PERM: Prepared or not prepared?

By:

As a senior consultant in the BerryDunn Government Consulting Group, Christy has valuable expertise in both Medicaid and the private insurance sector. Her experience and background with the Payment Error Rate Measurement (PERM) program has developed a passion for assisting states in identifying the need to prioritize the activities and resulting outcomes of a PERM cycle as well as offering and assisting with implementation of recommendations to mitigate known areas of concern that may otherwise result in PERM errors.

She has provided valuable contributions while working closely with states to evaluate and implement new processes and procedures to ensure federal compliance measures are in place before PERM reviews begin. Christy has a profound understanding of state and federal policies as they apply to PERM reviews and a broad experience working in and understanding the operation and limitation of many state eligibility systems.

Christy Schilling
06.26.19

Federal contractors with the Centers for Medicare & Medicaid Services (CMS) have begun performing Payment Error Rate Measurement (PERM) reviews under the Final Rule issued in July 2017—a rule that many states may not realize could negatively impact their Medicaid budgets.

PERM is a complex process—states must focus on several activities over a recurring three-year period of time—and states may not have the resources needed to make PERM requirements a priority. However, with the Final Rule, this PERM eligibility review could have financial implications. 

After freezing the eligibility measurement for four years while undergoing pilot review, CMS has established new requirements for the eligibility review component and made significant changes to the data processing and medical record review components. As part of the Final Rule, CMS may implement reductions in the amount of federal funding provided to a state’s Medicaid and Children’s Health Insurance Program (CHIP) programs based on the error rates identified from the eligibility reviews. 

Since the issuance of the Final Rule in July 2017, Cycle 1 states are the first group of states to undergo a PERM cycle, including reviews of the data processing, medical record, and eligibility components. These states are wrapping up the final review activities, and Cycle 2 states are in the early stages of their PERM reviews.

How can your state prepare?

Whether your state is a Cycle 1, Cycle 2, or Cycle 3 state, there are multiple activities your Medicaid departments should engage in throughout each three-year period of time during and between PERM cycles: 

  • Analyzing prior errors cited or known issues, along with the root cause of the error
  • Identifying remedies to reduce future errors
  • Preparing and submitting required questionnaires and documents to the federal contractors for an upcoming review cycle
  • Assisting federal contractors with current reviews and findings
  • Preparing for and undergoing Medicaid Eligibility Quality Control (MEQC) planning and required reviews
  • Corrective action planning

Is your state ready?

We’ve compiled a few basic questions to gauge your state’s readiness for the PERM review cycle:

  • Do you have measures in place to ensure all eligibility factors under review are identifiable and that all federal and state regulations are being met? The eligibility review contractor (ERC) will reestablish eligibility for all beneficiaries sampled for review. This process involves confirming all verification requirements are in the case file, income requirements are met, placement in an accurate eligibility category has taken place, and the timeframe for processing all determinations meets federal and state regulations. 
  • Do you have up-to-date policy and procedures in place for determining and processing Medicaid or CHIP eligibility of an individual? Ensuring eligibility policies and procedures meet federal requirements is just as important as ensuring the processing of applications, including both system and manual actions, meet the regulations. 
  • Do you have up-to-date policy, procedures, and system requirements in place to ensure accurate processing of all Medicaid/CHIP claims? Reviewers will confirm the accuracy of all claim payments based on state and federal regulations. Errors are often cited due to the claims processing system allowing claims to pay that do not meet regulations.
  • Do you have a dedicated team in place to address all PERM requirements to ensure a successful review cycle? This includes staff to answer questions, address review findings, and respond to requests for additional information. During a review cycle, the federal contractors will cite errors based on their best understanding of policies and/or ability to locate required documentation. Responding to requests for information or reviewing and responding to findings in a timely manner should be a priority to ensure accurate findings. 
  • Have you communicated all PERM requirements and updates to policy changes to all Medicaid/CHIP providers? Providers play two integral roles in the success of a PERM review cycle. Providers must understand all claims submission requirements in order to accurately submit claims. Additionally, the medical record review component relies on providers responding to the request for the medical records on a sampled claim. Failure to respond will result in an error. Therefore, states must maintain communication with providers to stress the importance of responding to these requests.
  • Have you begun planning for the MEQC requirement? Following basic requirements identified by CMS during your state’s MEQC period, your state must submit a case planning document to CMS for approval prior to the MEQC review period. After the MEQC review, your state should be prepared to issue findings reports, including a corrective action plan as it relates to MEQC findings.

Need help piloting your state’s PERM review process?

BerryDunn has subject matter experts experienced in conducting PERM reviews, including a thorough understanding of all three PERM review components—eligibility, data processing, and medical record reviews. 

We would love to work with your state to see that measures are in place that will help ensure the lowest possible improper payment error rate. Stay tuned for upcoming blogs where we will discuss other PERM topics, including MEQC requirements, the financial impacts of PERM, and additional details related to each phase of PERM. For questions or to find out more, please email me
 

Topics: #MESC2019, Medicaid


Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer.

When I was growing up, my dad would leave the Bureau of Motor Vehicles or hang up the phone after talking with the phone company and say sarcastically, “I’m from the government (or the phone company) and I’m here to help you. Yeah, right.” I could hear the frustration in his voice. As I’ve gotten older, I understand the hassle of dealing with bureaucracy, where the red tape can make things more difficult than they need to be, and where customers don’t come first. It doesn’t have to be that way.

In my role performing Independent Verification and Validation (IV&V) at BerryDunn, I hear the same skepticism in the voices of some of my clients. I can hear them thinking, “Let me get this straight… I’m spending millions of dollars to replace my old Medicaid Management Information System (MMIS), and the Centers for Medicare and Medicaid Services (CMS) says I have to hire an IV&V consultant to show me what I am doing wrong? I don’t even control the contract. You’re here to help me? Yeah, right.” Here are some things to assuage your doubt. 

Independent IV&V―what they should do for you and your organization

An independent IV&V partner that is invested in your project’s success can:

  • Enhance your system implementation to help you achieve compliance
  • Help you share best practice experience in the context of your organization’s culture to improve efficiency in other areas
  • Assist you in improving your efficiency and timeliness with project management capabilities.

Even though IV&V vendors are federally mandated by CMS, your IV&V vendor should also be a trusted partner and advisor, so you can achieve compliance, improve efficiency, and save time and effort. 

Not all IV&V vendors are equal. Important things to consider:

Independence―independent vendors are a good place to start, as they are solely focused on your project’s success. They should not sell you software or other added services, push vendor affiliations, or rubber-stamp CMS or the state. You need a non-biased sounding board, a partner willing to share lessons learned from experience that will help your organization improve.

Well-rounded perspective―IV&V vendors should approach your project from all perspectives. A successful implementation relies on knowledge of Medicaid policy and processes, Medicaid operations and financing, CMS certification, and project management.

“Hello, we are IV&V from BerryDunn, and we are here to help.”

BerryDunn offers teams that consist of members with complementary skills to ensure all aspects of your project receive expert attention. Have questions about IV&V? Contact our team.
 

Blog
We're IV&V and we are here to help you improve your Medicaid organization

As the Project Management Body of Knowledge® (PMBOK®) explains, organizations fall along a structure and reporting spectrum. On one end of this spectrum are functional organizations, in which people report to their functional managers. (For example, Finance staff report to a Finance director.) On the other end of this spectrum are projectized organizations, in which people report to a project manager. Toward the middle of the spectrum lie hybrid—or matrix—organizations, in which reporting lines are fairly complex; e.g., people may report to both functional managers and project managers. 

Problem: Weak Matrix Medicaid System Vendors

This brings us to weak matrix organizations, in which functional managers have more authority than project managers. Many Medicaid system vendors happen to fall into the weak matrix category, for a number of different reasons. Yet the primary factor is the volume and duration of operational work—such as provider enrollment, claims processing, and member enrollment—that Medicaid system vendors perform once they exit the design, development, and implementation (DDI) phase.

This work spans functional areas, which can muddy the reporting waters. Without strong and clear reporting lines to project managers, project success can be seriously (and negatively) affected if the priorities of the functional leads are not aligned with those of the project. And when a weak matrix Medicaid system vendor enters a multi-vendor environment in which it is tasked with implementing a system that will serve multiple departments and bureaus within a state government, the reporting waters can become even muddier.


Solution: Using a Project Management Office (PMO) Vendor

Conversely, consulting firms that provide Project Management Office (PMO) services to government agencies tend to be strong matrix organizations, in which project managers have more authority over project teams and can quickly reallocate team members to address the myriad of issues that arise on complex, multi-year projects to help ensure project success. PMOs are also typically experienced at creating and running project governance structures and can add significant value in system implementation-related work across government agencies.

Additional benefits of utilizing a PMO vendor include consistent, centralized reporting across your portfolio of projects and the ability to quickly onboard subject matter expertise to meet program and project needs. 

For more in-depth information on the benefits of using a PMO on state Medicaid projects, stay tuned for my second blog in this series. In the meantime, feel free to send your PMO- or Medicaid-related questions to me
 

Blog
The power of the PMO: Fixing the weak matrix

As your organization works to modernize and improve your Medicaid Enterprise System (MES), are you using independent verification and validation (IV&V) to your advantage? Does your relationship with your IV&V provider help you identify high-risk project areas early, or provide you with an objective view of the progress and quality of your MES modernization initiative? Maybe your experience hasn’t shown you the benefits of IV&V. 

If so, as CMS focuses on quality outcomes, there may be opportunities for you to leverage IV&V in a way that can help advance your MES to increase the likelihood of desired outcomes for your clients. 

According to 45 Code of Federal Regulations (CFR) § 95.626, IV&V may be required for Advanced Planning Document (APD) projects that meet specific criteria. That said, what is the intended role and benefit of IV&V? 

To begin, let’s look at the meaning of “verification” and “validation.” The Institute of Electrical and Electronics Engineers, Inc. (IEEE) Standard for Software Verification and Validation (1012-1998) defines verification as, “confirmation of objective evidence that the particular requirements for a specific intended use are fulfilled.” Validation is “confirmation of objective evidence that specified requirements have been fulfilled.” 

Simply put, verification and validation ensure the right product is built, and the product is built right. 

As an independent third party, IV&V should not be influenced by any vendor or software application. This objectivity means IV&V’s perspective is focused on benefiting your organization. This support includes: 

  • Project management processes and best practices support to help increase probability of project success
  • Collaboration with you, your vendors, and stakeholders to help foster a positive and efficient environment for team members to interact 
  • Early identification of high-risk project areas to minimize impact to schedule, cost, quality, and scope 
  • Objective examination of project health in order for project sponsors, including the federal government, to address project issues
  • Impartial analysis of project health that allows state management to make informed decisions 
  • Unbiased visibility into the progress and quality of the project effort to increase customer satisfaction and reduce the risk and cost of rework
  • Reduction of errors in delivered products to help increase productivity of staff, resulting in a more efficient MES 

Based on our experience, when a trusted relationship exists between state governments and IV&V, an open, collaborative dialogue of project challenges—in a non-threatening manner—allows for early resolution of risks. This leads to improved quality of MES outcomes.    

Is your IV&V provider helping you advance the quality of your MES? Contact our team.

Blog
Leveraging IV&V to achieve quality outcomes

Best practices for financial institution contracts with technology providers

As the financial services sector moves in an increasingly digital direction, you cannot overstate the need for robust and relevant information security programs. Financial institutions place more reliance than ever on third-party technology vendors to support core aspects of their business, and in turn place more reliance on those vendors to meet the industry’s high standards for information security. These include those in the Gramm-Leach-Bliley Act, Sarbanes Oxley 404, and regulations established by the Federal Financial Institutions Examination Council (FFIEC).

On April 2, 2019, the FDIC issued Financial Institution Letter (FIL) 19-2019, which outlines important requirements and considerations for financial institutions regarding their contracts with third-party technology service providers. In particular, FIL-19-2019 urges financial institutions to address how their business continuity and incident response processes integrate with those of their providers, and what that could mean for customers.

Common gaps in technology service provider contracts

As auditors of IT controls, we review lots of contracts between financial institutions and their technology service providers. When it comes to recommending areas for improvement, our top observations include:

  • No right-to-audit clause
    Including a right-to-audit clause encourages transparency and provides greater assurance that vendors are providing services, and charging for them, in accordance with their contract.
  • Unclear and/or inadequate rights and responsibilities around service disruptions
    In the event of a service incident, time and transparency are vital. Contracts that lack clear and comprehensive standards, both for the vendor and financial institution, regarding business continuity and incident response expose institutions to otherwise avoidable risk, including slow or substandard communications.
  • No defined recovery standards
    Explicitly defined recovery standards are essential to ensuring both parties know their role in responding and recovering from a disaster or other technology outage.

FIL-19-2019 also reminds financial institutions that they need to properly inform regulators when they undertake contracts or relationships with technology service providers. The Bank Service Company Act requires financial institutions to inform regulators in writing when receiving third-party services like sorting and posting of checks and deposits, computation and posting of interest, preparation and mailing of statements, and other functions involving data processing, Internet banking, and mobile banking services.

Writing clearer contracts that strengthen your institution

Financial institutions should review their contracts, especially those that are longstanding, and make necessary updates in accordance with FDIC guidelines. As operating environments continue to evolve, older contracts, often renewed automatically, are particularly easy to overlook. You also need to review business continuity and incident response procedures to ensure they address all services provided by third parties.

Senior management and the Board of Directors hold ultimate responsibility for managing a financial institution’s relationship with its technology service providers. Management should inform board members of any and all services that the institution receives from third parties to help them better understand your operating environment and information security needs.

Not sure what to look for when reviewing contracts? Some places to start include:

  • Establish your right-to-audit
    All contracts should include a right-to-audit clause, which preserves your ability to access and audit vendor records relating to their performance under contract. Most vendors will provide documentation of due diligence upon request, such as System and Organization Control (SOC) 1 or 2 reports detailing their financial and IT security controls.

    Many right-to-audit clauses also include a provision allowing your institution to conduct its own audit procedures. At a minimum, don’t hesitate to perform occasional walk-throughs of your vendor’s facilities to confirm that your contract’s provisions are being met.
  • Ensure connectivity with outsourced data centers
    If you outsource some or all of your core banking systems to a hosted data center, place added emphasis on your institution’s business continuity plan to ensure connectivity, such as through the use of multiple internet or dedicated telecommunications circuits. Data vendors should, by contract, be prepared to assist with alternative connectivity.
  • Set standards for incident response communications 
    Clear expectations for incident response are crucial to helping you quickly and confidently manage the impact of a service incident on your customers and information systems. Vendor contracts should include explicit requirements for how and when vendors will communicate in the event of any issue or incident that affects your ability to serve your customers. You should also review and update contracts after each incident to address any areas of dissatisfaction with vendor communications.
  • Ensure regular testing of defined disaster recovery standards
    While vendor contracts don’t need to detail every aspect of a service provider’s recovery standards, they should ensure those standards will meet your institution’s needs. Contracts should guarantee that the vendor periodically tests, reviews, and updates their recovery standards, with input from your financial institution.

    Your data center may also offer regular disaster recovery and failover testing. If they do, your institution should participate in it. If they don’t, work with the vendor to conduct annual testing of your ability to access your hosted resources from an alternate site.

As financial institutions increasingly look to third-party vendors to meet their evolving technology needs, it is critical that management and the board understand which benefits—and related risks—those vendors present. By taking time today to align your vendor contracts with the latest FFIEC, FDIC, and NCUA standards, your institution will be better prepared to manage risk tomorrow.

For more help gaining control over risk and cybersecurity, see our blog on sustainable solutions for educating your Board of Directors and creating a culture of cybersecurity awareness.
 

Blog
Are your vendor contracts putting you at risk?

Editor’s note: If you are a state government CFO, CIO, project or program manager, this blog is for you.

What is the difference in how government organizations procure agile vs. non-agile information technology (IT) services? (Learn more about agile here).

In each case, they typically follow five stages through the process as shown in Figure A:
 

Figure A: Overview of Procurement Process for Agile vs. Non-Agile IT Services

However, there are differences in how these stages are carried out if procuring agile vs. non-agile IT services. 

Unfortunately, most government organizations are unaware of these differences, which could result in unsuccessful procurements and ultimately not meeting your project’s needs and expectations. 

This blog series will illustrate how to strategically adjust the standard stages outlined in Figure A to successfully procure agile IT services.

Stage 1: Plan project
In Stage 1, you define the scope of the project by identifying what your organization wants, needs, and can achieve within the available timeframe and budget. You then determine the project’s objectives while strategically considering their impact on your organization before developing the RFP. Figure B summarizes the key differences between the impacts of agile vs. non-agile services to consider in this stage.


Figure B: Plan Project for Agile vs. Non-Agile IT Services

The nuances of planning for agile services reflect an organization’s readiness for a culture shift to a continuous process of development and deployment of software and system updates. 

Stage 2: Draft RFP
In Stage 2, as part of RFP drafting, define the necessary enhancements and functionality needed to achieve the project objectives determined in Stage 1. You then translate these enhancements and functionalities into business requirements. Requirement types might include business needs such as functionality, services, staffing, deliverables, technology, and performance standards. Figure C summarizes the key differences between drafting the RFP for a project procuring agile vs. non-agile services.


Figure C: Draft RFP for Agile vs. Non-Agile IT Services

In drafting the RFP, the scope of work emphasizes expectations for how your team and the vendor team will work together, the terms of how progress will be monitored, and the description of requirements for agile tools and methods.

Stage 3: Issue RFP
In Stage 3, issue the RFP to the vendor community, answer vendor questions, post amendments, and manage the procurement schedule. Since this stage of the process requires you to comply with your organization’s purchasing and procurement rules, Figure D illustrates very little difference between issuing an RFP for a project procuring agile or non-agile services.


Figure D: Issue RFP for Agile vs. Non-Agile IT Services 

Stage 4: Review proposals
In Stage 4, you evaluate vendor proposals against the RFP’s requirements and project objectives to determine the best proposal response. Figure E summarizes the key differences in reviewing proposals for a project that is procuring agile vs. non-agile services.


Figure E: Reviewing Proposals for Agile vs. Non-Agile IT Services 

Having appropriate evaluation priorities and scoring weights that align with how agile services are delivered should not be under-emphasized. 

Stage 5: Award and implement contract
In Stage 5, you award and implement the contract with the best vendor proposal identified during Stage 4. Figure F summarizes the key differences in awarding and implementing the contract for agile vs. non-agile services.


Figure F:  Award and Implement Contract for Agile vs. Non-Agile Services 

Due to the iterative and interactive requirements of agile, it is necessary to have robust and frequent collaboration among program teams, executives, sponsors, and the vendor to succeed in your agile project delivery.

What’s next?
The blog posts in this series will explain step-by-step how to procure agile services through the five stages, and at the series conclusion, your organization will better understand how to successfully procure and implement agile services. If you have questions or comments, please contact our team.  

Blog
Procuring agile vs. non-agile projects in five stages: An overview

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running. Yet, according to the 2019 Centrify Privileged Access Management in the Modern Threatscape survey, 74% of data breaches occurred using privileged accounts. The survey also revealed that of the organizations responding:

  • 52% do not use password vaulting—password vaulting can help privileged users keep track of long, complex passwords for multiple accounts in an encrypted storage vault.
  • 65% still share the use of root and other privileged access—when the use of root accounts is required, users should invoke commands to inherit the privileges of the account (sudo) without actually using the account. This ensures “who” used the account can be tracked.
  • Only 21% have implemented multi-factor authentication—the obvious benefit of multi-factor authentication is to enhance the security of authenticating users, but also in many sectors it is becoming a compliance requirement.
  • Only 47% have implemented complete auditing and monitoring—thorough auditing and monitoring is vital to securing privileged accounts.

So how does one even begin to trust privileged accounts in today’s environment? 

1. Start with an inventory

To best manage and monitor your privileged accounts, start by finding and cataloguing all assets (servers, applications, databases, network devices, etc.) within the organization. This will be beneficial in all areas of information security such as asset management, change control and software inventory tracking. Next, inventory all users of each asset and ensure that privileged user accounts:

  • Have privileges granted based on roles and responsibilities
  • Require strong and complex passwords (exceeding those of normal users)
  • Have passwords that expire often (30 days recommended)
  • Implement multi-factor authentication
  • Are not shared with others and are not used for normal activity (the user of the privileged account should have a separate account for non-privileged or non-administrative activities)

If the account is only required for a service or application, disable the account’s ability to log in from the server console and from across the network.

2. Monitor—then monitor some more

The next step is to monitor the use of the identified privileged accounts. Enable event logging on all systems and aggregate to a log monitoring system or a Security Information and Event Management (SIEM) system that alerts in real time when privileged accounts are active. Configure the system to alert you when privileged accounts access sensitive data or alter database structure. Report any changes to device configurations, file structure, code, and executable programs. If these changes do not correlate to an approved change request, treat them as incidents and investigate.  

Consider software that analyzes user behavior and identifies deviations from normal activity. Privileged accounts that are accessing data or systems not part of their normal routine could be the indication of malicious activity or a database attack from a compromised privileged account. 

3. Secure the event logs

Finally, ensure that none of your privileged accounts have access to the logs being used for monitoring, nor have the ability to alter or delete those logs. In addition to real time monitoring and alerting, the log management system should have the ability to produce reports for periodic review by information security staff. The reports should also be archived for forensic purposes in the event of a breach or compromise.
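The three steps above, sketched as one added example (not code from the original post): it audits an inventory against the checklist in step 1 and the log-access rule in step 3, then flags privileged changes that fall outside any approved change window as step 2 describes. The record layouts, account names, asset names, and ticket IDs are hypothetical and constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=30)  # expiry interval recommended in step 1

@dataclass
class Account:
    """One row of the privileged-account inventory (hypothetical schema)."""
    name: str
    role: str | None            # documented role that justifies the privilege
    password_set: date
    mfa: bool
    users: tuple[str, ...]      # people who know the credential
    is_service: bool = False
    interactive_login: bool = True
    can_modify_logs: bool = False

@dataclass
class ChangeTicket:
    """An approved change request with its agreed window."""
    ticket_id: str
    asset: str
    start: datetime
    end: datetime

def audit_inventory(accounts, today):
    """Return {account name: [findings]} using the step 1 and step 3 checks."""
    report = {}
    for a in accounts:
        findings = []
        if not a.role:
            findings.append("privilege not tied to a role")
        if today - a.password_set > MAX_PASSWORD_AGE:
            findings.append("password older than 30 days")
        if not a.is_service and not a.mfa:
            findings.append("no multi-factor authentication")
        if len(a.users) > 1:
            findings.append("credential is shared")
        if a.is_service and a.interactive_login:
            findings.append("service account can log in interactively")
        if a.can_modify_logs:
            findings.append("account can alter or delete monitoring logs")
        report[a.name] = findings
    return report

# Event types that step 2 says must map to an approved change request.
CHANGE_ACTIONS = {"config_change", "schema_change", "file_change", "code_change"}

def uncorrelated_changes(events, tickets, privileged):
    """Return privileged change events with no approved ticket covering
    the same asset at the time of the change; treat these as incidents."""
    incidents = []
    for ev in events:
        if ev["account"] not in privileged or ev["action"] not in CHANGE_ACTIONS:
            continue
        approved = any(
            t.asset == ev["asset"] and t.start <= ev["time"] <= t.end
            for t in tickets
        )
        if not approved:
            incidents.append(ev)
    return incidents

# ---- constructed sample data ----
SAMPLE_ACCOUNTS = [
    Account("root", None, date(2019, 3, 1), False, ("alice", "bob")),
    Account("dba_carol", "database administrator", date(2019, 6, 10), True, ("carol",)),
    Account("svc_backup", "backup service", date(2019, 6, 20), False, (),
            is_service=True, interactive_login=True, can_modify_logs=True),
]
SAMPLE_TICKETS = [
    ChangeTicket("CHG-1001", "db01",
                 datetime(2019, 6, 25, 22, 0), datetime(2019, 6, 25, 23, 0)),
]
SAMPLE_EVENTS = [
    {"time": datetime(2019, 6, 25, 22, 10), "account": "dba_carol",
     "asset": "db01", "action": "schema_change"},   # inside CHG-1001 window
    {"time": datetime(2019, 6, 26, 3, 12), "account": "dba_carol",
     "asset": "db01", "action": "schema_change"},   # outside any window
    {"time": datetime(2019, 6, 26, 9, 0), "account": "root",
     "asset": "fw01", "action": "config_change"},   # no ticket for fw01
    {"time": datetime(2019, 6, 26, 9, 5), "account": "jdoe",
     "asset": "fw01", "action": "login"},           # not a privileged change
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_ACCOUNTS, date(2019, 6, 26)).items():
        print(name, "->", findings or "ok")
    privileged = {a.name for a in SAMPLE_ACCOUNTS}
    for ev in uncorrelated_changes(SAMPLE_EVENTS, SAMPLE_TICKETS, privileged):
        print("INCIDENT:", ev["time"], ev["account"], ev["asset"], ev["action"])
```

In production the events would come from the SIEM and the tickets from the change-management system; the correlation rule itself stays the same.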

Gain further assistance (and peace of mind) 

BerryDunn understands how privileged accounts should be monitored and audited. We can help your organization assess your current event management process and make recommendations if improvements are needed. Contact our team.

Blog
Trusting privileged accounts in the age of data breaches

Law enforcement, courts, prosecutors, and corrections personnel provide many complex, seemingly limitless services. Seemingly is the key word here, for in reality these personnel provide a set number of incredibly important services.

Therefore, it should surprise no one that justice and public safety (J&PS) IT departments should also provide a well-defined set of services. However, these departments are often viewed as parking lots for all technical problems. The disconnect between IT and other J&PS business units often stems from differences in organizational culture and structure, and differing department objectives and goals. As a result, J&PS organizations often experience misperception between business units and IT. The solution to this disconnect and misperception? Defining IT department services.

The benefits of defined IT services

  1. Increased business customer satisfaction. Once IT services align with customer needs, and expectations are established (e.g., service costs and service level agreements), customers can expect to receive the services they agreed to, and the IT department can align staff and skill levels to successfully meet those needs.
  2. Improved IT personnel morale. With clear definition of the services they provide to their customers, including clearly defined processes for customers to request those services, IT personnel will no longer be subject to “rogue” questions or requests, and customers won’t be inclined to circumvent the process. This decreases IT staff stress and enables them to focus on their roles in providing the defined services. 
  3. Better alignment of IT services to organizational needs. Through collaboration between the business and IT organizations, the business is able to clearly articulate the IT services that are, and aren’t, required. IT can help define realistic service levels and associated services costs, and can align IT staff and skills to the agreed-upon services. This results in increased IT effectiveness and reduced confusion regarding what services the business can expect from IT.
  4. More collaboration between IT and the organization. The collaboration between the IT and business units in defining services results in an enhanced relationship between these organizations, increasing trust and clarifying expectations. This collaborative model continues as the services required by the business evolve, and IT evolves to support them.
  5. Reduced costs. J&PS organizations that fail to strategically align IT and business strategy face increasing financial costs, as the organization is unable to invest IT dollars wisely. When a business doesn’t see IT as an enabler of business strategy, IT is no longer the provider of choice—and ultimately risks IT services being outsourced to a third-party vendor.

Next steps
Once a J&PS IT department defines its services to support business needs, it then can align the IT staffing model (i.e., numbers of staff, skill sets, roles and responsibilities), and continue to collaborate with the business to identify evolving services, as well as remove services that are no longer relevant. Contact us for help with this next step and other IT strategies and tactics for justice and public safety organizations.

Blog
The definition of success: J&PS IT departments must define services

If you’ve been tasked with leading a high-impact project for your organization, you may find managing the scope, budget and schedule is not enough to ensure project success—especially when you encounter resistance to change. When embarking on large-scale change projects spanning people, processes and technology, appointing staff as “coaches” to help support stakeholders through the change—and to manage resistance to the change—can help increase adoption and buy-in for a new way of doing things.

The first step is to identify candidates for the coaching role. These candidates are often supervisory staff who have credibility in the organization—whether as a subject matter expert, through internal leadership, or from having a history of client satisfaction. Next, you need a work plan to orient them to this role. One critical component is making sure the coaches themselves understand what the change means for their role, and have fully committed before asking them to coach others. They may exhibit initial resistance to the change, which you will need to manage before they can be effective coaches. According to research done by Prosci®, a leading change management research organization, some of the most common reasons for supervisor resistance in large-scale change projects are:

  • Lack of awareness about and involvement in the change
  • Loss of control or negative impact on job role
  • Increased workload (i.e., lack of time)
  • Culture of change resistance and past failures
  • Impact to their team

You should anticipate encountering these and other types of resistance from staff while preparing them to be coaches. Once coaches buy into the change, they will need ongoing support and guidance to fulfill their role. This support will vary by individual, but may be correlated to what managerial skills they already possess, or don’t. How can you focus on developing coaching skills among your staff for purposes of the project? Prosci® recommends a successful change coach take on the following roles:

  • Communicator—communicate with direct reports about the change
  • Liaison—engage and liaise with the project team
  • Advocate—advocate and champion the change
  • Resistance manager—identify and manage resistance
  • Coach—coach employees through the change

One of the initial tasks for your coaches will be to assess the existing level of change resistance and evaluate what resistance you may encounter. Prosci® identifies three types of resistance management work for your coaches to begin engaging in as they meet with their employees about the change:

  • Resistance prevention―by providing engagement opportunities for stakeholders throughout the project, building awareness about the change early on, and reinforcing executive-level support, coaches can often head off expected resistance.
  • Proactive resistance management―this approach requires coaches to anticipate the needs and understand the characteristics of their staff, and assess how they might react to change in light of these attributes. Coaches can then plan for likely forms of resistance in advance, with a structured mitigation approach.
  • Reactive resistance management―this focuses on resistance that has not been mitigated with the previous two types of resistance management, but instead persists or endures for an extended amount of time. This type of management may require more analysis and planning, particularly as the project nears its completion date.

Do you have candidates in your organization who may need support transitioning into coaching roles? Do you anticipate change resistance among your stakeholders? Contact us and we can help you develop a plan to address your specific challenges.

Blog
How to identify and prepare change management coaches

Truly effective preventive health interventions require starting early, as evidenced by the large body of research and the growing federal focus on the role of Medicaid in addressing Social Determinants of Health (SDoH) and Adverse Childhood Experiences (ACEs).

Focusing on early identification of SDoH and ACEs, CMS recently announced its Integrated Care for Kids (InCK) model and will release the related Notice of Funding Opportunity this fall.

CMS describes InCK as a child-centered approach that uses community-based service delivery and alternative payment models (APMs) to improve and expand early identification, prevention, and treatment of priority health concerns, including behavioral health issues. The model’s goals are to improve child health, reduce avoidable inpatient stays and out-of-home placement, and create sustainable APMs. Such APMs would align payment with care quality and support provider/payer accountability for improved child health outcomes by using care coordination, case management, and mobile crisis response and stabilization services.

State Medicaid agencies have many things to consider when evaluating this funding opportunity. Building on current efforts and innovations, building or leveraging strong partnerships with community organizations, incentivizing evidence-based interventions, and creating risk stratification of the target population are critical parts of the InCK model. Here are three additional areas to consider:

1. Data. States will need information for early identification of children in the target population. State agencies, like housing, justice, child welfare, education, and public health, have this information, and external organizations—such as childcare, faith-based, and recreation groups—are also good sources of early identification. It is immensely complicated to access data from these disparate sources. State Medicaid agencies will be required to support local implementation by providing population-level data for the targeted geographic service area.

  • Data collection challenges include a lack of standardized measures for SDoH and ACEs, common data field definitions, or consistent approaches to data classification; security and privacy of protected health information; and IT development costs.
  • Data-sharing agreements with internal and external sources will be critical for state Medicaid agencies to develop, while remaining mindful of protected health information regulations.
  • Once data-sharing agreements are in place, these disparate data sources, with differing file structures and nomenclature, will require integration. The integrated data must then be able to identify and risk-stratify the target population.

For any evaluative approach or any APM to be effective, clear quality and outcome measures must be developed and adopted across all relevant partner organizations.

2. Eligibility. Reliable, integrated eligibility and enrollment systems are crucial points of identification and make it easier to connect to needed services.

  • Applicants for one-benefit programs should be screened for eligibility for all programs they may need to achieve positive health outcomes.
  • Any agency at which potential beneficiaries appear should also have enrollment capability, so it is easier to access services.

3. Payment models. State Medicaid agencies may cover case management services and/or targeted case management as well as health homes; leverage Early and Periodic Screening, Diagnostic, and Treatment (EPSDT) services; and modify managed care organization contract language to encourage, incent, and in some cases, require services related to the InCK model and SDoH. Value-based payment models, already under exploration in numerous states, include four basic approaches:

  • Pay for performance—provider payments are tied directly to specific quality or efficiency indicators, including health outcomes under the provider organization’s control. 
  • Shared savings/risk—some portion of the organization’s compensation depends on the managed care entity achieving cost savings for the targeted patient population, while realizing specific health outcomes or quality improvement.
  • Pay for success—payment is dependent upon achieving desired outcomes rather than underlying services.
  • Capitated or bundled payments—managed care entities pay an upfront per member per month lump sum payment to an organization for community care coordination activities and link that with fee-for-service reimbursement for delivering value-added services.

By focusing on upstream prevention, comprehensive service delivery, and alternative payment models, the InCK model is a promising vehicle to positively impact children’s health. Though its components require significant thought, strategy, coordination, and commitment from state Medicaid agencies and partners, there are early innovators providing helpful examples and entities with vast Section 1115 waiver development and Medicaid innovation experience available to assist.

As state Medicaid agencies develop and implement primary and secondary prevention, cost savings can be achieved while meaningful improvements are made in children’s lives.

Blog
Three factors state Medicaid agencies should consider when applying for InCK funding

Good Practices Are Not Enough

When it comes to IT security, more than one CEO running a small organization has told me they have really good people taking care of “all that.” These CEOs choose to believe their people perform good practices. That may be true, but who defines good practices, and how are they administered? And when? If “security is everyone’s job,” then nobody is responsible for getting specific things done. Good practices require consistency, and consistency requires structure.

From an audit perspective, a control not written down does not exist. Why? Because it can’t be tested, measured, or validated. An IT Auditor can’t assess controls if they were never defined. Verbal instruction carries by far the most risk. “I told him to do that,” doesn’t pass the smell test in court.

Why Does it Matter?

Because it’s not IT’s job to write policies. Their job is to implement IT decisions made by management. They’re not at the right level to make decisions that impact the entire organization. Why should small organizations concern themselves with developing policies and procedures? Here are two very good reasons:

1. Regulatory Requirements
2. Lawsuits

No matter how small your organization, if you have a corporate network (even cloud-based) and you store credit card transactions, personal health information, client financial information or valuable intellectual property, being aware of state and federal regulatory requirements for protecting that information is vital. It is the responsibility of management to research and develop a management framework for addressing risk.

Lawsuits happen when information is stolen and/or employees are terminated for inappropriate activities. If you have no policies that mandate what is and isn’t acceptable, and what the penalties are for violations, your terminated employee has grounds for a wrongful termination lawsuit: policy should not be written by the IT Department.

If confidential data you are responsible for is stolen and clients sue you, standing up in court and saying “We don’t have any written policies or procedures,” is a sure way to have both significant financial losses and a negative impact on your reputation. For a small organization, that could mean going out of business.

Even if data is stolen from a third-party vendor who stores your data, your organization owns the data and is responsible for ensuring the data is secure with the vendor and meets organizational requirements. Do you have a vendor management policy? If you work with vendors, you need one.

Consider, too, that every organization expects to grow its business. The longer management doesn’t pay attention to policies and procedures, the more difficult it becomes to develop and implement them.

Medium and Large Organizations Need to Pay Attention, too

A policy document provides a framework for defining activities and decision-making by everyone in the organization. A policy contains standards for the organization, and outlines penalties for non-performance. The organization’s management team or board of directors must drive their creation.

Policies also maintain accountability in the eyes of internal and external stakeholders. Even the smallest organization wants their customers and employees to have confidence the organization is protecting important information. By defining the necessary controls for running business operations that address risk and compliance requirements (and reviewing them annually), your management team demonstrates a commitment to good practices.

Procedures are the “How”

Procedures don’t belong in a policy. Departments need to be able to design their own procedures to meet policy requirements and definitions. HR will have procedures for employee privacy and financial information, finance must manage credit card, student, banking or client financial documentation, and IT will need to develop specific technical procedures to document their compliance with policy.

If all those procedures are in a policy, it makes for unwieldy policy documents that management must review and approve. Departments need to change and update their procedures quickly in order to remain effective. For example, a policy may mandate the minimum number of characters in a password, but IT needs to develop the procedures to implement that requirement on many platforms and devices.

What is a “Plan” Used For?

Consider that organizations commonly have a Business Continuity Plan as well as an Incident Response Plan. How is a “plan” different from a policy or procedure?

A plan (for example, an Information Security Plan, or Privacy Plan, etc.) is a collection of related procedures with a specific focus. I have seen these collections called “programs,” but most organizations use “plan” (plus, the Federal government uses that term). The term “program” implies a beginning and an end, as well as tending to be a little too generic (think “School Lunch Program”).

Three Ways Not to Develop Policies, Procedures and Plans

1. Getting templates from the Internet. Doing a Google search delivers an overwhelming number of approaches, examples and material. Policy templates found online may not be applicable to your organization’s purpose, or require so much editing they defeat the template’s purpose.
2. Alternatively, going to organizational peers can endlessly replicate one poorly developed approach to documentation.
3. Writing policies and procedures totally focused on meeting one regulatory requirement frequently necessitates a total re-write as soon as the next regulation comes along.

Consider the Unique Aspects of Your Organization

What electronic information does your organization consider valuable? During an assessment with a state university, we discovered that the farm research the agriculture school was performing was extremely valuable. While we started out with questions about student health and financial information, the university realized the research data was equally critical. The information might not have federal or state regulations attached to it, but if it is valuable to your organization, you need to protect it. By not taking a one-size-fits-all approach to our assessment, we were able to meet their specific needs.

Multiple Departments or Locations? Standardize.

Whether your organization is a university, non-profit organization, government agency, medical center or business, you frequently have sub-entities. Each sub-entity or location may have different terms for different functions. For example, at a recent engagement for another university, Information Security “Programs,” “Plans” and “Policies” meant different things on different campuses. This caused confusion on the part of all stakeholders. It also showed a lack of cohesion in the approach to security of the university as a whole. Standardizing language is one of the best ways to have everyone in the organization on the same page, even if the documents are unique to a location, agency or site. This makes planning, implementation, and system upgrade projects run more effectively.

Demonstrate Competence

No matter what terms your organization chooses, using consistent terms is a good way to demonstrate a thoughtful approach. Everyone needs to be talking the same language. Having documents that specify management decisions provides assurance to internal and external stakeholders. Good policies, procedures and plans can mean the difference between a manageable crisis and a business failure.

To receive IT security updates, please sign up here.

Blog
Policies, procedures, and plans—defining the language of your organization

A penalty letter doesn’t mean the IRS is correct, but it’s important you know what to do to avoid paying an erroneous penalty. 

As we’ve written about recently, the IRS has sent out penalty letters to businesses, non-profits, and government agencies indicating they are not in compliance with the ACA employer mandate for 2015.

The letters usually take the position that the employer owes a penalty based on information examined by the IRS, unless the employer can prove otherwise. This puts employers on the defensive, often based on incorrect facts.

Letters we’ve reviewed all assessed significant penalties against the employers. In two of the cases, penalties were more than $500,000. In these cases it appears that companies incorrectly stated that they didn’t offer health insurance coverage to at least 70% of full-time employees. Given the potential penalties involved, you cannot risk a sub-standard response to the IRS.

Because the process is new and there are many unknowns, including IRS errors in processing and interpretation of the forms, be prepared. If your company receives a penalty letter, here’s what we recommend to get you on the right track for working through the process:

  1. Find and review your original 2015 Forms 1094-C and 1095-C that you or your payroll company submitted to the IRS.
  2. Determine when you must respond to the IRS. You have 30 days from the date on the penalty notice letter to file a response.
  3. The employer penalties and how to address them are a tax matter. Get qualified tax advice from an outside expert who understands both tax and the ACA. Fortunately, we meet those criteria and would be delighted to help you. 

Even if you don’t receive one of the first penalty notices, it’s wise to keep abreast of the ACA issues. Sign up here to receive alerts from our tax and ACA experts. Questions? Contact me or Bill Enck for more information.

 

Blog
Guilty until proven innocent? ACA employer penalty letters are here.

Most of us have been (or should have been) instructed to avoid using clichés in our writing. These overstated phrases and expressions add little value, and often only increase sentence length. We should also avoid clichés in our thinking, for what we think can often influence how we act.

Consider, for example, “death by committee.” This cliché has greatly — and negatively — skewed views on the benefits of committees in managing projects. Sure, sometimes committee members have difficulty agreeing with one another, which can lead to delays and other issues. In most cases, though, an individual can’t possibly oversee all aspects of a project, or represent all interests in an organization. Committees are vital for project success — and arguably the most important project committee is the steering committee.

What Exactly is a Steering Committee?
It is a group of high-level stakeholders that provides strategic direction for a project, and supports the project manager. Ideally, the group increases the chances for project success by closely aligning project goals to organizational goals. However, it is important to point out that the group’s top priority is project success.

The committee should represent the different departments and agencies affected by the project, but remain relatively small in size, chaired by someone who is not an executive sponsor of the project (in order to avoid conflicts of interest). While the project manager should serve on the steering committee, they should not participate in decision-making; the project manager’s role is to update members on the project’s progress, areas of concern, current issues, and options for addressing these issues.

Overall, the main responsibilities of a steering committee include:

  1. Approving the Project Charter
  2. Resolving conflicts between stakeholder groups
  3. Monitoring project progress against the project management plan
  4. Fostering positive communication about the project within the organization
  5. Addressing external threats and issues emerging outside of the project that could impact it
  6. Reviewing and approving changes made to the project resource plan, scope, schedules, cost estimates, etc.

What Are the Pros and Cons of Utilizing a Steering Committee?
A group of executive stakeholders providing strategic direction should benefit any project. Because steering committee members are organizational decision-makers, they have the access and credibility to address tough issues that can put the project at risk, and have the best opportunities to negotiate positive outcomes. In addition, steering committees can engage executive management, and make sure the project meshes with executive management’s vision, mission, and long-range strategic plan. Steering committees can empower project managers, and ensure that all departments and agencies are on the same page with regard to project status, goals, and expectations. In a 2009 article in Project Management Journal, authors Thomas G. Lechler and Martin Cohen concluded that steering committees are important to implementing and maintaining project management standards on an operational level — not only do steering committees directly support project success, they are instrumental in deriving value from an organization's investments in its project management system.

A steering committee is only as effective as it’s allowed to be. A poorly structured steering committee that lacks formal authority, clear roles, and clear responsibilities can impede the success of a project by being slow to respond to project issues. A proactive project manager can help the organization avoid this major pitfall by helping develop project documents, such as the governance document or project plan, that clearly define the steering committee structure, roles, responsibilities and authority.

Steer Toward Success!
Steering committees can benefit your organization and its major projects. Yet understanding the roles and responsibilities — and pros and cons — is only a preliminary step in creating a steering committee. Need some advice on how to organize a steering committee? Want to learn more about steering committee best practices? Together, we can steer your project toward success.

Blog
Success by steering committee

A year ago, CMS released the Medicaid Enterprise Certification Toolkit (MECT) 2.1: a new Medicaid Management Information Systems (MMIS) Certification approach that aligns milestone reviews with the systems development life cycle (SDLC) to provide feedback at key points throughout design, development, and implementation (DDI).

The MECT (recently updated to version 2.2) incorporates lessons learned from pilot certifications in several states, including the successful West Virginia pilot that BerryDunn supported. MECT updates have a direct impact on E&E systems—an impact that may increase in the near future. Here is what you need to know:

Then: Initial Release

In February 2017, CMS introduced six Eligibility & Enrollment (E&E) checklists. Five were leveraged from the MECT, while the sixth checklist contained unique E&E system functionality criteria and provided a new E&E SDLC that—like the MECT—depicted three milestone reviews and increased the Independent Verification and Validation (IV&V) vendor’s involvement in the checklists completion process.

Now: Getting Started

Completing the E&E checklists will help states ensure the integrity of their E&E systems and help CMS guide future funding. This exercise is no easy task, particularly when a project is already in progress. Completion of the E&E checklists involves many stakeholders, including:

  • The state (likely more than one agency)
  • CMS
  • IV&V
  • Project Management Office (PMO)
  • System vendor(s)

As with any new processes, there are challenges with E&E checklists completion. Some early challenges include:

  • Completing the E&E checklists with limited state project resources
  • Determining applicable criteria for E&E systems, especially for checklists shared with the MMIS
  • Identifying and collecting evidence for iterative projects where criteria may not fall cleanly into one milestone review phase
  • Working with the system vendor(s) to produce evidence

What’s Next?

Additionally, working with system vendors may prove tricky for projects that already have contracts with E&E vendors, as E&E systems are not currently subject to certification (unlike the MMIS). This may lead to instances where E&E vendors are not contractually obligated to provide the evidence that would best satisfy CMS criteria. To handle this and other challenges, states should communicate risks and issues to CMS and work together to resolve or mitigate them.

As CMS partners with states to implement the E&E checklists, some questions are expected to be asked. For example, how much information can be leveraged from the MECT, and how much of the checklists completion process must be E&E-specific? Might certification be required in the near future for E&E systems?

While there will be more to learn and challenges to overcome, the first states completing the E&E checklists have an opportunity to lead the way on working with CMS to successfully build and implement E&E systems that benefit all stakeholders.

On July 31, 2017, CMS released the MECT 2.2 as an update to the MECT 2.1.1. As the recent changes continue to be analyzed, what will the impact be to current and future MMIS and E&E projects?

Check back here at BerryDunn Briefings in the coming weeks and we will help you sort it out.

Blog
Check this: CMS checklists aren't just for MMIS anymore.

Four steps to take if you get an ACA Tax Penalty Notice from the IRS

It’s been almost a year since the IRS filing deadline for 2015 Forms 1094-C and 1095-C. Most expected the IRS to issue employer penalty notices related to the 2015 calendar year in late 2016. To date, the IRS has not issued a single penalty notice. Employers who did not comply with the law are subject to penalty and there is a good chance that the IRS will issue 2015 penalty notices soon. So what do you need to do?

If your company receives an ACA penalty notice, you should follow these steps:

  1. Scrutinize the information closely — do not assume the IRS claim is accurate
  2. Be ready to refute the IRS’s claim — be sure to gather all of the pertinent facts
  3. Do not forego your appeal rights — consult with outside tax experts or your legal team to make sure you understand them
  4. Contact a tax specialist for guidance — preferably one with ACA and IRS experience

The fate of the ACA is unknown, but the repeal legislation passed by the House in early May retained the employer mandate penalties for 2015. Thus, there is a good chance that any future repeal legislation will also retain the employer penalties for 2015 — and possibly 2016 and 2017.

The bottom line?

Don’t panic, be prepared, and get outside help if you need it. For more detailed information on ACA Tax Penalty notices, read the article here. If you need specific information or help with your penalty notice, please contact Bill Enck or Roger Prince.

Blog
ACA employer mandate penalty notices: Don't panic!
