demands of the new workforce are going to have the biggest effect. To paraphrase the new workforce: “I don’t want to stare at a green screen. And what in the world is DOS?” Conversely, the personnel who used to support these homegrown, in-house “green screen” products want to retire and leave the workforce. 

JT: I agree that the demands of the new workforce will continue to affect higher education and steer institutions away from term-based courses and programs and toward more flexible, student-centric courses and programs. From a technology standpoint, I think AI and bots are going to replace many of the manual processes that we still see today in higher education. These new technologies will create greater efficiencies—but also possibly reduce jobs—at institutions.

DH: Higher education leaders with vision have already grasped this idea of cutting administrative costs wherever possible, because those costs are not what place students in seats—or in front of screens. On the flip side, advising is currently an underserved area in higher education. So there is an opportunity for leaders to reallocate administrative resources to fulfill advising roles and to help students—such as at-risk and first-generation students—not just in the classroom, but through their learning journey.

Circling back to the Thoreau quote, I’m sure many higher education staff fear technology will lead to “unimproved ends” for their careers. How do you navigate those fears when working with clients? 

JT: It’s certainly a challenge. We currently face some of those fears when working with IT departments—more services are being moved to the cloud, and there is less of a need for on-site database administrators and system administrators, as an example. Alluding to what Dave said about advising, I think many higher education jobs can be shifted to provide interactive high-tech, high-touch services to students.

DH: And to be blunt, some people don’t want to shift, don’t want to change. The people part is the most challenging part of technology adoption. 

In this discussion about technology, we keep returning to people—and the people side of change. Are higher education clients typically responsive to the concept of change management?

JT: There’s typically some reticence, and a lack of understanding about the value of change management. In most cases, change management requires an investment beyond the technology investment. But change management is key to success. 

DH: Reticence is a good word. Yet I do think that views about change management are changing rapidly. Higher education leaders who have been through a significant system or process change now seem to understand the value of change management and know that change management is a necessity, not a luxury. 

In the end, are you confident that new technology is going to benefit students and their educational goals? 

DH: I’m unsure if technology improves the quality of education. However, I am sure that technology increases the options for the delivery of education. And greater flexibility in education delivery is certainly beneficial, especially because the traditional student is now non-traditional. Ongoing and 24/7 access demands in education are here to stay.

JT: I agree with Dave wholeheartedly. I think technology will help improve the means to the end, but I’m not sure if technology is going to improve the end. Technology is just one part of the education equation. 
 

Blog
Technology ≠ Education

Editor's note: read this blog if you are a state liquor administrator or at the C-level in state government. 

Surprisingly, the keynote address to this year’s annual meeting of the National Alcohol Beverage Control Association (NABCA) featured few comments on, well, alcohol. 

Why? Because cannabis is now the hot topic in state government, as consumers await its legalization. While the thought of selling cannabis may seem foreign to some state administrators, many liquor agencies are―and should be―watching. The fact is, state liquor agencies are already equipped with expertise and the technology infrastructure needed to lawfully sell a controlled substance. This puts them in a unique position to benefit from the industry’s continued growth. Common technology includes enterprise resource planning (ERP) and point-of-sale (POS) systems.

ERP

State liquor agencies typically use an ERP system to integrate core business functions, including finance, human resources, and supply chain management. Whether the system is handling bottles of wine, cases of spirits, or bags of cannabis, it is capable of achieving the same business goals. 

The existing checks and balances on controlled substances like alcohol in their current ERP system translate well to cannabis products. This leads to an important point: state governments do not need to procure a new IT system solely for regulating cannabis.

By leveraging existing ERP systems, state liquor agencies can sidestep much of the time, effort, and expense of selecting, procuring, and implementing a new system solely for cannabis sales and management. In control states, where the state has exclusively control of alcohol sales, liquor agencies are often involved in every stage of product lifecycle, from procurement to distribution to retailing.

With a few modifications, the spectrum of business functions that control states require for liquor—procuring new product, communicating with vendors and brokers, tracking inventory, and analyzing sales—can work just as well for cannabis.

POS

POS systems are necessary for most retail stores. If a state liquor agency decides to sell cannabis products in stores, they can use a POS system to integrate with the agency’s ERP system, though store personnel may require training to help ensure compliance with related regulations.

Cannabis is cash only (for now)

There is one major difference in conducting liquor versus cannabis sales at any level: currently states conduct all cannabis sales in cash. With cannabis illegal on the federal level, major banks have opted to decline any deposit of funds earned from cannabis-related sales. While some community banks are conducting cannabis-related banking, many retailers selling recreational cannabis in places like Colorado and California still deal in cash. While risky and not without challenges, these transactions are possible and less onerous to federal regulators. 

Taxes 

As markets develop, monthly tax revenue collections from cannabis continue to grow. Colorado and California have found cannabis-related tax revenue a powerful tool in hedging against uncertainty in year-over-year cash flows. Similar to beer sold wholesale, which liquor agencies tax even in control states, cannabis can be taxed at multiple levels depending on the state’s business model.

E-commerce

Even with liquor, few state agencies have adopted direct-to-consumer online sales. However, as other industries continue shifting toward e-commerce and away from brick and mortar retailing, private sector competition will likely feed increased consumer demand for online sales. Similar to ERP and POS systems, states can increase revenue by selling cannabis through e-commerce sales channels. In today’s online retail world, many prefer to buy products from their computer or smart phone instead of shopping in stores. State agencies should consider selling cannabis via the web to maximize this revenue opportunity. 

Applying expertise in the systems and processes of alcoholic beverage control can translate into the sale and regulation of cannabis, easing the transition states face to this burgeoning industry. If your agency is considering bringing in cannabis under management, you should consider strategic planning sessions and even begin a change management approach to ensure your agency adapts successfully. 

Blog
Considering cannabis: How state liquor agencies can manage the growing industry

This spring, I published a blog about the importance of data governance in higher education institutions. In the summer, a second blog covered implementing baseline principles for data governance. With fall upon us, it is time to transition to discussing three critical steps to create a data governance culture. 

1.    Understand the people side of change.

The culture of any organization begins and ends with its people. As you know, people are notoriously finicky when it comes to change (especially change like data governance initiatives that may alter the way we have to understand or interact with institutional data). I recommend that any higher education institution apply a change management methodology (e.g., Prosci®, Lewin’s Change Management Model) in order to gauge the awareness of, the desire for, and the practical realities of this change. If you apply your chosen methodology in an effective and consistent manner, change management will help you increase buy-in and break down resistance. 

2.    Identify and empower the right people for the right roles.

Higher education institutions often focus on data governance processes and technologies. While this is necessary, you can’t overlook the people part of data governance. In fact, you can argue it is the most important part, because without people, there will be no one to follow the processes you create or use the technologies you implement. 

To find the right people, you need to identify and establish three specific roles for your institution: data trustees, data stewards, and data managers. Once you have organized these roles and responsibilities, data governance becomes easier to manage. Some definitions:

Data trustees (the sponsors) – senior leadership (or designees) who oversee data policy, planning, and management. Their responsibilities include: 

  • Promoting data governance 
  • Approving and updating data policies​​
  • Assigning and overseeing data stewards
  • Being responsible for data governance

Data stewards (the owners) – directors, managers, associate deans, or associate vice presidents who manage one or more data types. Their responsibilities include:

  • Applying and overseeing data governance policies in their functional areas
  • Following legal requirements pertaining to data in their functional areas
  • Classifying data and identifying data safeguards
  • Being accountable for data governance

Data managers (the caretakers) – data system managers, senior data analysts, or functional users (registrar, financial aid, human resources, etc.) who perform day-to-day data collection and management operations. Their responsibilities include:

  • Implementing data governance policies in their functional areas
  • Resolving data issues in their functional areas 
  • Provide training and appropriate documentation to data users
  • Being informed and consulted about data governance

3.    Be consistent and hold people accountable.

Ultimately, your data governance team needs accountability in order to thrive. Therefore, it is up to data trustees, data stewards, and data managers to hold regular meetings, take and distribute meeting notes, and identify and follow up on meeting action items. Without this follow through, data governance initiatives will likely stall or stop altogether. 

More information on data governance 

Are you still curious about additional guiding principles of data governance in higher education? Please contact the team
 

Blog
People Power: Enacting Sustainable Data Governance

Editors note: read this if you are a leader in an accountable care organization and interested in value-based contracting.

Accountable Care Organizations (ACOs) and value-based payments: an introduction

With the goal of slowing the rising cost of healthcare while maintaining the delivery of high-quality care, the Centers for Medicare & Medicaid Services (CMS) and private payers utilize a number of different provider payment models. The primary approach to address increasing healthcare costs has been to move away from fee-for-service payment models—which incentivize increasing the volume of care provided—to value-based payment models, which hold providers accountable for both the cost and quality of care they provide. The models have the potential to lead to reduced revenue for some providers, an outcome that can be avoided by successfully attracting larger patient populations. 

Value-based payment model options 

CMS has been a driver in this transition by moving physician reimbursement from being solely based on the Resource-Based Relative Value Scale (RBRVS) fee-for-service methodology to one that adds performance-based elements either through the Merit-based Incentive Payment System (MIPS) or Advanced Alternative Payment Models (Advanced APMs):

  • Providers that are MIPS eligible will have up to 9% of their RBRVS-based payments adjusted for four categories: quality, cost, clinical practice improvement activities, and promoting interoperability.
  • Providers in an Advanced APM may earn an incentive payment based on their participation in an innovative payment model―with more opportunity for incentive rewards being given to those who take downside financial risk. 

On the hospital side, CMS developed the Hospital Value-Based Purchasing (VBP) Program in order to move away from reimbursement based strictly on Diagnosis Related Groups (DRGs). The Hospital VBP Program rewards hospitals with incentive payments based on the quality of care they provide to Medicare beneficiaries. 

ACO value-based payment models are APMs that typically incorporate quality and the total cost of care for all services for a specific population, rather than just a specific clinical condition or care episode. Under the ACO model, CMS contracts with providers to assume increasing financial risk and reward opportunities while also being held accountable for their quality performance managing defined sub-populations they serve. These types of models are also employed by private payers.

How can ACOs succeed with payment models constantly changing?

ACOs should proceed with caution as they enter models with accountability for financial risk such as the newly finalized CMS Pathways to Success program and certain private payer commercial models. In order to be successful in any model, it is critical that ACOs have an adequate foundation in place and a provider network built to provide coordinated care. Some of the key elements for your success include:

  • Population data: Data for the ACO members that is a comprehensive record of their recent health utilization and spending history is critical.
  • Eligibility reporting: Require that eligibility files are provided on a monthly basis, and understand the way in which members are attributed or assigned. 
  • Claims data: Ensure accurate and complete claims data will be provided by payers monthly for the ACO members.
  • Financial/quality reporting: Ensure creation of infrastructure to generate reporting from the population data on a timely basis. Without timely reporting, the actual performance against benchmarks will not be known until it is too late to take any action.
  • Actuarial support: Validating spending targets and performance settlement should draw on the expertise of a qualified actuary.
  • Clinical documentation: Ambulatory clinical documentation categorizes patients based on the complexity of their diagnoses, which can be a predictor of future health care costs and used to identify at risk members for care management, disease management, and other programs. 
  • Population health management tools: Establish capabilities around population health management, specifically data aggregation and analysis that results in actionable recommendations
  • Audit capability: Verify the accuracy of payer financial and quality reports including the risk adjustment methodology.

Success in value-based payment models will require ACOs to understand changes to their population and quickly respond to address quality, utilization, and cost trends. 

WEBINAR
Demystifying Value-Based Contracting: Key Steps To Empower Your Organization

Want to learn more? Watch our value-based contracting webinar.

Blog
Success in value-based payment for ACOs

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where considerations of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third-party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to explain to customers and clients answers and explanations you may not have. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.1  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies likely have language in contracts that already establish requirements for third-parties related to IT security; however the enforcement of such requirements and awareness of what is written in the contract is not enforced or is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements in place to defend themselves against third-party risk which includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR) which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to any citizen of EU’s personal information. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.2  Gone are the days where regulations lacked the teeth to force companies into compliance. 

With thanks to other major data breaches where hundreds of millions’ consumers private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ. 

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Ohio, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter your line of business must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.3 While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data we have available to us is not used.4 Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies and in many cases data’s existence and location is unknown by the organizations that have it. 

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit of investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders). 

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwarting hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.5 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.6  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.6 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Blog
Five IT risks everyone should be aware of

Editor’s note: If you are a higher education CFO, CIO, CTO or other C-suite leader, this blog is for you.

The Gramm-Leach-Bliley Act (GLBA) has been in the news recently as the Federal Trade Commission (FTC) has agreed to extend a deadline for public comment regarding proposed changes to the Safeguards Rule. Here’s what you need to know.

GLBA, also known as the Financial Modernization Act, is a 1999 federal law providing rules to financial institutions for protecting consumer information. Colleges and universities fall under this act because they conduct financial activities (e.g., administration of financial aid, loans, and other financial services).

Under the Safeguards Rule financial Institutions must develop, implement, and maintain a comprehensive information security program that consists of safeguards to handle customer information.

Proposed changes

The FTC is proposing five modifications to the Safeguards Rule. The new act will:

  • Provide more detailed guidance to impacted institutions regarding how to develop and implement specific aspects of an overall information security program.
  • Improve the accountability of an institution’s information security programs.
  • Exempt small business from certain requirements.
  • Expand the definition of “financial institutions” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
  • Propose to include the definition of “financial institutions” and related examples in the rule itself rather than cross-reference them from a related FTC rule (Privacy of Consumer Financial Information Rule).

Potential impacts for your institution

The Federal Register, Volume 84, Number 65, published the notice of proposed changes that once approved by the FTC would add more prescriptive rules that could have significant impact on your institution. For example, these rules would require institutions to:

  1. Expand existing security programs with additional resources.
  2. Produce additional documentation.
  3. Create and implement additional policies and procedures.
  4. Offer various forms of training and education for security personnel.

The proposed rules could require institutions to increase their commitment in time and staffing, and may create hardships for institutions with limited or challenging resources.

Prepare now

While these changes are not final and the FTC is requesting public comment, here are some things you can do to prepare for these potential changes:

  • Evaluate whether your institution is compliant to the current Safeguards Rule.
  • Identify gaps between current status and proposed changes.
  • Perform a risk assessment.
  • Ensure there is an employee designated to lead the information security program.
  • Monitor the FTC site for final Safeguard Rules updates.

In the meantime, reach out to us if you would like to discuss the impact GLBA will have on your institution or if you would like assistance with any of the recommendations above. You can view a comprehensive list of potential changes here.

Source: Federal Trade Commission. Safeguards Rule. Federal Register, Vol. 84, No. 65. FTC.gov. April 4, 2019. https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Blog
Higher ed: GLBA is the new four-letter word, but it's not as bad as you think

Read this if you are a police executive, city/county administrator, or elected government official, responsible for a law enforcement agency. 

“We need more cops!”  

Do your patrol officers complain about being short-staffed or too busy, or that they are constantly running from call to call? Does your agency struggle with backed-up calls for service (CFS) or lengthy response times? Do patrol staff regularly find themselves responding to another patrol area to handle a CFS because the assigned officer is busy on another call? Are patrol officers denied leave time or training opportunities because of staffing issues? Does the agency routinely use overtime to cover predictable shift vacancies for vacations, holidays, or training? 

If one or more of these concerns sound familiar, you may need additional patrol resources, as staffing levels are often a key factor in personnel deployment challenges. Flaws in the patrol schedule design may also be responsible, as they commonly contribute to reduced efficiency and optimal performance, and design issues may be partially responsible for some of these challenges, regardless of authorized staffing levels.
 
With community expectations at an all-time high, and resource allocations remaining relatively flat, many agencies have growing concerns about managing increasing service volumes while controlling quality and building/maintaining public trust and confidence. Amid these concerns, agencies struggle with designing work schedules that efficiently and optimally deploy available patrol resources, as patrol staff become increasingly frustrated at what they consider a lack of staff.

The path to resolving inefficiencies in your patrol work schedule and optimizing the effective deployment of patrol personnel requires thoughtful consideration of several overarching goals:

  • Reducing or eliminating predictable overtime
  • Eliminating peaks and valleys in staffing due to scheduled leave
  • Ensuring appropriate staffing levels in all patrol zones or beats
  • Providing sufficient staff to manage multiple and priority CFS in patrol zones or beats
  • Satisfying both operational and staff needs, including helping to ensure a proper work/life balance and equitable workloads for patrol staff

Scheduling alternatives

One common design issue that presents an ongoing challenge for agencies is the continued use of traditional, balanced work schedules, which spread officer work hours equally over the year. Balanced schedules rely on over-scheduling and overtime to manage personnel allocation and leave needs and, by design, are very rigid. Balanced work schedules have been used for a very long time, not because they’re most efficient, but because they’re common, familiar, and easily understood―and because patrol staff are comfortable with them (and typically reluctant to change). However, short schedules offer a proven alternative to balanced patrol work schedules, and when presented with the benefits of an alternative work schedule design (e.g., increased access to back-up, ease of receiving time off or training, consistency in staffing, less mandatory overtime), many patrol staff are eager to change.

Short schedules

Short schedules involve a more contemporary design that includes a flexible approach that focuses on a more adaptive process of allocating personnel where and when they are needed. They are significantly more efficient than balanced schedules and, when functioning properly, they can dramatically improve personnel deployments, bring continuity to daily staffing, and reduce overtime, among other operational benefits. Given the current climate, most agencies are unlikely to receive substantial increases in personnel allocations. If that is true of your agency, it may be time to explore the benefits of alternative patrol work schedules.

A tool you can use

Finding scheduling strategies that work in this climate requires an intentional approach, customized to your agency’s characteristics (e.g., staffing levels, geographic factors, crime rates, zone/beat design, contract/labor rules). To help guide you through this process, BerryDunn has developed a free tool for evaluating patrol schedules. Click here to measure your patrol schedule against key design components and considerations.

If you are curious about alternative patrol work schedules, our dedicated justice and public Safety consultants are available to discuss your organization’s needs.

Blog
Efficient police patrol work schedules―By design

In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all  institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

BerryDunn’s Rick Gamache recently published several blog articles on incident response that are relevant to the recent cyberattacks. Below I have provided several of his points tailored to higher education leaders to help them prepare for cybersecurity incidents at their institutions.

What are some examples of incidents that managers need to prepare for?

Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with higher education institutions. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons. Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest security teams include staff members outside of IT. When you’re responding to incidents, you want people who can look at a problem or situation from an external perspective, not just a technical or operational perspective within IT. These team members can help answer questions such as, what does the world see when they look at our institution? What institutional information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?

I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?

There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities, so your team can assign and track tasks.

Any other tips for developing incident response plans?

First, managers should work with, and solicit feedback from across the academic and administrative areas within the institution when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your institution’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your students and external stakeholders in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your institution. The last thing you want is students and stakeholders receiving conflicting messages about the incident. 

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?

Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should institutions have dedicated incident response teams?

Definitely. Institutions should identify and staff teams using internal resources. Some institutions may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, institutions should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every institution can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your institution about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?

Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a hackathon. The word can elicit negative or concerned reactions. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the institution for another, higher-paying job. I think you should be committed to the growth of your team members―it’ll only make your institution more secure.

What are some best practices managers should follow when reporting incidents to their leadership?

Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in an institutional context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the institution. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

How much institution-wide communication should there be about incidents?

That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole institution know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire institution about an incident, refer to your Legal Department. In general, institution-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: senior leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

What are the key takeaways for higher education leaders?

Here are key takeaways to help higher education leaders prepare for and respond appropriately to cybersecurity incidents:

  1. Understand your institution’s current cybersecurity environment. 
    Questions to consider: Do you have Chief Information Security Officer (CISO) and/or a dedicated cybersecurity team at your institution? Have you conducted the appropriate audits and assessments to understand your institution’s vulnerabilities and risks?
  2. Ensure you are prepared for cybersecurity incidents. 
    Questions to consider: Do you have a cybersecurity plan with the appropriate response, communication, and recovery plans/processes? Are you practicing your plan by walking through tabletop exercises? Do you have incident response teams?

Higher education continues to face growing threats of cybersecurity attacks – and it’s no longer a matter of if, but when. Leaders can help mitigate the risk to their institutions by proactively planning with incident response plans, communication plans, and table-top exercises. If you need help creating an incident response plan or wish to speak to us regarding preparing for cybersecurity threats, please reach out to us.
 

Blog
Cyberattacks in higher education—How prepared are you?

Phew! We did it—The Medicaid Enterprise Systems Conference (MESC) 2019 is one for the books! And, it was a great one. Here is my perspective on objectives and themes that will guide our work for the year.

Monday 

My day started in the fog—I live on an island in Maine, take a boat to get into Portland, and taxi to the airport. Luckily, I got to Portland, and, ultimately Chicago, on time and ready to go. 

Public Sector Technology Group (PSTG) meeting

At the PSTG meetings, we reviewed activities from the previous year and did some planning for the coming year. Areas for consideration included:

  • Modernization Schedule
  • Module Definitions
  • Request for Proposal (RFP) Requirements
  • National Association of State Procurement Officers

Julie Boughn, Centers for Medicare and Medicaid (CMS) Director, Data and Systems Group (DSG) introduced her new boss, Karen Shields, who is the Deputy Director for the Center for Medicaid and CHIP Services (CMCS) within CMS. Karen shared her words of wisdom and encouragement with us, while Julie reminded us that being successful in our work is about the people. CMS also underscored the goal of speeding up delivery of service to the Medicaid program and asking ourselves: “What is the problem we are trying to resolve?” 

CMS’ “You be the State” officer workshop

Kudos to CMS for creating this open environment of knowledge sharing and gathering input.  Areas for discussion and input included:

  • APD Processes
  • Outcomes-Based Certification
  • Increasing and Enhancing Accountability

Tuesday
Opening Plenary

I was very touched by the Girls Inc. video describing the mission of Girls Inc. to inspire girls to be strong, smart, and bold. With organizations like this, and our awareness and action, I am optimistic for the future. Thank you to NESCSO for including this in their opening program.

John Doerr, author of Measure What Matters: OKRs: The Simple Idea that Drives 10x Growth and famed investor, shared his thoughts on how to create focus and efficiency in what we do. Julie’s interview with him was excellent, and I appreciated how John’s Objectives and Key Results (OKR) process prompted Julie to create objectives for what we are trying to do. The objectives Julie shared with us:

  • Improve the quality of our services for users and other stakeholders 
  • Ensure high-quality data is available to manage the program and improve policy making 
  • Improve procurement and delivery of Medicaid technology projects

Sessions

The sessions were well attended and although I can't detail each specific session I attended, I will note that I did enjoy using the app to guide me through the conference. NESCSO has uploaded the presentations. 

Auxiliary meetings

Whether formal or informal, meetings are one of the big values of the conference—relationships are key to everyone’s success, and meeting with attendees in one-on-one environments was incredibly productive. 

Poster session

The poster sessions were excellent. States are really into this event, and it is a great opportunity for the MESC community to engage with the states and see what is going on in the Medicaid Enterprise space.

Wednesday

Some memorable phrases heard in the sessions:

  • Knowledge is power only if you share it
  • We are in this together and want the same outcomes, so let’s share more
  • Two challenges to partnering projects—the two “P”s—are purchasing and personnel
  • Don’t let perfection be the enemy of the good
  • Small steps matter
  • Sharing data is harder than it needs to be—keep in mind the reason for what you are doing

Our evening social event was another great opportunity to connect with the community at MESC and the view of Chicago was beautiful.

Julie Boughn challenged us to set a goal (objective) in the coming year, and, along with it, to target some key results in connection with that goal. Here are some of her conference reflections:

  • Awesome
    • Several State Program and Policy leaders participated at MESC—impressed with Medicaid Director presence and participation
    • Smaller scoped projects are delivering in meeting the desired improved speed of delivery and quality
    • Increased program-technology alignment
  • Not so awesome
    • Pending state-vendor divorces
    • Burden of checklists and State Self-Assessments (SS-As)—will have something to report next year
    • There are still some attempts at very large, multi-year replacement projects—there is going to be a lot of scrutiny on gaining outcomes. Cannot wait five years to change something.

OKRs and request for states and vendors

  • Objective: Improve the quality of services for our users and other stakeholders
    • Key Result (KR): Through test results and audits, all States and CMS can state with precision, the overall accuracy of Medicaid eligibility systems.
    • KR: 100% of State electronic visit verification (EVV) systems are certified and producing annual performance data.
    • KR: 100% of States have used CMS-required testing guidance to produce testing results and evidence for their eligibility systems.
  • Objective: Ensure high-quality data is available to manage the program and improve policy making
    • KR: Transformed Medicaid Statistical Information System (T-MSIS) data is of sufficient quality that it is used to inform at least one key national Medicaid policy decision that all states have implemented.
    • KR:  Eliminate at least two state reporting requirements because T-MSIS data can be used instead.
    • KR: At least five states have used national or regional T-MSIS data to inform their own program oversite and/or policy-making decisions.
  • Objective: Improve how Medicaid technology projects are procured and delivered
    • KR: Draft standard language for outcomes metrics for at least four Medicaid business areas.
    • KR:  Five states make use of the standard NASPO Medicaid procurement.
    • KR:  CMS reviews of RFPs and contracts using NASPO vehicle are completed within 10 business days.
    • KR:  Four states test using small incremental development phases for delivery of services.
  • Request: Within 30 days, states/vendors will identify at least one action to take to help us achieve at least one of the KRs within the next two years.

Last thoughts

There is a lot to digest, and I am energized to carry on. There are many follow-up tasks we all have on our list. Before we know it, we’ll be back at next year’s MESC and can check in on how we are doing with the action we have chosen to help meet CMS’s requirements. See you in Boston!

Blog
MESC 2019―Reflections and Daily Recap

Editor’s note: If you are a state government CFO, CIO, project or program manager, this blog is for you. 

This is the second blog post in the blog series: “Procuring Agile vs. Non-Agile Service”. Read the first blog. This blog post demonstrates the differences in Stage 1: Plan Project in the five stages of procuring agile vs. non-agile services.

Overview of Procurement Process for Agile vs. Non-Agile IT Services

What is important to consider in agile procurement?

Here are some questions that can help focus the planning for procurement of IT services for agile vs. non-agile projects.

Plan Project Considerations for Agile vs. Non-Agile IT Services

Why are these considerations important?

When you procure agile IT services, you can define the scope of your procurement around a vision of what your organization intends to become, as opposed to being restricted to an end-date for a final delivery.

In an agile project, you get results iteratively; this allows you to constantly reassess requirements throughout the project, including the project plan, the guiding principles, and the project schedule. Your planning is not restricted to considering the effect of one big result at the end of the project schedule. Instead, your plan allows for sequencing of changes and improvements that best reflect the outcomes and priorities your organization needs

Since planning impacts the people-aspect of your strategy, it is important to consider how various teams and stakeholders will provide input, and how you will make ongoing communication updates throughout the project. With an agile procurement project, your culture will shift, and you will need a different approach to planning, scheduling, communicating, and risk management. You need to communicate daily, allowing for reviewing and adjusting priorities and plans to meet project needs. 

How do you act on these considerations?

A successful procurement plan of agile IT services should include the following steps:

  1. Develop a project charter and guiding principles for the procurement that reflect a vision of how your organization’s teams will work together in the future
  2. Create a communication plan that includes the definition of project success and communicates project approach
  3. Be transparent about the development strategy, and outline how iterations are based on user needs, that features will be re-prioritized on an ongoing basis, and that users, customers, and stakeholders are needed to help define requirements and expected outcomes
  4. Provide agile training to your management, procurement, and program operation teams to help them accept and understand the project will present deliverables in iterations, to include needed features, functionality and working products
  5. Develop requirements for the scope of work that align with services and outcomes you want, rather than documented statements that merely map to your current processes 

What’s next? 

Now that you have gained insight into the approach to planning an agile project, consider how you may put this first stage into practice in your organization. Stay tuned for guidance on how to execute the second stage of the procurement process—how to draft the RFP. Our intention is that, following this series, your organization will better understand how to successfully procure and implement agile services. If you have questions or comments, please contact our team.
 

Blog
Plan agile projects: Stage 1

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on a State Medicaid Enterprise System (MES) certification effort.

Measuring performance of Medicaid Enterprise Systems (MES) is emerging as the next logical step in moving Medicaid programs toward modularity. As CMS continues to refine and implement outcomes-based modular certification, it is critical that states adapt to this next step in order to continue to meet CMS funding requirements.

This measurement, in terms of program outcomes, presents a unique set of challenges, many of which a state may not have considered before. A significant challenge is determining how and where to begin measuring program outcomes―to meet it, states can leverage a trusted, independent partner as they undertake an outcomes-based effort.

Outcomes-based planning can be thought of as a three-step process. First, and perhaps most fundamental, is to define outcomes. Second, you need to determine what measurements will demonstrate progress toward achieving those outcomes. And the final step is to create reporting measurements and their frequency. Your independent partner can help you answer these critical questions and meet CMS requirements efficiently by objectively guiding you toward realizing your goals.

  1. Defining Outcomes
    When defining an outcome, it is important to understand what it is and what it isn’t. An outcome is a benefit or added value to the Medicaid program. It is not an output, which is a new or enhanced function of a new MES module. An output is the product that supports the outcome. For example, the functionality of a new Program Integrity (PI) module represents an output. The outcome of the new PI module could be that the Medicaid program continuously improves based on data available because of the new PI module. Some outcomes may be intuitive or obvious. Others may not be as easy to articulate. Regardless, you need to direct the focus of your state and solution vendor teams on the outcome to uncover what the underlying goal of your Medicaid program is.
     
  2. Determining Measurements
    The second step is to measure progress. Well-defined Key Performance Indicators (KPIs) will accurately capture progress toward these newly defined outcomes. Your independent partner can play a key role by posing questions to help ensure the measurements you consider align with CMS’ goals and objectives. Additionally, they can validate the quality of the data to ensure accuracy of all measurements, again helping to meet CMS requirements.
     
  3. Reporting Measurements
    Finally, your state must decide how―and how often―to report on outcomes-based measurements. Your independent partner can collaborate with both your state and CMS by facilitating conversations to determine how you should report, based on a Medicaid program’s nuances and CMS’ goals. This can help ensure the measurements (and support information) you present to CMS are useful and reliable, giving you the best chance for attaining modular certification.

Are you considering an outcomes-based CMS modular certification, or do you have questions about how to best leverage an independent partner to succeed with your outcomes-based modular certification effort? BerryDunn’s extensive experience as an independent IV&V and Project Management Office (PMO) partner includes the first pilot outcomes-based certification effort with CMS. Please visit our IV&V and certification experts at our booth at MESC 2019 or contact our team now.

Blog
Three steps to measure Medicaid Enterprise Systems outcomes

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer.

As CMS moves away from the monolithic Medicaid Management Information System (MMIS) toward an outcomes-based approach that includes a modular Medicaid Enterprise System (MES), there is now more emphasis on system integration (SI). 

In the August 16, 2016 letter, State Medicaid Director (SMD) #16-010, CMS clarified the role of the system integrator (SI) by stating:

CMS envisions a discrete role for the system integrator (SI) in each state, with specific focus on ensuring the integrity and interoperability of the Medicaid IT architecture and cohesiveness of the various modules incorporated into the Medicaid enterprise. 

While the importance of the SI role is apparent, not all states have the resources to build the SI capability within their own organizations. Some state Medicaid IT teams try to solve this by delegating management roles to vendors or contractors. This approach has various risks. A state could lose:

  • Institutional knowledge, as vendors and contractors transition off the project
  • Control of governance, oversight, and leadership
  • The ability to enforce contractual requirements across each vendor, especially the SI

In addition, the ramifications of loss of state accountability can have wide-reaching implementation, operational, and financial impacts, including:

  • The loss of timely decision making, causing projects to fall behind schedule
  • State-specific policy needs not being met, impacting how the MMIS functions in production 
  • Poor integration into the state-specific Operation and Maintenance (O&M) support model, increasing the state’s portion of long-term O&M costs
  • Inefficient and ineffective contract management of each module vendor and contractor (including the SI), possibly leading to unneeded change requests and cost overruns
  • Lack of coordination with the state’s business or IT roadmap initiatives (i.e., system consolidation or cloud migration vendor/approach), possibly leading to rework and missed opportunities to reduce cost or improve interoperability 

Apply strong governance and IV&V to tackle risks

Because the SI vendor is responsible for the integration of multiple modules across multiple vendors, you may consider delegating oversight of module vendors to the SI vendor. 

The major benefit states get from using the SI vendor is efficiency. Having your vendor as the central point of contact can quickly resolve technical issues, while allowing easy coordination of project tasks across each module vendor on a continual basis. 

If you choose to use a vendor for the SI role, establish safeguards and governance to make sure your goals are being met:

  • Build a project-specific governance model (executive committee [EC]) to oversee the vendors and the project
  • Establish a regular meeting cadence for the EC to allow for status updates on milestones and discuss significant project risks and issues 
  • Allocate state resources into project leadership roles (i.e., project manager, vendor contract manager, security lead, testing/Quality Assurance lead, etc.)
  • Conduct regular (weekly) SI status meetings to track progress and address risks and issues 

You also need a strong, involved governance structure that includes teams of state senior leadership, state program managers, SI vendor engagement/contract managers, and Independent Verification and Validation (IV&V) vendors. By definition, one responsibility of IV&V is to identify and monitor project risks and issues that could arise from a lack of independence. 

Your governance teams can debate decisions and disputes, risks and issues, and federal compliance issues with their vendors to define direction and action plans. However, a state representative within these teams should always make the final management decisions, approve all SI scope items and changes, and approve all contractual deliverables from each vendor or contractor.

Your state staff (business and IT) provides project management decision, business needs, requirements (functional and non-functional), policy guidance, and continuity as the vendors and/or contractors change over time. 

The conclusion? In order to be successful, you must retain certain controls and expertise to deploy and operate a successful MMIS system. Our consultants understand the need to keep you in control of managing key portions of implementation projects/programs and operational tasks. If you have questions, please contact BerryDunn’s Medicaid team.  
 

Blog
Risks when using vendors to manage Medicaid system implementation projects

Read this if you are a City/County Administrator, Building Official, Community Development Director, Planning Director, Development Services Manager or work with customers providing a service for a fee.

Planning and development service fees are, for many municipalities, often discussed but rarely changed. There are a number of reasons you might need to consider or defend your fee structure―complaints from developers, rising costs of operation, and changes in code or process are just a few. 

But when is the right time for a formal review of your service fees? There are several key organizational factors that should prompt an in-depth study of your fees, either internally or with the assistance of an objective advisor. It may be time for an update if:

  • You’re considering a new permitting system. New technology may streamline your workflows, simplify processes for your customers, or necessitate changes in your staffing. All of these secondary changes can impact the cost of your services. In addition, if you’re anticipating significant changes to your fee structure or methodology (e.g., moving to full cost recovery), you’ll want to configure your new system to support that going forward.
  • You have an enterprise development fund. Development fees are collected to cover the cost of providing a service. The methodology you use to charge fees should be based on defensible formulas that can withstand the scrutiny of your customers and cover the cost to provide the service. In addition, reserve funds should be adequate to ensure your development service is funded through the completion of the project. 
  • The regulations in your municipality are changing. Perhaps your organization is moving to a unified or form-based code or making changes to the International Building or Fire Codes. Changes in the process and requirements for development may require a reevaluated fee structure.
  • It’s been a while. Even if your organization is not experiencing any significant or sweeping change, small shifts can accumulate over the years, resulting in significant fee adjustments that may be tough for you to implement and for your customers to understand. Periodically reviewing service demand and benchmarking your individual fees against those of neighboring communities can help to avoid sticker shock.

If any of these scenarios sound familiar, you may want to consider a fee review, which may consist of benchmarking against similar jurisdictions. Not sure what level of review your organization needs? Our dedicated government consultants include former planners and community development leaders who have walked in your shoes and can talk through the considerations with you.
 

Blog
When time is money: Reviewing your planning and development service fees

Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, State Procurement Officer, or work in a State Medicaid Program Integrity Unit.

The Centers for Medicare & Medicaid Services (CMS) issued a Payment Error Rate Measurement (PERM) Final Rule on July 5, 2017, that made several changes to the PERM requirements. One important change was the updates to the Medicaid Eligibility Quality Control (MEQC) requirement. 

The Final Rule restructures the MEQC program into a pilot program that requires states to conduct eligibility reviews during the two years between PERM cycles. CMS has also introduced the potential for imposing disallowances or reductions in federal funding percentage (FFP) as a result of PERM eligibility error rates that do not meet the national standard. One measure states can use to lessen the chance of this happening is by successfully carrying out the requirements of the MEQC pilot. 

What states should know―important points to keep in mind regarding MEQC reviews:

  • Each state must have a team in place to conduct MEQC reviews. The individuals responsible for the MEQC reviews and associated activities must be separate from the state agencies and personnel responsible for Medicaid and Children’s Health Insurance Program (CHIP) policy and operations, including eligibility determinations.
  • States can apply for federal funding to help cover the costs of the MEQC activities. CMS encourages states to partner with a contractor in conducting the MEQC reviews.
  • The deadline to submit the state planning document to CMS is November 1 following the end of your state’s PERM cycle. If you are a Cycle 2 state, your MEQC planning document is due by November 1, 2019. 
  • If you are a Cycle 1 state, you are (or should be) currently undergoing the MEQC reviews.
  • There are minimum sample size requirements for the MEQC review period: 400 negative cases and 400 active cases (consisting of both Medicaid and CHIP cases) over a period of 12 months.
  • Upon conclusion of all MEQC reviews, states must submit a final findings report along with a corrective action plan that addresses all error findings identified during the MEQC review period.

CMS encourages states to utilize federal funding to carry out and fulfill MEQC requirements. BerryDunn has staff with experience in preparing Advanced Planning Documents (APD) and can assist your state in submitting an APD request to CMS for these MEQC activities. 

Check out the previously released blog, “PERM: Prepared or Not Prepared?” and stay tuned for upcoming blogs about specific PERM topics, including the financial impacts of PERM, and how each review phase will affect your state.   

For questions or to find out more, contact the team

Blog
PERM: Does MEQC affect states?

Read this if you are an Institutional Research (IR) Director, a Registrar, or are in the C-Suite.

In my last blog, I defined the what and the why of data governance, and outlined the value of data governance in higher education environments. I also asserted data isn’t the problem―the real culprit is our handling of the data (or rather, our deferral of data responsibility to others).

While I remain convinced that data isn’t the problem, recent experiences in the field have confirmed the fact that data governance is problematic. So much, in fact, that I believe data governance defies a “solid,” point-in-time solution. Discouraged? Don’t be. Just recalibrate your expectations, and pursue an adaptive strategy.

This starts with developing data governance guiding principles, with three initial points to consider: 

  1. Key stakeholders should develop your institution’s guiding principles. The team should include representatives from areas such as the office of the Registrar, Human Resources, Institutional Research, and other significant producers and consumers of institutional data. 
  2. The focus of your guiding principles must be on the strategic outcomes your institution is trying to achieve, and the information needed for data-driven decision-making.
  3. Specific guiding principles will vary from institution to institution; effective data governance requires both structure and flexibility.

Here are some baseline principles your institution may want to adopt and modify to suit your particular needs.

  • Data governance entails iterative processes, attention to measures and metrics, and ongoing effort. The institution’s governance framework should be transparent, practical, and agile. This ensures that governance is seen as beneficial to data management and not an impediment.
  • Governance is an enabler. The institution’s work should help accomplish objectives and solve problems aligned with strategic priorities.
  • Work with the big picture in mind. Start from the vantage point that data is an institutional asset. Without an institutional asset mentality it’s difficult to break down the silos that make data valuable to the organization.
  • The institution should identify data trustees and stewards that will lead the data governance efforts at your institution
    • Data trustees should have responsibility over data, and have the highest level of responsibility for custodianship of data.
    • Data stewards should act on behalf of data trustees, and be accountable for managing and maintaining data.
  • Data quality needs to be baked into the governance process. The institution should build data quality into every step of capture and entry. This will increase user confidence that there is data integrity. The institution should develop working agreements for sharing and accessing data across organizational lines. The institution should strive for processes and documentation that is consistent, manageable, and effective. This helps projects run smoothly, with consistent results every time.
  • The institution should pay attention to building security into the data usage cycle. An institution’s security measures and practices need to be inherent in the day-to-day management of data, and balanced with the working agreements mentioned above. This keeps data secure and protected for the entire organization.
  •  Agreed upon rules and guidelines should be developed to support a data governance structure and decision-making. The institution should define and use pragmatic approaches and practical plans that reward sustainability and collaboration, building a successful roadmap for the future. 

Next Steps

Are you curious about additional guiding principles? Contact me. In the meantime, keep your eyes peeled for a future blog that digs deeper into the roles of data trustees and stewards.
 

Blog
Governance: It's good for your data

Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer.

When I was growing up, my dad would leave the Bureau of Motor Vehicles or hang up the phone after talking with the phone company and say sarcastically, “I’m from the government (or the phone company) and I’m here to help you. Yeah, right.” I could hear the frustration in his voice. As I’ve gotten older, I understand the hassle of dealing with bureaucracy, where the red tape can make things more difficult than they need to be, and where customers don’t come first. It doesn’t have to be that way.

In my role performing Independent Verification and Validation (IV&V) at BerryDunn, I hear the same skepticism in the voices of some of my clients. I can hear them thinking, “Let me get this straight… I’m spending millions of dollars to replace my old Medicaid Management Information System (MMIS), and the Centers for Medicare and Medicaid Services (CMS) says I have to hire an IV&V consultant to show me what I am doing wrong? I don’t even control the contract. You’re here to help me? Yeah, right.” Here are some things to assuage your doubt. 

Independent IV&V―what they should do for you and your organization

An independent IV&V partner that is invested in your project’s success can:

  • Enhance your system implementation to help you achieve compliance
  • Help you share best practice experience in the context of your organization’s culture to improve efficiency in other areas
  • Assist you in improving your efficiency and timeliness with project management capabilities.

Even though IV&V vendors are federally mandated from CMS, your IV&V vendor should also be a trusted partner and advisor, so you can achieve compliance, improve efficiency, and save time and effort. 

Not all IV&V vendors are equal. Important things to consider:

Independence―independent vendors are a good place to start, as they are solely focused on your project’s success. They should not be selling you software or other added services, push vendor affiliations, or rubber stamp CMS, nor the state. You need a non-biased sounding board, a partner willing to share lessons learned from experience that will help your organization improve.

Well-rounded perspective―IV&V vendors should approach your project from all perspectives. A successful implementation relies on knowledge of Medicaid policy and processes, Medicaid operations and financing, CMS certification, and project management.

“Hello, we are IV&V from BerryDunn, and we are here to help.”

BerryDunn offers teams that consist of members with complementary skills to ensure all aspects of your project receive expert attention. Have questions about IV&V? Contact our team.
 

Blog
We're IV&V and we are here to help you improve your Medicaid organization

Federal contractors with the Centers for Medicare & Medicaid Services (CMS) have begun performing Payment Error Rate Measurement (PERM) reviews under the Final Rule issued in July 2017—a rule that many states may not realize could negatively impact their Medicaid budgets.

PERM is a complex process—states must focus on several activities over a recurring three-year period of time—and states may not have the resources needed to make PERM requirements a priority. However, with the Final Rule, this PERM eligibility review could have financial implications. 

After freezing the eligibility measurement for four years while undergoing pilot review, CMS has established new requirements for the eligibility review component and made significant changes to the data processing and medical record review components. As part of the Final Rule, CMS may implement reductions in the amount of federal funding provided to a state’s Medicaid and Children’s Health Insurance Program (CHIP) programs based on the error rates identified from the eligibility reviews. 

Since the issuance of the Final Rule in July 2017, Cycle 1 states are the first group of states to undergo a PERM cycle, including reviews of the data processing, medical record, and eligibility components. These states are wrapping up the final review activities, and Cycle 2 states are in the early stages of their PERM reviews.

How can your state prepare?

Whether your state is a Cycle 1, Cycle 2, or Cycle 3 state, there are multiple activities your Medicaid departments should engage in throughout each three-year period of time during and between PERM cycles: 

  • Analyzing prior errors cited or known issues, along with the root cause of the error
  • Identifying remedies to reduce future errors
  • Preparing and submitting required questionnaires and documents to the federal contractors for an upcoming review cycle
  • Assisting federal contractors with current reviews and findings
  • Preparing for and undergoing Medicaid Eligibility Quality Control (MEQC) planning and required reviews
  • Corrective action planning

Is your state ready?

We’ve compiled a few basic questions to gauge your state’s readiness for the PERM review cycle:

  • Do you have measures in place to ensure all eligibility factors under review are identifiable and that all federal and state regulations are being met? The eligibility review contractor (ERC) will reestablish eligibility for all beneficiaries sampled for review. This process involves confirming all verification requirements are in the case file, income requirements are met, placement in an accurate eligibility category has taken place, and the timeframe for processing all determinations meets federal and state regulations. 
  • Do you have up-to-date policy and procedures in place for determining and processing Medicaid or CHIP eligibility of an individual? Ensuring eligibility policies and procedures meet federal requirements is just as important as ensuring the processing of applications, including both system and manual actions, meet the regulations. 
  • Do you have up-to-date policy, procedures, and system requirements in place to ensure accurate processing of all Medicaid/CHIP claims? Reviewers will confirm the accuracy of all claim payments based on state and federal regulations. Errors are often cited due to the claims processing system allowing claims to pay that do not meet regulations.
  • Do you have a dedicated team in place to address all PERM requirements to ensure a successful review cycle? This includes staff to answer questions, address review findings, and respond to requests for additional information. During a review cycle, the federal contractors will cite errors based on their best understanding of policies and/or ability to locate required documentation. Responding to requests for information or reviewing and responding to findings in a timely manner should be a priority to ensure accurate findings. 
  • Have you communicated all PERM requirements and updates to policy changes to all Medicaid/CHIP providers? Providers play two integral roles in the success of a PERM review cycle. Providers must understand all claims submission requirements in order to accurately submit claims. Additionally, the medical record review component relies on providers responding to the request for the medical records on a sampled claim. Failure to respond will result in an error. Therefore, states must maintain communication with providers to stress the importance of responding to these requests.
  • Have you begun planning for the MEQC requirement? Following basic requirements identified by CMS during your state’s MEQC period, your state must submit a case planning document to CMS for approval prior to the MEQC review period. After the MEQC review, your state should be prepared to issue findings reports, including a corrective action plan as it relates to MEQC findings.

Need help piloting your state’s PERM review process?

BerryDunn has subject matter experts experienced in conducting PERM reviews, including a thorough understanding of all three PERM review components—eligibility, data processing, and medical record reviews. 

We would love to work with your state to see that measures are in place that will help ensure the lowest possible improper payment error rate. Stay tuned for upcoming blogs where we will discuss other PERM topics, including MEQC requirements, the financial impacts of PERM, and additional details related to each phase of PERM. For questions or to find out more, please email me
 

Blog
PERM: Prepared or not prepared?

As the Project Management Body of Knowledge® (PMBOK®) explains, organizations fall along a structure and reporting spectrum. On one end of this spectrum are functional organizations, in which people report to their functional managers. (For example, Finance staff report to a Finance director.) On the other end of this spectrum are projectized organizations, in which people report to a project manager. Toward the middle of the spectrum lie hybrid—or matrix—organizations, in which reporting lines are fairly complex; e.g., people may report to both functional managers and project managers. 

Problem: Weak Matrix Medicaid System Vendors

This brings us to weak matrix organizations, in which functional managers have more authority than project managers. Many Medicaid system vendors happen to fall into the weak matrix category, for a number of different reasons. Yet the primary factor is the volume and duration of operational work—such as provider enrollment, claims processing, and member enrollment—that Medicaid system vendors perform once they exit the design, development, and implementation (DDI) phase.

This work spans functional areas, which can muddy the reporting waters. Without strong and clear reporting lines to project managers, project success can be seriously (and negatively) affected if the priorities of the functional leads are not aligned with those of the project. And when a weak matrix Medicaid system vendor enters a multi-vendor environment in which it is tasked with implementing a system that will serve multiple departments and bureaus within a state government, the reporting waters can become even muddier.


Solution: Using a Project Management Office (PMO) Vendor

Conversely, consulting firms that provide Project Management Office (PMO) services to government agencies tend to be strong matrix organizations, in which project managers have more authority over project teams and can quickly reallocate team members to address the myriad of issues that arise on complex, multi-year projects to help ensure project success. PMOs are also typically experienced at creating and running project governance structures and can add significant value in system implementation-related work across government agencies.

Additional benefits of a utilizing a PMO vendor include consistent, centralized reporting across your portfolio of projects and the ability to quickly onboard subject matter expertise to meet program and project needs. 
For more in-depth information on the benefits of using a PMO on state Medicaid projects, stay tuned for my second blog in this series. In the meantime, feel free to send your PMO- or Medicaid-related questions to me
 

Blog
The power of the PMO: Fixing the weak matrix

As your organization works to modernize and improve your Medicaid Enterprise System (MES), are you using independent verification and validation (IV&V) to your advantage? Does your relationship with your IV&V provider help you identify high-risk project areas early, or provide you with an objective view of the progress and quality of your MES modernization initiative? Maybe your experience hasn’t shown you the benefits of IV&V. 

If so, as CMS focuses on quality outcomes, there may be opportunities for you to leverage IV&V in a way that can help advance your MES to increase the likelihood of desired outcomes for your clients. 

According to 45 Code of Federal Regulations (CFR) § 95.626, IV&V may be required for Advanced Planning Document (APD) projects that meet specific criteria. That said, what is the intended role and benefit of IV&V? 

To begin, let’s look at the meaning of “verification” and “validation.” The Institute of Electrical and Electronics Engineers, Inc. (IEEE) Standard for Software Verification and Validation (1012-1998) defines verification as, “confirmation of objective evidence that the particular requirements for a specific intended use are fulfilled.” Validation is “confirmation of objective evidence that specified requirements have been fulfilled.” 

Simply put, verification and validation ensure the right product is built, and the product is built right. 
As an independent third party, IV&V should not be influenced by any vendor or software application. This objectivity means IV&V’s perspective is focused on benefiting your organization. This support includes: 

  • Project management processes and best practices support to help increase probability of project success
  • Collaboration with you, your vendors, and stakeholders to help foster a positive and efficient environment for team members to interact 
  • Early identification of high-risk project areas to minimize impact to schedule, cost, quality, and scope 
  • Objective examination of project health in order for project sponsors, including the federal government, to address project issues
  • Impartial analysis of project health that allows state management to make informed decisions 
  • Unbiased visibility into the progress and quality of the project effort to increase customer satisfaction and reduce the risk and cost of rework
  • Reduction of errors in delivered products to help increase productivity of staff, resulting in a more efficient MES 

Based on our experience, when a trusted relationship exists between state governments and IV&V, an open, collaborative dialogue of project challenges—in a non-threatening manner—allows for early resolution of risks. This leads to improved quality of MES outcomes.    

Is your IV&V provider helping you advance the quality of your MES? Contact our team.

Blog
Leveraging IV&V to achieve quality outcomes

Best practices for financial institution contracts with technology providers

As the financial services sector moves in an increasingly digital direction, you cannot overstate the need for robust and relevant information security programs. Financial institutions place more reliance than ever on third-party technology vendors to support core aspects of their business, and in turn place more reliance on those vendors to meet the industry’s high standards for information security. These include those in the Gramm-Leach-Bliley Act, Sarbanes Oxley 404, and regulations established by the Federal Financial Institutions Examination Council (FFIEC).

On April 2, 2019, the FDIC issued Financial Institution Letter (FIL) 19-2019, which outlines important requirements and considerations for financial institutions regarding their contracts with third-party technology service providers. In particular, FIL-19-2019 urges financial institutions to address how their business continuity and incident response processes integrate with those of their providers, and what that could mean for customers.

Common gaps in technology service provider contracts

As auditors of IT controls, we review lots of contracts between financial institutions and their technology service providers. When it comes to recommending areas for improvement, our top observations include:

  • No right-to-audit clause
    Including a right-to-audit clause encourages transparency and provides greater assurance that vendors are providing services, and charging for them, in accordance with their contract.
  • Unclear and/or inadequate rights and responsibilities around service disruptions
    In the event of a service incident, time and transparency are vital. Contracts that lack clear and comprehensive standards, both for the vendor and financial institution, regarding business continuity and incident response expose institutions to otherwise avoidable risk, including slow or substandard communications.
  • No defined recovery standards
    Explicitly defined recovery standards are essential to ensuring both parties know their role in responding and recovering from a disaster or other technology outage.

FIL-19-2019 also reminds financial institutions that they need to properly inform regulators when they undertake contracts or relationships with technology service providers. The Bank Service Company Act requires financial institutions to inform regulators in writing when receiving third-party services like sorting and posting of checks and deposits, computation and posting of interest, preparation and mailing of statements, and other functions involving data processing, Internet banking, and mobile banking services.

Writing clearer contracts that strengthen your institution

Financial institutions should review their contracts, especially those that are longstanding, and make necessary updates in accordance with FDIC guidelines. As operating environments continue to evolve, older contracts, often renewed automatically, are particularly easy to overlook. You also need to review business continuity and incident response procedures to ensure they address all services provided by third-parties.

Senior management and the Board of Directors hold ultimate responsibility for managing a financial institution’s relationship with its technology service providers. Management should inform board members of any and all services that the institution receives from third-parties to help them better understand your operating environment and information security needs.

Not sure what to look for when reviewing contracts? Some places to start include:

  • Establish your right-to-audit
    All contracts should include a right-to-audit clause, which preserves your ability to access and audit vendor records relating to their performance under contract. Most vendors will provide documentation of due diligence upon request, such as System and Organization Control (SOC) 1 or 2 reports detailing their financial and IT security controls.

    Many right-to-audit clauses also include a provision allowing your institution to conduct its own audit procedures. At a minimum, don’t hesitate to perform occasional walk-throughs of your vendor’s facilities to confirm that your contract’s provisions are being met.
  • Ensure connectivity with outsourced data centers
    If you outsource some or all of your core banking systems to a hosted data center, place added emphasis on your institution’s business continuity plan to ensure connectivity, such as through the use of multiple internet or dedicated telecommunications circuits. Data vendors should, by contract, be prepared to assist with alternative connectivity.
  • Set standards for incident response communications 
    Clear expectations for incident response are crucial  to helping you quickly and confidently manage the impact of a service incident on your customers and information systems. Vendor contracts should include explicit requirements for how and when vendors will communicate in the event of any issue or incident that affects your ability to serve your customers. You should also review and update contracts after each incident to address any areas of dissatisfaction with vendor communications.
  • Ensure regular testing of defined disaster recovery standards
    While vendor contracts don’t need to detail every aspect of a service provider’s recovery standards, they should ensure those standards will meet your institution’s needs. Contracts should guarantee that the vendor periodically tests, reviews, and updates their recovery standards, with input from your financial institution.

    Your data center may also offer regular disaster recovery and failover testing. If they do, your institution should participate in it. If they don’t, work with the vendor to conduct annual testing of your ability to access your hosted resources from an alternate site.

As financial institutions increasingly look to third-party vendors to meet their evolving technology needs, it is critical that management and the board understand which benefits—and related risks—those vendors present. By taking time today to align your vendor contracts with the latest FFIEC, FDIC, and NCUA standards, your institution will be better prepared to manage risk tomorrow.

For more help gaining control over risk and cybersecurity, see our blog on sustainable solutions for educating your Board of Directors and creating a culture of cybersecurity awareness.
 

Blog
Are your vendor contracts putting you at risk?

Editor’s note: If you are a state government CFO, CIO, project or program manager, this blog is for you.

What is the difference in how government organizations procure agile vs. non-agile information technology (IT) services? (Learn more about agile here).

In each case, they typically follow five stages through the process as shown in Figure A:
 

Figure A: Overview of Procurement Process for Agile vs. Non-Agile IT Services

However, there are differences in how these stages are carried out if procuring agile vs. non-agile IT services. 

Unfortunately, most government organizations are unaware of these differences, which could result in unsuccessful procurements and ultimately not meeting your project’s needs and expectations. 
This blog series will illustrate how to strategically adjust the standard stages outlined in Figure A to successfully procure agile IT services.

Stage 1: Plan project
In Stage 1, you define the scope of the project by identifying what your organization wants, needs, and can achieve within the available timeframe and budget. You then determine the project’s objectives while strategically considering their impact on your organization before developing the RFP. Figure B summarizes the key differences between the impacts of agile vs. non-agile services to consider in this stage.


Figure B: Plan Project for Agile vs. Non-Agile IT Services

The nuances of planning for agile services reflect an organization’s readiness for a culture shift to a continuous process of development and deployment of software and system updates. 

Stage 2: Draft RFP
In Stage 2, as part of RFP drafting, define the necessary enhancements and functionality needed to achieve the project objectives determined in Stage 1. You then translate these enhancements and functionalities into business requirements. Requirement types might include business needs as functionality, services, staffing, deliverables, technology, and performance standards. Figure C summarizes the key differences between drafting the RFP for a project procuring agile vs. non-agile services.


Figure C: Draft RFP for Agile vs. Non-Agile IT Services

In drafting the RFP, the scope of work emphasizes expectations for how your team and the vendor team will work together, the terms of how progress will be monitored, and the description of requirements for agile tools and methods.

Stage 3: Issue RFP
In Stage 3, issue the RFP to the vendor community, answer vendor questions, post amendments, and manage the procurement schedule. Since this stage of the process requires you to comply with your organization’s purchasing and procurement rules, Figure D illustrates very little difference between issuing an RFP for a project procuring agile or non-agile services.


Figure D: Issue RFP for Agile vs. Non-Agile IT Services 

Stage 4: Review proposals
In Stage 4, you evaluate vendor proposals against the RFP’s requirements and project objectives to determine the best proposal response. Figure E summarizes the key differences in reviewing proposals for a project that is procuring agile vs. non-agile services.


Figure E: Reviewing Proposals for Agile vs. Non-Agile IT Services 

Having appropriate evaluation priorities and scoring weights that align with how agile services are delivered should not be under-emphasized. 

Stage 5: Award and implement contract
In Stage 5, you award and implement the contract with the best vendor proposal identified during Stage 4. Figure F summarizes the key differences in awarding and implementing the contract for agile vs. non-agile services.


Figure F:  Award and Implement Contract for Agile vs. Non-Agile Services 

Due to the iterative and interactive requirements of agile, it is necessary to have robust and frequent collaboration among program teams, executives, sponsors, and the vendor to succeed in your agile project delivery.

What’s next?
The blog posts in this series will explain step-by-step how to procure agile services through the five stages, and at the series conclusion, your organization will better understand how to successfully procure and implement agile services. If you have questions or comments, please contact our team.  

Blog
Procuring agile vs. non-agile projects in five stages: An overview

Focus on the people: How higher ed institutions can successfully make an ERP system change

The enterprise resource planning (ERP) system is the heart of an institution’s business, maintaining all aspects of day-to-day operations, from student registration to staff payroll. Many institutions have used the same ERP systems for decades and face challenges to meet the changing demands of staff and students. As new ERP vendors enter the marketplace with new features and functionality, institutions are considering a change. Some things to consider:

  1. Don’t just focus on the technology and make change management an afterthought. Transitioning to a new ERP system takes considerable effort, and has the potential to go horribly wrong if sponsorship, good planning, and communication channels are not in place. The new technology is the easy part of a transition—the primary challenge is often rooted in people’s natural resistance to change.  
  2. Overcoming resistance to change requires a thoughtful and intentional approach that focuses on change at the individual level. Understanding this helps leadership focus their attention and energy to best raise awareness and desire for the change.
  3. One effective tool that provides a good framework for successful change is the Prosci ADKAR® model. This framework has five distinct phases that align with ERP change:

These phases provide an approach for developing activities for change management, preparing leadership to lead and sponsor change and supporting employees through the implementation of the change.

The three essential steps to leveraging this framework:

  1. Perform a baseline assessment to establish an understanding of how ready the organization is for an ERP change
  2. Provide sponsorship, training, and communication to drive employee adoption
  3. Prepare and support activities to implement, celebrate, and sustain participation throughout the ERP transition

Following this approach with a change management framework such as the Prosci ADKAR® model can help an organization prepare, guide, and adopt ERP change more easily and successfully. 

If you’re considering a change, but need to prepare your institution for a healthy ERP transition using change management, chart yourself on this ADKAR framework—what is your organization’s change readiness? Do you have appropriate buy-in? What problems will you face?

You now know that this framework can help your changes stick, and have an idea of where you might face resistance. We’re certified Prosci ADKAR® practitioners and have experience guiding Higher Ed leaders like you through these steps. Get in touch—we’re happy to help and have the experience and training to back it up. Please contact the team with any questions you may have.

1Prosci ADKAR®from http://www.prosci.com

Blog
Perspectives of an Ex-CIO

Law enforcement, courts, prosecutors, and corrections personnel provide many complex, seemingly limitless services. Seemingly is the key word here, for in reality these personnel provide a set number of incredibly important services.

Therefore, it should surprise no one that justice and public safety (J&PS) IT departments should also provide a well-defined set of services. However, these departments are often viewed as parking lots for all technical problems. The disconnect between IT and other J&PS business units often stems from differences in organizational culture and structure, and differing department objectives and goals. As a result, J&PS organizations often experience misperception between business units and IT. The solution to this disconnect and misperception? Defining IT department services.

The benefits of defined IT services

  1. Increased business customer satisfaction. Once IT services align with customer needs, and expectations are established (e.g., service costs and service level agreements), customers can expect to receive the services they agreed to, and the IT department can align staff and skill levels to successfully meet those needs.
  2. Improved IT personnel morale. With clear definition of the services they provide to their customers, including clearly defined processes for customers to request those services, IT personnel will no longer be subject to “rogue” questions or requests, and customers won’t be inclined to circumvent the process. This decreases IT staff stress and enables them to focus on their roles in providing the defined services. 
  3. Better alignment of IT services to organizational needs. Through collaboration between the business and IT organizations, the business is able to clearly articulate the IT services that are, and aren’t, required. IT can help define realistic service levels and associated services costs, and can align IT staff and skills to the agreed-upon services. This results in increased IT effectiveness and reduced confusion regarding what services the business can expect from IT.
  4. More collaboration between IT and the organization. The collaboration between the IT and business units in defining services results in an enhanced relationship between these organizations, increasing trust and clarifying expectations. This collaborative model continues as the services required by the business evolve, and IT evolves to support them.
  5. Reduced costs. J&PS organizations that fail to strategically align IT and business strategy face increasing financial costs, as the organization is unable to invest IT dollars wisely. When a business doesn’t see IT as an enabler of business strategy, IT is no longer the provider of choice—and ultimately risks IT services being outsourced to a third-party vendor.

Next steps
Once a J&PS IT department defines its services to support business needs, it then can align the IT staffing model (i.e., numbers of staff, skill sets, roles and responsibilities), and continue to collaborate with the business to identify evolving services, as well as remove services that are no longer relevant. Contact us for help with this next step and other IT strategies and tactics for justice and public safety organizations.

Blog
The definition of success: J&PS IT departments must define services

“The world is one big data problem,” says MIT scientist and visionary Andrew McAfee.

That’s a daunting (though hardly surprising) quote for many in data-rich sectors, including higher education. Yet blaming data is like blaming air for a malfunctioning wind turbine. Data is a valuable asset that can make your institution move.

To many of us, however, data remains a four-letter word. The real culprit behind the perceived data problem is our handling and perception of data and the role it can play in our success—that is, the relegating of data to a select, responsible few, who are usually separated into hardened silos. For example, a common assumption in higher education is that the IT team can handle it. Not so. Data needs to be viewed as an institutional asset, consumed by many and used by the institution for the strategic purposes of student success, scholarship, and more.

The first step in addressing your “big” data problem? Data governance.

What is data governance?

There are various definitions, but the one we use with our clients is “the ongoing and evolutionary process driven by leaders to establish principles, policies, business rules, and metrics for data sharing.”

Please note that the phrase “IT” does not appear anywhere in this definition.

Why is data governance necessary? For many reasons, including:

  1. Data governance enables analytics. Without data governance, it’s difficult to gain value from analytics initiatives which will produce inconsistent results. A critical first step in any data analytics initiative is to make sure that definitions are widely accepted and standards have been established. This step allows decision makers to have confidence in the data being analyzed to describe, predict, and improve operations.
     
  2. Data governance strengthens privacy, security, and compliance. Compliance requirements for both public and private institutions constantly evolve. The more data-reliant your world becomes, the more protected your data needs to be. If an organization does not implement security practices as part of its data governance framework, it becomes easier to fall out of compliance. 
     
  3. Data governance supports agility. How many times have reports for basic information (part-time faculty or student FTEs per semester, for example) been requested, reviewed, and returned for further clarification or correction? And that’s just within your department! Now add multiple requests from the perspective of different departments, and you’re surely going through multiple iterations to create that report. That takes time and effort. By strengthening your data governance framework, you can streamline reporting processes by increasing the level of trust you have in the information you are seeking. Understanding the value of data governance is the easy part/ The real trick is implementing a sustainable data governance framework that recognizes that data is an institutional asset and not just a four-letter word.

Stay tuned for part two of this blog series: The how of data governance in higher education. In the meantime, reach out to me if you would like to discuss additional data governance benefits for your institution.

Blog
Data is a four-letter word. Governance is not.

If you’ve been tasked with leading a high-impact project for your organization, you may find managing the scope, budget and schedule is not enough to ensure project success—especially when you encounter resistance to change. When embarking on large-scale change projects spanning people, processes and technology, appointing staff as “coaches” to help support stakeholders through the change—and to manage resistance to the change—can help increase adoption and buy-in for a new way of doing things.

The first step is to identify candidates for the coaching role. These candidates are often supervisory staff who have credibility in the organization—whether as a subject matter expert, through internal leadership, or from having a history of client satisfaction. Next, you need a work plan to orient them to this role. One critical component is making sure the coaches themselves understand what the change means for their role, and have fully committed before asking them to coach others. They may exhibit initial resistance to the change you will need to manage before they can be effective coaches. According to research done by Prosci®, a leading change management research organization, some of the most common reasons for supervisor resistance in large-scale change projects are:

  • Lack of awareness about and involvement in the change
  • Loss of control or negative impact on job role
  • Increased work load (i.e., lack of time)
  • Culture of change resistance and past failures
  • Impact to their team

You should anticipate encountering these and other types of resistance from staff while preparing them to be coaches. Once coaches buy into the change, they will need ongoing support and guidance to fulfill their role. This support will vary by individual, but may be correlated to what managerial skills they already possess, or don’t. How can you focus on developing coaching skills among your staff for purposes of the project? Prosci® recommends a successful change coach take on the following roles:

  • Communicator—communicate with direct reports about the change
  • Liaison—engage and liaise with the project team
  • Advocate—advocate and champion the change
  • Resistance manager—identify and manage resistance
  • Coach—coach employees through the change

One of the initial tasks for your coaches will be to assess the existing level of change resistance and evaluate what resistance you may encounter. Prosci® identifies three types of resistance management work for your coaches to begin engaging in as they meet with their employees about the change:

  • Resistance prevention―by providing engagement opportunities for stakeholders throughout the project, building awareness about the change early on, and reinforcing executive-level support, coaches can often head off expected resistance.
  • Proactive resistance management―this approach requires coaches to anticipate the needs and understand the characteristics of their staff, and assess how they might react to change in light of these attributes. Coaches can then plan for likely forms of resistance in advance, with a structured mitigation approach.
  • Reactive resistance management―this focuses on resistance that has not been mitigated with the previous two types of resistance management, but instead persists or endures for an extended amount of time. This type of management may require more analysis and planning, particularly as the project nears its completion date.

Do you have candidates in your organization who may need support transitioning into coaching roles? Do you anticipate change resistance among your stakeholders? Contact us and we can help you develop a plan to address your specific challenges.

Blog
How to identify and prepare change management coaches

Writing a Request for Proposal (RFP) for a new software system can be complex, time-consuming, and—let’s face it—frustrating, especially if you don’t often write RFPs. The process seems dogged by endless questions, such as:

  • How specific should the problem statement and system requirements be?
  • How can the RFP solicit a response that proves the vendor is qualified?
  • Should the RFP include legal terms and conditions? If so, which ones? 
  • Is there another strategy that can help cut down on size without forfeiting a quality response?

The public RFP process can be onerous for both the issuer and the respondents, as they can reach lengths upwards of 100 pages. And, while your procurement department would probably never let you get away with developing an RFP that is only one page, we know a smaller document requires less labor and time devoted to writing and reading. What if you could create a lean, mean, and focused RFP? Here are some tips for creating such a document: 

Describe the problem as simply as possible. At its core, an RFP is a problem statement—your organization has a particular problem, and it needs the right solution. To get the right solution, keep your RFP laser-focused: adequately but briefly convey your problem and desired outcomes, provide simple rules and guidelines for respondents to submit their proposed solutions, and clarify how you will evaluate responses to make a selection. Additional information can be white noise, making it harder for respondents to give you what you want: easy-to-read and evaluate proposals. Use bullet points and keep the narrative to a minimum.

Be creative and open about how vendors must respond. RFPs often have pages of directions on how vendors need to write responses or describe their products. The most important component is to emphasize vendor qualifications. Do you want to know if the vendor can deliver a quality product? Request sample deliverables from past projects. Also ask for the number of successful past projects, with statistics on the percent deviation to client schedule, budget, including explanations for large variances. Does your new system need to keep audit trails and product billing reports? Rely on a list of pass/fail requirements and then a separate table for nice-to-have or desired functionalities.

Save the legal stuff until the end. Consider including legal terms and conditions as an attachment instead of in the body of an RFP. If you’re worried about compliance, you can require respondents to attest in writing that they found, read, and understand your terms and conditions, or state that by responding to the RFP they have read and agreed to them. State that any requested deviations can be negotiated later to save space in the RFP. You can also decrease length by attaching a glossary of terms. What’s more, if you find yourself including language from your state’s procurement manual, provide a link to the manual itself instead.

Create a quality template to save time later. Chances are your organization has at least one RFP template you use to save time, but are you using that template because it gets you the best responses, or because you’re in the habit of using it? If your answer is the latter, it may be to time review and revise those old templates to reflect your current business needs. Maybe the writing style can be clearer and more concise, or sections combined or reordered to make the RFP more intuitive.

Qualify providers in advance and reduce the scope. Another time-saver is a pre-qualification, where solution providers propose on an RFP focused primarily on their experience and qualifications. Smaller statements of work are then issued to the qualified providers, allowing for shorter drafting, response, and award timelines. If procurement rules allow, break the procurement up into a requests for information (RFI) and then a smaller RFP.

Need additional RFP assistance?
A simplified RFP can reduce long hours needed to develop and evaluate responses to RFPs, while vendors have more flexibility to propose the solutions you need. To learn more about how BerryDunn’s extensive procurement experience can help your organization develop effective RFPs.
 

Blog
The one-page RFP: How to create lean, mean, and focused RFPs

As a new year is upon us, many people think about “out with the old and in with the new”. For those of us who think about technology, and in particular, blockchain technology, the new year brings with it the realization that blockchain is here to stay (at least in some form). Therefore, higher education leaders need to familiarize themselves with some of the technology’s possible uses, even if they don’t need to grasp the day-to-day operational requirements. Here’s a high-level perspective of blockchain to help you answer some basic questions.

Are blockchain and bitcoin interchangeable terms?

No they aren’t. Bitcoin is an electronic currency that uses blockchain technology, (first developed circa 2008 to record bitcoin transactions). Since 2008, many companies and organizations utilize blockchain technology for a multitude of purposes.

What is a blockchain?

In its simplest terms, a blockchain is a decentralized, digital list (“chain”) of timestamped records (“blocks”) that are connected, secured by cryptography, and updated by participant consensus.

What is cryptography?

Cryptography refers to converting unencrypted information into encrypted information—and vice versa—to both protect data and authenticate users.

What are the pros of using blockchain?

Because blockchain technology is inherently decentralized, you can reduce the need for “middleman” entities (e.g., financial institutions or student clearinghouses). This, in turn, can lower transactional costs and other expenses, and cybersecurity risks—as hackers often like to target large, info-rich, centralized databases.

Decentralization removes central points of failure. In addition, blockchain transactions are generally more secure than other types of transactions, irreversible, and verifiable by the participants. These transaction qualities help prevent fraud, malware attacks, and other risks and issues prevalent today.

What are the cons of using blockchain technology?

Each blockchain transaction requires signature verification and processing, which can be resource-intensive. Furthermore, blockchain technology currently faces strong opposition from certain financial institutions for a variety of reasons. Finally, although blockchains offer a secure platform, they are not impervious to cyberattacks. Blockchain does not guarantee a hacker-proof environment.

How can blockchain benefit higher education institutions?

Blockchain technology can provide higher education institutions with a more secure way of making and recording financial transactions. You can use blockchains to verify and transfer academic credits and certifications, protect student personal identifiable information (PII) while simultaneously allowing students to access and transport their PII, decentralize academic content, and customize learning experiences. At its core, blockchain provides a fresh alternative to traditional methods of identity verification, an ongoing challenge for higher education administration.

As blockchain becomes less of a buzzword and begins to expand beyond the realm of digital currency, colleges and universities need to consider it for common challenges such as identity management, application processing, and student credentialing. If you’d like to discuss the potential benefits blockchain technology provides, please contact me.

Blog
Higher education and blockchain 101: It's not just for bitcoin anymore

Your government agency just signed the contract to purchase and implement a shiny new commercial off-the-shelf (COTS) software to replace your aging legacy software. The project plan and schedule are set; the vendor is ready to begin configuration and customization tasks; and your team is eager to start the implementation process.

You are, in a word, optimistic. But here comes the next phase of the project—the gap analysis, in which your project team and the vendor’s project team test the new software to see how well it fulfills your requirements. Spending sufficient time and energy on the gap analysis increases the likelihood the resulting software is configured to support the desired workflows and processes of the agency, while taking advantage of the software’s features and benefits. Yet this phase can be stressful because it will identify some gaps between what you want and what the software can provide.

While some of the gaps may be resolved by simple adjustments to software configuration, others may not—and can result in major issues impacting project scope, schedule, and/or cost. How do you resolve these major gaps?

Multiple Methods. Don’t let your optimism die on the vine. There are, in fact, multiple ways to address major gaps to keep you on schedule and on budget. They include:

Documenting a change request through a formal change control process. This will likely result in the vendor documenting the results of the new project scope. This, in turn, may impact the project’s schedule and cost. It promotes best practice by formally documenting approved changes to project scope, including any impact on schedule and cost. However, the change request process may take longer than you may originally anticipate, as it includes:

Documenting the proposed change
Scoping the change, including the impact on cost and schedule
Review of the proposed scope change with the project team and vendor
Final approval of the change before the vendor can begin work

Collaborating with the vendor on a solution that fits within the confines of the selected software. With no actual customization required, this may result in a functionality compromise, and may also involve compromise by the project team and the vendor. However, it does not require a formal process to document and approve a change in scope, schedule or cost, since there are no impacts on these triple constraints.

Collaborating with the vendor and internal project stakeholders to redefine business processes. This may or may not result in a change request. It also promotes best practice, as the business processes become more efficient, and are supported by the selected software product without customization. This will require a focus on organizational change management, since the resulting processes are not reflective of the “way things are done today.”

Accepting the gap—and doing nothing. If the gap has little or no impact on business process efficiency or effectiveness, this method is likely the least impactful on the project, as there are no changes to scope, schedule, or cost. However, the concept of “doing nothing” to address the gap may have the same organizational change ramifications as the previous point.

Of course, there are other methods for addressing major software gaps. The BerryDunn team brings experience in facilitating discussions with agencies and their vendors to discuss gaps, their root causes, and possible solutions. We leverage a combination of project management discipline, organizational change management qualifications, and deep expertise to help clients increase the success likelihood for COTS software implementations—while maintaining their vital relationships with vendors.

Blog
Grappling with software gaps

State governments regularly negotiate contracts with vendors. Unfortunately, these negotiations are often prolonged, which can have major downstream effects on projects, procurements, and implementations—including skewed timelines, delayed milestones, and increased costs. Here are five suggestions for shortening contract negotiations. 

  1. Limit project scope. Leaner project scope equals shorter contract negotiations. Conversely, the sheer number of requirements, terms, and conditions for larger projects naturally inflate negotiations. Limiting scope means being conservative in what you are looking to achieve. Planning a core systems modernization? They can cost tens of millions of dollars. Limit scope (and cost) to just certain modules. If, for example, you have an ERP modernization, limit projects and procurements to key modules and milestones. 
  2. Use project management techniques. Treat the negotiation like a small project. For example, compile a list of tasks and deadlines, as well as names for necessary signatures. Develop a project plan and hold weekly check-ins to keep things on track. Assign someone in your organization as a single point of contact to help shepherd the contract through the process. 
  3. Make the vendor’s proposal part of the contract?verbatim. Some states still require copying the proposal response into a contract document, and that often requires modification of proposal language, which slows things down. Attach the solution proposal to the contract cover pages(s) so that the proposal is there, word for word. 
  4. Have vendors define deliverables, except for the minimum deliverables you must have. Vendors should know how to deliver their product and services and should include items they expect to be paid for, such as completion of a development cycle, software licenses, and a gap analysis report. Rather than define what deliverables you need, let the vendors define them, except for any mandatory ones, such as a training or testing plan. Ask for interim or draft versions of training or testing plans as part of proposal submission. 
  5. Tell vendors ahead of time what the payment constraints are. As a state government, you are bound by budget cycles and authority to spend. You also want working product tied to payment. With both factors in mind, tell vendors up front how much of the contract can be paid in a certain year and how much you are willing to tie to what deliverables. Don’t want to pay more than, say 40% of the project cost for non-software deliverables? Say so. Vendors can then plan their paydays and deliverable sequence accordingly. 

    You can also save time and effort by not negotiating at all. States often assume there will be, or allow for, negotiation periods. Yet states can make clear that no negotiation will occur after contract award—or limit what can be negotiated to a small, finite number of items. To prepare for this approach, states should gleam vendor stipulations ahead of time, and perhaps even score vendors on the number or type of stipulations. Use a pre-award proposal clarification period to clarify any terms or demands that are unfavorable to the state and consider ranking or evaluating proposals on the number of objections to terms/conditions raised. 

States should feel empowered to shorten (or, when appropriate, even eliminate) contract negotiations. After all, state time is state money.

Blog
Meet deadlines and cut costs: Five steps to faster contract negotiations

Modernization means different things to different people—especially in the context of state government. For some, it is the cause of a messy chain reaction that ends (at best) in frustration and inefficiency. For others, it is the beneficial effect of a thoughtful and well-planned series of steps. The difference lies in the approach to transition - and states will soon discover this as they begin using the new Comprehensive Child Welfare Information System (CCWIS), a case management information system that helps them provide citizens with customized child welfare services.

The benefits of CCWIS are numerous and impressive, raising the bar for child welfare and providing opportunities to advance through innovative technology that promotes interoperability, flexibility, improved management, mobility, and integration. However, taking advantage of these benefits will also present challenges. Gone are the days of the cookie-cutter, “one-size-fits-all” approach. Here are five facts to consider as you transition toward an effective modernization.

  1. There are advantages and challenges to buying a system versus building a system internally. CCWIS transition may involve either purchasing a complete commercial off-the-shelf (COTS) product that suits the state, or constructing a new system internally with the implementation of a few purchased modules. To decide which option is best, first assess your current systems and staff needs. Specifically, consider executing a cost-benefit analysis of options, taking into account internal resource capabilities, feasibility, flexibility, and time. This analysis will provide valuable data that help you assess the current environment and identify functional gaps. Equipped with this information, you should be ready to decide whether to invest in a COTS product, or an internally-built system that supports the state’s vision and complies with new CCWIS regulations.
     
  2. Employ a modular approach to upgrading current systems or building new systems. The Children’s Bureau—an office of the Administration for Children & Families within the U.S. Department of Health and Human Services—defines “modularity” as the breaking down of complex functions into separate, manageable, and independent components. Using this modular approach, CCWIS will feature components that function independently, simplifying future upgrades or procurements because they can be completed on singular modules rather than the entire system. Modular systems create flexibility, and enable you to break down complex functions such as “Assessment and Intake,” “Case Management,” and “Claims and Payment” into modules during CCWIS transition. This facilitates the development of a sustainable system that is customized to the unique needs of your state, and easily allows for future augmentation.
     
  3. Use Organizational Change Management (OCM) techniques to mitigate stakeholder resistance to change. People are notoriously resistant to change. This is especially true during a disruptive project that impacts day-to-day operations—such as building a new or transitional CCWIS system. Having a comprehensive OCM plan in place before your CCWIS implementation can help ensure that you assign an effective project sponsor, develop thorough project communications, and enact strong training methods. A clear OCM strategy should help mitigate employee resistance to change and can also support your organization in reaching CCWIS goals, due to early buy-in from stakeholders who are key to the project’s success.
     
  4. Data governance policies can help ensure you standardize mandatory data sharing. For example, the Children’s Bureau notes that a Title IV-E agency with a CCWIS must support collaboration, interoperability, and data sharing by exchanging data with Child Support Systems?Title IV-D, Child Abuse/Neglect Systems, Medicaid Management Information Systems (MMIS), and many others as described by the Children’s Bureau.

    Security is a concern due to the large amount of data sharing involved with CCWIS systems. Specifically, if a Title IV-E agency with a CCWIS does not implement foundational data security measures across all jurisdictions, data could become vulnerable, rendering the system non-compliant. However, a data governance framework with standardized policies in place can protect data and surrounding processes.
     
  5. Continuously refer to federal regulations and resources. With the change of systems comes changes in federal regulations. Fortunately, the Children’s Bureau provides guidance and toolkits to assist you in the planning, development, and implementation of CCWIS. Particularly useful documents include the “Child Welfare Policy Manual,” “Data Sharing for Courts and Child Welfare Agencies Toolkit,” and the “CCWIS Final Rule”. A comprehensive list of federal regulations and resources is located on the Children’s Bureau website.

    Additionally, the Children’s Bureau will assign an analyst to each state who can provide direction and counsel during the CCWIS transition. Continual use of these resources will help you reduce confusion, avoid obstacles, and ultimately achieve an efficient modernization program.

Modernization doesn’t have to be messy. Learn more about how OCM and data governance can benefit your agency or organization.

Blog
Five things to keep in mind during your CCWIS transition

Truly effective preventive health interventions require starting early, as evidenced by the large body of research and the growing federal focus on the role of Medicaid in addressing Social Determinants of Health (SDoH) and Adverse Childhood Experiences (ACEs).

Focusing on early identification of SDoH and ACEs, CMS recently announced its Integrated Care for Kids (InCK) model and will release the related Notice of Funding Opportunity this fall.

CMS describes InCK as a child-centered approach that uses community-based service delivery and alternative payment models (APMs) to improve and expand early identification, prevention, and treatment of priority health concerns, including behavioral health issues. The model’s goals are to improve child health, reduce avoidable inpatient stays and out-of-home placement, and create sustainable APMs. Such APMs would align payment with care quality and support provider/payer accountability for improved child health outcomes by using care coordination, case management, and mobile crisis response and stabilization services.

State Medicaid agencies have many things to consider when evaluating this funding opportunity. Building on current efforts and innovations, building or leveraging strong partnerships with community organizations, incentivizing evidence-based interventions, and creating risk stratification of the target population are critical parts of the InCK model. Here are three additional areas to consider:

1. Data. States will need information for early identification of children in the target population. State agencies?like housing, justice, child welfare, education, and public health have this information?and external organizations—such as childcare, faith-based, and recreation groups—are also good sources of early identification. It is immensely complicated to access data from these disparate sources. State Medicaid agencies will be required to support local implementation by providing population-level data for the targeted geographic service area.

  • Data collection challenges include a lack of standardized measures for SDoH and ACEs, common data field definitions, or consistent approaches to data classification; security and privacy of protected health information; and IT development costs.
  • Data-sharing agreements with internal and external sources will be critical for state Medicaid agencies to develop, while remaining mindful of protected health information regulations.
  • Once data-sharing agreements are in place, these disparate data sources, with differing file structures and nomenclature, will require integration. The integrated data must then be able to identify and risk-stratify the target population.

For any evaluative approach or any APM to be effective, clear quality and outcome measures must be developed and adopted across all relevant partner organizations.

2. Eligibility. Reliable, integrated eligibility and enrollment systems are crucial points of identification and make it easier to connect to needed services.

  • Applicants for one-benefit programs should be screened for eligibility for all programs they may need to achieve positive health outcomes.
  • Any agency at which potential beneficiaries appear should also have enrollment capability, so it is easier to access services.

3. Payment models. State Medicaid agencies may cover case management services and/or targeted case management as well as health homes; leverage Early and Periodic Screening, Diagnostic, and Treatment (EPSDT) services; and modify managed care organization contract language to encourage, incent, and in some cases, require services related to the InCK model and SDoH. Value-based payment models, already under exploration in numerous states, include four basic approaches:

  • Pay for performance—provider payments are tied directly to specific quality or efficiency indicators, including health outcomes under the provider organization’s control. 
  • Shared savings/risk—some portion of the organization’s compensation depends on the managed care entity achieving cost savings for the targeted patient population, while realizing specific health outcomes or quality improvement.
  • Pay for success—payment is dependent upon achieving desired outcomes rather than underlying services.
  • Capitated or bundled payments—managed care entities pay an upfront per member per month lump sum payment to an organization for community care coordination activities and link that with fee-for-service reimbursement for delivering value-added services.

By focusing on upstream prevention, comprehensive service delivery, and alternative payment models, the InCK model is a promising vehicle to positively impact children’s health. Though its components require significant thought, strategy, coordination, and commitment from state Medicaid agencies and partners, there are early innovators providing helpful examples and entities with vast Section 1115 waiver development and Medicaid innovation experience available to assist.

As state Medicaid agencies develop and implement primary and secondary prevention, cost savings can be achieved while meaningful improvements are made in children’s lives.

Blog
Three factors state medicaid agencies should consider when applying for InCK funding

Cloud services are becoming more and more omnipresent, and rapidly changing how companies and organizations conduct their day-to-day business.

Many higher education institutions currently utilize cloud services for learning management systems (LMS) and student email systems. Yet there are some common misunderstandings and assumptions about cloud services, especially among higher education administrative leaders who may lack IT knowledge. The following information will provide these leaders with a better understanding of cloud services and how to develop a cloud services strategy.

What are cloud services?

Cloud services are internet-based technology services provided and/or hosted by offsite vendors. Cloud services can include a variety of applications, resources, and services, and are designed to be easily scalable, cost effective, and fully managed by the cloud services vendor.

What are the different types?

Cloud services are generally categorized by what they provide. Today, there are four primary types of cloud services:

Cloud Service Types 

Cloud services can be further categorized by how they are provided:

  1. Private cloud services are dedicated to only one client. Security and control is the biggest value for using a private cloud service.
  2. Public cloud services are shared across multiple clients. Cost effectiveness is the best value of public cloud services because resources are shared among a large number of clients.
  3. Hybrid cloud services are combinations of on-premise software and cloud services. The value of hybrid cloud services is the ability to adopt new cloud services (private or public) slowly while maintaining on-premise services that continue to provide value.

How do cloud services benefit higher education institutions?

Higher education administrative leaders should understand that cloud services provide multiple benefits.
Some examples:

Cloud-Services-for-Higher-Education


What possible problems do cloud services present to higher education institutions?

At the dawn of the cloud era, many of the problems were technical or operational in nature. As cloud services have become more sophisticated, the problems have become more security and business related. Today, higher education institutions have to tackle challenges such as cybersecurity/disaster recovery, data ownership, data governance, data compliance, and integration complexities.

While these problems and questions may be daunting, they can be overcome with strong leadership and best-practice policies, processes, and controls.

How can higher education administrative leaders develop a cloud services strategy?

You should work closely with IT leadership to complete this five-step planning checklist to develop a cloud services strategy: 

1. 

Identify new services to be added or consolidated; build a business case and identify the return on investment (ROI) for moving to the cloud, in order to answer:

• 

What cloud services does your institution already have?

• 

What cloud services does your institution already have?

• 

What services should you consider replacing with cloud services, and why?

• 

How are data decisions being made?

2. 

Identify design, technical, network, and security requirements (e.g., private or public; are there cloud services already in place that can be expanded upon, such as a private cloud service), in order to answer:

• 

Is your IT staff ready to migrate, manage, and support cloud services?

• 

Do your business processes align with using cloud services?

• 

Do cloud service-provided policies align with your institution’s security policies?

• 

Do you have the in-house expertise to integrate cloud services with existing on-premise services?

3. 

Decide where data will be stored; data governance (e.g., on-premise, off-premise data center, cloud), in order to answer:

• 

Who owns the data in the institution’s cloud, and where?

• 

Who is accountable for data decisions?

4. 

Integrate with current infrastructure; ensure cloud strategy easily allows scalability for expansion and additional services, in order to answer:

• 

What integration points will you have between on-premise and cloud applications or services, and can the institution easily implement, manage, and support them?

5. 

Identify business requirements — budget, timing, practices, policies, and controls required for cloud services and compliance, in order to answer:

• 

Will your business model need to change in order to support a different cost model for cloud services (i.e., less capital for equipment purchases every three to five years versus a steady monthly/yearly operating cost model for cloud services)?

• 

Does your institution understand the current state and federal compliance and privacy regulations as they relate to data?

• 

Do you have a contingency plan if its primary cloud services provider goes out of business?

• 

Do your contracts align with institutional, state, and federal guidelines?

Need assistance?

BerryDunn’s higher education team focuses on advising colleges and universities in improving services, reducing costs, and adding value. Our team is well qualified to assist in understanding the cloud “skyscape.” If your institution seeks to maximize the value of cloud services or develop a cloud services strategy, please contact me.

Blog
Cloud services 101: An almanac for higher education leaders

The late science fiction writer (and college professor) Isaac Asimov once said: “I do not fear computers. I fear the lack of them.” Had Asimov worked in higher ed IT management, he might have added: “but above all else, I fear the lack of computer staff.”

Indeed, it can be a challenge for higher education institutions to recruit and retain IT professionals. Private companies often pay more in a good economy, and in certain areas of the nation, open IT positions at colleges and universities outnumber available, qualified IT workers. According to one study from 2016, almost half of higher education IT workers are at risk of leaving the institutions they serve, largely for better opportunities and more supportive workplaces. Understandably, IT leadership fears an uncertain future of vacant roles—yet there are simple tactics that can help you improve the chances of filling open positions.

Emphasize the whole package

You need to leverage your institution’s strengths when recruiting IT talent. A focus on innovation, project leadership, and responsibility for supporting the mission of the institution are important attributes to promote when recruiting. Your institution should sell quality of life, which can be much more attractive than corporate culture. Many candidates are attracted to the energy and activity of college campuses, in addition to the numerous social and recreational outlets colleges provide.

Benefit packages are another strong asset for recruiting top talent. Schools need to ensure potential candidates know the amount of paid leave, retirement, and educational assistance for employees and employee family members. These added perks will pique the interest of many candidates who might otherwise have only looked at salary during the process.

Use the right job title

Some current school vacancies have very specific job titles, such as “Portal Administrator” or “Learning Multimedia Developer.” However, this specificity can limit visibility on popular job posting sites, reducing the number of qualified applicants. Job titles, such as “Web Developer” and “Java Developer,” can yield better search results. Furthermore, some current vacancies include a number or level after the job title (e.g., “System Administrator 2”), which also limits visibility on these sites. By removing these indicators, you can significantly increase the applicant pool.

Focus on service, not just technology

Each year, institutions deploy an increasing number of Software as a Service (SaaS) and hosted applications. As higher education institutions invest more in these applications, they need fewer personnel for day-to-day technology maintenance support. In turn, this allows IT organizations to focus limited resources on services that identify and analyze technology solutions, provide guidance to optimize technology investments, and manage vendor relationships. IT staff with soft skills will become even more valuable to your institution as they engage in more people- and process-centric efforts.

Fill in the future

It may seem like science fiction, but by revising your recruiting and retention tactics, your higher education institution can improve its chances of filling IT positions in a competitive job market. In a future blog, I’ll provide ideas for cultivating staff from your institution via student workers and upcoming graduates. If you’d like to discuss additional staffing tactics, send me an email.

Blog
No science fiction: Tactics for recruiting and retaining higher education IT positions

When an organization wants to select and implement a new software solution, the following process typically occurs:

  1. The organization compiles a list of requirements for essential and non-essential (but helpful) functions.
  2. The organization incorporates the requirements into an RFP to solicit solutions from vendors.
  3. The organization selects finalist vendors to provide presentations and demonstrations.
  4. The organization selects one preferred vendor based on various qualifications, including how well the vendor’s solution meets the requirements listed in the RFP. A contract between the organization and vendor is executed for delivery of the solution.
  5. The preferred vendor conducts a gap analysis to see if there are gaps between the requirements and its solution—and discloses those gaps.
  6. The preferred vendor resolves the gaps, which often results in change orders, cost adjustments, and delays.

Sound painful? It can be. Step #5—the gap analysis, and its post-contract timing—is the main culprit. However, without it, an organization will be unaware of solution shortcomings, which can lead to countless problems down the road. So what’s an organization to do?

A Possible Solution
One suggestion: Don’t wait until you choose the preferred vendor for a gap analysis. Have finalist vendors conduct pre-contract gap analyses for you.

You read that right. Pay each finalist vendor to visit your organization for a week to learn about your current and desired software needs. Then pay them to develop and present a report, based on both the RFP and on-site discussions, which outlines how their solution will meet your current and desired software needs—as well as how they will meet any gaps. Among other things, a pre-contract gap analysis will help finalist vendors determine:

  • Whether programming changes are necessary to meet requirements
  • Whether functions can be provided through configuration setup, changes in database tables, or some other non-customized solution
  • What workarounds will be necessary
  • What functionalities they can't, or won't, provide

Select a preferred vendor based on both their initial proposal and solution report.
Of course, to save time and money, you could select only one finalist vendor for the pre-contract gap analysis. But having multiple finalist vendors creates a competitive environment that can benefit your organization, and can prevent your organization from having to go back to other vendors if you’re dissatisfied with the single finalist vendor’s proposal and solution report, or if contract negotiations prove unsuccessful.

Pros
You can set realistic expectations. By having finalist vendors conduct gap analyses during the selection process, they will gain a better understanding of your organization, and both your essential and nonessential software needs. In turn, your organization gets a better understanding of the functionality and limitations of the proposed solutions. This allows your organization to pinpoint costs for system essentials, including costs to address identified gaps. Your organization can also explore the benefits and costs of optional functions. Knowing the price breakdowns ahead of time will allow your organization to adjust its system requirements list.

You can reduce the need for, or pressure to accept, scope changes and change orders. Adding to, or deleting from, the scope of work after solution implementation is underway can create project delays and frustration. Nailing down gaps—and the preferred vendor’s solutions to meet those gaps—on the front end increases efficiency, helps to ensure best use of project resources, and minimizes unnecessary work or rework. It may also save you expense later on in the process.

Cons
You will incur additional up-front costs. Obviously, your organization will have to pay to bring finalist vendors on-site so they can learn the intricacies of your business and technical environment, and demonstrate their proposed solutions. Expenses will include vendors’ time, costs for transportation, lodging, and meals. These costs will need to be less than those typically incurred in the usual approach, or else any advantage to the modified gap analysis is minimized.

You might encounter resistance. Some finalist vendors might not be willing to invest the time and effort required to travel and conduct gap analyses for a system they may not be selected to implement. They will be more interested in the larger paycheck. Likewise, stakeholders in your own organization might feel that the required costs and time investments are impractical or unrealistic. Remind staff of the upfront investment and take note of which vendors are willing to do the same.

Blog
The pros and cons of pre-contract gap analyses

People are naturally resistant to change. Employees facing organizational change that will impact day-to-day operations are no exception, and they can feel threatened or fearful of what that change will bring. Even more challenging are multiyear initiatives where the project’s completion is years away.

How can your agency or organization help employees prepare for change—and stay motivated for an outcome—many years in the making?


Start With the Individual

Organizational change requires individual change. For the change to be successful and lasting, an agency should apply organizational change management strategies that help lead people to your desired outcome.

With any new project or initiative, people need to understand why the project is happening before they support it. Communicate the reasons for the change—and the benefit to the employee (what’s in it for them)—so each individual is more inclined to actively support the project. Clearly communicating the why at the onset of the project can help employees feel vested in, and part of, the change. As Socrates said, “The secret of change is to focus all your energy, not on fighting the old, but building the new.” A clear vision can inspire each employee’s desire for the “new” to succeed.

Shift to Individual Goals

It’s a challenge to maintain your employees’ motivation for an organizational change occurring over the long haul. Below are some suggestions on how to sustain interest and enthusiasm for multi-year projects:

  1. Break the project down into smaller, specific milestones. Short-term goals highlight important deadlines and create tangible progress points to reach and celebrate. The master project schedule should be an integration of the organizational change management plan and the project management plan so any resource constraints you identify in the project management plan also become an input when identifying change management resources and activity levels. This integration also highlights the importance of key organizational change management milestones and activities in an effort to ensure they are on a parallel tack as traditional project tasks.
  2. Effectively communicate status updates and successes. In large, agency-wide projects, there are often a variety of stakeholders, each with different communication expectations and needs. The methods, content, and frequency of communication will vary accordingly. Develop a communications strategy as part of your organizational change management plan, to identify who will be responsible to send communications, when and how they will be sent, key messages of the communications, and what feedback mechanisms are in place to continue the conversation after initial delivery. For example, the project team needs a different level of detail than the legislature, or the public. Making the content relevant to each stakeholder group is important because it gives each group what they need to know so they don’t drown in a flood of unneeded information.
  3. Create buy-in by involving employees. A feeling of ownership naturally results from participation in a project, which helps increase enthusiasm. Often the time to do this is when discussing changes to business processes. Once you determine the mandatory features of the future state, (e.g., financial controls, legal requirements, legislative mandates) consider including stakeholder feedback on decisions more focused on preference. It is important for stakeholders to see their suggestions accepted and implemented, or if not implemented, that there was at least a structured process for thoughtfully considering their feedback, and a business case for why their suggestions didn’t make it into the project.
  4. Conduct lessons learned assessments after each major milestone. The purpose of conducting lessons learned activities is to capture what worked and what didn’t. Using surveys or other feedback systems, such as debrief meetings, allows stakeholders to voice their thoughts or concerns. By soliciting feedback after each milestone, leadership can quickly adapt to challenges, address any misunderstandings or concerns, and capitalize on successes.
  5. Reinforce how the project meets the goals of the agency or organization. Maintaining enthusiasm and support for a long-term goal takes a constant reminder of the overall organizational goals. It is important for senior leadership to communicate the impact of the project on the agency or organization and to stakeholders and keep the project at the forefront of people’s minds. Project goals may change during the duration of the project, but the project sponsor should continue to be active and visible in communicating the goals and leading the project.

Change is difficult—change that is years in the making is even more challenging. Applying a structured organizational change management process and using these tips can help keep employees energized and help ensure you reach the desired project goals.

Blog
Change management: Keeping employees motivated during multiyear projects

While new software applications help you speed up processes and operations, deciding which ones will work best for your organization can quickly evolve into analysis paralysis, as there are so many considerations.

Case in point: Software as a Service (SaaS) model
The benefits of the SaaS model, in which a vendor remotely hosts an organization’s applications, are fairly well known: your organization doesn’t have to shell out for costly hardware, the vendor tackles upgrades, backups, data recovery, and security, and you have more time and money to focus on your business goals.

There are multiple factors to look at when determining whether a SaaS solution is right for you. We’ve compiled a list of the top three SaaS considerations:

1. Infrastructure and capacity
Your organization should consider your own people, processes, and tools when determining whether SaaS makes sense. While an on-site solution may require purchasing new technologies, hiring new staff, and realigning current roles and responsibilities to maintain the system, maintaining a SaaS solution may also require infrastructure updates, such as increased bandwidth to sufficiently connect to the vendor's hosting site.

Needless to say, it’s one thing to maintain a solution; it’s an entirely different thing to keep it secure. An on-site hosting solution requires constant security upgrades, internal audits, and a backup system—all of which takes time and money. A SaaS model requires trust in your vendor to provide security. Make sure your potential vendor uses the latest security measures and standards to keep your critical business data safe and secure.

2. Expense
When you purchase major assets—for example, hardware to host its applications—it incurs capital expenses. Conversely, when you spend money on day-to-day operations (SaaS subscriptions), it incurs operating expenses.

You should weigh the pros and cons of each type of expense when considering a SaaS model. On-site upfront capital expenses for hosting hardware are generally high, and expenses can spike overtime when you update the technology, which can be difficult to predict. And don’t forget about ongoing costs for maintenance, software upgrades, and security patches.

In the SaaS model, you spread out operating costs over time and can predict costs because you are paying via subscription—which generally includes costs for maintenance, software upgrades, and security patches. However, remember you can depreciate capital expenses over time, whereas the deductibility of operating expenses are generally for the year you use them.

3. Vendor viability
Finally, you need to conduct due diligence and vet SaaS vendors before closing the deal. Because SaaS vendors assume the responsibility for vital processes, such as data recovery and security, you need to make sure the potential vendor is financially stable and has a sustainable business model. To help ensure you receive the best possible service, select a vendor considered a leader in its market sector. Prepare a viable exit strategy beforehand so you can migrate your business processes and data easily in case you have any issues with the SaaS provider.

You must read—and understand—the fine print. This is especially important when it comes to the vendor’s policies toward data ownership and future migrations to other service providers, should that become necessary. In other words: Make sure you have final say and control over your data.

Every organization has different aspects of their situation to consider when making a SaaS determination. Want to learn more? It’s a snap! Contact the authors: Clark Lathrum and Matthew Tremblay

Blog
SaaS: Is it right for you? Making SaaS determinations a snap.

Over the course of its day-to-day operations, every organization acquires, stores, and transmits Protected Health Information (PHI), including names, email addresses, phone numbers, account numbers, and social security numbers.

Yet the security of each organization’s PHI varies dramatically, as does its need for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Organizations that meet the definition of a covered entity or business associate under HIPAA must comply with requirements to protect the privacy and security of health information.

Noncompliance can have devastating consequences for an organization, including:

  • Civil violations, with fines ranging from $100 to $50,000 per violation
  • Criminal penalties, with fines ranging from around $50,000 to $250,000, plus imprisonment

All it takes is just one security or privacy breach. As breaches of all kinds continue to rise, this may be the perfect time to evaluate the health of your organization’s HIPAA compliance. To keep in compliance and minimize your risk of a breach, your organization should have:

  • An up-to-date and comprehensive HIPAA security and privacy plan
  • Comprehensive HIPAA training for employees
  • Staff who are aware of all PHI categories
  • Sufficiently encrypted devices and strong password policies

HIPAA Health Check: A Thorough Diagnosis

If your organization doesn’t have these safeguards in place, it’s time to start preparing for the worst — and undergo a HIPAA health check.

Organizations need to understand what they have in place, and where they need to bolster their practice. Here are a variety of fact-finding methods and tools we recommend, including (but not limited to):

  • Administrative, technical, and physical risk analyses
  • Policy, procedure, and business documentation reviews
  • Staff surveys and interviews
  • IT audits and testing of data security

Once you have diagnosed your organization’s “as-is” status, you need to move your organization toward the “to-be” status — that is, toward HIPAA compliance — by:

  • Prioritizing your HIPAA security and privacy risks
  • Developing tactics to mitigate those risks
  • Providing tools and tactics for security and privacy breach prevention and minimization
  • Creating or updating policies, procedures, and business documents, including a HIPAA security and privacy plan

As each organization is different, there are many factors to consider as you go through these processes, and customize your approach to the HIPAA-compliance needs of your organization.

The Road to Wellness

An ounce of prevention is worth a pound of cure. Don’t let a security or privacy breach jump-start the compliance process. Reach out to us for a HIPAA health check. Contact us if you have any questions on how to get your organization on the road to wellness.

Blog
How healthy is your organization's HIPAA compliance?

As a leader in a higher education institution, you'll be familiar with this paradox: Every solution can lead to more problems, and every answer can lead to more questions. It’s like navigating an endless maze. When it comes to mobile apps, the same holds true. So, the question: Should your institution have a mobile app? The Answer? Absolutely.

Devices, not computers, are how millenials communicate, gather, inform, and engage. Millennials, on average, spend 90 hours per month on mobile apps, not including web searches and website visits.

Students are no exception. A 2016 Nielsen study showed that 98% of millennials aged 18 – 24, and 97% of millennials aged 25 – 34, owned a smartphone, while a 2017 comScore report stated that one out of five millennials no longer use desktop devices, including laptops. Mobile apps have quickly filled the desktop void, and as students grow more reliant on mobile technology, colleges and universities are in the mix, creating apps to bolster student engagement.

So should you create an app? Here are some questions you should answer before creating a mobile app. Welcome to the labyrinth! But don’t be frustrated—answer these questions to help you avoid dead ends and overspending.

1. Is a mobile app part of your IT Strategy? Including a mobile app in your IT strategy minimizes confusion at all levels about the objectives of mobile app implementation. It also helps dictate whether an institution needs multiple mobile apps for various functions, or a primary app that connects users with other functionality. If an institution has multiple campuses, should you align all campuses with a single app, or if will each campus develop their own?

2. What will the app do? Mobile apps can perform a multitude of functions, but for the initial implementation, select a few key functions in one main area, such as academics or student life. Institutions can then add functionality in the future as mobile adoption grows, and demand for more functions increases.

3. Who will use the app? Mobile apps certainly improve engagement throughout the student life cycle—from prospect to student to alumni—but they also present opportunities for increased faculty, staff, and community engagement. And while institutions should identify the immediate audience of the app, they should also identify future users, based upon functionality.

4. Who will manage the app? Institutions should determine who is going to manage the mobile app, and how. The discussion should focus on access, content, and functionality. Is the institution going to manage everything in house, from development to release to support, or will a mobile app vendor provide this support under contract? Depending on your institution, these discussions will vary.

5. What data will the app use? Like any new software system, an app is only as good as its supporting data. It’s important to assess the systems to integrate with the mobile app, and determine if the systems’ data is up-to-date and ready for integration. Consider the use of application program interfaces, or APIs. APIs allow apps and platforms to interact with one another. They can enable social media, news, weather, and entertainment apps to connect with your institution’s app, enhancing the user experience with more content for users.

6. How much data security does your app need? Depending on the functionality of the app you create, you will need varying degrees of security, including user authentication safeguards and other protections to keep information safe.

7. How much can you spend for the app? Your institution should decide how much you will spend on initial app development, with an eye toward including maintenance and development costs for future functionality. Complexity increases costs, so you will need to  budget accordingly. Include budget planning for updates and functionality improvements after launch.

You will also need to establish a timeline for the project and roll out. And note that apps deployed toward the end of the academic year experience less adoption than apps deployed at the beginning of the academic year.

Once your institution answers these questions, you will be off to a good start. And as I stated earlier, every answer to a question can lead to more questions. If your institution needs help navigating the mobile app labyrinth, please reach out to me

Blog
The mobile app labyrinth: Seven questions higher education institutions should ask

Private-sector pundits love to drone on about drones! Also known as Unmanned Aircraft Systems (UASs), drones are dramatically altering processes and increasing opportunities in the for-profit world. There is no doubt that these changes and resulting benefits are helping to increase drone usage; in March 2017, technology news website Recode reported that since December 2015 almost 800,000 drones had been registered with the Federal Aviation Administration (FAA).

Yet private businesses don’t operate all 800,000. Various government organizations have seen the value of UASs—especially local government agencies—and are using them. Public safety departments are using UASs to reduce risk and increase situational awareness during hostage negotiations, SWAT operations, search and rescue, firefighting, accident investigations, hazardous material situations, and disaster surveillance. Many use drones to quickly (and inexpensively) document projects, survey land, and create maps. As officials in places such as Appleton, Wisconsin know, the possibilities of drone usage by local governments are endless.

Still, drone technology remains relatively new, and navigating the regulatory environment can be difficult. As a result, establishing a local government UAS program is time-consuming and full of obstacles. Local officials have many questions, including:

  • How can we establish drone programs that meet regulatory requirements?

  • How do we inform and educate constituents about drone programs?

  • What is the typical budget for a local government drone program?

  • How can we determine if we can operate as civil users under FAA Part 107, or as public aircraft operators?

  • What are general best practices for local government drone use?

Daunting, certainly, but help is here. We have assisted local governments for over two decades, and have developed a comprehensive drone program that we can tailor to meet individual agency needs. We can assist in establishing requirements, develop a concept of operations, write policy, conduct FAA filings, and, if desired, provide training for public aircraft operators.

A further benefit to local governments: BerryDunn is not affiliated with any drone manufacturer, and does not sell hardware or software. Our independence allows us to conduct a truly objective analysis and provide drone program recommendations that are in your best interest.

Blog
Prize in the sky: Creating drone programs for local governments

Most of us have been (or should have been) instructed to avoid using clichés in our writing. These overstated phrases and expressions add little value, and often only increase sentence length. We should also avoid clichés in our thinking, for what we think can often influence how we act.

Consider, for example, “death by committee.” This cliché has greatly — and negatively — skewed views on the benefits of committees in managing projects. Sure, sometimes committee members have difficulty agreeing with one another, which can lead to delays and other issues. In most cases, though, an individual can’t possibly oversee all aspects of a project, or represent all interests in an organization. Committees are vital for project success — and arguably the most important project committee is the steering committee.

What Exactly is a Steering Committee?
It is a group of high-level stakeholders that provides strategic direction for a project, and supports the project manager. Ideally, the group increases the chances for project success by closely aligning project goals to organizational goals. However, it is important to point out that the group’s top priority is project success.

The committee should represent the different departments and agencies affected by the project, but remain relatively small in size, chaired by someone who is not an executive sponsor of the project (in order to avoid conflicts of interest). While the project manager should serve on the steering committee, they should not participate in decision-making; the project manager’s role is to update members on the project’s progress, areas of concern, current issues, and options for addressing these issues.

Overall, the main responsibilities of a steering committee include:

  1. Approving the Project Charter
  2. Resolving conflicts between stakeholder groups
  3. Monitoring project progress against the project management plan
  4. Fostering positive communicating about the project within the organization
  5. Addressing external threats and issues emerging outside of the project that could impact it
  6. Reviewing and approving changes made to the project resource plan, scope, schedules, cost estimates, etc.

What Are the Pros and Cons of Utilizing a Steering Committee?
A group of executive stakeholders providing strategic direction should benefit any project. Because steering committee members are organizational decision-makers, they have the access and credibility to address tough issues that can put the project at a risk, and have the best opportunities to negotiate positive outcomes. In addition, steering committees can engage executive management, and make sure the project meshes with executive management’s vision, mission, and long-range strategic plan. Steering committees can empower project managers, and ensure that all departments and agencies are on the same page in regards to project status, goals, and expectations. In a 2009 article in Project Management Journal, authors Thomas G. Lechler and Martin Cohen concluded that steering committees are important to implementing and maintaining project management standards on an operational level — not only do steering committees directly support project success, they are instrumental in deriving value from an organization's investments in its project management system.

A steering committee is only as effective as it’s allowed to be. A poorly structured steering committee that lacks formal authority, clear roles, and clear responsibilities can impede the success of a project by being slow to respond to project issues. A proactive project manager can help the organization avoid this major pitfall by helping develop project documents, such as the governance document or project plan that clearly define the steering committee structure, roles, responsibilities and authority.

Steer Toward Success!
Steering committees can benefit your organization and its major projects. Yet understanding the roles and responsibilities — and pros and cons — is only a preliminary step in creating a steering committee. Need some advice on how to organize a steering committee? Want to learn more about steering committee best practices? Together, we can steer your project toward success.

Blog
Success by steering committee

The relationship between people, processes, and technology is as elemental as earth—and older than civilization. From the first sharpened rock to the Internet of Things, the three have been crucially intertwined and interdependent. There would have been no Industrial Revolution, for instance, without entrepreneurs who developed new tools to facilitate new manufacturing methods.

Of course, the increasing complexity of processes and the rapid innovations in technology tend to eclipse the present role that people play in progress. On the surface the trend seems understandable, even reasonable, when it comes to implementing a new Enterprise Resource Planning (ERP) system. Implementing a new ERP system is one of the most daunting projects an institution can undertake. Some sobering statistics—over 70% of all implementations take longer than planned, while over 50% go over budget—illustrate why many institutions focus on selecting the right ERP model and purchasing the right software. This is important, yet there are two excellent and connected reasons why your institution should focus on the “people component” of an ERP implementation.

Reason #1: The Technology is Tenable

Companies have improved and vetted ERP systems over time, so that today there’s little chance your institution will purchase poorly designed ERP software. And you have multiple options. For example, you could pursue a hosted ERP model in which a data center houses your ERP system, or a Software as a Service (SaaS) model, in which a third party administers your ERP software. These options help minimize hardware implementation, maintenance, and incomplete attempts at full system utilization—which in turn saves you time, money, and headaches.

In short: You won’t have to bear the full brunt of the tech burden, and the software and hardware you purchase should work. This enables you to concentrate on the people component of the system.

Reason #2: People Propel the Processes

A higher education institution can optimize an ERP system to complete countless processes: automating registration, onboarding staff, processing financial aid, improving self-service capabilities, simplifying record-keeping, etc. Yet a system can’t do all this on its own (not yet, at least). People—both functional and IT staff—propel these processes. For this to happen, your institution needs to secure buy-in and equip people with vision, training, and resources.

People are wary of ERP projects, for good reason. When an institution decides to tackle an ERP implementation the onus often falls on already busy staff, some of whom may rather find a new career than manage a new system implementation. Your staff and their institutional knowledge are your greatest assets. It is important to empower staff to define how future-state business processes should work—and for you to remember that a common reason for ERP implementation failure is lack of engagement. Sometimes, those at the executive level make decisions without adequate input from the people who actually do the work. You will need to sharpen your “people skills” in order to educate stakeholders on the value of a new ERP system, and how the software will make their day-to-day roles and responsibilities more efficient and effective. To ensure that staff have the bandwidth to engage in this change, it is advisable to provide backfill for key administrative functions.

Designing business processes of a future-state system is arguably the most challenging part of an ERP implementation. Often, stakeholders don’t understand the new functionality that a future system can offer because they have only used the prior system. It is important to engage the ERP vendor early and educate your staff to ensure that they understand the possibilities when designing future-state processes.

Once you have designed processes, training should take center stage. And once again, people play a pivotal role in this process. Modern ERP systems usually require staff to fundamentally conduct business differently; this can require training not only on the new system, but also on other foundational technologies (e.g., the office suite) not relied upon before. It is important to identify these needs and incorporate them into your institution’s training plan up front.

An effective training plan needs to balance multiple types of training, ranging from formal classroom sessions to online learning and train-the-trainer sessions. Tech-savvy staff will be able to train other staff in using the new ERP system, which will not only increase the skill sets of said staff, but will also help them better understand how their roles fit within the larger picture of the institution. This, in turn, will organically improve communication and workflow, as well as lead to more collaboration and teamwork. The result: positive institution-wide change.

Moving Forward

Think about your institution’s focus when implementing a new ERP system—and be aware of the benefits that it could have for your staff, your students, and your bottom line. You will face other ERP-related challenges, such as selecting the right third-party vendor and facilitating change management. If you’d like to discuss some strategies for tackling these challenges, this process is easy—just send me an email.

Blog
The people component: Why higher education institutions should focus on staff when implementing an ERP system

As more state and local government workers enter retirement, state and local agencies are becoming more dependent on millennial workers — the largest and most educated generation of workers in American history. But there is a serious gap between supply and demand.

As noted in a 2016 report by the Bureau of Labor Statistics titled 
Household Data Annual Averages 15, only 25.6% of current
government workers are between the ages of 18 and 35.

This trend isn’t necessarily shocking; many millennials choose higher-paying jobs in the private sector over lower-paying jobs in the public sector, especially when the days of a lifelong government career, and generous pensions, are dwindling. But it is a serious labor problem for government agencies — one that requires creative solutions. To entice these new workers, state and local governments need to adopt new recruiting and retaining methods.

Recruiting Methods

While money matters to millennials, they also want to live a life of adventure, try new things, embrace trailblazing technology, pursue meaningful goals, and gain a sense of both personal and civic accomplishment. In short, these new workers have values that differ from previous generations. You can help entice them by:

  • Highlighting your state and local agency’s mission and greater purpose. Many millennials want to affect change and find careers consistent with their values. Include information in your job descriptions about the positive environmental and social impact your agency makes.

  • Updating your technology. Millennials have grown up with technology (literally at their fingertips), can adapt to change as no other generation before them, and often strive to remain on the “cutting edge.” By updating your agency’s technology, you will not only improve your organization and benefit the public you serve, but also have a better chance of recruiting the best and brightest millennials.

  • Providing them with a work-life balance. Life outside of work is just as important to millennials as their careers. They don’t plan to wait for retirement to finally pursue their interests, so providing them with a level of flexibility is key to recruitment. Consider offering flexible workdays, remote working capabilities, extended parental leave, sabbatical opportunities, and “mental health days.” The more flexibility state and local agencies provide, the more incentive there is for millennials.

Retaining Methods

Recruiting millennials for government jobs is challenging enough, and retaining them can prove even harder, as job hopping is standard practice for many members of this generation. Nevertheless, there are certain methods your agency can adopt to prevent millennial turnover. We suggest:

  • Investing in employee development and training. Training and creating opportunities for promotion and career advancement are motivating incentives to millennials. Professional development excites millennials and investing in them will pay off for the agency — and the employees will be more engaged and likely to stay.

  • Showing employees they are valued. Recognition is the biggest motivator besides money — millennials want acknowledgement for the good work that they do. Communicate achievements and provide awards to recipients in front of their peers. This not only gives them credit, but also motivates others. Continuing to communicate to your employees how their work supports their values reminds them they made the right decision in joining the public sector in the first place.

Make Your Move

Millennials are worthy of your attention! To compete with the private sector — to recruit and retain them — your government agency has to take an innovative approach to capitalize on this ever-growing demographic. If your state or local agency needs help refreshing your technology, reviewing current policies and procedures, or taking a fresh look at your processes, contact BerryDunn. We would love to talk about your commitment to your future!

You may also be interested in: CFOs for Hire; How to Attract and Retain Workers in a Seller's Market

Blog
Getting millennial with it: How state and local governments can recruit and retain a new generation of workers

A year ago, CMS released the Medicaid Enterprise Certification Toolkit (MECT) 2.1: a new Medicaid Management Information Systems (MMIS) Certification approach that aligns milestone reviews with the systems development life cycle (SDLC) to provide feedback at key points throughout design, development, and implementation (DDI).

The MECT (recently updated to version 2.2) incorporates lessons learned from pilot certifications in several states, including the successful West Virginia pilot that BerryDunn supported. MECT updates have a direct impact on E&E systems—an impact that may increase in the near future. Here is what you need to know:         

Then: Initial Release

In February 2017, CMS introduced six Eligibility & Enrollment (E&E) checklists. Five were leveraged from the MECT, while the sixth checklist contained unique E&E system functionality criteria and provided a new E&E SDLC that—like the MECT—depicted three milestone reviews and increased the Independent Verification and Validation (IV&V) vendor’s involvement in the checklists completion process.

Now: Getting Started

Completing the E&E checklists will help states ensure the integrity of their E&E systems and help CMS guide future funding. This exercise is no easy task, particularly when a project is already in progress. Completion of the E&E checklists involves many stakeholders, including:

  • The state (likely more than one agency)
  • CMS
  • IV&V
  • Project Management Office (PMO)
  • System vendor(s)

As with any new processes, there are challenges with E&E checklists completion. Some early challenges include:

  • Completing the E&E checklists with limited state project resources
  • Determining applicable criteria for E&E systems, especially for checklists shared with the MMIS
  • Identifying and collecting evidence for iterative projects where criteria may not fall cleanly into one milestone review phase
  • Completing the E&E checklists with limited state project resources
  • Working with the system vendor(s) to produce evidence

What’s Next?

Additionally, working with system vendors may prove tricky for projects that already have contracts with E&E vendors, as E&E systems are not currently subject to certification (unlike the MMIS). This may lead to instances where E&E vendors are not contractually obligated to provide the evidence that would best satisfy CMS criteria. To handle this and other challenges, states should communicate risks and issues to CMS and work together to resolve or mitigate them.

As CMS partners with states to implement the E&E checklists, some questions are expected to be asked. For example, how much information can be leveraged from the MECT, and how much of the checklists completion process must be E&E-specific? Might certification be required in the near future for E&E systems?

While there will be more to learn and challenges to overcome, the first states completing the E&E checklists have an opportunity to lead the way on working with CMS to successfully build and implement E&E systems that benefit all stakeholders.

On July 31, 2017, CMS released the MECT 2.2 as an update to the MECT 2.1.1. As the recent changes continue to be analyzed, what will the impact be to current and future MMIS and E&E projects?

Check back here at BerryDunn Briefings in the coming weeks and we will help you sort it out.

Blog
Check this: CMS checklists aren't just for MMIS anymore.

Because we’ve been through this process many times, we’ve learned a few lessons and determined some best practices. Here are some tips to help you promote a positive post go-live experience.

The road to go-live is paved with good intentions. When an organization identifies a need to procure a new or upgraded system, that road can be long. It requires extensive planning, building a business case, defining requirements, procuring the system, testing it, and implementing it. Not to mention preparing your team to start using it. You’ve worked really hard to get to this point, and it feels like you’re about to cross the finish line. Well, grab some Gatorade because you’re not quite there yet. Post go-live is your cool-down, and it’s an important part of the race.

Preparation is key.
If you haven’t built a go-live plan into your overall implementation plan, you may see stress levels rise significantly in the days and weeks leading up to go-live. Like a runner prepares for a big race, a project lead must adequately prepare the team to begin using the new system, while still handling unexpected obstacles.  While there are many questions you should ask as you prepare to go live, you need to gain buy-in on the plan from the beginning and manage it to ensure follow-through.

Have your contract and deliverables handy.
Your system vendor implementation team will look to hand you off to their support team soon after go-live. It is crucial that you review all of the deliverables outlined in your contract to ensure all of the agreed-upon functionality is up and running, and all contracted deliverables have been provided and approved. Don’t transition to support until you’ve had enough time to see the system through significant processes (e.g. payroll, month-end close). In the period immediately after go-live, the vendor implementation team is your best resource to help address these issues, so it’s a good idea to have easy access to them.

Encourage use and feedback.
Functional leads and project champions need to continue communications past go-live to encourage use and provide a mechanism for addressing feedback. Employing change management best practices will go a long way in ensuring you use the system properly — and to its best capabilities.

Plan ahead for expanded use and future issues. 
Because a system implementation can be extremely resource-intensive, it is common to suppress or forgo functionality to implement at a later date (e.g., citizen and vendor self-service). In addition, we sometimes see issues arise during significant operational milestones (e.g., renewal processing, year-end close). Have a plan in place to decide how you will address known and unknown issues that arise.

While there is no silver bullet to solve all of the potential go-live woes, you can promote a smooth transition from a legacy system to a new system by implementing these tips. The time you spend up front will help offset many headaches down the road, promote end-user engagement, and ensure you’re getting the most from your investment.

Blog
We're live! Now what?

We all know them. In fact, you might be one of them — people who worry the words “go live” will lead to job loss (theirs). This feeling is not entirely irrational. When an organization is ready to go live from an existing legacy system to a new enterprise system, stress levels rise and doubts emerge: What can go wrong? How much time will be lost? Are we really ready for this?

We’re here to help. Here is a list of go-live essentials to help you mitigate stress and assess your readiness. While not all-encompassing, it’s a good place to start. Here’s what you need:

  1. A detailed project plan which specifies all of the implementation tasks
    A project plan is one of the most important parts of an implementation. A detailed plan that identifies all of the implementation tasks along with an assigned resource for each task is critical to success. The implementation vendor and the organization should develop this plan together to get buy-in from both teams.
  1. A completed system configuration
    New system configuration is one of the most time-consuming aspects of a technology implementation. If you don’t complete the implementation in a timely manner, it will impact your go-live date. Configure the new system based upon the best practices of the system — not how the existing system was — for timely implementation.
  1. External system interface identification
    While replacement of some external systems may be a goal of an implementation, there may be situations where external systems are not replaced or the organization has to send and/or receive data from external organizations. And while new systems have advanced interface technology capabilities, the external systems may not share these capabilities. Therefore it is imperative that you identify external system interfaces to avoid gaps in functionality.
  1. Testing, testing, testing
    End-to-end testing or User Acceptance Testing (UAT) is often overlooked. It involves completing testing scenarios for each module to ensure appropriate system configuration. While the timing of UAT may vary, allow adequate time to identify solutions to issues that may result from UAT.
  1. Data conversion validation
    When you begin using a new system, it’s best to ensure you’re working with clean, up-to-date data. Identify data conversion tasks in the project plan and include multiple data conversion passes. You must also determine if the existing data is actually worth converting. When you complete the data conversion, check for accuracy.
  1. End user training
    You must train all end users to ensure proper utilization across the organization. Don’t underestimate the amount of time needed for end user training. It is also important to provide a feedback mechanism for end users to determine if the training was successful.
  1. A go-live cutover plan
    The overall project plan may indicate go-live as an activity. List specific activities to complete as part of go-live. You can build these tasks into the project plan or maintain them as a separate checklist to promote a smooth transition.
  1. Support structure
    Establish an internal support structure when preparing for go-live to help address issues that may arise. Most organizations take time to configure and test the system and provide training to end users prior to go-live. Questions will arise as part of this process — establish a process to track and address these questions.

Technology implementations can significantly impact your organization, and it’s common for stress levels to rise during the go-live process. But with the right assessment and preparation, you can lessen their impact and reduce staff stress. Our experienced, objective advisors work with public and private sector organizations across the country to oversee large enterprise projects from inception to successful completion. Please reach out to us to learn more about preparing for your next big project.

Blog
Don't worry, just assess: Eight tips for reducing go-live stress

Electronic accessibility in every aspect of modern life has increased ten-fold, but government — and courts in particular — has been slow to follow.

History Lesson
The idea that criminal court proceedings are accessible by the public is a pillar of our justice system, rooted in the First Amendment. This public right to unrestricted access in criminal and civil court proceedings has been interpreted by many states to extend to court documents and court records (as long as not otherwise protected).

Traditionally, public access to court proceedings and records has been limited to those taking place in the courthouse, between the hours of 8:00 am and 4:00 pm. In most every other aspect of our lives, we have 24/7 access to everything from live streaming of our home security systems, to ordering our groceries or dinner from our mobile devices — while traveling at 30,000 feet! Government — and courts in particular — has been slow to follow in the rush to 24/7 electronic accessibility.

Part of the rationale behind the hesitation to jump on the electronic bandwagon, are the ethical issues surrounding unlimited electronic public access. So while the First Amendment provides for public access to information, conversely the Fourteenth Amendment interprets the definition of “liberty” to include a right to privacy. Deciding between these two semmingly contradictory rights becomes a challenge for courts when determining what form of electronic access is appropriate for court documents.

The pros
Unlimited electronic access to publicly available documents:

  • Serve a variety of public interests while eliminating the need to travel to the courthouse to research and copy documents.
  • Acts both as a deterrent to violating laws and as protection to those whose rights have been violated.
  • Tends to instill fairness, transparency, and equality of court proceedings.
  • Protects the community and allows the media to report on matters of public interest in a more convenient, timely, and streamlined manner.

The cons
While there are compelling reasons to provide electronic public access, they don’t take into account the potential for it to be used inappropriately. Risks include:

  • Increased chance of identity theft, leading to loss of property, finances, and credit
  • Exposure to sensitive information that may be harmful to all those involved
  • Negative impact on privacy
  • Deter public interest lawsuits for fear of overexposure
  • Mistakes or abuse of legal process can have far-reaching implications on individuals

What can states do?
Allowing unlimited remote electronic access to court documents could compromise the privacy rights and concerns of individuals and increase the risk of harm to those participating in court proceedings. This issue demands the full attention of the courts nationwide, but not with an “all-or-nothing” approach.

Many states struggle with striking this balance. To mitigate some of the potentially damning effects, states have taken different approaches. The National Center for State Courts (NCSC) has brought attention to the issues on several occasions. In 2002, the NCSC and the State Justice Institute funded the project, “Developing a Model Written Policy Governing Access to Court Records” and more recently the NCSC has published the “Privacy/Public Access to Court Records Resource Guide”.

Some states have redacted confidential information from electronic documents and some have limited what information or categories are available on the internet, only posting some combination of the following:

  • Appellate decisions
  • Final judgments, orders, and decrees
  • Basic information of the litigant or party to the case
  • Calendars and case docket lists

Our recommendation
States must agree upon the amount of access they will provide electronically. To tackle this, each state should:

  • Consider forming an access committee(s) to determine what guidelines are needed to balance the free access rights of the public with the privacy rights of individuals
  • Policy decisions should be publicly posted to the judiciary, legislators, and the public at large; and
  • Should be regularly revisited to ensure an appropriate balance is continually achieved

Interested in learning how your state can address this or similar issues? Reach out to BerryDunn's justice and public safety experts and we can discuss the particular issue facing your state and the best practices for approaching it.

Blog
Striking a balance: Public right of access to court records vs. the privacy rights of individuals

Online banking? Check.
Online shopping? You bet.
Online permit application submittal? What? Actually, yes.


As Americans are becoming more and more accustomed to performing everyday functions online, local governments are evolving and keeping up with the times. This online evolution is coming in the form of implementing modern enterprise applications with electronic workflow and a public-facing portal that allows residents to apply for permits, submit documentation, pay for, and collaborate with local government staff to perform a variety of processes.

One area of recent focus is the online submittal and routing of electronic planning and permit applications, and supporting plans and drawings. This effort is often driven by a desire to expand e-government offerings available to the public, while also realizing internal efficiencies through electronic workflow and simultaneous review, and a reduction in paper usage.

If you were to take a tour of most City or County Building, Planning, or Development Departments, in many instances you would see bins containing rolls of large (24”x36”) scale drawings that support planning (e.g., subdivision, rezoning, etc.) or permit (e.g., new family residential dwelling, accessory building, etc.) documents. With local government agencies receiving hundreds of paper applications each year, the internal driver for moving to an electronic submittal and review environment is evident. Additionally, when it is understood that the applicant develops these documents in a Computer Aided Design (CAD) system prior to printing, and are also required to submit applications in-person during business hours, the need for simplified online processes is even more pressing.

On the surface, moving to an electronic application submittal and review platform may appear pretty straightforward. However, like any major process and technology change there are several major considerations. Here are three that each agency should look at prior to starting an electronic application submittal and review project.

  1. Change to Current Business Processes
    Current processes related to application submittal, completeness review, routing to reviewers, consolidation of review comments, and return of comments and mark-ups to applicants are paper intensive.
    • Are current processes designed around paper submittals?
    • Will reviews be simultaneous or sequential? Should this change?
    • How will electronic copies be distributed to reviewers? How about third-party reviewers?
    • How will comments be consolidated and returned to the applicant?
    • Will plans be submitted online and/or in person via USB/CD?
  2. Change to Current Policies
    Current policies are most likely based on a paper plan set being received, routed, and archived. It is very likely that these policies will require updating with a change to electronic submittal and review.
    • Will plans be required to be submitted electronically? For some case types?
    • Will a hard copy plan set still be required?
    • How will final plans be archived?
    • Will an additional fee be charged to offset equipment and hardware costs?
    • Will the fee schedule incentivize electronic submittals?
    • Will staff be required to perform their mark-ups electronically?
  3. Change to Technology Tools
    Drafting tables, light tables, red pens, and rulers are common tools used to support a paper-based environment. Electronic submittal and review will require a different set of tools.
    • Does your current planning/permitting system have the tools to support an electronic workflow?
    • What software and hardware tools will staff use to complete their review?
    • Will all reviewers be required to complete their reviews electronically?
    • How will revised plans be provided to an applicant (e.g., portal, email, etc.)?
    • How will signatures and stamps be applied to electronic plans?
    • How will resubmittals and multiple versions of plans be managed?

Transitioning to an electronic plan submittal and review environment may seem overwhelming, but when done correctly the benefits can be significant. BerryDunn can assist with answering questions related to transitioning to an electronic plan submittal and review environment. Get more information on how BerryDunn can help your agency navigate this here.

Blog
Moving to electronic plan submittal and review: Three things to consider