Skip to Main Content

blogpost

User Acceptance Testing: A plan for successful software implementation

05.20.20

Read this if you are planning for, or are in the process of implementing a new software solution.

User Acceptance Testing (UAT) is more than just another step in the implementation of a software solution. It can verify system functionality, increase the opportunity for a successful project, and create additional training opportunities for your team to adapt to the new software quickly. Independent verification through a structured user acceptance plan is essential for a smooth transition from a development environment to a production environment. 

Verification of functionality

The primary purpose of UAT is to verify that a system is ready to go live. Much of UAT is like performing a pre-flight checklist on an aircraft. Wings... check, engines... check, tires... check. A structured approach to UAT can verify that everything is working prior to rolling out a new software system for everyone to use. 

To hold vendors accountable for their contractual obligations, we recommend an agency test each functional and technical requirement identified in the statement of work portion of their contract. 

It is also recommended that the agency verify the functional and technical requirements that the vendor replied positivity to in the RFP for the system you are implementing. 

Easing the transition to a new software

Operational change management (OCM) is a term that describes a methodology for making the switch to a new software solution. Think of implementing a new software solution like learning a new language. For some employees, the legacy software solution is the only way they know how to do their job. Like learning a new language, changing the way business and learning a new software can be a challenging and scary task. The benefits outweigh the anxiety associated with learning a new language. You can communicate with a broader group of people, and maybe even travel the world! This is also true for learning a new software solution; there are new and exciting ways to perform your job.

Throughout all organizations there will be some employees resistant to change. Getting those employees involved in UAT can help. By involving them in testing the new system and providing feedback prior to implementation, they will feel ownership and be less likely to resist the change. In our experience, some of the most resistant employees, once involved in the process, become the biggest champions of the new system.  

Training and testing for better results

On top of the OCM and verification benefits a structured UAT can accomplish, UAT can be a great training opportunity. An agency needs to be able to perform actions of the tested functionality. For example, if an agency is testing a software’s ability to import a document, then a tester needs to be trained on how to do that task. By performing this task, the tester learns how to login to the software, navigate the software, and perform tasks that the end user will be accomplishing in their daily use of the new software. 

Effective UAT and change management

We have observed agencies that have installed software that was either not fully configured or the final product was not what was expected when the project started. The only way to know that software works how you want is to test it using business-driven scenarios. BerryDunn has developed a UAT process, customizable to each client, which includes a UAT tracking tool. This process and related tool helps to ensure that we inspect each item and develop steps to resolve issues when the software doesn’t function as expected. 

We also incorporate change management into all aspects of a project and find that the UAT process is the optimal time to do so. Following established and proven approaches for change management during UAT is another opportunity to optimize implementation of a new software solution. 

By building a structured approach to UAT, you can enjoy additional benefits, as additional training and OCM benefits can make the difference between forming a positive or a negative reaction to the new software. By conducting a structured and thorough UAT, you can help your users gain confidence in the process, and increase adoption of the new software. 

Please contact the team if you have specific questions relating to your specific needs, or to see how we can help your agency validate the new system’s functionality and reduce resistance to the software. We’re here to help.   
 

Related Professionals

Read this if you are a police executive, city/county administrator, or elected government official responsible for a law enforcement agency. 

Who you gonna call? 

Law enforcement agencies provide essential services to our communities vital to maintaining order and public safety. These critical organizations always answer the call, and they are prepared for every type of disaster imaginable: floods, hurricanes, tornadoes, blizzards, train derailments, and even... a pandemic?

Police agencies plan, prepare, and train for disasters, and are particularly adept and agile in their response to them. As an industry, law enforcement agencies are also very good at helping one another in times of need. When there is a major disaster in your community, your agency can always count on neighboring departments sending you some much needed resources―that is, unless everyone has the same problem. Then what do you do?

Although law enforcement agencies are very capable, their strength is in sprinting, not running marathons. Even the best and most-qualified police agencies struggle with the strain of long-lasting disasters, particularly when there are no other resources to help. That is when having the right patrol-schedule design can be critical. If your patrol schedule is inefficient in the first place, managing a lengthy disaster or critical event will magnify those inefficiencies, exhausting your personnel and fiscal resources at the same time.

Flaws in patrol schedule design = reduced efficiency

Flaws in the patrol schedule design often contribute to reduced efficiency and suboptimal performance, and design issues may work against your ability to maintain operational staffing during critical times of need. So, how do you know if your patrol schedule is serving you well? 

To help agencies evaluate their patrol schedules, BerryDunn has developed at free tool. Click here to measure your patrol schedule against key design components and considerations. If your agency scores low in this self-assessment, it may be time to consider making some adjustments. 

The path to resolving inefficiencies in your patrol work schedule and optimizing the effective deployment of patrol personnel requires thoughtful consideration of several overarching goals:

  • Reducing or eliminating predictable overtime
  • Eliminating peaks and valleys in staffing due to scheduled leave
  • Ensuring appropriate staffing levels in all patrol zones or beats
  • Providing sufficient staff to manage multiple and priority Calls for Service  in patrol zones or beats
  • Satisfying both operational and staff needs, including helping to ensure a proper work/life balance and equitable workloads for patrol staff

Accomplishing these goals requires an intentional approach, customized to your agency’s characteristics (e.g., staffing levels, geographic factors, crime rates, zone/beat design, contract/labor rules). BerryDunn can help your agency assess the patrol schedule, and if necessary, provide guidance and assistance on implementation of a more effective model. 

If you are interested in a patrol work-schedule assessment or redesign or a patrol staffing study, our dedicated Justice & Public Safety consultants are available to discuss your organization’s needs.

Blog
Continuity of patrol operations in a COVID-19 environment

Read this if you are a business owner or advisor to business owners.

With continued uncertainty in the business environment stemming from the COVID-19 pandemic, now may be a good time to utilize trust, gift, and estate strategies in the transfer of privately held business interests.

In simple terms, business valuation is a function of future cash flow and the risk in achieving those cash flows. As uncertainty in the ability to achieve future cash flow rises, risk rises at the same time. The value of a business is driven by risk. Holding all else equal, as risk continues to increase, the value of a business decreases. Similarly, if all else is equal, a continuing decline in anticipated cash flow results in decreased business values. An increase in risk, coupled with growing uncertainty and decline in cash flow may create a compounding effect of depressing business values. 

Cash flow challenges

Even if the cash flow of a privately held business has held up thus far, there is great uncertainty as to future cash flow. The duration of this uncertainty is a major concern for many business owners in the current environment. It was not long ago that many were anticipating the pandemic impact would be short-lived, resulting in a v-shaped recovery. Those expectations have given way as national unemployment numbers continue to climb. This continued uncertainty may lessen the value of privately held businesses. Depending on the company, its expectations, and impact from industry and economic factors, the effect on future cash flow may be significant.

With these elements in mind, the current and near-term may serve as an advantageous time to consider the transfer of interests in a privately held business. Increased risk and lowered future expectations will combine, resulting in lower values—particularly as compared to performance during the recent strong economy. 

Further opportunities exist if you are considering transferring a non-controlling interest in a company. Discounts applicable to minority or fractional interests typically include discounts for lack of control and lack of marketability, and in some cases discounts for lack of voting rights. These discounts may serve to further reduce the overall value transferred through a given strategy. 

What strategies can be used to capitalize in this environment?

From a federal perspective, gift and estate tax lifetime exemption amounts are at all-time highs; currently, $11.58 million per individual in 2020. With portability, a married couple can gift or transfer over $23 million in value without incurring a federal gift or estate tax.

Coupled with the ever-increasing annual gift tax exclusion amount of $15,000 per recipient in 2020, executing a succession plan could not come at a better time. Individuals should be aware of the scheduled sunset of the above referenced amounts in 2025 with reversion back to previous levels of $5.0 million (adjusted for inflation).

Building on future uncertainty, the 2020 presidential election is quickly approaching, as well as budget concerns from federal and state administrative agencies resulting from COVID-19. As it is unknown whether the current estate gift and estate tax exemptions will remain at these all-time highs, it may be an opportune time to leverage the current lifetime exemption or annual gift tax exclusion. 

Given the likely decline in value of closely held business interests or marketable securities combined with historically low interest rates currently, transferring assets now that will likely rebound in value later will provide transferors/donors with the most bang for their buck. 

Certain trust vehicles are often beneficial in a low-interest rate environments and provide varying forms of flexibility to the grantor or donor. When combined with the increase in the charitable deduction limits for taxpayers who itemize their deductions, this is an optimal time for transferring assets.  

One of the most important aspects of estate planning is to review and update your estate plan regularly for changes in your financial or family situation. Estate plans are not static and should be periodically reviewed to ensure they achieve your goals based upon your current situation.

Our mission at BerryDunn remains constant in helping each client create, grow, and protect value. If you have questions about your unique situation, or would like more information, please contact the team.

Blog
2020 estate strategies in times of uncertainty for privately held business owners

Read this if your organization, business, or institution is receiving financial assistance as a direct result of the COVID-19 pandemic.

Many for-profit and not-for-profit organizations are receiving financial assistance as a direct result of the COVID-19 pandemic. While there has been some guidance, there are still many unanswered questions. One unanswered question has been whether or not any of this financial assistance will be subject to the Single Audit Act. Good news―there’s finally some guidance:

  • For organizations receiving financial assistance through the Small Business Administration (SBA) Payroll Protection Program (PPP), the SBA made the determination that financial assistance is not subject to the Single Audit.
  • The other common type of financial assistance through the SBA is the Emergency Injury Disaster Loan (EIDL) program. The SBA has made the determination that as these are direct loans with the federal government, they will be subject to the Single Audit. 

It is unlikely there will be guidance within the 2020 Office of Management and Budget (OMB) Compliance Supplement related to testing the EIDL program as the Compliance Supplement anticipated in June 2020 will not have any specific information relative to COVID-19. The OMB announced they will likely be issuing an addendum to the June supplement information specific to COVID-19 by September 2020.

Small and medium-sized for-profit organizations have been able to access funds through the Main Street Lending Program, which is comprised of the Main Street New Loan Facility, the Main Street Priority Loan Facility, and the Main Street Expanded Loan Facility. We do not currently know how, or if, the Single Audit Act will apply to these loans. Term sheets and frequently asked questions can be accessed on the Federal Reserve web page for the Main Street Lending Program.

Not-for-profits have also received additional financial assistance to help during the COVID-19 pandemic, through Medicare and Medicaid, and through the Higher Education Emergency Relief Fund (HEERF). While no definitive guidance has been received, HEERF funds, which are distributed through the Department of Education’s Education Stabilization Fund, have been assigned numbers in the Catalog of Federal Domestic Assistance, which seems to indicate they will be subject to audit. We are currently awaiting guidance if these programs will be subject to the Single Audit Act and will update this blog as that information becomes available.

If you have questions about accounting for, or reporting on, funds that you have received as a result of the COVID-19 pandemic, please contact a member of our Single Audit Team. We’re here to help.

Blog
COVID-19: Single audit and uniform guidance clarifications

Read this if you are a business owner.

While recent articles within the exit planning community have noted a slowing of business transitions and exits, during times of uncertainty it may be even more important to focus on the opportunity at hand. Rather than waiting it out, we recommend that business owners try to be active, involved, and focus their efforts on improving their business.

The situation is similar to the ebb and flow of the tide. The current economy is the tide at an extreme low point. We know that the economy will recover, so what can be done in the meantime to take advantage of opportunities, and be ready to succeed when the tide rises?

Changing of tides

Suddenly, there has been a rapid and seismic shift in the landscape. Weaknesses and threats, rocks and hazards, may have emerged. How you choose to approach these perils will make a difference in the long term. Will you take the opportunity to discover, identify, assess, shore up, and mitigate these elements?

It is important to view this current state in the context of the larger, long-term perspective. Once the tide comes back, will you be able to set full sail ahead having built resiliency, redundancy, and strength into those areas while you had the opportunity? While the water is low, it presents a great opportunity for business owners to discover and understand: 

  • What broke first and why? 
  • How can you shore it up for better operations in the days ahead?
  • What weak spots you didn’t know about are now apparent?
  • How can you address those weaknesses?
  • How can you leverage existing resources differently to chart a path forward?

Models of priority

There are various stages or hierarchies of priority in thinking about the progress of a business. 

Each priority model features bases and pinnacles. The pinnacles of each model are realized in a long-term setting, after the remaining bases have been solidified. While continued development of a clear vision for your business is paramount, dynamic shifts in the landscape call for reassessment of the bases. In the long-term, self-fulfillment manifests from properly executed strategy, but in the near- and mid-term, these various frameworks force strategic planning back to assess and address the base components. 

The bases of each model should serve as safe havens for reversion. When facing uncertainty and failure, have you made your base strong enough to redirect your efforts in an actionable plan for the long-term?

Action Planning Pyramid and Value Maturity Index

Action Planning
Five Stages of Value Maturity

The Value Maturity Index, broken into five stages is a stepwise assessment of active exit and business strategy. Inherent in the value acceleration framework are the concepts of resiliency, redundancy, disaster recover, and actionable planning.

While we may have been fully entrenched in the build phase, setbacks due to dynamic changes in the landscape force us back to protect mode—the assessment and methodical shoring up of weaker points of the operation to protect against future downside risks.

Though this stepwise progression is linear in nature, keep in mind that flexibility and adaptability are paramount in changing course to address needs of your current state.

When we look at action planning, parallels can be drawn to the various models. Certainly, we are focused on continuing sales, marketing, and customer relationships, but it becomes a question of reversion to meeting the basic needs and serving client’s pain points rather than  beginning ground-breaking efforts. 

The current climate forces us to the base, with a focus on solidifying the exposed areas that may have been made apparent, and likely compounded, by the current realities. Concerns on management, metrics, core values, and priorities serve as the bases in need of coverage.

Maslow’s Hierarchy of Needs
 

Maslow's Hierarchy of Needs

Maslow’s Hierarchy of Needs1 is a well-known motivational theory in psychology that comprises a five-tiered model of human needs, whereby each successive tier must be fulfilled (beginning at the base) before rising to the next tier. It can be used to view similar information from a psychological perspective.

Value acceleration and creating successful outcomes are largely tied to a clear long-term vision. We typically reside in the Self-actualization level of the hierarchy of needs when undertaking the high-level view of the framework.

Based on the adaptability and call for sudden directional changes in today’s climate, we are not as concerned with these top levels. We have them in our back pocket for easy recall, but they are not the pressing issue staring us in the face.

If we think about shoring up bases (the Protect Stage), in considering this psychological model, our focus is on the “basic needs” level. That is, keeping people (self, family, and employees) safe and remaining connected for immediate continuity.

McKinsey & Company Event Horizons

McKinsey & Company Event Horizons

Many others in related fields are viewing the current situation in similar terms. In the McKinsey & Company Events Horizon view2:

  • Resolve addresses those immediate hurdles and challenges a business is currently facing.
  • Resilience focuses on near-term items to be addressed once the initial base is covered. 
  • Return views the mid-term horizon in understanding how to return to scale by focusing on understanding metrics and increasing the frequency of measurements for informed decision making. 
  • Reimagination and Reform typically go hand in hand, but without covering bases of needs, crafting a dynamic shift in operations to incorporate new environments may be counterproductive. 

However, once these bases have been clearly assessed and addressed, the path forward may appear dramatically different, in which case creative solutions to enhance opportunity should begin to form. Examples of this may include newly emerged revenue streams and opportunity areas, fully integrated systems and dashboards to capture timely decision making data points, or pivots in your business model adaptable and reactive to new environments.

One example that has been in the news recently involves CEOs being pleasantly surprised that productivity of employees has not dropped even though people are working from home. How sustainable is this productivity? What implications might this have for corporate real estate and office settings? The answers will vary widely, depending on your business and competitive environment.

Exposure, discover, and control

Back to our tides analogy for a moment. As the water receded, what new rocks were exposed or what existing challenges became more apparent? What is your plan to address these areas? Is this the time to make large investments in your company or the right investments? Now that the tide is out, it is time to shore up, move the rocks, and address elements of your business to prepare for long-term successes. Through our assessments, risk profiling, and benchmarking analyses, we help business owners discover the largest gaps across the company, prioritize the most impactful problem areas to address, and implement changes to enhance business value through continuous improvement. 

Taking stock of your company’s future through the incorporation of lessons learned will bolster value in the long-term by de-risking and developing new opportunities, methods, work, shifts in productivity, and shifts in mentality. That approach also brings lots of questions: If there are no early warning signs, why not? What should your indicators be? What metrics are crucial in identifying the pulse of your current situation? What is your business reliant on? How can you build information and indicators for rapid shifts in decision making? How strong are your current controls and how integrated are your management and information systems?

To answer these questions, you need to quantify and develop metrics that will aid in the early identification of future challenges, thus increasing your responsiveness with data-driven decision mechanisms. Having your fingers on the pulse of your company and understanding the impact of each input to your strategy will focus your attention on the information that matters most. This allows you to understand, position, and adapt to changes in your business and community environment in a proactive and agile manner. Measurements, forecasts, and dashboards should provide you with regular, valid, and relevant information you can use to take informed action in decision making.

Historical look backs during various points of time will allow you to key in on pivotal data indicators and inflection points. When looking at this from an operational view, industry and economic factors impacting your company can serve as corroborating pieces of evidence to further support data metrics analyzed.

As you perform look backs, it is also best practice to regularly study and update development, pipeline, and reliance metrics for feedback and information discovery with data integrated throughout your operations. This helps avoid lag time in reporting on stale information towards real-time actionable data points.  

Each metric is specific to your business and can be directly mapped back to increases in shareholder value. Understanding these drivers of business value will focus your attention and intention on improving in the right areas, while avoiding distracting and less impactful pain points.

Don’t fret over precision, rather build in flexibility and adaptability with scenario- and sensitivity-based criterion to understand changes, implications, and reliance of each input. Understanding these relationships in a broader scheme aid you in quick, impactful decision making guiding you towards enhanced value.

Resilience until the tides rise

This approach allows opportunity to fully assess the known and unknown problem areas, weaknesses, perils, and hazards your business may be facing. From that base you can begin to address these issues to scale effectively with lower overall risk when activity picks up.

Management metrics, core values, and priorities drive resilience for long-term continuity by shoring up the foundation to build for the future. Assembling evidence in troubled times provides opportunity to capitalize on and fulfill core values. Documenting these decisions and improvements memorialize your decision making, impact on value enhancement, and should serve as a playbook for future events.

What you make of the time you have now through identification, assessment, and addressing newly emerged risk areas provides the opportunity to increase success once the economy rebounds. We are here to help. If you have questions about your particular situation, or would like more information, please contact the business valuation consulting team

1Maslow’s Hierarchy of Needs, Saul McLeod, updated March 20, 2020. SimplyPsychology. www.simplypsychology.org/maslow.html.
2Beyond coronavirus: The path to the next normal, Kevin Sneader and Shubham Singhal, McKinsey & Company, March 23, 2020.  www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/beyond-coronavirus-the-path-to-the-next-normal. COVID-19: Briefing note, March 30, 2020, Our latest perspectives on the coronavirus pandemic. Matt Craven, Mihir Mysore, Shubham Singhal, Sven Smit, and Matt Wilson. McKinsey & Company. www.mckinsey.com/business-functions/risk/our-insights/covid-19-implications-for-business.

Blog
Value acceleration in times of uncertainty

The BerryDunn Recovery Advisory Team has compiled this guide to COVID-19 consulting resources for state and local government agencies and higher education institutions.

We have provided a list of our consulting services related to data analysis, CARES Act funding and procurement, and legislation and policy implementation. Many of these services can be procured via the NASPO ValuePoint Procurement Acquisition Support Services contract.

READ THE GUIDE NOW

We're here to help.
If you have any questions, please contact us at info@berrydunn.com

Blog
COVID-19 consulting resources

Read this if you are a CIO, CFO, Provost, or President at a higher education institution.

In my conversations with CIO friends over the past weeks, it is obvious that the COVID-19 pandemic has forced a lot of change for institutions. Information technology is the underlying foundation for supporting much of this change, and as such, IT leaders face a variety of new demands now and into the future. Here are important considerations going forward.

Swift impact to IT and rapid response

The COVID-19 pandemic has had a significant impact on higher education. At the onset of this pandemic, institutions found themselves quickly pivoting to work from home (WFH), moving to remote campus operations, remote instruction within a few weeks, and in some cases, a few days. Most CIOs I spoke with indicated that they were prepared, to some extent, thanks to Cloud services and online class offerings already in place—it was mostly a matter of scaling the services across the entire campus and being prepared for returning students and faculty on the heels of an extended spring break.

Services that were not in place required creative and rapid deployment to meet the new demand. For example, one CIO mentioned the capability to have staff accept calls from home. The need for softphones to accommodate student service and helpdesk calls at staff homes required rapid purchase, deployment, and training.

Most institutions have laptop loan programs in place but not scaled to the size needed during this pandemic. Students who choose to attend college on campus are now forced to attend school from home and may not have the technology they need. The need for laptop loans increased significantly. Some institutions purchased and shipped laptops directly to students’ homes. 

CIO insights about people

CIOs shared seeing positive outcomes with their staff. Almost all of the CIOs I spoke with mentioned how the pandemic has spawned creativity and problem solving across their organizations. In some cases, past staffing challenges were put on hold as managers and staff have stepped up and engaged constructively. Some other positive changes shared by CIOs:

  • Communication has improved—a more intentional exchange, a greater sense of urgency, and problem solving have created opportunities for staff to get engaged during video calls.
  • Teams focusing on high priority initiatives and fewer projects have yielded successful results. 
  • People feel a stronger connection with each other because they are uniting behind a common purpose.

Perhaps this has reduced the noise that most staff seem to hear daily about competing priorities and incoming requests that seem to never end.

Key considerations and a framework for IT leaders 

It is too early to fully understand the impact on IT during this phase of the pandemic. However, we are beginning to see budgetary concerns that will impact all institutions in some way. As campuses work to get their budgets settled, cuts could affect most departments—IT included. In light of the increased demand for technology, cuts could be less than anticipated to help ensure critical services and support are uninterrupted. Other future impacts to IT will likely include:

  • Support for a longer term WFH model and hybrid options
  • Opportunities for greater efficiencies and possible collaborative agreements between institutions to reduce costs
  • Increased budgets for online services, licenses, and technologies
  • Need for remote helpdesk support, library services, and staffing
  • Increased training needs for collaborative and instructional software
  • Increased need for change management to help support and engage staff in the new ways of providing services and support
  • Re-evaluation of organizational structure and roles to right-size and refocus positions in a more virtual environment
  • Security and risk management implications with remote workers
    • Accessibility to systems and classes 

IT leaders should examine these potential changes over the next three to nine months using a phased approach. The diagram below describes two phases of impact and areas of focus for consideration. 

Higher Education IT Leadership Phases

As IT leaders continue to support their institutions through these phases, focusing on meeting the needs of faculty, staff, and students will be key in the success of their institutions. Over time, as IT leaders move from surviving to thriving, they will have opportunities to be strategic and create new ways of supporting teaching and learning. While it remains to be seen what the future holds, change is here. 

How prepared are you to support your institution? 

If we can help you navigate through these phases, have perspective to share, or any questions, please contact us. We’re here to help.

Blog
COVID-19: Key considerations for IT leaders in Higher Ed

Read this if you are at a state Medicaid agency or CHIP agency.

CMS has posted additional Frequently Asked Questions (FAQs) to Medicaid.gov, to aid state Medicaid and Children’s Health Insurance Program (CHIP) agencies in their response to the coronavirus disease 2019 (COVID-19) pandemic.

These new FAQs have been integrated into the previously released COVID-19 FAQ document. The new FAQs cover a variety of Medicaid and CHIP topics, including:

  • Emergency Preparedness and Response
  • Eligibility and Enrollment Flexibilities
  • Benefit Flexibilities
  • Cost-Sharing Flexibilities
  • Financing Flexibilities  
  • Managed Care Flexibilities
  • Information Technology  
  • Data Reporting

Updated CMS processes for reviewing 2021 contracts between states and Medicare Dual Eligible Special Needs Plans (D-SNPs)

CMS has issued a reminder to states of the upcoming submission deadline for the Contract Year (CY) 2021 contracts with Medicare Advantage Dual Eligible Special Needs Plans (D-SNPs). The due date for D-SNPs to submit to CMS their CY 2021 contracts with the state Medicaid agencies is July 6, 2020.

  • CMS encourages state Medicaid agencies to review the November 14, 2019 Informational Bulletin that describes new requirements for CY 2021 D-SNP contracts, which CMS finalized in rulemaking to implement new statutory provisions of the Bipartisan Budget Act (BBA) of 2018.
  • The Integrated Care Resource Center (ICRC) continues to provide technical assistance to states to help with the implementation of these new requirements. CMS and ICRC have a number of important resources for states regarding the new requirements for contracts with D-SNPs. Additional resources for states can be found here.
  • As a result of COVID-19, CMS is extending the review and approval timelines to allow D-SNPs more time to work with states on the new CY 2021 requirements. As a result, D-SNPs will have until November 2, 2020 to resubmit revised state Medicaid agency contracts or contract amendments.

CMS announces rule changes to support healthcare workforce augmentation

CMS has taken steps to limit or remove potential barriers for hiring and retaining physicians, nurses, and other healthcare professionals in order to keep staffing levels high at healthcare facilities.

  • In response to the need for in-home services during the COVID-19 crisis, nurse practitioners, clinical nurse specialists, and physician assistants can now provide home health services. These changes are effective for both Medicare and Medicaid.
  • Prior to this, Medicare and Medicaid home health member were only able to receive home health services with the certification of a physician. 
  • Physicians and other practitioners whose privileges are expiring will be able to continue taking care of patients. Consistent with a change made for hospitals, CMS is waiving a requirement for ambulatory surgery centers to periodically reappraise medical staff privileges during the COVID-19 emergency declaration. 

Interim Final Rule Updating Requirements for Notification of Confirmed and Suspected COVID-19 Cases Among Residents and Staff in Nursing Homes 

CMS has issued a memo along with frequently asked questions which address the new requirement that nursing homes and long term care facilities report COVID-19 facility data to the Centers for Disease Control and Prevention (CDC).

  • CMS will be requiring nursing homes to report COVID-19 facility data to the CDC and to residents, their representatives, and families of residents in facilities. 
  • CMS has updated the COVID-19 Focused Survey for Nursing Homes, Entrance Conference Worksheet, COVID-19 Focused Survey Protocol, and Summary of the COVID-19 Focused Survey for Nursing Homes to reflect COVID-19 reporting requirements. 
  • CMS will begin posting data from the CDC National Healthcare Safety Network (NHSN) for viewing by facilities, stakeholders, or the general public. The COVID-19 public use file will be available on https://data.cms.gov/.
     

Increase hospital capacity - CMS Hospitals Without Walls

On April 30, CMS announced expansions of the Hospitals Without Walls initiative, granting flexibility for services to be provided outside of traditional venues.

  • CMS is encouraging the use of existing flexibilities that allow outpatient hospital services to be delivered outside of traditional settings, such as at expansion locations, converted hotels or parking lots, or patients’ homes.
  • Certain outpatient departments that relocate off-site can qualify to be paid under the Outpatient Prospective Payment System (OPPS), rather than the Physician Fee Schedule.
  • Hospitals may relocate outpatient departments to more than one off-campus location, or partially relocate while still furnishing care at the original site.
  • As part of the CARES Act, long-term acute-care hospitals can now accept patients from any acute-care hospital and be paid at a higher Medicare rate.

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
Additional Medicaid & CHIP COVID-19 FAQs

Read this if you are in administration at a college or university.

Colleges and universities have been working around the clock to convert their in-person academic programming to online learning and to quickly disburse grant funding to students in line with broad eligibility requirements, all while adjusting to their own new work environments. In the search for funding in a time when many institutions are refunding student payments at unexpected and unprecedented levels, many institutions have found themselves ineligible for the Payroll Protection Program (PPP) offered under the CARES Act if the federal work study students were included in the employee count. In a welcome change, a recent interim final rule issued by the US Small Business Administration (SBA) has been released that will change the eligibility criteria for the emergency relief offered under the PPP. One of the most notable changes in the interim rule will allow colleges and universities to exclude federal work study students in determining their eligibility. 

Student workers have historically counted as employees under SBA programs. This temporary change would provide relief for many small institutions, whose federal work study programs would otherwise drive up their employment pool over the 500 employee threshold and exclude them from participation in the PPP. While federal work study positions fill important roles throughout many campus facilities, this interim final rule recognizes the primary function of a federal work study program is to provide financial aid for students attending school and is incidental to the role of the student on campus. As expected, as these positions are mostly federally funded, the interim final rule excludes these expenditures in determining the available loan amount under the PPP.

These changes are consistent with other areas of existing federal law, as noted in the interim final rule, these workers are already generally exempt from other federal employment requirements, like Federal Unemployment taxes. In order to allow for swift action, the interim final rule is effective immediately upon posting to the federal register.

We’re here to help.
For more information, or if you have questions about your specific situation, please contact the higher education consulting team.

Blog
Federal Work-Study (FWS) excluded from PPP eligibility determination

Read this if you are a leader at a state Medicaid agency.

Leveraging Medicaid to support and fund state efforts
In infectious disease control and prevention, contact tracing is the process of identifying people who may have come into contact with an infected person and tracking with whom the infected person has been in contact. The intent is to halt the chain of transmission. State Medicaid Agencies (SMAs) may be able to leverage the Medicaid program to support state efforts with systems, training, and reimbursement for contact tracing. 

What is contact tracing?
Tracing the contacts of infected individuals throughout a community, testing their contacts for infection, and treating and quarantining the disease when it is found is a long-standing practice to address infectious diseases. While contact tracing may not be a service that is reimbursable by Medicaid, it may be possible for Medicaid to cover a broader package of services designed to slow the spread of COVID-19.

Contact tracing has three major components:

  1. Contact identification—Confirmation of an individual’s infection is the first step. Once identified, it is essential to identify any additional people with whom that person came into contact, including family, co-workers, community members, etc.
  2. Contact tracing—After conducting a complete review of the individual's contacts, outreach begins to inform them of their contact status and discuss critical next steps, starting with testing.
  3. Contact follow-up—Continued follow-up with identified contacts helps prevent the spread of infection by monitoring spread and/or additional symptoms.

Public health experts maintain that contact tracing is one of the tools needed to manage the pandemic. Medicaid can play a key role in supporting systems, training, and reimbursement for contact tracing. This is enabled through Medicaid’s unique role as a significant payer in the healthcare system, along with its role as a government partnership between federal and state governments. In addition, acting to implement contact tracing may offer an opportunity to increase employment at a time when the economy has shed countless jobs. 

Systems and training: Medicaid support for health IT system
To support contact tracing, Medicaid agencies can leverage 75% or 90% federal match or Federal Financial Participation (FFP) for the systems, training, and equipment. This match is applicable for the Medicaid population, while the remainder likely needs to be cost-allocated to other state programs. Activities that can qualify include:

  • Design, development, and installation (DDI) of Medicaid solutions. The Centers for Medicare and Medicaid Services (CMS) may allow this funding to apply to data-tracking systems or changes to support new reimbursement models. 
  • Provider outreach and training related to systems operation, such as training on claims submissions, claims processing, and eligibility inquiries related to case management and care coordination.
  • Training of vendor or state personnel directly engaged in the operation of an approved system, including workers processing claims or determining eligibility.

To obtain this type of funding, states must submit an advanced planning document (APD). 

Reimbursement: Services and authority options for contact tracing
For Medicaid to support contact tracing, SMAs need to identify both state plan services and authority to provide the service. Defining a service and authority may be challenging, as contact tracing is historically a public health intervention and not a medical service that directly benefits a Medicaid member. CMS does not typically allow this type of service under Medicaid. Given the flexibility afforded under current disaster declarations, however, CMS may have more flexibility than usual. Some options for services include: 

Case management

  • How it works 
    First, an individual tests positive and contact-tracing interviews occur. Then, a healthcare provider, such as a hospital, reaches out to the individual, facilitates testing and education, delivers results, and follows up for any care needed. This process applies to any Medicaid members or other individuals who have private insurance that is identified. The provider can discharge the member from case management once the individual recovers. Case management as a Medicaid service is unique in that a diagnosis requiring medical management is the impetus for providing the service.
  • Federal approval rationale
    Hospitals may be a good partner for this service due to CMS’s Hospital Without Walls guidance. If the hospital partners with the Public Health Entity for contact tracing, then the case management piece could—in theory—be billed by the staff providing case management through the hospital. The hospital would also be able to bill for testing and lab, care, etc. Public Health could track where there is capacity through the medical community for treatment, especially hospital beds, ventilators, and alternative testing sites. The case manager providing coordination of care for COVID-19 testing and treatment would have access to the hospital medical record system, and the hospital could bill for the service.

Health home

  • How it works
    A health home under the state plan could also serve as a vehicle for services for this population. To better care for Medicaid members with chronic conditions, the Affordable Care Act created an optional Medicaid state plan benefit to coordinate care. Health homes are designed to integrate all physical and behavioral healthcare. Participation in health homes is voluntary. In order for members to participate, they must possess at least one chronic condition (e.g., high blood pressure, asthma, obesity, diabetes, or any serious chronic condition) and be at risk for a second (e.g., COVID-19).
  • Federal approval rationale
    The health home may be a good support model, as it is eligible for FFP of 90% for the first two years—likely long enough to respond to the pandemic—making it economically attractive. 

The most flexible potential authority for a Medicaid agency to use for contact tracing is the 1115 waiver. As part of the Medicaid Disaster Response Toolkit, CMS made expedited review available. In addition, State Medicaid Director Letter (SMDL) #20-002 provides guidance on a new section 1115 waiver available to assist states in addressing the COVID-19 public health emergency. 

Section 1115 demonstration waiver
The 1115 waiver is the most dynamic option available, and states can access it through the 1115 disaster waiver option under the Medicaid toolkit. The state may be able to show that providing contact tracing will result in savings for services billed under Medicaid. These savings may be able to be justified by decreasing the number of people who test positive for the virus, leading to budget neutrality. The budget neutrality model would need to show “with” and “without waiver” scenarios that demonstrate to Medicaid the cost of the spread of the virus with and without contact tracing. A challenge to this approach is the time necessary to develop the waiver and budget neutrality model and gain CMS approval. 

Recently, CMS approved one of these new section 1115 waivers for the state of Washington. While Washington did not request to cover contact tracing, the speed of approval and the fact that CMS has indicated for the pandemic 1115 requests states will not be required to submit budget neutrality calculations, is a positive indicator for states to consider in envisioning creative models for leveraging Medicaid to minimize the impacts of COVID-19. 

Next steps

  • Check in with your CMS contacts. COVID-19 is new, and America’s response continues to evolve. Check in with your CMS contact for input on the latest guidance that may be applicable to your agency. 
  • Develop an APD. Develop your state’s APD to help fund the technology needs for tracking COVID-19, along with training for your SMA team and providers. 
  • Determine services. In partnership with CMS, determine if case management, a health home, or other service makes the most sense for your state to help trace contacts, reduce the spread of COVID-19, and encourage employment in this important work. 
  • Submit your waiver for state plan amendment. After working with CMS to determine the service that makes sense for your state, develop and submit the request to provide this service through a 1115 waiver, 1135 waiver, or if necessary, emergency state plan amendment. 

We’re here to help
If you have more questions or want to have an in-depth conversation about your specific situation, please contact the Medicaid consulting team

Blog
Contact tracing for COVID-19: What it is and how Medicaid can use it

Read this if you are a tax-exempt organization.

The IRS recently issued proposed regulations (REG-106864-18) related to Internal Revenue Code Section 512(a)(6), which requires tax-exempt entities to calculate unrelated business taxable income (UBTI) separately for each unrelated trade or business carried on by the organization.

For years beginning after December 31, 2017, exempt organizations with more than one unrelated trade or business are no longer permitted to aggregate income and deductions from all unrelated trades or businesses when calculating UBTI. In August 2018, the IRS issued Notice 2018-67, which discussed and solicited comments regarding various issues arising under Code Section 512(a)(6) and set forth interim guidance and transition rules relating to that section. 

The good news
The new proposed regulations expand upon Notice 2018-67 and provide for the following:

  • An exempt organization would identify each of its separate unrelated trades or businesses using the first two digits of the NAICS code that most accurately describes the trade or business. Activities in different geographic areas may be aggregated.
  • The total UBTI of an organization with more than one unrelated trade or business would be the sum of the UBTI computed with respect to each separate unrelated trade or business (subject to the limitation that UBTI with respect to any separate unrelated trade or business cannot be less than zero). 
  • An exempt organization with more than one unrelated trade or business would determine the NOL deduction allowed separately with respect to each of its unrelated trades or businesses.
  • An organization with losses arising in a tax year beginning before January 1, 2018 (pre-2018 NOLs), and with losses arising in a tax year beginning after December 31, 2017 (post-2017 NOLs), would deduct its pre-2018 NOLs from total UBTI before deducting any post-2017 NOLs with regard to a separate unrelated trade or business against the UBTI from such trade or business. 
  • An organization's investment activities would be treated collectively as a separate unrelated trade or business. In general, an organization's investment activities would be limited to its:
     
    1. Qualifying partnership interests
    2. Qualifying S corporation interests
    3. Debt-financed property or properties 

Organizations described in Code Sec. 501(c)(3) are classified as publicly supported charities if they meet certain support tests. The proposed regulations would permit an organization with more than one unrelated trade or business to aggregate its net income and net losses from all of its unrelated business activities for purposes of determining whether the organization is publicly supported. 

The missing news: Unaddressed items from the new guidance
With the changes provided by these proposed regulations we anticipate less complexity and lower compliance costs in applying Code Section 512(a)(6). While this new guidance is considered taxpayer friendly, the IRS still has more work to do. Items not yet addressed include:

  • Allocation of expenses among unrelated trade or businesses and between exempt and non-exempt activities.
  • The ordering rules for applying charitable deductions and NOLs.
  • Net operating losses as changed under the CARES Act.

The IRS is requesting comments on numerous key situations. Until the regulations are finalized, organizations can rely on either these proposed regulations, Notice 2018-67, or a reasonable good-faith interpretation of Code Sections 511-514 considering all the facts and circumstances.
We will keep you informed with the latest developments.

If you have any questions, please contact the not-for-profit consulting team

Blog
IRS unrelated business taxable income update: The good news and the missing news

Editor's note: Read this if you are a leader in higher education.

The Department of Education has released guidance to colleges and universities on how the CARES Act grants to institutions, under the Higher Education Emergency Relief Fund (HEERF), may be used. The guidance comes in the form of answers to frequently asked questions, which we recommend institutions read before accepting the funds. Some key answers included in the document:

  1. A school has to participate in the HEERF funding to be used for grants to students to get the institutional share.
  2. Schools can use these funds to cover the costs of refunds for room and board provided as a result of campus closure.
  3. These funds can be used to make additional emergency financial aid grants to students impacted by campus closure.

We urge schools to retain supporting documentation of the proper use of these funds to allow for a compliance audit, should that be required. 

Questions?
Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

Blog
The Higher Education Emergency Relief Fund (HEERF): Guidelines

Read this if you are a leader at a state Medicaid agency, Long-Term Care Hospital, Rural Health Clinic, Federally Qualified Health Center, or intermediate care facility.

New toolkit launches to help states navigate COVID-19 health workforce challenges 

In order to maximize workforce flexibility to help confront COVID-19, CMS and the Assistant Secretary of Preparedness and Response (ASPR) have released a new toolkit to assist state and local healthcare decision makers. The toolkits are available as a set of resource collections including:

Our team will be taking a closer look at these resource collections in the coming week and plan to have detailed information on the opportunities within.

Compliance flexibilities announced for implementation of interoperability final rules due to COVID-19

CMS and the Office of the National Coordinator for Health IT (ONC), in conjunction with the Health and Human Services (HHS) Office of Inspector General (OIG), have announced a policy of enforcement discretion to allow compliance flexibilities regarding the implementation of the interoperability final rules previously announced on March 9, 2020.

  • Announced in March, the Interoperability and Patient Access final rule (CMS-9115-F) is focused on the pursuit of interoperability and patient access to health information.
  • CMS-regulated payers, including Medicaid Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP FFS programs, and CHIP managed care entities are required to implement and maintain a secure, standards-based (HL7 FHIR Release 4.0.1) API that allows members access their claims and encounter information, as well as provider directory information available through third-party applications of their choice.
  • Due to the public health emergency posed by COVID-19, CMS is exercising the “enforcement discretion” to adopt a temporary policy of relaxed enforcement for the final rule.

CMS releases additional blanket waivers for Long-Term Care Hospitals (LTCHs), Rural Health Clinics (RHCs), Federally Qualified Health Centers (FQHCs) and intermediate care facilities

CMS is providing additional blanket waivers related to care for patients in LTCHs, temporary expansion locations of RHCs and FQHCs, staffing and training modifications in intermediate care facilities for individuals with intellectual disabilities, and the limit for substitute billing arrangements (locum tenens).

  • The new flexibilities do not require a waiver or any requests be sent to CMS electronically or any other notification to CMS regional offices.
  • The guidance includes flexibilities related to provider location, staffing, reporting requirements, discharge, patient rights and other areas regulated by CMS.
  • The blanket waiver authority exercised by CMS in this case applies only to federal requirements and does not apply to state requirements for licensure or conditions of participation.

State of Washington COVID-19-related section 1115(a) demonstration approval

Washington’s approval is the first section 1115(a) demonstration specifically intended to combat the effects of COVID-19 in a state.

  • CMS authorized a time-limited approval for several of the requests in Washington’s March 24, 2020 section 1115(a) demonstration with a retroactive effective date of March 1, 2020 through 60 days after the public health emergency declaration.
  • CMS approved two waiver authority requests, as well as six expenditure authority requests from Washington’s section 1115(a) demonstration. 
  • CMS did not require the state to submit budget neutrality calculations for the Washington COVID-19 section 1115(a) demonstration. 

CMS issues guidance allowing Independent Freestanding Emergency Departments (IFEDs) to provide care to Medicare and Medicaid beneficiaries during the COVID-19 Public Health Emergency

CMS issued guidance On April 21, 2020 which allows licensed IFEDs in the states of Colorado, Delaware, Rhode Island, and Texas to temporarily provide care to Medicare and Medicaid patients to address any surge.

  • IFEDs generally offer a range of services including basic imaging services, computed tomography (CT) scans, ultrasound, and basic on-site laboratory services. During this public health emergency these entities can temporarily bill Medicare and Medicaid as a certified hospital.
  • CMS is waiving certain conditions of participation for hospital operations to maximize patient care capabilities during this public health emergency. IFEDs may participate in Medicare and Medicaid in one of three ways: 
     
    • Becoming affiliated with a Medicare/Medicaid-certified hospital under the temporary expansion 1135 emergency waiver; 
    • Participating in Medicaid under the clinic benefit if permitted by the state; or
    • Enrolling temporarily as a Medicare/Medicaid-certified hospital to provide hospital services.

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
CMS launches toolkits, releases guidance, and loosens some restrictions to help states and others address COVID-19

Read this if your organization, business, or institution has leases and you’ve been eagerly awaiting and planning for the implementation of the new lease standards.

Ready? Set? Not yet. As we have prepared for and experienced delays related to Financial Accounting Standards Board (FASB) Accounting Standards Codification Topic 842, Leases, we thought the time had finally come for implementation. With the challenges that COVID-19 has brought to everyone, the FASB recognizes the significant impact COVID-19 has brought to commercial businesses and not-for-profits and is proposing a one-year delay in implementation, as described in this article posted to the Journal of Accountancy: FASB effective date delay proposals to include private company lease accounting.

But what about lease concessions? We all recognize many lessors are making concessions due to the pandemic. Under current guidance in Topics 840 and 842, changes to lease contracts that were not included in the original lease are generally accounted for as lease modifications and, therefore, a separate contract. This would require remeasurement of the new lease contract and related right-of-use asset. FASB recognized this issue and has published a FASB Staff Questions and Answers (Q&A) Document,  Topic 842 and Topic 840: Accounting for Lease Concessions Related to the Effects of the COVID-19 Pandemic. Under this new guidance, if lease concessions are made relating to COVID-19, entities do not need to analyze each contract to determine if a new contract has been entered into, and will have the option to apply, or not to apply, the lease modification provisions of Topics 840 and 842.

Implementation of the lease accounting standard will most likely be delayed for Governmental Accounting Standards Board (GASB) entities as well. On April 15, 2020, the GASB issued an exposure draft that would delay most GASB statements and implementation guides due to be implemented for fiscal years 2019 and later. Most notably, this includes Statement 84, Fiduciary Activities, and Statement 87, Leases. Comments on the proposal will be accepted through April 30, and the board plans to consider a final statement for issuance on May 8. More information may be found in this article from the Journal of Accountancy: GASB proposes postponing effective dates due to pandemic.

More information

Whether you are a FASB or GASB entity, you can expect a delay in the implementation of the lease standard. If you have questions, please contact a member of our financial statement audit team. For other COVID-19 related resources, please refer to BerryDunn’s COVID-19 Resources Page.

Blog
FASB and GASB news: Postponement of the lease accounting standards

Editor's note: Read this if you are a leader in higher education.

The Department of Education (ED) has released the first round of guidance to colleges and universities, with more detail to begin issuing much-needed emergency funding grants to students from the Higher Education Emergency Relief Fund (HEERF), provided as part of the CARES Act.

The guidance clarifies a variety of questions about the portion of the funding to be used for emergency financial aid grants to students, most notably:

  • These funds cannot be used to fund room and board refunds.
  • These funds cannot be used to cover overdue student bills at the institution.
  • Only students eligible to participate in Title IV programs may receive emergency financial aid grants. Students who have not filed a FAFSA but who are eligible to file a FAFSA may receive emergency financial aid grants.

A broader summary from NASFAA can be found here.

While not specifically addressed in this guidance, the HEERF has been provided a CFDA number which leads our team to believe there is a good likelihood these funds will be included in some fashion under the Uniform Guidance compliance audits. We urge schools to retain adequate documentation from their decision making process to allow for a compliance audit, should that be required. We anticipate additional guidance on the HEERF will be forthcoming as schools begin to award the grants to students.

Questions?
Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

Blog
Update from ED on CARES Act grants to students

As resources are released to help higher education institutions navigate the rapidly changing landscape, we will add important links and information to this blog post:

Industry resources:
US Department of Education (ED)

Guidance for colleges:

Guidance on leases:
FASB and GASB news: Postponement of the lease accounting standards

We are here to help
Please contact the BerryDunn higher education team if you have any questions, or would like to discuss your specific situation.

Blog
Resources for higher education institutions affected by COVID-19

Read this if you are a not-for-profit looking to learn more about tax filing deadlines.

State of New Hampshire: If your organization has a December 31 year-end, your annual report filing with the Charitable Trusts Unit and related payment are still due by May 15. If you are not ready to file, you may file Form NHCT-4 for an extension by May 15. If your organization has a June 30 year-end, you may email the State Attorney General to ask for additional time to July 15.

April 24, 2020, UPDATE: Commonwealth of Massachusetts: The Massachusetts Attorney General’s office has extended the Form PC filing requirement. All filing deadlines for annual charities filings for fiscal year 2019 have been extended by six months. This extension is in addition to the automatic six month extension that many not-for-profits receive. In addition, original signatures, photocopies of signatures, and e-signatures (e.g., DocuSign) will be accepted.

On April 9, 2020, the Internal Revenue Service (IRS) issued Notice 2020-23, its third round of tax filing relief guidance, which amplifies relief set forth in previously issued IRS notices providing relief to taxpayers affected by COVID-19. Notice 2020-23 also provides additional time to perform certain other actions. The Notice holds the special distinction of being the first to provide specific relief to not-for-profit organizations with return filing and tax payment obligations due between April 1 and July 15, 2020. The details are highlighted below:

Tax deadline extended to July 15, 2020
The Notice explicitly states that Form 990-T tax payment and filing obligations due during the period between April 1 and July 15 will be automatically extended to July 15, 2020. Additionally, Form 990-PF (and associated tax payments) as well as quarterly Federal estimated tax payments remitted via Form 990-W are also explicitly noted and are granted an extension to July 15.
    
While this is certainly good news, the more eagerly anticipated news is the Notice also includes “Affected Taxpayers” who are required to perform “Specified Time-Sensitive Actions” referenced in Revenue Procedure 2018-58. The Revenue Procedure specifically mentions exempt organizations as “Affected Taxpayers” required to perform “specified time-sensitive actions”—one such action being the filing of Form 990.

In summary (with the combined power of the Notice and Revenue Procedure), any entity with a Form 990, Form 990-EZ, Form 990-PF, Form 990-T, Form 990-W estimated tax filing requirement, Form 1120-POL or Form 4720 filing obligation due between April 1 and July 15, 2020 now have until July 15, 2020 to file. Needless to say this is very welcome news for an industry that like so many others, is being pushed to the brink during this turbulent and difficult time.

Additional extensions
Notice 2020-23 (with reference to Revenue Procedure 2018-58) also extends the due date of certain forms, notices, applications, and other exempt organization activities due between April 1 and July 15, 2020, until July 15, 2020 as noted below: 

  • Community health needs assessments (CHNAs) and Implementation Strategies
  • Application for Recognition of Exemption (Forms 1023 and 1024) 
  • Section 501(h) Elections and Revocations (Form 5768)
  • Information Return of US Persons with Respect to Certain Foreign Corporations (Form 5471)
  • Political Organization Notices and Reports (Forms 8871 and 8872)
  • Notification of Intent to Operate as a Section 501(c)(4) Organization (Form 8976) 

We are here to help
Please contact the BerryDunn not-for-profit tax team if you have any questions, or would like to discuss your specific situation.

Blog
Not-for-profit May 15 tax deadline extended

Read this if you work at a public health department and would like a brief summary of how you can maximize funding and meet new federal requirements.

Unpacking the trillions

In response to the COVID-19 pandemic, several pieces of legislation were passed by congress and signed into law. The three bills, H.R. 6074 Coronavirus Preparedness and Response Supplemental Appropriations Act, H.R. 6201 Families First Coronavirus Response Act, and H.R. 748 Coronavirus Aid, Relief, and Economic Security (CARES) Act, have provided funding for various federal agencies with different roles in responding to the crisis. Because of the urgency required, much of the guidance for use of funds and reporting requirements were released after passage of the bills or have yet to be released.

Here is a brief timeline and summary of the acts:

Implication and next steps for state public health departments

While little guidance has been provided for how state public health departments should prepare to access federal funds, BerryDunn will continue to monitor and release updates as they become available. 

While at this point HR 6074 has the greatest implications for public health departments, here are some actions that states should take now for their public health programs from the recent legislation:

  1. H.R. 6074: Provides appropriations to the CDC to be allocated to states for COVID-19 expenses.
    • To ensure maximum funding, prepare a spend plan to submit to CDC.
    • To ensure compliance, provide CDC with copies or access to COVID-19 data collected with these funds.
    • To maximize the impact of new funding, develop a COVID-19 community intervention plan.
    • To support streamlined operations, submit revised work plans to CDC.
    • To prevent missed deadlines, submit any requests for deadline extensions to the CDC.
  2. H.R. 6201: Provides guidance specific to the Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) programs.
    • To encourage social distancing and loosen administrative requirements, seek waivers through the USDA’s Food and Nutrition Service (FNS).
    • To ensure compliance, prepare to submit a report summarizing the use of waivers on population outcomes by March 2021.
  3. H.R. 748: Allocates $150 billion to a coronavirus relief fund for state, local, and tribal governments.
  • To secure funding, monitor the US Department of Health & Human Services (HHS) for guidance on using funds for:
    • Coronavirus prevention and preparation
    • Tools to build health data infrastructure
    • COVID-19 Public Health Emergency expenses
    • Developing countermeasures and vaccines for coronavirus
    • Telehealth and rural health activities
       
  • To ensure HIPAA compliance when sharing protected patient health information, monitor the US Department of Health & Human Services (HHS) for guidance.

For more information

For specific issues your agency has, or if you have other questions, please contact us. We’re here to help. 

Blog
COVID-19 laws and their impact on state public health agencies

Read this if you want more information about the Paycheck Protection Program (PPP).

Most likely you have heard of the PPP within the Coronavirus Aid Relief and Economic Security (CARES) Act that was passed into law March 27, 2020. Below, we’ve shared some of the questions we have heard from many of our clients. If you need more information or have questions regarding your specific question, please contact us

Question #1: What was the PPP designed for? 
Answer:
The PPP was designed with the goal of keeping American workers paid and employed. It aims to accomplish this by issuing loans to qualified businesses so that they can continue paying employees and other qualified expenses.

Question #2: Do you or your business qualify for this? 
Answer: There are several considerations when determining whether or not a business qualifies. For more information, see this recent blog post from Seth Webber, which address a number of these considerations. 

Question #3: What should the PPP loan be used to cover in your business?
Answer: The intent of allowable uses includes: (i) payroll costs, including (a) employee salaries, commissions, or similar compensations, (b) group health care benefits, (c) paid vacation, parental, sick, medical, or family leave, (d) allowances for dismissal or separation, (e) retirement benefits, and (f) state or local tax assessed on the compensation on employee;  (ii) payments of interest on any mortgage obligation, but not prepayment or payment of principal amounts; (ii) rent (including rent under a lease agreement); (iv) utilities; and (v) interest on any other debt obligations incurred before February 15, 2020. However, certain payroll costs are excluded, including salaries and wages which annualized amounts would result in compensation over $100,000 and sick and family leave wages for which a credit is allowed under the Families First Coronavirus Response Act.  

Additionally, you should consider the time period your allowable expenses are designated for. The Small Business Administration (SBA), in consultation with the Department of the Treasury (Treasury) issued a list of frequently asked questions (FAQs) and responses to these FAQs as of April 10, 2020, Paycheck Protection Program Loans FAQs. Within these FAQs, Question 20 asked, “The amount of forgiveness of a PPP loan depends on the borrower’s payroll costs over an eight-week period; when does that eight-week period begin?” The SBA and Treasury noted, “The eight-week period begins on the date the lender makes the first disbursement of the PPP loan to the borrower. The lender must make the first disbursement of the loan no later than ten (10) calendar days from the date of loan approval.” 

Question #4: What portion of the loan, if any, can be forgiven?
Answer:
The Treasury Department issued guidance on March 31, 2020 indicating that at least 75% of the forgiven amount should be used for qualified payroll costs. Although the covered period is specified as February 15, 2020 through June 30, 2020, forgiveness amounts of the loan are based on expenses (primarily payroll) during the eight-week period following the receipt of the loan. There are other aspects of the forgiveness provisions that impact the actual amount forgiven, including maintaining or quickly rehiring employees and maintaining salary levels, with the overall forgiveness amount being reduced if full-time headcount declines, or if salaries and wages decrease more than 25%.

Question #5: What about the portion of your loan that is not forgiven?
Answer:
For the portion of loan not forgiven, the life and terms of the residual loan appear favorable. Current guidance indicates a repayment period of two year loan at 1% interest. Included within this is a six-month deferral period on principal repayment. The loan does not require collateral or a personal guarantee.

Question #6: How should you keep track of the funding and allowable costs?
Answer
: Best practice would be to set up a separate banking account. This will allow you to bifurcate the funding source and offset that amount by costs tracked over the covered period directly. This allows you to use other cash reserves and funding sources to meet other expense needs during the covered period. The funds need to be brought over (into that separate banking account) within 10 days of the application being approved.

Question #7: What other resources are available if the PPP is not a good fit for you?
Answer:
There are additional programs available through the Small Business Administration (SBA) including the Economic Injury Disaster Loan (EIDL) program, which features an advance amount (EIDL Emergency Grant) of up to $10,000. Guidance remains outstanding on exact implications of the EIDL Emergency Grant amount with some SBA offices pointing to $1,000 per employee up to a total max of $10,000. This EIDL Emergency Grant does not have to be repaid, but if you subsequently receive funding through the PPP, your forgiveness amount will be reduced by the EIDL Emergency Grant amount. The EIDL program also features a max life of 30 year loan with interest rates of 3.75% and 2.75% for entities that are for-profit and non-profit, respectively. More information on this is detailed in Dave Erb’s recent blog post.

If you do not need to make use of the PPP and EIDL programs, but still face significant downturns in your revenue base, tax relief in the form of the Employee Retention Credit (ERC) may also be an option. The provisions of the ERC within the CARES Act specify eligibility as, an employer that does not participate in the PPP and: (i) a complete or partial shutdown in operations; or (ii) at least a 50% decline in gross receipts, based on quarterly comparison from 2020 to 2019. The ERC allows for a tax credit of 50% of qualified wages (max wages of $10,000 per employee and max credit of $5,000 per employee). For more information on the ERC provisions, see Bill Enck’s blog post.

As developments continue to unfold and changes in guidance continue to emerge, the BerryDunn Recovery Advisory Team can help you stay informed through the BerryDunn COVID-19 Resource Center.

Blog
Paycheck Protection Program: FAQs

Read this if you are a leader at a state Medicaid agency.

CMS has delivered nearly  $34 billion, later updated to $51 billion, in the past week to the healthcare providers on the frontlines battling the 2019 novel coronavirus

  • The process in which CMS is implementing requests has reduced times of an accelerated or advance payment to four to six days. Previously the timeframe was three to four weeks. 
  • To date, CMS has received over 25,000 requests from providers and suppliers for accelerated and advance payments. Of these, CMS has approved over 17,000 requests in the past week. 
  • It should be noted that this funding is separate and distinct from the $100 billion provided in the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

CMS issues new wave of infection control guidance based on CDC guidelines to protect patients and healthcare workers 

CMS has issued a series of updated guidance documents focused on infection control to prevent the spread of COVID-19 in a variety of inpatient and outpatient care settings.

  • The updated guidance includes a number of updates, notably the option of providing home dialysis training and support services. These are designed to help some dialysis patients stay home during the pandemic.
  • In particular, the guidance includes the establishment of Special Purpose Renal Dialysis Facilities (SPRDFs), which can allow dialysis facilities to isolate vulnerable or infected patients.
  • For hospitals, psychiatric hospitals and CAHs, the updated guidance provides recommendations on screening and visitation restrictions, discharge to subsequent care locations, as well as staff screening and testing.

CMS acts to ensure US healthcare facilities can maximize frontline workforces to confront COVID-19 crisis 

CMS has temporarily suspended a number of rules in order for hospitals, clinics, and other healthcare facilities to boost their frontline medical staffs.

The CMS guidance focuses on reducing supervision and certification requirements so that practitioners can both be hired rapidly and perform work to the extent of their licensure. CMS guidance allows the following:

  • Doctors can now directly care for patients in certain settings without having to be physically present.
  • Nurse practitioners may now perform some medical exams on Medicare patients at skilled nursing.

CMS approves additional state Medicaid waivers and amendments to give states flexibility to address coronavirus pandemic

CMS continues to deliver regulatory relief to a number of new states in the form of waivers and state plan amendments.

  • In total, CMS has now approved 49 emergency 1135 waivers, 26 state amendments, seven COVID-19 related Medicaid disaster amendments and the first CHIP COVID-related disaster amendment
  • The COVID-related Children’s Health Insurance Program (CHIP) disaster amendment is for the State of Maine. 
  • CMS has now approved COVID-related Medicaid disaster state plan amendments for North Dakota, Rhode Island, and Wyoming.

HHS authorizes licensed pharmacists to order and administer COVID-19 tests

On April 8, HHS released new guidance under the Public Readiness and Emergency Preparedness Act that authorizes licensed pharmacists to order and administer FDA-approved COVID-19 tests.

  • The guidance allows pharmacists to order and administer COVID-19 tests to their patients will provide easier access to testing and will expand testing for healthcare workers and first responders. 

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
CMS approves over $51 billion for providers with the accelerated/advance payment program for Medicare providers

Read this if you are an IT Leader, CFO, COO, or other C-suite leader responsible for selecting a new system.

Vendor demonstrations are an important milestone in the vendor selection process. Demonstrations allow you to validate what a vendor’s software is capable of, evaluate the usability with your own eyes, and confirm the fit to your organization’s objectives.

Our client found itself in a situation where, after many months of work developing requirements, issuing a request for proposal, and reviewing vendor proposals they were ready to conduct demonstrations. Despite a governor’s executive order for social distancing and limitations on non-essential travel, our client needed to conduct demonstrations to achieve an important project milestone. This presented an opportunity to help them plan, test, and facilitate remote vendor demonstrations with great success.

This brief case study shares some of the key success factors we found in conducting remote demonstrations and some lessons learned after they were complete.

  1. Prepare 
    Establish a clear agenda, schedule, script, and plan in advance of the demonstrations. This helps keep everyone coordinated throughout the demos.
  2. Test
    It is important to test the vendor’s video conference solution from all locations prior to the demonstrations. We tested with both vendors a week ahead of demos.
  3. Establish Ground Rules
    Establishing ground rules allows the meetings to go better, be more efficient, and stay on time. For example, is a moment of silence a consensus to move on or must you wait for someone to unmute their line to verbally confirm to proceed.
  4. Have clear roles by location
    Clear roles help to facilitate the demonstration. Designated time keepers, scribes, and local facilitators help the demonstration go smoothly, and decreases communication issues.
  5. Be close to the microphone
    Essential common sense, but when you can’t see everyone, loud, clear questions and answers make the demos more effective.
  6. Ask vendors to build in pauses to allow for questions
    Since vendors may not be able to see a hand raised, asking vendors to build specific pauses into their demonstrations allows space for questions to be asked easily.
  7. Do a virtual debrief 
    At the end of each vendor demonstration we had our own videoconferencing meeting set up to facilitate a virtual debrief. This allowed us to capture the evaluation notes of the day prior to the next demo. Planning these in advance and having them on people’s calendars made joining the meetings quick and seamless.

Observations and other lessons learned

Following the remote demonstrations we identified a few observations and lessons learned:

  1. Visibility was better
    By not having everyone crowded into one room, people were able to see the screen and the vendor’s software clearly.
  2. Different virtual platforms required orientation
    We wanted vendors to use the tools they were accustomed to using. This led to us using different products for different demonstrations. This was not insurmountable, but required orientation to get used to their tools at the start of each demo.
  3. Video helped debriefing
    Given the quick planning we did not have video capability from all locations for our virtual debrief. It was helpful to see the people sharing their comments following each demonstration. We will plan for video capabilities at all locations next time.
  4. Having a set order for people to provide feedback helped
    During the first debriefing, we established a set order for people to speak and share their thoughts. This limited talking over each other and allowed everyone to hear the thoughts of their peers clearly.
  5. Be patient with slowness
    For the most part we had successful demos with limited slowness. There were a couple points where slowness was encountered. We remained patient, adjusted the schedule, and in the worst case, added an extra break for people.
  6. Staying engaged takes effort
    Sitting all day on a remote demo and paying attention took effort to stay engaged. Building in specific times for Q&A, calling on people by name, and designing it so it wasn’t eight hours straight of presentation helped with engagement.

Restricted travel in response to COVID-19 has led our clients and our teams to be creative and agile in achieving objectives. The remote demonstrations proved highly successful, accomplished the goals, and met our client’s critical timing milestone. At the end of four days of demos, our client commented that the remote demos were perhaps even better than if they had been conducted onsite. As we look at the long view, we may find that clients prefer remote demonstrations even when social distancing and travel restrictions are lifted.

Blog
Social distancing case study: Hosting remote vendor demonstrations

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
     

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  1. Plan: Implement a disaster recovery and incident response plan 
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

  1. Practice: Prepare your team with table top exercises  
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Blog
The three P's of improving your company's cybersecurity soft skills

Read this if you would like a refresher of common-sense approaches to protect against fraud while working remotely.

Coronavirus (COVID-19) has imposed many challenges upon us physically, mentally, and financially. Directly or indirectly, we all are affected by the outbreak of this life-threatening disease. Anxious times like this provide perfect opportunities for fraudsters. The fraud triangle is a model commonly used to explain the three components that may cause someone to commit fraud when they occur together:

  1. Financial pressure/motivation 
    In March 2020, the unemployment rate increased by 0.9 percent to 4.4 percent, and the number of unemployed persons rose by 1.4 million to 7.1 million.
  2. Perceived opportunity to commit fraud 
    Many people are online all day, providing more opportunities for internet crime. People are also desperate for something, from masks and hand sanitizers to coronavirus immunization and cures, which do not yet exist. 
  3. Rationalization 
    People use their physical, mental, or financial hardship to justify their unethical behaviors.

To combat the increasing coronavirus-related fraud and crime, the Department of Justice (DOJ) launched a national coronavirus fraud task force on March 23, 2020. It focuses on the detection, investigation, and prosecution of fraudulent activity, hoarding, and price gouging related to medical resources needed to respond to the coronavirus. US attorney’s offices are also forming local task forces where federal, state, and local law enforcement work together to combat the coronavirus related crimes. Things are changing fast, and the DOJ has daily updates on the task force activities. 

Increased awareness for increased threats

Given the increase in fraudulent activity during the COVID-19 outbreak, it’s important for employees now working from home to be aware of ways to protect themselves and their companies and prevent the spread of fraud. Here are some of the top COVID-19-related fraud schemes to be aware of. 

  • Phishing emails regarding virus information, general financial relief, stimulus payments, and airline carrier refunds
  • Fake charities requesting donations for illegitimate or non-existent organizations 
  • Supply scams including fake shops, websites, social media accounts, and email addresses claiming to sell supplies in high demand but then never providing the supplies and keeping the money 
  • Website and app scams that share COVID-19 related information and then insert malware that could compromise the device and your personal information
  • Price gouging and hoarding of scarce products
  • Robocalls or scammers asking for personal information or selling of testing, cures, and essential equipment
  • Zoom bombing and teleconference hacking

If you have encountered suspicious activity listed above, please report it to the FBI’s Internet Crime Complaint Center.

Staying vigilant

To protect yourself from these threats, remember to use proper security measures and follow these tips provided by the Federal Bureau of Investigation (FBI) and DOJ:

  • Verify the identity of the company, charity, or individual that attempts to contact you in regards to COVID-19.
  • Do not send money to any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail. 
  • Understand the features of your teleconference platform and utilize private meetings with a unique code or password that is not shared publicly.
  • Do not open attachments or click links within emails from senders you do not recognize.
  • Do not provide your username, password, date of birth, social security number, insurance information, financial data, or other personal information in response to an email or robocall.
  • Always verify the web address of legitimate websites and manually type them into your browser.
  • Check for misspellings or wrong domains within a link (for example, an address that should end in a ".gov" ends in .com" instead).

Stay aware, and stay informed. If you have specific concerns or questions, or would like more information, please contact our team. We’re here to help.
 

Blog
COVID-19 and fraud―a security measures refresher

Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

While COVID-19 has forced many of us into a remote work environment, we also have to deal with the challenges that come along with it. The stark contrast between an office environment and one that potentially involves working in isolation can be a difficult adjustment. Office kitchen conversations have evolved into conversations with pets, our newest co-workers. A quick, in-person question has now turned into an email, phone, or video call. And job responsibilities expand as we try to not only juggle work but also ensure our children focus on school work―and don’t destroy the house. 

Not only has this forced environment caused social challenges, it has also opened the door for internal control challenges, as  internal controls designed to operate effectively in an office environment may not be ideal for a remote workplace. Even ones that are appropriately designed, may prove to be operating ineffectively in this new environment. Let’s take a look at some internal control challenges, and potential solutions, faced by working in a remote environment.

Establishing a remote control environment

Exercising appropriate tone at the top and establishing appropriate oversight can be challenging with a remote workforce. Ethics and governance policies play an important role in setting clear expectations about workplace behaviors. But, a workforce is much more apt to follow a leadership team’s example rather than a policy. All of those office conversations, even the conversations that are not work related, help set an expectation of appropriate and inappropriate behaviors. These conversations often happen naturally in the office via a quick conversation in passing in the hallway or a late-Friday happy hour with your department. However, these interactions do not naturally occur in a remote workplace. Leadership and department heads should make an active effort to maintain communication with their workforce. Some things to consider:

  • Send out weekly emails to the entire department and possibly more personal, one-on-one videoconferences or phone calls between your department heads or managers and individual members of their teams.
  • These department-wide emails should stress the importance of communication as well as continuing to produce high quality work and maintaining accountability. 
  • One-on-one meetings should be used to check in with employees to ensure their work needs are being met. 

Employees will most likely have many suggestions to improve their new work environment, including suggestions on how to improve communication amongst team members. 

The power of video

Videoconferencing also provides a great opportunity to stay connected. Virtual happy hours simulate an in-person happy hour. This is a great way to check-in with team members and show that, although people are out of sight, they are not out of mind. Town hall-type meetings can also be explored. Your leadership team can solicit open discussion. Agenda items may include office status updates, technological considerations, and an opportunity for employees to openly discuss current challenges due to working in a remote environment. Employees are going to have anxiety about the current environment. These meetings can help put employees at ease.

Risk assessment

Internal control environments are constantly evolving. Employees leave. Software is updated.  Offered services and products change. The list goes on. However, it is unprecedented that an internal control environment has changed so rapidly. Given these unprecedented times, there is potential for higher risk of fraud, internally and externally. Those responsible for designing internal controls (control owners) should reassess your company’s environment. Although internal controls can be designed in a manner in which they operate effectively regardless of the circumstances, it is possible there are unintended changes to processes that have occurred. 

For instance, let’s say the employee responsible for reviewing loan file maintenance changes is now working an alternative work schedule due to personal obligations. This employee does not have the ability to make loan file changes; therefore, segregation of duties has never been an issue. An employee within loan servicing has agreed to take some of the employee’s responsibilities and is now reviewing some of the loan file maintenance changes, which has put this employee in a position to review some of their own changes. 

Furthermore, some internal controls that require employees be at a physical location to operate may also be compromised, such as inventory cycle counts. If these controls are unable to operate, control owners will need to consider the impacts on the affected transaction areas, and if there are compensating controls that can be designed to alleviate some of the control risk.

Control activities

Accounts payable and check signing

The accounts payable and cash disbursement process will most likely be upended as a result of your new remote environment. Bills received through the mail will need to be scanned to the accounts payable clerk for entry into the accounting system. Some offices have designated certain personnel responsible for checking mail on an infrequent basis, for instance, weekly. Check signing may also prove to be a challenge as blank check stock may be inaccessible. Electronic receipt of invoices and signing of checks, as well as the use of wire and ACH transfers, lend themselves as feasible solutions. Email approvals may suffice when multiple signers are needed to approve high dollar disbursements.

Segregation of duties

As mentioned above, it is possible processes have inadvertently changed, exposing certain internal controls to ineffectiveness. Segregation of duties may become difficult as employees shift to alternative work schedules or have other issues. Maintaining segregation of duties should be a top priority for control owners and is something that should be constantly assessed as circumstances change. Challenging times may make segregation of duties difficult and may force you to get creative by requesting employees perform duties they are not otherwise accustomed to performing.

Digital sign-offs

You should also consider the manner in which you document the completion of controls. Control owners should be cautious about the integrity of an employee’s initials simply typed onto a digital document, as any employee can perform this task. Digital signatures, which require an employee to enter credentials prior to signing, enhance the integrity of a sign-off and are often time stamped. Digital signatures may also “lock down” the document, prohibiting any changes to the signed document.

Timely review

Given the circumstances, it is not unreasonable that preparation and review may take longer than under normal circumstances. Even if additional time is granted for the preparation and review of documents, you should consider the implications this has on the transaction class as a whole. The longer it takes to complete a control, the greater the consequences may be if you identify an error. For instance, the impact of an incorrect change to a loan rate index can be substantial if not identified timely. If identified quickly, you can avoid consequences later.

Information and communication

For many companies that have moved from a paper to a digital environment, sharing of information should not be an issue. However, for those that still operate in a mostly paper environment, performing tasks and sharing information with team members may prove to be difficult. And, those without the capability of scanning and sending documents from home could compromise a specific internal control altogether. Being forced to work remotely may be the perfect excuse to move paper processes into a digital format.

Monitoring

Monitoring your internal control environment is of the utmost importance given these significant changes. Frequent conversations should be had with control owners to ensure changes to processes do not render controls ineffective. Identified gaps in internal controls should be addressed proactively. Provide control owners with the opportunity to discuss changes to control processes with Internal Audit or Risk Management so such departments can consider the impact of changes on internal control. This also gives these departments the opportunity to cover any resulting gaps.

Permanent changes

Once the remote workplace requirements end, the effects of working in such an environment will not. There are many benefits and efficiencies to be found in working remotely. As people have now been forced to work in such an environment, they will be more apt to continue to do so. Therefore, let’s take this opportunity to revise processes and internal controls to be “remote workplace” compatible. This will provide a long-lasting impact to your organization far beyond the pandemic. 
 

Blog
How does your control environment look in a remote world?

BerryDunn’s Healthcare/Not-for-Profit Practice Group members have been working closely with our clients as they navigate the effect the COVID-19 pandemic will have on their ability to sustain and advance their missions.

We have collected several of the questions we received, and the answers provided, so that you may also benefit from this information. We will be updating our COVID-19 Resources page regularly. If you have a question you would like to have answered, please contact Sarah Belliveau, Not-for-Profit Practice Area leader, at sbelliveau@berrydunn.com.

The following questions and answers have been compiled into categories: stabilization, cash flow, financial reporting, endowments and investments, employee benefits, and additional considerations.

STABILIZATION
Q: Is all relief focused on small to mid-size organizations? What can larger nonprofit organizations participate in for relief?
A:

We have learned that there is an as-yet-to-be-defined loan program for mid-sized employers between 500-10,000 employees. You can find information in the Loans Available for Nonprofits section (link below) of  the CARES Act as well as on the Independent Sector CARES Act web page, which will be updated regularly.

Q: Should I perform financial modeling so I can understand the impact this will have on my organization? Things are moving so fast, how do I know what federal programs are available to provide assistance?
A:

The first step in developing a short-term model to navigate the next few months is to gain an understanding of the programs available to provide assistance. These resources summarize some information about available programs:

Loans Available for Nonprofits in the CARES Act
Families First Coronavirus Response Act (FFCRA): FAQs for Businesses
CARES Act Tax Provisions for Not-for-Profit Organizations

The next step is to develop scenarios ranging from best case to worst case to analyze the potential impact of revenue and/or cost reductions on the organization. Modeling the various options available to you will help to determine which program is best for your organization. Each program achieves a different objective – for instance:

  • The Paycheck Protection Program can assist in retaining employees in the short term.
  • The Emergency Economic Injury Grants are helpful in covering a small immediate liquidity need.
  • The Small Business Debt Relief Program provides aid to those concerned with making SBA loan payments.

Additionally, consider non-federal options, such as discussing short-term deferrals with your current bank.

Q: How should I create a financial forecast/model for the next year?
A:

If you have the benefit of waiting, this is likely a time period in which it makes sense to delay significant in-depth forecasting efforts, particularly if your business environment is complicated or subject to significantly volatility as a result of recent events. The concern with beginning to model for future periods, outside of the next three-to-six months, is that you’ll be using information that is incomplete and ever-changing. This could lead to snap judgments that are short-term in nature and detrimental to long-term planning and success of your organization. 

With that said, we recognize that delaying this analysis will be unsettling to many CFOs and business managers who need to have a strategy moving forward. In developing this model for next year, consider the following elements of a strong model:

  1. Flexible and dynamic – Allow room for the model to adapt as more information is available and as additional insight is requested by your constituents (board members, department heads, lenders, etc.).
  2. Prioritize – Start with your big-ticket items. These should be the items that drive results for the organization. Determine what your top two to three revenue and expense categories are and focus on wrapping your arms around the future of those. From there, look for other revenue and expense sources that show correlation with one of the big two to three. Using a dynamic model, these should be automatically updated when assumptions on correlated items change. Don’t waste time on items that likely don’t impact decision making. Finally, build consensus on baseline assumptions, whether it be through management or accounting team, the board, or finance committee.
  3. Stress-test – Provide for the reality that your assumptions, and thus model, will be wrong. Develop scenarios that run from best-case to worst-case. Be honest with your assumptions.
  4. Identify levers – As you complete stress-testing, identify your action plan under different circumstances. What are expenditures that can be deferred in a worst-case scenario? What does staffing look like at various levels?
  5. Cash is king – The focus on forecasting and modeling is often on the net income of the organization and the cash flows generated. In a time such as this, the exercise is likely to focus on future liquidity. Remember to consider your non-income and expense items that impact cash flow, such as principal payments on debt service, planned additions to property & equipment, receipts on pledge payments, and others.  
CASH FLOW
Q: How can I alleviate cash flow strain in the near term?
A:

While the House and Senate have reacted quickly to bring needed relief to individuals and businesses across the country, the reality for most is that more will need to be done to stabilize. Operationally, obvious responses in the short term should be to eliminate all nonessential purchasing and maximize the billing and collection functions in accounts receivable. Another option is to utilize or increase an existing line of credit, or establish a new line of credit, to alleviate short term cash flow shortfalls. Organizations with investment portfolios can consider the prudence of increasing the spending draw on those funds. Rather than making a few drastic changes, organizations should take a multi-faceted approach to reduce the strain on cash flow while protecting the long term sustainability of the mission.

Q: How can I increase my organization’s reach to help with disaster relief? If we establish a special purpose fund, what should my organization be thinking about?
A:

Many organizations are looking for ways to increase their direct impact and give funding to individuals or organizations they may not have historically supported. For those who are want to expand their grant or gift making or want to establish a disaster relief fund, there are things to consider when doing so to help protect the organization. The nonprofit experts at Hemenway & Barnes share their thoughts on just how to do that.

FINANCIAL REPORTING
Q: What accounting standards have been delayed or are in the process of being delayed?
A:

FASB:
The $2.2 trillion stimulus package includes a provision that would allow banks the temporary option to delay compliance with the current expected credit losses (CECL) accounting standard. This would be delayed until the earlier end of the fiscal year or the end of the coronavirus national emergency.

GASB:
On March 26, 2020, the Governmental Accounting Standards Board (GASB) announced it has added a project to its current technical agenda to consider postponing all Statement and Implementation Guide provisions with an effective date that begins on or after reporting periods beginning after June 15, 2018. The GASB has received numerous requests from state and local government officials and public accounting firms regarding postponing the upcoming effective dates of pronouncements as these state and local government offices are closed and officials do not have access to the information needed to implement the Statements. Most notably this would include Statement No. 84, Fiduciary Activities, and Statement No. 87, Leases.

The Board plans to consider an Exposure Draft for issuance in April and finalize the guidance in May 2020.

ENDOWMENTS AND INVESTMENTS 
Q: What should I consider with regard to endowments?
A:

Many nonprofits with endowments are considering ways to balance an increased reliance on their investment portfolios with the responsibility to protect and preserve the spending power of donor-restricted gifts. Some things to think about include the existence (or absence) of true restrictions, spending variations under the Uniform Prudent Management of Institutional Funds Act (UPMIFA) applicable in your state, borrowing from an endowment, or requesting from the donor the release of restrictions. All need to be balanced with the intended duration and preservation of the endowment fund. Hemenway & Barnes shares their thoughts relative to the utilization of endowments during this time of need.

EMPLOYEE BENEFITS
Q: We are going to suspend our retirement plan match through June 30, 2020 and I picked a start date of April 1st. What we need help with is our bi-weekly payroll (which is for HOURLY employees). Their next pay date is April 3rd, for time worked through March 28th. Time worked March 29-31 would be paid on April 17th. How should we handle the match during this period for the hourly employees?
A:

The key for determining what to include for the matching calculation is when it is paid, not when it was earned. If the amendment is effective April 1st, then any amounts paid after April 1st would not have matching contributions calculated. This means that the amounts paid on April 3rd would not have any matching contributions calculated.

Q: Can you please provide guidance on the Families First Coronavirus Response Act (FFCRA) and how it may impact my organization?
A:

On March 30th, BerryDunn published a blog post to help answer your questions around the FFCRA.

If you have additional questions, please contact one of our Employee Benefit Plan professionals

ADDITIONAL CONSIDERATIONS
Q: I heard there was going to be an incentive for charitable giving in the new act. What's that all about?
A:

According to Sections 2204 and 2205 of the CARES Act:

  • Up to $300 of charitable contributions can be taken as a deduction in calculating adjusted gross income (AGI) for the 2020 tax year. This will provide a tax benefit even to those who do not itemize.
  • For the 2020 tax year, the tax cap has been lifted for:
    • Individuals-from 60% of AGI to 100%
    • Corporations-annual limit is raised from 10% to 25% (for food donations this is raised from 15% to 25%)
Q: Have you heard if the May 15th tax deadline will be extended?
A:

Unfortunately, we have not heard. As of April 6th, the deadline has not been extended.

Q: Could you please summarize for me the tax provisions in the CARES Act that you think are most applicable to not-for-profits?
A: Absolutely! Our not-for-profit tax professionals have compiled this document, which provides a high-level outline of tax provisions in the CARES Act that we believe would be of interest to our clients.

We are here to help
Please contact the BerryDunn not-for-profit team if you have any questions, or would like to discuss your specific situation.

Blog
COVID-19 FAQs—Not-for-Profit Edition

Editor's note: read this if you are a leader in higher education. 

The Department of Education’s Office of Postsecondary Education posted an Electronic Announcement on April 3, 2020, to provide an update to the policy and operational guidance issued in March as a result of the COVID-19 pandemic national emergency. 

In addition to extending the March 5, 2020 guidance to apply to payment periods or terms beginning between March 5, 2020 and June 1, 2020, the Department has confirmed the temporary closure will not result in loss of institutional eligibility or participation. A few other changes to note:

  • Leaves of absence due to COVID-19-related concerns or limitations (such as interruption of a travel-abroad program) can be requested after the date the leave has begun.
  • Updates to the academic calendar requirements will allow institutions to offer courses on a schedule that would otherwise cause the program to be considered a non-standard term if it allows students to complete the term.
  • Calculated expected family contribution amounts will exclude from income any grants or low-interest loans received by victims of an emergency from a federal or state entity as part of the needs analysis.

One trend that continues to permeate the Department’s guidance is for institutions to document, as contemporaneously as possible, actions taken as a result of COVID-19 (including professional judgment decisions, on a case-by-case basis). 

The Department will be issuing more guidance on the impact of the CARES Act on R2T4 calculations, satisfactory academic progress requirements, the extension of the single audit by the Office of Management and Budget, and the potential impact to future FISAP filings. We highly recommend you read the full announcement as it outlines a wide variety of important details. 

Questions? Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.


 

Blog
COVID-19: Department of Education operational guidance

Read this if you are a leader at a state Medicaid agency.

Here is a summary of information we have gleaned from the Center for Medicare and Medicaid Services (CMS) Administrator Verma’s recent call.

CMS is implementing new rules and waivers that increase provider flexibility and free up resources to deal with a surge in COVID-19 patients. CMS is working with the provider community to provide clarity around specific changes that impact their operations.

  • The rulemaking process has been dramatically expedited to accommodate recent and forthcoming regulatory changes
  • CMS is in the process of working out details to administer CARES Act provisions, including further regulatory flexibilities, expansion of accelerated payment program, and $100 billion appropriated to reimburse eligible health care providers
  • CMS clarifies that the 3-Day Rule Waiver for skilled nursing facilities applies throughout the country and to all patients, regardless of their COVID-19 status

Medicaid Substance Use Disorder Treatment via Telehealth, and Rural Health Care and Medicaid Telehealth Flexibilities Guidance

This informational bulletin is composed of two parts: Rural Health Care and Medicaid Telehealth Flexibilities and Medicaid Substance Use Disorder Treatment via Telehealth.

  • The informational bulletin identifies opportunities for telehealth delivery for services to increase access to Medicaid services. It is composed of two parts, Rural Health Care and Medicaid Telehealth Flexibilities and Medicaid Substance Use Disorder (SUD) Treatment Services Furnished via Telehealth
  • The bulletin provides SUD guidance around Medication Assisted Treatment (MAT), counseling, high risk populations, and other areas critical to providing SUD services.

Long-Term Care Nursing Homes Telehealth and Telemedicine Tool Kit

CMS is issuing an electronic toolkit regarding telehealth and telemedicine for Long Term Care Nursing Home Facilities.

  • The toolkit includes electronic links to sources of information regarding telehealth and telemedicine, including the changes made by CMS over the last week in response to the national health emergency.
  • Much of the toolkit’s information is intended for providers who may wish to establish a permanent telemedicine program, but there is information here that will help in the temporary deployment of a telemedicine program as well.
  • There are specific documents identified that may be useful in choosing telemedicine vendors, equipment, and software, initiating a telemedicine program, monitoring patients remotely, and developing documentation tools. 


CMS makes regulatory changes to help US healthcare system address COVID-19 patient surge

CMS has issued a number of temporary regulatory waivers and new rules to assist the nation’s healthcare system with improved flexibility.

  • Increased hospital capacity. CMS will allow communities to take advantage of local ambulatory surgery centers that have canceled elective surgeries, per federal recommendations.
  • Healthcare workforce expansion. CMS’s temporary requirements allow hospitals and healthcare systems to increase their workforce capacity by removing barriers for physicians, nurses, and other clinicians to be readily hired from the local community as well as those licensed from other states without violating Medicare rules.
  • Paperwork requirements. CMS is temporarily eliminating paperwork requirements.
  • Telehealth in Medicare. CMS will now allow for more than 80 additional services to be furnished via telehealth.

Additional COVID-19 FAQs for state Medicaid and Children's Health Insurance Program (CHIP) agencies

CMS released an update to the COVID-19 FAQs posted on March 18, 2020 related to emergency preparedness and response, eligibility and enrollment flexibilities, benefit flexibilities, cost sharing flexibilities, financial flexibilities, managed care flexibilities, fair hearing flexibilities, health information exchange flexibilities, and COVID-19 T-MSIS coding guidance. Notably:

  • States that have CHIP disaster provisions in their state plans can activate these provisions. CMS considers a significant outbreak of an infectious disease to be a disaster. CMS also recommends that states that do not have disaster relief provisions in their CHIP state plans include language that a federal- or governor-declared emergency is considered an event that can trigger the disaster provisions.

States may not suspend use of their AVS, however CMS reminds states that they can rely on self-attestation of assets and verify financial assets using their AVS post-enrollment in Medicaid.

  • CMS can help provide technical assistance regarding approaches states can use to rapidly scale telehealth technologies.
  • CMS clarified and provided COVID-19 T-MSIS coding guidance.

For more information

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
Takeaways from CMS national stakeholder call

Focus: Disaster Loan Program and Paycheck Protection Program (PPP)

Background

The Coronavirus Aid, Relief and Economic Security (CARES) Act will provide $562 million to cover administrative expenses and program subsidy for the US Small Business Administration (SBA) Economic Injury Disaster Loans and small business programs. 

Additionally, the CARES Act specifically provides the authorization for $349 billion for the SBA 7(a) program through December 31, 2020. 

SBA disaster loan program (updated for CARES Act) highlights


General
The US Small Business Administration is offering designated states and territories low-interest federal disaster loans for working capital to small businesses suffering substantial economic injury as a result of the coronavirus and COVID-19.

Eligibility 
Industry may be subject to different standards, but the general rule of thumb is that the SBA defines most small businesses as having less than 500 people, both calculated on a standalone basis and together with its affiliates (see PPP below for more information). A company’s average annual sales may also be used for the small business designation. 

Historically, businesses that are not eligible for this program included casinos, charitable organizations, religious organizations, agricultural enterprises and real estate developers that are primarily involved in subdividing real property into lots and developing it for resale for themselves (other real estate entities may apply, such as landlords). 

However, the CARES Act expanded eligibility to include (i) any individual operating as a sole proprietor or independent contractor; (ii) private non-profits and (iii) Tribal businesses, cooperatives and ESOPs with fewer than 500 employees during January 31, 2020 to December 31, 2020.

If the entity has bad credit or has defaulted on a prior SBA loan, the entity is not eligible. The CARES Act removed the credit elsewhere requirement (i.e., previously if the business had credit available through another source, such as a line of credit, it was ineligible). 

Basic terms

  • Loan amount
    The lesser of $2 million or an amount determined that that borrower can repay (i.e., underwriting requirement).
  • Maximum term
    Up to 30 years and all payments on these loans will be deferred for 12 months from disbursement date. Interest will accrue.
  • Interest rate
    3.75% for for-profit business and 2.75% for a non-profit entity.
  • Collateral
    Loans for under $25,000 do not require collateral.  Any person with an interest in the company worth 20% or more must be a guarantor; however the CARES Act eliminates the guaranty requirement on advances and loans under $200,000. 
  • Use of proceeds
    Loan proceeds may be used to pay fixed debts (including short-term notes and balloon payments that are due within the next 12 months), payroll, accounts payable, and other bills the borrower would have to pay that but for the disaster would have been paid, such as mortgage payments. Landlords and other passive entities are eligible. Agriculture-related entities are eligible, but farmers are not. Borrowers must maintain proof of how the loan proceeds were used for three years from the date of disbursement. Borrowers cannot use the proceeds to expand their business, buy assets, make repairs to real estate or refinance long-term debt. 
  • Forgiveness
    No forgiveness provision.

Applying
Loan applications are available here

Length of time for funding
Upon submittal of a completed application, it can take 18-21 days to be approved and another four to five business days for funding. However, the SBA has never dealt with this much volume so expect delays.  

If funding is needed immediately, contact any SBA partnering non-profit lender and request an SBA microloan up to $50,000 or contact a commercial lending partner to see if they offer SBA express loans up to $1,000,000 (CARES Act increases this from $350,000 to $1,000,000) and/or SBA 7(a) loans up to $5 million. The 7(a) loans are typically processed within 30 days, while microloans and express loans are processed even more quickly. 

The CARES Act has also established an emergency grant to allow eligible entities who have applied for a disaster loan because of COVID-19 to request an advance of up to $10,000 on that loan. The SBA is to distribute the advance within three days. 

This advance does not need to be repaid, even if the applicant is denied a Disaster Loan. ($10,000,000,000 is appropriated for this program and funds will be distributed on a first come, first served basis). An applicant must self-certify that it is an eligible entity prior to receiving such an advance. Advances may be used for providing sick leave to employees, maintaining payroll, meeting increased costs to obtain materials, rent or mortgage payments, and payment of business obligations that cannot be paid due to loss of revenues. Applicants must apply directly with the SBA for this program.

Other considerations
Each company should review any current loan obligations and confirm that it does not include a provision forbidding that applicant from acquiring additional debt. If the document does, the applicant will want to discuss a waiver of that provision with its current lender. The lender should be amenable to this waiver and the applicant will want the waiver verified in writing. The lender should be amenable because the SBA disaster loan can be used to satisfy monthly debt obligations and any collateral taken by the SBA would be subordinate, if the same collateral secures the lender’s loan.

Under the CARES Act, Congress has also directed the SBA to use funds to make principal and interest payments, along with associated fees that may be owed on an existing SBA 7(a), 504 or micro-loan program covered loan, for a period of six months from the next payment due date. Any loan that may currently be on deferment will receive the six months of covered payments once the deferral period has ended. This provision will also cover loans that are made up to six months after the enactment of the CARES Act. If the loan maturity date conflicts with benefiting from this amendment, the lender can extend the maturity date of the loan. 

Newly enacted Paycheck Protection Program (PPP)


General
This new program will be offered with a 100% SBA guaranty through December 31, 2020, to lenders, after which the guaranty percentage will return to 75% for loans above $150,000 and 85% for loans below that amount. 

Eligibility 
A business, including a qualifying nonprofit organization, that was in operation on February 15, 2020, and either had employees for whom it paid salaries and payroll taxes or paid independent contractors, is eligible for PPP loans if it (a) meets the applicable North American Industry Classification System (NAICS) Code-based size standard or other applicable 7(a) loan size standard, both alone and together with its affiliates; or (b) has an employee headcount that is lower than the greater of (i) 500 employees or (ii) the employee size standard, if any, under the applicable NAICS Code. 

Businesses that fall within NAICS Code 72, which applies to accommodations and food services, are also eligible if they employ no more than 500 people per physical location. Sole proprietorships, independent contractors, and self-employed individuals are also eligible. It is unclear as of what date the size test will be applied, but historically, SBA size tests have been applied on the date of application for financing. More information on the NAICS-Code-based size standards can be found here

Borrowers are required to provide a good faith certification that the loan is necessary due to economic conditions brought about because of COVID-19 and that the borrower will use the funds to retain workers, maintain payroll and pay utilities, lease and/or mortgage payments.

The credit elsewhere test is waived under this program. 

Lenders shall base their underwriting on whether a business was operational on February 15, 2020, and had employees for whom it was responsible for or paid for services from an independent contractor. The legislation has directed lenders not to base their determinations on repayment ability at the present time because of the effects of COVID-19.

Applicants for SBA loan programs, including PPP loans, typically must include their affiliates when applying size tests to determine eligibility. That means that employees of other businesses under common control would count toward the maximum number of permitted employees. A business that is controlled by a private equity sponsor would likely be deemed an affiliate of the other businesses controlled by that sponsor and could thus be ineligible for PPP loans. However, the CARES Act waives the affiliation requirement for the following applicants:  

  1. Businesses within NAICS Code 72 with no more than 500 employees
  2. Franchises with codes assigned by the SBA, as reflected on the SBA franchise registry
  3. Businesses that receive financial assistance from one or more small business investment companies (SBIC) 

Basic terms

  • Loan amount
    Lesser of $10 million or 2.5 times the applicant’s average monthly payroll costs of the business over the year prior to the making of the loan (practically, this may become the year prior to the loan application), excluding the prorated portion of any annual compensation above $100,000 for any person. Note that under the CARES Act, “payroll costs” include vacation, parental, family, medical, and sick leave; allowances for dismissal or separation; payments for group health care benefits, including insurance premiums; and retirement benefits. Calculations vary slightly for seasonal businesses and businesses that were not in operation between February 15 and June 30, 2019. To the extent that a SBA Disaster Loan was used for a purpose other than those permitted for PPP Loans, the Disaster Loans may be refinanced with proceeds of PPP loans, in which case the maximum available PPP loan amount is increased by the amount of the Disaster Loans being refinanced. 
  • Maximum term
    Payments will be deferred for a minimum of 6 months and a maximum of 12. SBA is directed to issue guidance on the terms of this deferral. Any portion of the PPP loan that is not forgiven (see below) on or before December 31, 2020, shall automatically be a term loan for a maximum of 10 years. For PPP loans, the SBA has waived prepayment penalties.
  • Fees
    SBA will waive the guaranty fee and annual fee applicable to other 7(a) loans. 
  • Interest rate
    Maximum rate of 4%.
  • Collateral
    The standard requirements of collateral and a personal guaranty are waived under this program. Accordingly, there will be no recourse to owners or borrowers for nonpayment, except to the extent proceeds are used for an unauthorized purpose.
  • Use of proceeds
    This loan can be used for: (i) payroll support, excluding the prorated portion of any compensation above $100,000 per year for any person; (ii) group healthcare benefits costs and insurance premiums; (iii) mortgage interest (but not prepayments or principal payments) and rent payments incurred in the ordinary course of business, and (iv) utility payments. 
  • Forgiveness
    A borrower will be eligible for loan forgiveness related to a PPP loan in an amount equal to 8 weeks of payroll costs, and the interest on mortgage payments (not principal) made in the ordinary course of business, rent payments, or utility payments so long as all payments were obligations of the borrower prior to February 15, 2020. Payroll costs are limited to compensation for a single employee to be no more than $100,000 in wages and the amount of forgiveness cannot exceed the principal loan amount. 

    The amount of loan forgiveness will be reduced proportionally by any reduction in the borrower’s workforce, based on the full-time equivalent employees versus the period from either February 15, 2019, through June 30, 2019, or January 1, 2020, through February 29, 2020, as selected by the borrower, or a reduction of more than 25% of any employee’s compensation, measured against the most recent full quarter. If a borrower has already had to lay off employees due to COVID-19, employers are encouraged to rehire them by not being penalized for having a reduced payroll at the beginning of the covered period, which means the initial 8 week period after the loan’s origination date. 

    Accordingly, reductions in the number of employees or compensation occurring between February 15, 2020, and 30 days after enactment of the CARES Act will generally be ignored to the extent reversed by June 30, 2020. Any additional wages that may be paid to tipped workers are also covered in the calculation of payroll forgiveness. Borrowers must keep accurate records and document their payments because lenders will need to verify the payments to allow for loan forgiveness. Borrowers will not have to include any forgiven indebtedness as taxable income. 

Applying
A company needs to apply on or before June 30, 2020, with a lender who is currently approved as a 7(a) lender or who is approved by the SBA and the Treasury Department to become a PPP lender. PPP lenders have delegated authority to make and approve PPP loan, with no additional SBA approval required. 

There are certain portions of the CARES Act that require SBA to provide further guidance so there may be some slight changes to the rules and procedures as best practices present themselves. 

We recommend contacting existing 7(a) lenders as soon as possible to learn what you will need to provide for underwriting and approving a PPP loan. 

We are here to help
Please contact a BerryDunn professional if you have any questions, or would like to discuss your specific situation.

Blog
Impact of CARES Act on SBA loans

On March 27, 2020, President Trump signed into law the Coronavirus Aid, Relief and Economic Security (CARES) Act, which provides relief to taxpayers affected by the novel coronavirus and COVID-19. The CARES Act is the third round of federal government aid related to COVID-19. We have summarized the top provisions in the new legislation below, with more detailed alerts on individual provisions to follow. Click here for a link to the full text of the bill.

Compensation, benefits, and payroll relief
The law temporarily increases the amount of and expands eligibility for unemployment benefits, and it provides relief for workers who are self-employed. Additionally, several provisions assist certain employers who keep employees on payroll even though the employees are not able or needed to work. 

The cornerstone of the payroll protection aid is a streamlined application process for SBA loans that can be forgiven if an eligible employer maintains its workforce at certain levels. 

Additionally, certain employers affected by the pandemic who retain their employees will receive a credit against payroll taxes for 50% of eligible employee wages paid or incurred from March 13 to December 31, 2020. This employee retention credit would be provided for as much as $10,000 of qualifying wages, including health benefits. Eligible employers may defer remitting employer payroll tax payments that remain due for 2020 (after the credits are deducted), with half being due by December 31, 2021, and the balance due by December 31, 2022. 

Employers with fewer than 500 employees are also allowed to give terminated employees access to the mandated paid federal sick and child care leave benefits for which the employer is 100% reimbursed by the government through payroll tax credits, if the employer rehires the qualifying employees.

Any benefit that is driven off the definition of “employee” raises the issue of partner versus employee. The profits interest member that is receiving a W-2 may not be eligible for inclusion in the various benefit computations.

Eligible individuals can withdraw vested amounts up to $100,000 during 2020 without a 10% early distribution penalty, and income inclusion can be spread over three years. Repayment of distributions during the next three years will be treated as tax-free rollovers of the distribution. The bill also makes it easier to borrow money from 401(k) accounts, raising the limit to $100,000 from $50,000 for the first 180 days after enactment, and the payment dates for any loans due the rest of 2020 would be extended for a year.

Individuals do not have to take their 2020 required minimum distributions from their retirement funds. This avoids lost earnings power on the taxes due on distributions and maximizes the potential gain as the market recovers.

Two long-awaited provisions allow employers to assist employees with college loan debt through tax free payments up to $5,250 and restores over-the-counter medical supplies as permissible expenses that can be reimbursed through health care flexible spending accounts and health care savings accounts.

Deferral of net business losses for three years
Section 461(l) limits non-corporate taxpayers in their use of net business losses to offset other sources of income. As enacted in 2017, this limitation was effective for taxable years beginning after 2017 and before 2026, and applied after the basis, at-risk, and passive activity loss limitations. The amount of deductible net business losses is limited to $500,000 for married taxpayers filing a joint return and $250,000 for all other taxpayers. These amounts are indexed for inflation after 2018 (to $518,000 and $259,000, respectively, in 2020). Excess business losses are carried forward to the next succeeding taxable year and treated as a net operating loss in that year.

The CARES Act defers the effective date of Section 461(l) for three years, but also makes important technical corrections that will become effective when the limitation on excess business losses once again becomes applicable. Accordingly, net business losses from 2018, 2019, or 2020 may offset other sources of income, provided they are not otherwise limited by other provisions that remain in the Code. Beginning in 2021, the application of this limitation is clarified with respect to the treatment of wages and related deductions from employment, coordination with deductions under Section 172 (for net operating losses) or Section 199A (relating to qualified business income), and the treatment of business capital gains and losses.

Section 163(j) amended for taxable years beginning in 2019 and 2020
The CARES Act amends Section 163(j) solely for taxable years beginning in 2019 and 2020. With the exception of partnerships, and solely for taxable years beginning in 2019 and 2020, taxpayers may deduct business interest expense up to 50% of their adjusted taxable income (ATI), an increase from 30% of ATI under the TCJA, unless an election is made to use the lower limitation for any taxable year. Additionally, for any taxable year beginning in 2020, the taxpayer may elect to use its 2019 ATI for purposes of computing its 2020 Section 163(j) limitation. 

This will benefit taxpayers who may be facing reduced 2020 earnings as a result of the business implications of COVID-19. As such, taxpayers should be mindful of elections on their 2019 return that could impact their 2019 and 2020 business interest expense deduction. With respect to partnerships, the increased Section 163(j) limit from 30% to 50% of ATI only applies to taxable years beginning in 2020. However, in the case of any excess business interest expense allocated from a partnership for any taxable year beginning in 2019, 50% of such excess business interest expense is treated as not subject to the Section 163(j) limitation and is fully deductible by the partner in 2020. The remaining 50% of such excess business interest expense shall be subject to the limitations in the same manner as any other excess business interest expense so allocated. Each partner has the ability, under regulations to be prescribed by Treasury, to elect to have this special rule not applied. No rules are provided for application of this rule in the context of tiered partnership structures.

Net operating losses carryback allowed for taxable years beginning in 2018 and before 2021
The CARES Act provides for an elective five-year carryback of net operating losses (NOLs) generated in taxable years beginning after December 31, 2017, and before January 1, 2021. Taxpayers may elect to relinquish the entire five-year carryback period with respect to a particular year’s NOL, with the election being irrevocable once made. In addition, the 80% limitation on NOL deductions arising in taxable years beginning after December 31, 2017, has temporarily been pushed to taxable years beginning after December 31, 2020. 

Several ambiguities in the application of Section 172 arising as a result of drafting errors in the Tax Cuts and Jobs Act have also been corrected. As certain benefits (i.e., charitable contributions, Section 250 “GILTI” deductions, etc.) may be impacted by an adjustment to taxable income, and therefore reduce the effective value of any NOL deduction, taxpayers will have to determine whether to elect to forego the carryback. Moreover, the bill provides for two special rules for NOL carrybacks to years in which the taxpayer included income from its foreign subsidiaries under Section 965. Please consider the impact of this interaction with your international tax advisors. 

However, given the potential offset to income taxed under a 35% federal rate, and the uncertainty regarding the long-term impact of the COVID-19 crisis on future earnings, it seems likely that most companies will take advantage of the revisions. This is a technical point, but while the highest average federal rate was 35% before 2018, the highest marginal tax rate was 38.333% for taxable amounts between $15 million and $18.33 million. This was put in place as part of our progressive tax system to eliminate earlier benefits of the 34% tax rate. Companies may wish to revisit their tax accounting methodologies to defer income and accelerate deductions in order to maximize their current year losses to increase their NOL carrybacks to earlier years.

Alternative minimum tax credit refunds
The CARES Act allows the refundable alternative minimum tax credit to be completely refunded for taxable years beginning after December 31, 2018, or by election, taxable years beginning after December 31, 2017. Under the Tax Cuts and Jobs Act, the credit was refundable over a series of years with the remainder recoverable in 2021.

Technical correction to qualified improvement property
The CARES Act contains a technical correction to a drafting error in the Tax Cuts and Jobs Act that required qualified improvement property (QIP) to be depreciated over 39 years, rendering such property ineligible for bonus depreciation. With the technical correction applying retroactively to 2018, QIP is now 15-year property and eligible for 100% bonus depreciation. This will provide immediate current cash flow benefits and relief to taxpayers, especially those in the retail, restaurant, and hospitality industries. Taxpayers that placed QIP into service in 2019 can claim 100% bonus depreciation prospectively on their 2019 return and should consider whether they can file Form 4464 to quickly recover overpayments of 2019 estimated taxes. Taxpayers that placed QIP in service in 2018 and that filed their 2018 federal income tax return treating the assets as bonus-ineligible 39-year property should consider amending that return to treat such assets as bonus-eligible. For C corporations, in particular, claiming the bonus depreciation on an amended return can potentially generate NOLs that can be carried back five years under the new NOL provisions of the CARES Act to taxable years before 2018 when the tax rates were 35%, even though the carryback losses were generated in years when the tax rate was 21%. With the taxable income limit under Section 172(a) being removed, an NOL can fully offset income to generate the maximum cash refund for taxpayers that need immediate cash. Alternatively, in lieu of amending the 2018 return, taxpayers may file an automatic Form 3115, Application for Change in Accounting Method, with the 2019 return to take advantage of the new favorable treatment and claim the missed depreciation as a favorable Section 481(a) adjustment.

Effects of the CARES Act at the state and local levels
As with the Tax Cuts and Jobs Act, the tax implications of the CARES Act at the state level first depends on whether a state is a “rolling” Internal Revenue Code (IRC) conformity state or follows “fixed-date” conformity. For example, with respect to the modifications to Section 163(j), rolling states will automatically conform, unless they specifically decouple (but separate state ATI calculations will still be necessary). However, fixed-date conformity states will have to update their conformity dates to conform to the Section 163(j) modifications. 

A number of states have already updated during their current legislative sessions (e.g., Idaho, Indiana, Maine, Virginia, and West Virginia). Nonetheless, even if a state has updated, the effective date of the update may not apply to changes to the IRC enacted after January 1, 2020 (e.g., Arizona). 

A number of other states have either expressly decoupled from Section 163(j) or conform to an earlier version and will not follow the CARES Act changes (e.g., California, Connecticut, Georgia, Missouri, South Carolina, Tennessee (starting in 2020), Wisconsin). Similar considerations will apply to the NOL modifications for states that adopted the 80% limitation, and most states do not allow carrybacks. Likewise, in fixed-dated conformity states that do not update, the Section 461(l) limitation will still apply resulting in a separate state NOL for those states. 

These conformity questions add another layer of complexity to applying the tax provisions of the CARES Act at the state level. Further, once the COVID-19 crisis is past, rolling IRC conformity states must be monitored, as these states could decouple from these CARES Act provisions for purposes of state revenue.

2020 recovery refund checks for individuals
The CARES Act provides eligible individuals with a refund check equal to $1,200 ($2,400 for joint filers) plus $500 per qualifying child. The refund begins to phase out if the individual’s adjusted gross income (AGI) exceeds $75,000 ($150,000 for joint filers and $112,500 for head of household filers). The credit is completely phased out for individuals with no qualifying children if their AGI exceeds $99,000 ($198,000 for joint filers and $136,500 for head of household filers).

Eligible individuals do not include nonresident aliens, individuals who may be claimed as a dependent on another person’s return, estates, or trusts. Eligible individuals and qualifying children must all have a valid social security number. For married taxpayers who filed jointly with their most recent tax filings (2018 or 2019) but will file separately in 2020, each spouse will be deemed to have received one half of the credit.

A qualifying child (i) is a child, stepchild, eligible foster child, brother, sister, stepbrother, or stepsister, or a descendent of any of them, (ii) under age 17, (iii) who has not provided more than half of their own support, (iv) who has lived with the taxpayer for more than half of the year, and (v) who has not filed a joint return (other than only for a claim for refund) with the individual’s spouse for the taxable year beginning in the calendar year in which the taxable year of the taxpayer begins.

The refund is determined based on the taxpayer’s 2020 income tax return but is advanced to taxpayers based on their 2018 or 2019 tax return, as appropriate. If an eligible individual’s 2020 income is higher than the 2018 or 2019 income used to determine the rebate payment, the eligible individual will not be required to pay back any excess rebate. However, if the eligible individual’s 2020 income is lower than the 2018 or 2019 income used to determine the rebate payment such that the individual should have received a larger rebate, the eligible individual will be able to claim an additional credit generally equal to the difference of what was refunded and any additional eligible amount when they file their 2020 income tax return.

Individuals who have not filed a tax return in 2018 or 2019 may still receive an automatic advance based on their social security benefit statements (Form SSA-1099) or social security equivalent benefit statement (Form RRB-1099). Other individuals may be required to file a return to receive any benefits.

The CARES Act provides that the IRS will make automatic payments to individuals who have previously filed their income tax returns electronically, using direct deposit banking information provided on a return any time after January 1, 2018.

Charitable contributions

  • Above-the-line deductions: Under the CARES Act, an eligible individual may take a qualified charitable contribution deduction of up to $300 against their AGI in 2020. An eligible individual is any individual taxpayer who does not elect to itemize his or her deductions. A qualified charitable contribution is a charitable contribution (i) made in cash, (ii) for which a charitable contribution deduction is otherwise allowed, and (iii) that is made to certain publicly supported charities.

    This above-the-line charitable deduction may not be used to make contributions to a non-operating private foundation or to a donor advised fund.
  • Modification of limitations on cash contributions: Currently, individuals who make cash contributions to publicly supported charities are permitted a charitable contribution deduction of up to 60% of their AGI. Any such contributions in excess of the 60% AGI limitation may be carried forward as a charitable contribution in each of the five succeeding years.

    The CARES Act temporarily suspends the AGI limitation for qualifying cash contributions, instead permitting individual taxpayers to take a charitable contribution deduction for qualifying cash contributions made in 2020 to the extent such contributions do not exceed the excess of the individual’s contribution base over the amount of all other charitable contributions allowed as a deduction for the contribution year. Any excess is carried forward as a charitable contribution in each of the succeeding five years. Taxpayers wishing to take advantage of this provision must make an affirmative election on their 2020 income tax return.

    This provision is useful to taxpayers who elect to itemize their deductions in 2020 and make cash contributions to certain public charities. As with the aforementioned above-the-line deduction, contributions to non-operating private foundations or donor advised funds are not eligible.

    For corporations, the CARES Act temporarily increases the limitation on the deductibility of cash charitable contributions during 2020 from 10% to 25% of the taxpayer’s taxable income. The CARES Act also increases the limitation on deductions for contributions of food inventory from 15% to 25%.

We are here to help
Please contact a BerryDunn professional if you have any questions, or would like to discuss your specific situation.

Blog
The CARES Act: Implications for businesses

Read this if you are a business owner, in management, or in HR at a company with less than 500 employees.

We have received many questions regarding the FFCRA and its provisions and how it affects different employers and their employees. Here are some of the questions our clients have asked the most. Please contact us if you have questions regarding your specific situation. We’re here to help.  

Besides compensation, what other costs paid by an employer are eligible for the credit (i.e., employer paid health insurance, employer payroll taxes)?
Employers can deduct the cost of providing continuing health care coverage, and the employer’s share of Medicare taxes related to the leave wages. Any compensation paid under the FFCRA is not subject to the employer’s portion of the Social Security tax.

How do you determine the total number of employees? 
In calculating the total number of employees, all full-time or part-time employees working within the US, including all US territories or possessions, are counted, including all employees on leave and temp employees who are jointly employed with another company as determined under the Fair Labor Standards Act (FLSA). 

How does a business know if it employs less than 500 employees and is subject to the FFCRA?
Generally, a private sector employer is subject to the Family and Medical Leave Act of 1993 (FMLA) if it employs 50 or more employees for each working day during each of 20 or more calendar workweeks in the current or preceding calendar year. The FAQs issued by the Department of Labor (DOL) indicate an employer has fewer than 500 employees if, at the time an employee’s leave is to be taken, there are fewer than 500 full-time and part-time employees within the United States, which includes any state of the United States, the District of Columbia, or any territory or possession of the United States. 

In making this determination, an employer should include employees on leave; temporary employees who are jointly employed by you and another employer (regardless of whether the jointly-employed employees are maintained on only your or another employer’s payroll); and day laborers supplied by a temporary agency (regardless of whether you are the temporary agency or the client firm if there is a continuing employment relationship). Workers who are independent contractors under the FLSA, rather than employees, are not considered employees for purposes of the 500-employee threshold.

Where a corporation has an ownership interest in another corporation, the two corporations are separate employers unless they are joint employers under the FLSA with respect to certain employees. In general, two or more entities are separate employers unless they meet the integrated employer test under the FMLA.

Please check with your advisors if you believe the integrated employer test may apply to your businesses.

Which employees are entitled to the $511 payment under sick leave?
For an employee who is unable to work because of the coronavirus quarantine or self-quarantine or has COVID-19 symptoms and is seeking a medical diagnosis, the employee may receive sick leave wages equal to the employee’s regular rate of pay, up to $511 per day and $5,111 in the aggregate, for a total of 10 days. Note that only employers who employ less than 500 employer are required to provide sick leave payments. Such employees may also receive a refundable tax credit for sick leave paid to employees.

Which employees are entitled to the $200 payment under sick leave?
For an employee who is caring for someone with COVID-19, or is caring for a child because the child’s school or child care facility is closed, or the child care provider is unavailable due to the coronavirus, the employee may receive sick leave wages equal to two-thirds of the employee’s regular rate of pay, up to $200 per day and $2,000 in the aggregate, for up to 10 days. Note that only employers who employ less than 500 employer are required to provide sick leave payments. Such employees may also receive a refundable tax credit for sick leave paid to employees.

Which employees are entitled to the $200 payment under the family leave portion of FFCRA?
For an employee who is unable to work because of a need to care for a child whose school or child care facility is closed or whose child care provider is unavailable due to the coronavirus, the employee may receive family leave wages equal to two-thirds of the employee’s regular rate of pay, capped at $200 per day or $10,000 in the aggregate. Up to 10 weeks of qualifying leave can be counted towards the child care leave credit. Note that only employers who employ less than 500 employer are required to provide sick leave payments. Such employees may also receive a refundable tax credit for sick leave paid to employees.

What is “regular rate of pay” for purposes of the FFCRA?
For purposes of the FFCRA, the regular rate of pay used to calculate paid leave is the average of the employee’s regular rate over a period of up to six months prior to the date on which leave is taken. If an employee has not worked for the current employer for six months, the regular rate used to calculate paid leave is the average regular rate of pay for each week the employee has worked for the current employer.

If an employee is paid with commissions, tips, or piece rates, these amounts will be incorporated into the above calculation to the same extent they are included in the calculation of the regular rate under the FLSA.

You can also compute this amount for each employee by adding all compensation that is part of the regular rate over the above period and divide that sum by all hours actually worked in the same period.

What is the effective date of the sick leave/family leave provisions?
Employers must comply with the FFCRA from April 1, 2020, until it expires on December 31, 2020. Paid leave prior to April1, 2020 will not count. The IRS recently issued guidance indicating the tax credits for qualified sick leave wages and qualified family leave wages required to be paid by the FFRCA will apply to wages paid for the period beginning on April 1, 2020, and ending on December 31, 2020.

Who is considered a “health care provider”?
For the purposes of employees who may be exempted from paid sick leave or expanded family and medical leave by their employer under the FFCRA, a health care provider is anyone employed at any doctor’s office, hospital, health care center, clinic, post-secondary educational institution offering health care instruction, medical school, local health department or agency, nursing facility, retirement facility, nursing home, home health care provider, any facility that performs laboratory or medical testing, pharmacy, or any similar institution, employer, or entity. This includes any permanent or temporary institution, facility, location, or site where medical services are provided that are similar to such institutions. 

This definition includes any individual employed by an entity that contracts with any of the above institutions, employers, or entities institutions to provide services or to maintain the operation of the facility. This also includes anyone employed by any entity that provides medical services, produces medical products, or is otherwise involved in the making of COVID-19 related medical equipment, tests, drugs, vaccines, diagnostic vehicles, or treatments. This also includes any individual that the highest official of a state or territory, including the District of Columbia, determines is a health care provider necessary for that state’s or territory’s or the District of Columbia’s response to COVID-19.

To minimize the spread of the virus associated with COVID-19, the DOL encourages employers to be judicious when using this definition to exempt health care providers from the provisions of the FFCRA.

For more information
If you have more questions, or have a specific question about your particular situation, please call us. We’re here to help. 

Blog
Families First Coronavirus Response Act (FFCRA): FAQs for businesses

On March 18, 2020, the SBA issued relaxed criteria for Economic Injury Disaster Loans (EIDLs).

The two immediate impacts:

  • States are now only required to certify that a minimum of five small businesses within the state/territory have suffered significant economic injury, as opposed to proof of five small businesses within each reporting county/parish.
  • Prior regulation only made disaster assistance loans available to small businesses within counties declared disaster areas by a governor. Relaxed standards state the EIDLs will be available statewide following an economic injury declaration. This applies to current and future disaster declarations related to COVID-19.

Some SBA loan specifics:

  • EIDL amounts range from $25,000 to $2,000,000, at interest rates of 3.75% for small businesses and 2.75% for not-for-profits.
  • Companies can use the loans to pay bills that can’t be paid due to the disaster’s impact, including but not limited to fixed debts, payroll, and accounts payable.
  • Loan terms are determined on a case-by-case basis, based on the borrower’s ability to repay. SBA is offering repayment terms up to a maximum of 30 years.
  • EIDLs are one facet of an expanded and coordinated federal government response.

Small businesses in need of economic assistance may apply for an EIDL here. We will update as more information becomes available.

If you have questions about SBA loans, please contact your BerryDunn tax consultant
 

Blog
Small Business Administration (SBA) eases criteria for disaster loans

Per CMS, all state Medicaid agencies, including territories, are eligible for the increased Federal Medical Assistance Percentage (FMAP), provided they adhere to the conditions outlined in the Families First Coronavirus Response Act (FFCRA). 

Key takeaways:

  • The increase in FMAP will be retroactive to January 1, 2020 and will be available to state Medicaid agencies through the end of the quarter in which the public health emergency for COVID-19 ends.
  • This guidance answers some of the following questions for states, including:
    • How long the funding will be available and when it begins
    • What costs are matchable under the enhanced funding 
    • The specific conditions under which states are eligible to claim the funds 
    • What documentation and processes will be needed in order to gain full access to funding

Trump administration releases COVID-19 checklists and tools to accelerate relief for state Medicaid & CHIP programs

In order to assist states as part of the COVID-19 outbreak, the Trump administration has released a number of tools and checklists that constitute a federal authority toolkit to support states in applying for and receiving federal waivers and other key flexibilities for their program. 

Key takeaways:
The tools released today include:

CMS issues FAQs on catastrophic health coverage and the coronavirus

A catastrophic health plan may not provide coverage of an essential health benefit prior to an enrollee meeting the deductible for that plan. In order to clarify treatment and coverage of COVID-19 for catastrophic health plans CMS has issued Frequently Asked Questions (FAQs).

Key takeaways:

  • Catastrophic plans currently include coverage for the diagnosis and treatment of COVID-19 as they must cover the essential health benefits (EHB) as required by the Patient Protection and Affordable Care Act (PPACA).
  • Issuers of catastrophic plans will be able to provide coverage for the diagnosis and treatment of COVID-19 for enrollees who have not yet met their deductible without CMS taking enforcing action.
  • The FAQ document encourages states to take an enforcement approach and CMS does not “consider a state to have failed to substantially enforce section 1302(e) of the PPACA if it takes such an approach.”

Relief for clinicians, providers, hospitals, and facilities participating in quality reporting programs in response to COVID-19

CMS is granting exceptions from reporting requirements and extensions for clinicians and providers participating in Medicare quality reporting programs.  

Key takeaways:

  • The exceptions include pending dates for measure reporting and data submission for related programs. 
  • For data submission deadlines in April and May of 2020, submission of those data will be optional, based on the facility’s choice to report.
  • 2019 data submission
    • Deadline extended from March 31, 2020 to April 30, 2020.
    • Deadlines for October 1, 2019 - December 31, 2019 (Q4) 
    • Data submission is optional for inpatient rehabilitation and hospital-acquired conditions.

CMS releases telehealth toolkits for general practitioners and End-Stage Renal Disease (ESRD) providers

CMS has released two toolkits on telehealth which follow the broadened access to Medicare telehealth services under the 1135 waiver authority and Coronavirus Preparedness and Response Supplemental Appropriations Act.

Key takeaways:

  • The toolkit consists of electronic links to sources of information pursuant to telehealth and telemedicine. 
  • Generally directed towards providers, particularly ones who may be considering a permanent telemedicine program.
  • CMS notes that most of the resources were established prior to the current COVID-19 crisis. As a result, there are likely references to rules and regulations whose requirements may have been waived for the duration of the outbreak.

Toolkits:

For more information

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the team

Blog
New guidance regarding enhanced Medicaid funding for states

Here is a summary of information we have gleaned from recent CMS updates and guidance. 

COVID-19 stakeholder call - March 16 

CMS held a National Stakeholder Call on March 16, 2020 to update the healthcare community on the rapidly evolving COVID-19 situation, which was declared a national emergency by President Trump on March 13, 2020.

Key takeaways:

  • Administrator Verma reaffirmed the goal of reducing administrative barriers in the way of healthcare workers and agencies and to support them as best CMS is able.
  • Acknowledging that there were questions on testing, Administrator Verma outlined that there will be a ramp-up in testing in conjunction with state and local governments. 
  • CMS is relaxing clinician enrollment requirements for Medicare and making the same option available to states in their Medicaid programs.
  • The administration has been clear that it wants agencies to focus on infection control efforts. CMS is designing a streamlined template to evaluate infection control.
  • CMS sends guidance to Programs of All-Inclusive Care for the Elderly (PACE) Organizations.

On March 17, 2020, CMS issued guidance to all Programs of All-Inclusive Care for the Elderly (PACE) Organizations (POs) on accepted policies and standard procedures with respect to infection control.

Key takeaways:

  • POs will need to create, apply, and sustain a documented infection control plan that involves procedures to recognize, examine, regulate, and avert infections in PACE centers
  • POs will need to work to prevent infections within each participant’s place of residence, as well as implement procedures to record and develop corrective actions related to incidents of infection.
  • CMS provides guidance that recognizes POs may need to undertake strategies that do not traditionally comply with CMS PACE program requirements in order to provide benefits while guarding from COVID-19. Some examples of this may include telehealth services.
  • President Trump expands telehealth benefits for Medicare beneficiaries during COVID-19 outbreak.

CMS is expanding Medicare’s telehealth benefits under the 1135 waiver authority and the Coronavirus Preparedness and Response Supplemental Appropriations Act.

Key takeaways:

  • Under the new 1135 waiver, Medicare can pay for office, hospital, and other visits provided via telehealth across the country and including in patient’s place of residence starting March 6, 2020. 
  • Medicare telehealth visits: These visits are considered the same as in-person visits and are paid at the same rate as regular, in-person visits.
  • Virtual check-ins: Virtual check-in services can only be reported when the billing practice has an established relationship with the member.  
  • E-visits: Such services can only be reported when the billing practice has an established relationship with the patient.  

CMS coronavirus partner virtual toolkit

CMS has released a virtual toolkit to help stakeholders stay up-to-date on CMS materials available on COVID-19. Here is specific guidance from the toolkit designed for states and health plans:

CMS approves first state request for 1135 Medicaid waiver in Florida and Washington

The 1135 waiver allows Florida and Washington to modify certain Medicaid program requirements, policies, operational procedures, and deadlines applicable to each state’s administration of its Medicaid program during the period of the national state of emergency to prevent further transmission of COVID-19. 

Key takeaways from Florida’s waiver

  • Provider participation flexibilities for Medicaid and CHIP Waiver of Service Prior Authorization (PA) Requirements for fee-for-service delivery systems
  • Waiver for Pre-Admission Screening and Annual Resident Review (PASRR) Level II Level II Assessments for 30 Days
  • Waiver to allow evacuating facilities to provide services in alternative settings, such as a temporary shelter when a provider’s facility is inaccessible
  • Waiver to temporarily delay scheduling for state fair hearing requests and appeal deadlines (NOTE: CMS was unable to waive all of Florida’s requested authorities in this area)

If you have questions or would like more information, we are here to help. Please contact us

Blog
CMS update for the healthcare community: Our takeaways

In early March 2020, the US Department of Education (ED) issued a Dear Colleague Letter, “Guidance for interruptions of study related to Coronavirus (COVID-19),” posting a subsequent update March 20 to include the document “Frequently Asked Questions Related to COVID-19.” The information below has been excerpted directly from the letter and compiled with the needs of our higher education clients in mind.

This electronic announcement addresses concerns regarding how higher education leaders should comply with Title IV, Higher Education Act (HEA) policies for students whose activities are impacted by the coronavirus and COVID-19:

  • Either directly because the student is ill or quarantined, or 
  • Indirectly because the student was recalled from travel-abroad experiences, can no longer participate in internships or clinical rotations, or attends a campus that has temporarily suspended operations.

This information provides some flexibility for schools working to help students complete the term in which they are currently enrolled. Some of the most important changes to note:

  • Federal Work Study (FWS)
    For students enrolled and performing FWS at a campus that must close due to COVID-19, or for a FWS student who works for an employer that closes as a result of COVID-19, the institution may continue paying the student federal work-study wages during that closure if it occurred after the beginning of the term, the institution is continuing to pay its other employees (including faculty and staff), and the institution continues to meet its institutional wage share requirement.
  • Length of academic year
    If at any point an institution determines it will close as the result of a campus health emergency, it may contact the school participation team to request a temporary reduction in the length of its academic year.
  • Professional judgement
    Financial aid administrators (FAA) have statutory authority to use professional judgement to make adjustments on a case-by-case basis to the cost of attendance or to the data elements used in calculating the EFC to reflect a student’s special circumstances. The use of professional judgement where students and/or their families have been affected by COVID-19 is permitted, such as in the case where an employer closes for a period of time as a result of COVID-19. 
  • Reentering the same payment period
    If an institution that has closed subsequently re-opens during the same payment period or period of enrollment, and permits students to continue coursework that they were taking at the time of the closure, students that return to class at that time are considered to have reentered the same period and retain eligibility for Title IV aid that they were otherwise eligible to receive before the closure.

We highly recommend you read the full letter, as it outlines additional important details and includes recently added FAQ documents.

Questions? Please contact Renee Bishop, Sarah Belliveau, or Mark LaPrade. We’re here to help.

For further reading
Guidance for interruptions of study related to Coronavirus (COVID-19) 
FAQs
COVID-19 ("Coronavirus") Information and Resources for Schools and School Personnel
 

Blog
Guidance from the US Department of Education Dear Colleague Letter

The President signed The Families First Coronavirus Response Act (hereinafter the “Act”) into law on March 18th and the provisions are effective April 2nd. You can read the congressional summary here. There are two provisions of the Act that deal with paid leave provisions for employees. Here are some highlights for employers.

The provisions of the Act are only required for employers with fewer than 500 employees. Employers with over 499 employees are not required to provide the sick/family leave contained in the Act, but could voluntarily elect to follow the new rules. The expectation is that employers with over 499 employees are providing some level of sick/family leave benefits already. In any case, employers with over 499 employees are not eligible for the tax credits. 

Employers with fewer than 500 employees are required to provide employees with up to 80 hours of paid sick leave over a two-week period if the employee:

  • Self-isolates because of a diagnosis with COVID-19, or to comply with a recommendation or order to quarantine;
  • Obtains a medical diagnosis or care if the employee is experiencing COVID-19 symptoms;
  • Needs to care for a family member who is self-isolating due to a COVID-19 diagnosis or quarantining due to COVID-19 symptoms; or
  • Is caring for a child whose school has closed, or childcare provider is unavailable, due to COVID-19.

These rules apply to all employees regardless of the length of time they have worked for the employer. The 80-hours would be pro-rated for those employees who do not normally work a 40-hour week. 

Employees who take leave because they themselves are sick (i.e., the first two bullets above) can receive up to $511 per day, with an aggregate limit of $5,110. If, on the other hand, an employee takes leave to care for a child or other family member (i.e., the last two bullets above), the employee will be paid two-thirds (2/3) of their regular weekly wages up to a maximum of $200 per day, with an aggregate limit of $2,000.

Days when an individual receives pay from their employer (regular wages, sick pay, or other paid time off) or unemployment compensation do not count as leave days for the purposes of this benefit.

Family and Medical Leave Act

Employees who have been employed for at least 30-days also have the right to take up to 12 weeks of job-protected leave under the Family and Medical Leave Act (FMLA). The Act requires that 10 of these 12 weeks (i.e., after the sick leave discussed above is taken) be paid at a rate of no less than two-thirds of the employee’s usual rate of pay. Any leave taken under this portion of the ACT will be limited to $200 per day with an aggregate limit of $10,000.

Exemptions

The Secretary of Labor has the authority to issue regulations exempting: (1) certain healthcare providers and emergency responders from taking leave under the Act; and (2) small businesses with fewer than 50 employees from the requirements of the Act if it would jeopardize the viability of the business.

Expiration

The provisions of the Act are set to expire on December 31, 2020, and unused time will not carry over from one year to the next.

Tax credits 

The Act provides for refundable tax credits to help an employer cover the costs associated with providing paid emergency sick leave or paid FMLA. The tax credits work as follows:

  • A refundable tax credit for employers equal to 100 percent of qualified family leave wages paid under the Act.
  • A refundable tax credit for employers equal to 100 percent of qualified paid sick leave wages paid under the Act. 
  • The tax credits are taken on Form 941 – Employer’s Quarterly Federal Income Tax Return filed for the calendar quarter when the leave is taken and reduce the employer’s portion of the Social Security taxes due. If the credit exceeds the employer’s total liability for Social Security taxes for all employees for any calendar quarter, the excess credit is refundable to the employer.

For more information

We are here to help. Please contact our benefit plan consultants if you have any questions or would like to discuss your specific situation. 

Blog
Highlights of the recently passed paid sick and family leave act: What you need to know

Editor's note: read this if you are a CFO, controller, accountant, or business manager.

We auditors can be annoying, especially when we send multiple follow-up emails after being in the field for consecutive days. Over the years, we have worked with our clients to create best practices you can use to prepare for our arrival on site for year-end work. Time and time again these have proven to reduce follow-up requests and can help you and your organization get back to your day-to-day operations quickly. 

  1. Reconcile early and often to save time.
    Performing reconciliations to the general ledger for an entire year's worth of activity is a very time consuming process. Reconciling accounts on a monthly or quarterly basis will help identify potential variances or issues that need to be investigated; these potential variances and issues could be an underlying problem within the general ledger or control system that, if not addressed early, will require more time and resources at year-end. Accounts with significant activity (cash, accounts receivable, investments, fixed assets, accounts payable and accrued expenses and debt), should be reconciled on a monthly basis. Accounts with less activity (prepaids, other assets, accrued expenses, other liabilities and equity) can be reconciled on a different schedule.
  2. Scan the trial balance to avoid surprises.
    As auditors, one of the first procedures we perform is to scan the trial balance for year-over-year anomalies. This allows us to identify any significant irregularities that require immediate follow up. Does the year-over-year change make sense? Should this account be a debit balance or a credit balance? Are there any accounts with exactly the same balance as the prior year and should they have the same balance? By performing this task and answering these questions prior to year-end fieldwork, you will be able to reduce our follow up by providing explanations ahead of time or by making correcting entries in advance, if necessary. 
  3. Provide support to be proactive.
    On an annual basis, your organization may go through changes that will require you to provide us documented contractual support.  Such events may include new or a refinancing of debt, large fixed asset additions, new construction, renovations, or changes in ownership structure.  Gathering and providing the documentation for these events prior to fieldwork will help reduce auditor inquiries and will allow us to gain an understanding of the details of the transaction in advance of performing substantive audit procedures. 
  4. Utilize the schedule request to stay organized.
    Each member of your team should have a clear understanding of their role in preparing for year-end. Creating columns on the schedule request for responsibility, completion date and reviewer assigned will help maintain organization and help ensure all items are addressed and available prior to arrival of the audit team. 
  5. Be available to maximize efficiency. 
    It is important for key members of the team to be available during the scheduled time of the engagement.  Minimizing commitments outside of the audit engagement during on site fieldwork and having all year-end schedules prepared prior to our arrival will allow us to work more efficiently and effectively and help reduce follow up after fieldwork has been completed. 

Careful consideration and performance of these tasks will help your organization better prepare for the year-end audit engagement, reduce lingering auditor inquiries, and ultimately reduce the time your internal resources spend on the annual audit process. See you soon. 

Blog
Save time and effort—our list of tips to prepare for year-end reporting

Editor’s note: read this if you work for, or are affiliated with, a charitable organization that receives donations. Even the most mature nonprofit organizations may miss one of these filings once in a while. Some items (e.g., the donor acknowledgement letter) may feel commonplace, but a refresher—especially at a particularly busy time of the year as it pertains to giving—can fend off fines.

As the holiday season is now in full swing, the season of giving is also upon us. Perhaps not surprisingly, the month of December is by far the most charitable month of the year, accounting for almost one-third of all charitable gifts made annually. And with all that giving comes the requirement of charitable organizations to provide donor acknowledgements, a formal “thank you” of the gift being received. Different gifts require differing levels of acknowledgement, and in some cases an additional IRS form (or two) may need to be filed. Doing some work now may save you time (and a fine or two) later. 

While children are currently busy making lists for Santa Claus, in the spirit of giving we present to you our list of donor acknowledgement requirements―and best practices―to help you gain control of this issue for the holiday season and beyond.

Donor acknowledgement letters

Charitable (i.e., 501(c)(3)) organizations are required to provide a donor acknowledgement letter to each donor contributing $250 or more to the organization, whether it be cash or non-cash items (i.e., publicly traded securities, real estate, artwork, vehicles, etc.) received. The letter should include the following: 

  1. Name of the organization
  2. Amount of cash contribution
  3. Description of non-cash items (but not the value) 
  4. Statement that no goods and services were provided (assuming this is the case)
  5. Description and good faith estimate of the value of goods and services provided by the organization in return for the contribution, if any
  6. Statement that goods or services provided by the organization in return for the contribution consisted entirely of intangible religious benefit, if any

It is not necessary to include either the donor’s social security number or tax identification number on the written acknowledgment and as a best practice should not be included in the letter.

In addition to including the elements above, the written acknowledgement is also required to be contemporaneous, that is, sent out in a timely fashion. According to the IRS, a donor must receive the acknowledgment by the earlier of:

  • The date on which the donor actually files his or her individual federal income tax return for the year of the contribution
  • The due date (including extensions) of the return in order to be considered contemporaneous

Quid pro quo disclosure statements

When a donor makes a payment greater than $75 to a charitable organization partly as a contribution and partly as a payment for goods and services, a disclosure statement is required to notify the donor of the value of the goods and services received in order for the donor to determine the charitable contribution component of their payment.

An example of this would be if the organization sold tickets to its annual fundraising dinner event. Assume the ticket costs $100 and at the event the ticketholder receives a dinner valued at $40. In this example, the donor’s tax deduction may not exceed $60. Because the donor’s payment (quid pro quo contribution) exceeds $75, the charitable organization must furnish a disclosure statement to the donor, even though the deductible amount doesn’t exceed $75.

It’s important to note that there are some exclusions to these requirements if the value received is considered to be de minimis (known as the Token Exception), but the value received needs to be relatively small (ex: receiving a coffee mug with a picture of the organization’s logo on it). Please consult your tax advisor for more details.

If the organization does not issue disclosure statements, the IRS can issue penalties of $10 per contribution, not to exceed $5,000 per fundraising event or mailing. An organization may be able to avoid the penalty if reasonable cause can be demonstrated.

Receiving or selling donated noncash property? Forms 8283 & 8282 may be required.

If a charitable organization receives noncash donations, it may be asked to sign Form 8283. This form is required to be filed by the donor and included with their personal income tax return. If a donor contributes noncash property (excluding publicly traded securities) valued at over $5,000, the organization will need to sign Form 8283, Section B, Part IV acknowledging receipt of the noncash item(s) received.

By signing Form 8283, the donee organization is not only acknowledging receipt, but is also affirming that if the property being received is sold, exchanged, or otherwise disposed of within three years of the original donation date, the organization will be required to file Form 8282. A copy of this form is filed with the IRS and must also be provided to the original donor. Form 8282 is not required for sales of donated publicly traded securities. The penalty for failure to file Form 8282 when required is generally $50 per form.

Cars, boats, and yes, even airplanes? That would be Form 1098-C.

An airplane? Yes, even an airplane can be donated, and the donee organization must file a separate Form 1098-C, Contributions of Motor Vehicles, Boats, and Airplanes, with the IRS for each contribution of a qualified vehicle that has a claimed value of more than $500. Contemporaneous written acknowledgement requirements apply here too, and Form 1098-C can act as acknowledgement for this purpose. An acknowledgment is considered contemporaneous if it is furnished to the donor no later than 30 days after the date of the contribution if you plan to use the item for a mission-related purpose, or 30 days after the date of the sale of the item to an unrelated third party.

Penalties for failure to provide contemporaneous written acknowledgement for qualified vehicles can be pretty stiff, generally calculated as a percentage of the sale price if sold, or a percentage of the claimed value if not sold. Should you have any questions or receive a request regarding any of the forms noted above, please consult your tax advisor.

As you can see, the rules around donor acknowledgements can seem a lot like Grandma’s fruitcake―complex and perhaps a bit on the nutty side. When issuing donor acknowledgements this holiday season and beyond, be sure to review the list above and check it twice. Doing so may end up keeping you off of the IRS’s naughty list!

Blog
Donor acknowledgements: We have to file what?

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on a State Medicaid Enterprise System (MES) certification effort.

On October 24, 2019, the Centers for Medicaid and Medicare Services (CMS) published the Outcomes-Based Certification (OBC) guidance for the Electronic Visit Verification (EVV) module. Now, CMS is looking to bring the OBC process to the rest of the Medicaid Enterprise. 

The shift from a technical-focused certification to a business outcome-focused approach presents a unique opportunity for states as they begin re-procuring—and certifying—their Medicaid Enterprise Systems (MES).

Once you have defined the scope of your MES project—and know you need to undertake CMS certification—you need to ask “what’s next?” OBC can be a more efficient certification process to secure Federal Financial Participation (FFP).

What does OBC certification entail?

Rethinking certification in terms of business outcomes will require agencies to engage business and operations units at the earliest possible point of the project development process to define the program goals and define what a successful implementation is. One way to achieve this is to consider MES projects in three steps. 

Three steps to OBC evaluation

Step 1: Define outcomes

The first step in OBC planning seems easy enough: define outcomes. But what is an outcome? To answer that, it’s important to understand what an outcome isn’t. An outcome isn’t an activity. Instead, an outcome is the result of the activity. For example, the activity could be procuring an EVV solution. In this instance, an outcome could be that the state has increased the ability to detect fraud, waste, and abuse through increased visibility into the EVV solution.

Step 2: Determine measurements

The second step in the OBC process is to determine what to measure and how exactly you will measure it. Deciding what metrics will accurately capture progress toward the new outcomes may be intuitive and therefore easy to define. For example, a measure might simply be that each visit is captured within the EVV solution.

Increasing the ability to detect fraud, waste, and abuse could simply be measured by the number of cases referred to a Medicaid fraud unit or dollars recovered. However, you may not be able to easily measure that in the short-term. Instead, you may need to determine its measurement in terms of an intermediate goal, like increasing the number of claims checked against new data as a result of the new EVV solution. By increasing the number of checked claims, states can ensure that claims are not being paid for unverified visits. 

Step 3: Frequency and reporting

Finally, the state will need to determine how often to report to measure success. States will need to consider the nuances of their own Medicaid programs and how those nuances fit into CMS’ expectations, including what data is available at what intervals.

OBC represents a fundamental change to the certification process, but it’s important to highlight that OBC isn’t completely unfamiliar territory. There is likely to be some carry-over from the certification process as described in the Medicaid Enterprise Certification Toolkit (MECT) version 2.3. The current Medicaid Enterprise Certification (MEC) checklists serve as the foundation for a more abbreviated set of criteria. New evaluation criteria will look and feel like the criteria of old but are likely to be a fraction of the 741 criteria present in the MECT version 2.3.

OBC offers several benefits to states as you navigate federal certification requirements:

  1. You will experience a reduction in the amount of time, effort, and resources necessary to undertake the certification process. 
  2. OBC refocuses procurement in terms of enhancements to the program, not in new functions. Consequently, states will also be able to demonstrate the benefits that each module brings to the program which can be integral to stakeholder support of each module. 
  3. Early adoption of the OBC process can allow you to play a more proactive role in certification efforts.

Continue to check back for a series of our project case studies. Additionally, if you are considering an OBC effort and have questions, please contact our team. You can read the OBC guidance on the CMS website here
 

Blog
Three steps to outcomes-based certification

Editor's note: Read this if you are a CTO, CIO, or administrator at a college or university. This is the first blog in a series on business lessons and best practices from American literature. For this series, interviewees select from a list of American literary quotes through which to view, and discuss, their focus or industry. The goal? To generate some novel insight.

The interviewees: David Houle and Joseph Traino, consultants at BerryDunn
The focus: Higher education
The quote: “Our inventions are wont to be pretty toys . . . They are but improved means to an unimproved end.”  -- Henry David Thoreau, Walden; or, Life in the Woods

Thoreau wrote this shortly after the Industrial Revolution. How does its cynicism apply to higher education during the Digital Revolution?

David Houle (DH): It speaks to my basic philosophy about applying technology to the needs of higher education clients. I’m not a “technology for the sake of technology” cheerleader. 

Joseph Traino (JT): People often believe that applying new technology to a business problem is going to solve the business problem. That rarely happens. For example, most higher education clients have a student information system. These clients often feel that, in order to resolve certain issues, they should update the system software, whereas the issues are often resolved by updating business practices to be more efficient and effective. 

DH: Right. We are often brought in to identify needed technology changes but end up stressing practices, processes, and people. If staff can’t correctly use a new technology, then the technology will not provide a real, valuable service.

When implementing a new technology, what’s the #1 thing that a higher education institution can do to prevent or avoid “an unimproved end”?

JT: Fully understand the technology’s impact on stakeholders, such as students, faculty, and staff, and answer the “why?”

DH: Keep people in mind and gain their buy-in when making technology decisions.

What technology, or technology-related change, is going to have the biggest effect on higher education over the next five years?

DH: Clients love to ask us this question (laughs). And if I truly knew the answer, I’d be on some Caribbean island right now, filthy rich and sipping a piña colada. That said, I think the technology demands of the new workforce are going to have the biggest effect. To paraphrase the new workforce: “I don’t want to stare at a green screen. And what in the world is DOS?” Conversely, the personnel who used to support these homegrown, in-house “green screen” products want to retire and leave the workforce. 

JT: I agree that the demands of the new workforce will continue to affect higher education and steer institutions away from term-based courses and programs and toward more flexible, student-centric courses and programs. From a technology standpoint, I think AI and bots are going to replace many of the manual processes that we still see today in higher education. These new technologies will create greater efficiencies—but also possibly reduce jobs—at institutions.

DH: Higher education leaders with vision have already grasped this idea of cutting administrative costs wherever possible, because those costs are not what place students in seats—or in front of screens. On the flip side, advising is currently an underserved area in higher education. So there is an opportunity for leaders to reallocate administrative resources to fulfill advising roles and to help students—such as at-risk and first-generation students—not just in the classroom, but through their learning journey.

Circling back to the Thoreau quote, I’m sure many higher education staff fear technology will lead to “unimproved ends” for their careers. How do you navigate those fears when working with clients? 

JT: It’s certainly a challenge. We currently face some of those fears when working with IT departments—more services are being moved to the cloud, and there is less of a need for on-site database administrators and system administrators, as an example. Alluding to what Dave said about advising, I think many higher education jobs can be shifted to provide interactive high-tech, high-touch services to students.

DH: And to be blunt, some people don’t want to shift, don’t want to change. The people part is the most challenging part of technology adoption. 

In this discussion about technology, we keep returning to people—and the people side of change. Are higher education clients typically responsive to the concept of change management?

JT: There’s typically some reticence, and a lack of understanding about the value of change management. In most cases, change management requires an investment beyond the technology investment. But change management is key to success. 

DH: Reticence is a good word. Yet I do think that views about change management are changing rapidly. Higher education leaders who have been through a significant system or process change now seem to understand the value of change management and know that change management is a necessity, not a luxury. 

In the end, are you confident that new technology is going to benefit students and their educational goals? 

DH: I’m unsure if technology improves the quality of education. However, I am sure that technology increases the options for the delivery of education. And greater flexibility in education delivery is certainly beneficial, especially because the traditional student is now non-traditional. Ongoing and 24/7 access demands in education are here to stay.

JT: I agree with Dave wholeheartedly. I think technology will help improve the means to the end, but I’m not sure if technology is going to improve the end. Technology is just one part of the education equation. 
 

Blog
Technology ≠ Education

Editor's note: read this blog if you are a state liquor administrator or at the C-level in state government. 

Surprisingly, the keynote address to this year’s annual meeting of the National Alcohol Beverage Control Association (NABCA) featured few comments on, well, alcohol. 

Why? Because cannabis is now the hot topic in state government, as consumers await its legalization. While the thought of selling cannabis may seem foreign to some state administrators, many liquor agencies are―and should be―watching. The fact is, state liquor agencies are already equipped with expertise and the technology infrastructure needed to lawfully sell a controlled substance. This puts them in a unique position to benefit from the industry’s continued growth. Common technology includes enterprise resource planning (ERP) and point-of-sale (POS) systems.

ERP

State liquor agencies typically use an ERP system to integrate core business functions, including finance, human resources, and supply chain management. Whether the system is handling bottles of wine, cases of spirits, or bags of cannabis, it is capable of achieving the same business goals. 

The existing checks and balances on controlled substances like alcohol in their current ERP system translate well to cannabis products. This leads to an important point: state governments do not need to procure a new IT system solely for regulating cannabis.

By leveraging existing ERP systems, state liquor agencies can sidestep much of the time, effort, and expense of selecting, procuring, and implementing a new system solely for cannabis sales and management. In control states, where the state has exclusively control of alcohol sales, liquor agencies are often involved in every stage of product lifecycle, from procurement to distribution to retailing.

With a few modifications, the spectrum of business functions that control states require for liquor—procuring new product, communicating with vendors and brokers, tracking inventory, and analyzing sales—can work just as well for cannabis.

POS

POS systems are necessary for most retail stores. If a state liquor agency decides to sell cannabis products in stores, they can use a POS system to integrate with the agency’s ERP system, though store personnel may require training to help ensure compliance with related regulations.

Cannabis is cash only (for now)

There is one major difference in conducting liquor versus cannabis sales at any level: currently states conduct all cannabis sales in cash. With cannabis illegal on the federal level, major banks have opted to decline any deposit of funds earned from cannabis-related sales. While some community banks are conducting cannabis-related banking, many retailers selling recreational cannabis in places like Colorado and California still deal in cash. While risky and not without challenges, these transactions are possible and less onerous to federal regulators. 

Taxes 

As markets develop, monthly tax revenue collections from cannabis continue to grow. Colorado and California have found cannabis-related tax revenue a powerful tool in hedging against uncertainty in year-over-year cash flows. Similar to beer sold wholesale, which liquor agencies tax even in control states, cannabis can be taxed at multiple levels depending on the state’s business model.

E-commerce

Even with liquor, few state agencies have adopted direct-to-consumer online sales. However, as other industries continue shifting toward e-commerce and away from brick and mortar retailing, private sector competition will likely feed increased consumer demand for online sales. Similar to ERP and POS systems, states can increase revenue by selling cannabis through e-commerce sales channels. In today’s online retail world, many prefer to buy products from their computer or smart phone instead of shopping in stores. State agencies should consider selling cannabis via the web to maximize this revenue opportunity. 

Applying expertise in the systems and processes of alcoholic beverage control can translate into the sale and regulation of cannabis, easing the transition states face to this burgeoning industry. If your agency is considering bringing in cannabis under management, you should consider strategic planning sessions and even begin a change management approach to ensure your agency adapts successfully. 

Blog
Considering cannabis: How state liquor agencies can manage the growing industry

This spring, I published a blog about the importance of data governance in higher education institutions. In the summer, a second blog covered implementing baseline principles for data governance. With fall upon us, it is time to transition to discussing three critical steps to create a data governance culture. 

1.    Understand the people side of change.

The culture of any organization begins and ends with its people. As you know, people are notoriously finicky when it comes to change (especially change like data governance initiatives that may alter the way we have to understand or interact with institutional data). I recommend that any higher education institution apply a change management methodology (e.g., Prosci®, Lewin’s Change Management Model) in order to gauge the awareness of, the desire for, and the practical realities of this change. If you apply your chosen methodology in an effective and consistent manner, change management will help you increase buy-in and break down resistance. 

2.    Identify and empower the right people for the right roles.

Higher education institutions often focus on data governance processes and technologies. While this is necessary, you can’t overlook the people part of data governance. In fact, you can argue it is the most important part, because without people, there will be no one to follow the processes you create or use the technologies you implement. 

To find the right people, you need to identify and establish three specific roles for your institution: data trustees, data stewards, and data managers. Once you have organized these roles and responsibilities, data governance becomes easier to manage. Some definitions:

Data trustees (the sponsors) – senior leadership (or designees) who oversee data policy, planning, and management. Their responsibilities include: 

  • Promoting data governance 
  • Approving and updating data policies​​
  • Assigning and overseeing data stewards
  • Being responsible for data governance

Data stewards (the owners) – directors, managers, associate deans, or associate vice presidents who manage one or more data types. Their responsibilities include:

  • Applying and overseeing data governance policies in their functional areas
  • Following legal requirements pertaining to data in their functional areas
  • Classifying data and identifying data safeguards
  • Being accountable for data governance

Data managers (the caretakers) – data system managers, senior data analysts, or functional users (registrar, financial aid, human resources, etc.) who perform day-to-day data collection and management operations. Their responsibilities include:

  • Implementing data governance policies in their functional areas
  • Resolving data issues in their functional areas 
  • Provide training and appropriate documentation to data users
  • Being informed and consulted about data governance

3.    Be consistent and hold people accountable.

Ultimately, your data governance team needs accountability in order to thrive. Therefore, it is up to data trustees, data stewards, and data managers to hold regular meetings, take and distribute meeting notes, and identify and follow up on meeting action items. Without this follow through, data governance initiatives will likely stall or stop altogether. 

More information on data governance 

Are you still curious about additional guiding principles of data governance in higher education? Please contact the team
 

Blog
People Power: Enacting Sustainable Data Governance

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where considerations of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third-party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to explain to customers and clients answers and explanations you may not have. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.1  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies likely have language in contracts that already establish requirements for third-parties related to IT security; however the enforcement of such requirements and awareness of what is written in the contract is not enforced or is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements in place to defend themselves against third-party risk which includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR) which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to any citizen of EU’s personal information. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.2  Gone are the days where regulations lacked the teeth to force companies into compliance. 

With thanks to other major data breaches where hundreds of millions’ consumers private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ. 

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Ohio, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter your line of business must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.3 While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data we have available to us is not used.4 Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies and in many cases data’s existence and location is unknown by the organizations that have it. 

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit of investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders). 

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwarting hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.5 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.6  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.6 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Blog
Five IT risks everyone should be aware of

Editor’s note: If you are a higher education CFO, CIO, CTO or other C-suite leader, this blog is for you.

The Gramm-Leach-Bliley Act (GLBA) has been in the news recently as the Federal Trade Commission (FTC) has agreed to extend a deadline for public comment regarding proposed changes to the Safeguards Rule. Here’s what you need to know.

GLBA, also known as the Financial Modernization Act, is a 1999 federal law providing rules to financial institutions for protecting consumer information. Colleges and universities fall under this act because they conduct financial activities (e.g., administration of financial aid, loans, and other financial services).

Under the Safeguards Rule financial Institutions must develop, implement, and maintain a comprehensive information security program that consists of safeguards to handle customer information.

Proposed changes

The FTC is proposing five modifications to the Safeguards Rule. The new act will:

  • Provide more detailed guidance to impacted institutions regarding how to develop and implement specific aspects of an overall information security program.
  • Improve the accountability of an institution’s information security programs.
  • Exempt small business from certain requirements.
  • Expand the definition of “financial institutions” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
  • Propose to include the definition of “financial institutions” and related examples in the rule itself rather than cross-reference them from a related FTC rule (Privacy of Consumer Financial Information Rule).

Potential impacts for your institution

The Federal Register, Volume 84, Number 65, published the notice of proposed changes that once approved by the FTC would add more prescriptive rules that could have significant impact on your institution. For example, these rules would require institutions to:

  1. Expand existing security programs with additional resources.
  2. Produce additional documentation.
  3. Create and implement additional policies and procedures.
  4. Offer various forms of training and education for security personnel.

The proposed rules could require institutions to increase their commitment in time and staffing, and may create hardships for institutions with limited or challenging resources.

Prepare now

While these changes are not final and the FTC is requesting public comment, here are some things you can do to prepare for these potential changes:

  • Evaluate whether your institution is compliant to the current Safeguards Rule.
  • Identify gaps between current status and proposed changes.
  • Perform a risk assessment.
  • Ensure there is an employee designated to lead the information security program.
  • Monitor the FTC site for final Safeguard Rules updates.

In the meantime, reach out to us if you would like to discuss the impact GLBA will have on your institution or if you would like assistance with any of the recommendations above. You can view a comprehensive list of potential changes here.

Source: Federal Trade Commission. Safeguards Rule. Federal Register, Vol. 84, No. 65. FTC.gov. April 4, 2019. https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Blog
Higher ed: GLBA is the new four-letter word, but it's not as bad as you think

Read this if you are a police executive, city/county administrator, or elected government official, responsible for a law enforcement agency. 

“We need more cops!”  

Do your patrol officers complain about being short-staffed or too busy, or that they are constantly running from call to call? Does your agency struggle with backed-up calls for service (CFS) or lengthy response times? Do patrol staff regularly find themselves responding to another patrol area to handle a CFS because the assigned officer is busy on another call? Are patrol officers denied leave time or training opportunities because of staffing issues? Does the agency routinely use overtime to cover predictable shift vacancies for vacations, holidays, or training? 

If one or more of these concerns sound familiar, you may need additional patrol resources, as staffing levels are often a key factor in personnel deployment challenges. Flaws in the patrol schedule design may also be responsible, as they commonly contribute to reduced efficiency and optimal performance, and design issues may be partially responsible for some of these challenges, regardless of authorized staffing levels.
 
With community expectations at an all-time high, and resource allocations remaining relatively flat, many agencies have growing concerns about managing increasing service volumes while controlling quality and building/maintaining public trust and confidence. Amid these concerns, agencies struggle with designing work schedules that efficiently and optimally deploy available patrol resources, as patrol staff become increasingly frustrated at what they consider a lack of staff.

The path to resolving inefficiencies in your patrol work schedule and optimizing the effective deployment of patrol personnel requires thoughtful consideration of several overarching goals:

  • Reducing or eliminating predictable overtime
  • Eliminating peaks and valleys in staffing due to scheduled leave
  • Ensuring appropriate staffing levels in all patrol zones or beats
  • Providing sufficient staff to manage multiple and priority CFS in patrol zones or beats
  • Satisfying both operational and staff needs, including helping to ensure a proper work/life balance and equitable workloads for patrol staff

Scheduling alternatives

One common design issue that presents an ongoing challenge for agencies is the continued use of traditional, balanced work schedules, which spread officer work hours equally over the year. Balanced schedules rely on over-scheduling and overtime to manage personnel allocation and leave needs and, by design, are very rigid. Balanced work schedules have been used for a very long time, not because they’re most efficient, but because they’re common, familiar, and easily understood―and because patrol staff are comfortable with them (and typically reluctant to change). However, short schedules offer a proven alternative to balanced patrol work schedules, and when presented with the benefits of an alternative work schedule design (e.g., increased access to back-up, ease of receiving time off or training, consistency in staffing, less mandatory overtime), many patrol staff are eager to change.

Short schedules

Short schedules involve a more contemporary design that includes a flexible approach that focuses on a more adaptive process of allocating personnel where and when they are needed. They are significantly more efficient than balanced schedules and, when functioning properly, they can dramatically improve personnel deployments, bring continuity to daily staffing, and reduce overtime, among other operational benefits. Given the current climate, most agencies are unlikely to receive substantial increases in personnel allocations. If that is true of your agency, it may be time to explore the benefits of alternative patrol work schedules.

A tool you can use

Finding scheduling strategies that work in this climate requires an intentional approach, customized to your agency’s characteristics (e.g., staffing levels, geographic factors, crime rates, zone/beat design, contract/labor rules). To help guide you through this process, BerryDunn has developed a free tool for evaluating patrol schedules. Click here to measure your patrol schedule against key design components and considerations.

If you are curious about alternative patrol work schedules, our dedicated justice and public Safety consultants are available to discuss your organization’s needs.

Blog
Efficient police patrol work schedules―By design

In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all  institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

BerryDunn’s Rick Gamache recently published several blog articles on incident response that are relevant to the recent cyberattacks. Below I have provided several of his points tailored to higher education leaders to help them prepare for cybersecurity incidents at their institutions.

What are some examples of incidents that managers need to prepare for?

Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with higher education institutions. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons. Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest security teams include staff members outside of IT. When you’re responding to incidents, you want people who can look at a problem or situation from an external perspective, not just a technical or operational perspective within IT. These team members can help answer questions such as, what does the world see when they look at our institution? What institutional information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?

I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?

There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities, so your team can assign and track tasks.

Any other tips for developing incident response plans?

First, managers should work with, and solicit feedback from across the academic and administrative areas within the institution when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your institution’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your students and external stakeholders in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your institution. The last thing you want is students and stakeholders receiving conflicting messages about the incident. 

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?

Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should institutions have dedicated incident response teams?

Definitely. Institutions should identify and staff teams using internal resources. Some institutions may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, institutions should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every institution can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your institution about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?

Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a hackathon. The word can elicit negative or concerned reactions. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the institution for another, higher-paying job. I think you should be committed to the growth of your team members―it’ll only make your institution more secure.

What are some best practices managers should follow when reporting incidents to their leadership?

Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in an institutional context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the institution. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

How much institution-wide communication should there be about incidents?

That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole institution know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire institution about an incident, refer to your Legal Department. In general, institution-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: senior leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

What are the key takeaways for higher education leaders?

Here are key takeaways to help higher education leaders prepare for and respond appropriately to cybersecurity incidents:

  1. Understand your institution’s current cybersecurity environment. 
    Questions to consider: Do you have Chief Information Security Officer (CISO) and/or a dedicated cybersecurity team at your institution? Have you conducted the appropriate audits and assessments to understand your institution’s vulnerabilities and risks?
  2. Ensure you are prepared for cybersecurity incidents. 
    Questions to consider: Do you have a cybersecurity plan with the appropriate response, communication, and recovery plans/processes? Are you practicing your plan by walking through tabletop exercises? Do you have incident response teams?

Higher education continues to face growing threats of cybersecurity attacks – and it’s no longer a matter of if, but when. Leaders can help mitigate the risk to their institutions by proactively planning with incident response plans, communication plans, and table-top exercises. If you need help creating an incident response plan or wish to speak to us regarding preparing for cybersecurity threats, please reach out to us.
 

Blog
Cyberattacks in higher education—How prepared are you?

Phew! We did it—The Medicaid Enterprise Systems Conference (MESC) 2019 is one for the books! And, it was a great one. Here is my perspective on objectives and themes that will guide our work for the year.

Monday 

My day started in the fog—I live on an island in Maine, take a boat to get into Portland, and taxi to the airport. Luckily, I got to Portland, and, ultimately Chicago, on time and ready to go. 

Public Sector Technology Group (PSTG) meeting

At the PSTG meetings, we reviewed activities from the previous year and did some planning for the coming year. Areas for consideration included:

  • Modernization Schedule
  • Module Definitions
  • Request for Proposal (RFP) Requirements
  • National Association of State Procurement Officers

Julie Boughn, Centers for Medicare and Medicaid (CMS) Director, Data and Systems Group (DSG) introduced her new boss, Karen Shields, who is the Deputy Director for the Center for Medicaid and CHIP Services (CMCS) within CMS. Karen shared her words of wisdom and encouragement with us, while Julie reminded us that being successful in our work is about the people. CMS also underscored the goal of speeding up delivery of service to the Medicaid program and asking ourselves: “What is the problem we are trying to resolve?” 

CMS’ “You be the State” officer workshop

Kudos to CMS for creating this open environment of knowledge sharing and gathering input.  Areas for discussion and input included:

  • APD Processes
  • Outcomes-Based Certification
  • Increasing and Enhancing Accountability

Tuesday
Opening Plenary

I was very touched by the Girls Inc. video describing the mission of Girls Inc. to inspire girls to be strong, smart, and bold. With organizations like this, and our awareness and action, I am optimistic for the future. Thank you to NESCSO for including this in their opening program.

John Doerr, author of Measure What Matters: OKRs: The Simple Idea that Drives 10x Growth and famed investor, shared his thoughts on how to create focus and efficiency in what we do. Julie’s interview with him was excellent, and I appreciated how John’s Objectives and Key Results (OKR) process prompted Julie to create objectives for what we are trying to do. The objectives Julie shared with us:

  • Improve the quality of our services for users and other stakeholders 
  • Ensure high-quality data is available to manage the program and improve policy making 
  • Improve procurement and delivery of Medicaid technology projects

Sessions

The sessions were well attended and although I can't detail each specific session I attended, I will note that I did enjoy using the app to guide me through the conference. NESCSO has uploaded the presentations. 

Auxiliary meetings

Whether formal or informal, meetings are one of the big values of the conference—relationships are key to everyone’s success, and meeting with attendees in one-on-one environments was incredibly productive. 

Poster session

The poster sessions were excellent. States are really into this event, and it is a great opportunity for the MESC community to engage with the states and see what is going on in the Medicaid Enterprise space.

Wednesday

Some memorable phrases heard in the sessions:

  • Knowledge is power only if you share it
  • We are in this together and want the same outcomes, so let’s share more
  • Two challenges to partnering projects—the two “P”s—are purchasing and personnel
  • Don’t let perfection be the enemy of the good
  • Small steps matter
  • Sharing data is harder than it needs to be—keep in mind the reason for what you are doing

Our evening social event was another great opportunity to connect with the community at MESC and the view of Chicago was beautiful.

Julie Boughn challenged us to set a goal (objective) in the coming year, and, along with it, to target some key results in connection with that goal. Here are some of her conference reflections:

  • Awesome
    • Several State Program and Policy leaders participated at MESC—impressed with Medicaid Director presence and participation
    • Smaller scoped projects are delivering in meeting the desired improved speed of delivery and quality
    • Increased program-technology alignment
  • Not so awesome
    • Pending state-vendor divorces
    • Burden of checklists and State Self-Assessments (SS-As)—will have something to report next year
    • There are still some attempts at very large, multi-year replacement projects—there is going to be a lot of scrutiny on gaining outcomes. Cannot wait five years to change something.

OKRs and request for states and vendors

  • Objective: Improve the quality of services for our users and other stakeholders
    • Key Result (KR): Through test results and audits, all States and CMS can state with precision, the overall accuracy of Medicaid eligibility systems.
    • KR: 100% of State electronic visit verification (EVV) systems are certified and producing annual performance data.
    • KR: 100% of States have used CMS-required testing guidance to produce testing results and evidence for their eligibility systems.
  • Objective: Ensure high-quality data is available to manage the program and improve policy making
    • KR: Transformed Medicaid Statistical Information System (T-MSIS) data is of sufficient quality that it is used to inform at least one key national Medicaid policy decision that all states have implemented.
    • KR:  Eliminate at least two state reporting requirements because T-MSIS data can be used instead.
    • KR: At least five states have used national or regional T-MSIS data to inform their own program oversite and/or policy-making decisions.
  • Objective: Improve how Medicaid technology projects are procured and delivered
    • KR: Draft standard language for outcomes metrics for at least four Medicaid business areas.
    • KR:  Five states make use of the standard NASPO Medicaid procurement.
    • KR:  CMS reviews of RFPs and contracts using NASPO vehicle are completed within 10 business days.
    • KR:  Four states test using small incremental development phases for delivery of services.
  • Request: Within 30 days, states/vendors will identify at least one action to take to help us achieve at least one of the KRs within the next two years.

Last thoughts

There is a lot to digest, and I am energized to carry on. There are many follow-up tasks we all have on our list. Before we know it, we’ll be back at next year’s MESC and can check in on how we are doing with the action we have chosen to help meet CMS’s requirements. See you in Boston!

Blog
MESC 2019―Reflections and Daily Recap

Editor’s note: If you are a state government CFO, CIO, project or program manager, this blog is for you. 

This is the second blog post in the blog series: “Procuring Agile vs. Non-Agile Service”. Read the first blog. This blog post demonstrates the differences in Stage 1: Plan Project in the five stages of procuring agile vs. non-agile services.

Overview of Procurement Process for Agile vs. Non-Agile IT Services

What is important to consider in agile procurement?

Here are some questions that can help focus the planning for procurement of IT services for agile vs. non-agile projects.

Plan Project Considerations for Agile vs. Non-Agile IT Services

Why are these considerations important?

When you procure agile IT services, you can define the scope of your procurement around a vision of what your organization intends to become, as opposed to being restricted to an end-date for a final delivery.

In an agile project, you get results iteratively; this allows you to constantly reassess requirements throughout the project, including the project plan, the guiding principles, and the project schedule. Your planning is not restricted to considering the effect of one big result at the end of the project schedule. Instead, your plan allows for sequencing of changes and improvements that best reflect the outcomes and priorities your organization needs

Since planning impacts the people-aspect of your strategy, it is important to consider how various teams and stakeholders will provide input, and how you will make ongoing communication updates throughout the project. With an agile procurement project, your culture will shift, and you will need a different approach to planning, scheduling, communicating, and risk management. You need to communicate daily, allowing for reviewing and adjusting priorities and plans to meet project needs. 

How do you act on these considerations?

A successful procurement plan of agile IT services should include the following steps:

  1. Develop a project charter and guiding principles for the procurement that reflect a vision of how your organization’s teams will work together in the future
  2. Create a communication plan that includes the definition of project success and communicates project approach
  3. Be transparent about the development strategy, and outline how iterations are based on user needs, that features will be re-prioritized on an ongoing basis, and that users, customers, and stakeholders are needed to help define requirements and expected outcomes
  4. Provide agile training to your management, procurement, and program operation teams to help them accept and understand the project will present deliverables in iterations, to include needed features, functionality and working products
  5. Develop requirements for the scope of work that align with services and outcomes you want, rather than documented statements that merely map to your current processes 

What’s next? 

Now that you have gained insight into the approach to planning an agile project, consider how you may put this first stage into practice in your organization. Stay tuned for guidance on how to execute the second stage of the procurement process—how to draft the RFP. Our intention is that, following this series, your organization will better understand how to successfully procure and implement agile services. If you have questions or comments, please contact our team.
 

Blog
Plan agile projects: Stage 1

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on a State Medicaid Enterprise System (MES) certification effort.

Measuring performance of Medicaid Enterprise Systems (MES) is emerging as the next logical step in moving Medicaid programs toward modularity. As CMS continues to refine and implement outcomes-based modular certification, it is critical that states adapt to this next step in order to continue to meet CMS funding requirements.

This measurement, in terms of program outcomes, presents a unique set of challenges, many of which a state may not have considered before. A significant challenge is determining how and where to begin measuring program outcomes―to meet it, states can leverage a trusted, independent partner as they undertake an outcomes-based effort.

Outcomes-based planning can be thought of as a three-step process. First, and perhaps most fundamental, is to define outcomes. Second, you need to determine what measurements will demonstrate progress toward achieving those outcomes. And the final step is to create reporting measurements and their frequency. Your independent partner can help you answer these critical questions and meet CMS requirements efficiently by objectively guiding you toward realizing your goals.

  1. Defining Outcomes
    When defining an outcome, it is important to understand what it is and what it isn’t. An outcome is a benefit or added value to the Medicaid program. It is not an output, which is a new or enhanced function of a new MES module. An output is the product that supports the outcome. For example, the functionality of a new Program Integrity (PI) module represents an output. The outcome of the new PI module could be that the Medicaid program continuously improves based on data available because of the new PI module. Some outcomes may be intuitive or obvious. Others may not be as easy to articulate. Regardless, you need to direct the focus of your state and solution vendor teams on the outcome to uncover what the underlying goal of your Medicaid program is.
     
  2. Determining Measurements
    The second step is to measure progress. Well-defined Key Performance Indicators (KPIs) will accurately capture progress toward these newly defined outcomes. Your independent partner can play a key role by posing questions to help ensure the measurements you consider align with CMS’ goals and objectives. Additionally, they can validate the quality of the data to ensure accuracy of all measurements, again helping to meet CMS requirements.
     
  3. Reporting Measurements
    Finally, your state must decide how―and how often―to report on outcomes-based measurements. Your independent partner can collaborate with both your state and CMS by facilitating conversations to determine how you should report, based on a Medicaid program’s nuances and CMS’ goals. This can help ensure the measurements (and support information) you present to CMS are useful and reliable, giving you the best chance for attaining modular certification.

Are you considering an outcomes-based CMS modular certification, or do you have questions about how to best leverage an independent partner to succeed with your outcomes-based modular certification effort? BerryDunn’s extensive experience as an independent IV&V and Project Management Office (PMO) partner includes the first pilot outcomes-based certification effort with CMS. Please visit our IV&V and certification experts at our booth at MESC 2019 or contact our team now.

Blog
Three steps to measure Medicaid Enterprise Systems outcomes

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer.

As CMS moves away from the monolithic Medicaid Management Information System (MMIS) toward an outcomes-based approach that includes a modular Medicaid Enterprise System (MES), there is now more emphasis on system integration (SI). 

In the August 16, 2016 letter, State Medicaid Director (SMD) #16-010, CMS clarified the role of the system integrator (SI) by stating:

CMS envisions a discrete role for the system integrator (SI) in each state, with specific focus on ensuring the integrity and interoperability of the Medicaid IT architecture and cohesiveness of the various modules incorporated into the Medicaid enterprise. 

While the importance of the SI role is apparent, not all states have the resources to build the SI capability within their own organizations. Some state Medicaid IT teams try to solve this by delegating management roles to vendors or contractors. This approach has various risks. A state could lose:

  • Institutional knowledge, as vendors and contractors transition off the project
  • Control of governance, oversight, and leadership
  • The ability to enforce contractual requirements across each vendor, especially the SI

In addition, the ramifications of loss of state accountability can have wide-reaching implementation, operational, and financial impacts, including:

  • The loss of timely decision making, causing projects to fall behind schedule
  • State-specific policy needs not being met, impacting how the MMIS functions in production 
  • Poor integration into the state-specific Operation and Maintenance (O&M) support model, increasing the state’s portion of long-term O&M costs
  • Inefficient and ineffective contract management of each module vendor and contractor (including the SI), possibly leading to unneeded change requests and cost overruns
  • Lack of coordination with the state’s business or IT roadmap initiatives (i.e., system consolidation or cloud migration vendor/approach), possibly leading to rework and missed opportunities to reduce cost or improve interoperability 

Apply strong governance and IV&V to tackle risks

Because the SI vendor is responsible for the integration of multiple modules across multiple vendors, you may consider delegating oversight of module vendors to the SI vendor. 

The major benefit states get from using the SI vendor is efficiency. Having your vendor as the central point of contact can quickly resolve technical issues, while allowing easy coordination of project tasks across each module vendor on a continual basis. 

If you choose to use a vendor for the SI role, establish safeguards and governance to make sure your goals are being met:

  • Build a project-specific governance model (executive committee [EC]) to oversee the vendors and the project
  • Establish a regular meeting cadence for the EC to allow for status updates on milestones and discuss significant project risks and issues 
  • Allocate state resources into project leadership roles (i.e., project manager, vendor contract manager, security lead, testing/Quality Assurance lead, etc.)
  • Conduct regular (weekly) SI status meetings to track progress and address risks and issues 

You also need a strong, involved governance structure that includes teams of state senior leadership, state program managers, SI vendor engagement/contract managers, and Independent Verification and Validation (IV&V) vendors. By definition, one responsibility of IV&V is to identify and monitor project risks and issues that could arise from a lack of independence. 

Your governance teams can debate decisions and disputes, risks and issues, and federal compliance issues with their vendors to define direction and action plans. However, a state representative within these teams should always make the final management decisions, approve all SI scope items and changes, and approve all contractual deliverables from each vendor or contractor.

Your state staff (business and IT) provides project management decision, business needs, requirements (functional and non-functional), policy guidance, and continuity as the vendors and/or contractors change over time. 

The conclusion? In order to be successful, you must retain certain controls and expertise to deploy and operate a successful MMIS system. Our consultants understand the need to keep you in control of managing key portions of implementation projects/programs and operational tasks. If you have questions, please contact BerryDunn’s Medicaid team.  
 

Blog
Risks when using vendors to manage Medicaid system implementation projects

Read this if you are a City/County Administrator, Building Official, Community Development Director, Planning Director, Development Services Manager or work with customers providing a service for a fee.

Planning and development service fees are, for many municipalities, often discussed but rarely changed. There are a number of reasons you might need to consider or defend your fee structure―complaints from developers, rising costs of operation, and changes in code or process are just a few. 

But when is the right time for a formal review of your service fees? There are several key organizational factors that should prompt an in-depth study of your fees, either internally or with the assistance of an objective advisor. It may be time for an update if:

  • You’re considering a new permitting system. New technology may streamline your workflows, simplify processes for your customers, or necessitate changes in your staffing. All of these secondary changes can impact the cost of your services. In addition, if you’re anticipating significant changes to your fee structure or methodology (e.g., moving to full cost recovery), you’ll want to configure your new system to support that going forward.
  • You have an enterprise development fund. Development fees are collected to cover the cost of providing a service. The methodology you use to charge fees should be based on defensible formulas that can withstand the scrutiny of your customers and cover the cost to provide the service. In addition, reserve funds should be adequate to ensure your development service is funded through the completion of the project. 
  • The regulations in your municipality are changing. Perhaps your organization is moving to a unified or form-based code or making changes to the International Building or Fire Codes. Changes in the process and requirements for development may require a reevaluated fee structure.
  • It’s been a while. Even if your organization is not experiencing any significant or sweeping change, small shifts can accumulate over the years, resulting in significant fee adjustments that may be tough for you to implement and for your customers to understand. Periodically reviewing service demand and benchmarking your individual fees against those of neighboring communities can help to avoid sticker shock.

If any of these scenarios sound familiar, you may want to consider a fee review, which may consist of benchmarking against similar jurisdictions. Not sure what level of review your organization needs? Our dedicated government consultants include former planners and community development leaders who have walked in your shoes and can talk through the considerations with you.
 

Blog
When time is money: Reviewing your planning and development service fees

Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, State Procurement Officer, or work in a State Medicaid Program Integrity Unit.

The Centers for Medicare & Medicaid Services (CMS) issued a Payment Error Rate Measurement (PERM) Final Rule on July 5, 2017, that made several changes to the PERM requirements. One important change was the updates to the Medicaid Eligibility Quality Control (MEQC) requirement. 

The Final Rule restructures the MEQC program into a pilot program that requires states to conduct eligibility reviews during the two years between PERM cycles. CMS has also introduced the potential for imposing disallowances or reductions in federal funding percentage (FFP) as a result of PERM eligibility error rates that do not meet the national standard. One measure states can use to lessen the chance of this happening is by successfully carrying out the requirements of the MEQC pilot. 

What states should know―important points to keep in mind regarding MEQC reviews:

  • Each state must have a team in place to conduct MEQC reviews. The individuals responsible for the MEQC reviews and associated activities must be separate from the state agencies and personnel responsible for Medicaid and Children’s Health Insurance Program (CHIP) policy and operations, including eligibility determinations.
  • States can apply for federal funding to help cover the costs of the MEQC activities. CMS encourages states to partner with a contractor in conducting the MEQC reviews.
  • The deadline to submit the state planning document to CMS is November 1 following the end of your state’s PERM cycle. If you are a Cycle 2 state, your MEQC planning document is due by November 1, 2019. 
  • If you are a Cycle 1 state, you are (or should be) currently undergoing the MEQC reviews.
  • There are minimum sample size requirements for the MEQC review period: 400 negative cases and 400 active cases (consisting of both Medicaid and CHIP cases) over a period of 12 months.
  • Upon conclusion of all MEQC reviews, states must submit a final findings report along with a corrective action plan that addresses all error findings identified during the MEQC review period.

CMS encourages states to utilize federal funding to carry out and fulfill MEQC requirements. BerryDunn has staff with experience in preparing Advanced Planning Documents (APD) and can assist your state in submitting an APD request to CMS for these MEQC activities. 

Check out the previously released blog, “PERM: Prepared or Not Prepared?” and stay tuned for upcoming blogs about specific PERM topics, including the financial impacts of PERM, and how each review phase will affect your state.   

For questions or to find out more, contact the team

Blog
PERM: Does MEQC affect states?

Read this if you are an Institutional Research (IR) Director, a Registrar, or are in the C-Suite.

In my last blog, I defined the what and the why of data governance, and outlined the value of data governance in higher education environments. I also asserted data isn’t the problem―the real culprit is our handling of the data (or rather, our deferral of data responsibility to others).

While I remain convinced that data isn’t the problem, recent experiences in the field have confirmed the fact that data governance is problematic. So much, in fact, that I believe data governance defies a “solid,” point-in-time solution. Discouraged? Don’t be. Just recalibrate your expectations, and pursue an adaptive strategy.

This starts with developing data governance guiding principles, with three initial points to consider: 

  1. Key stakeholders should develop your institution’s guiding principles. The team should include representatives from areas such as the office of the Registrar, Human Resources, Institutional Research, and other significant producers and consumers of institutional data. 
  2. The focus of your guiding principles must be on the strategic outcomes your institution is trying to achieve, and the information needed for data-driven decision-making.
  3. Specific guiding principles will vary from institution to institution; effective data governance requires both structure and flexibility.

Here are some baseline principles your institution may want to adopt and modify to suit your particular needs.

  • Data governance entails iterative processes, attention to measures and metrics, and ongoing effort. The institution’s governance framework should be transparent, practical, and agile. This ensures that governance is seen as beneficial to data management and not an impediment.
  • Governance is an enabler. The institution’s work should help accomplish objectives and solve problems aligned with strategic priorities.
  • Work with the big picture in mind. Start from the vantage point that data is an institutional asset. Without an institutional asset mentality it’s difficult to break down the silos that make data valuable to the organization.
  • The institution should identify data trustees and stewards that will lead the data governance efforts at your institution
    • Data trustees should have responsibility over data, and have the highest level of responsibility for custodianship of data.
    • Data stewards should act on behalf of data trustees, and be accountable for managing and maintaining data.
  • Data quality needs to be baked into the governance process. The institution should build data quality into every step of capture and entry. This will increase user confidence that there is data integrity. The institution should develop working agreements for sharing and accessing data across organizational lines. The institution should strive for processes and documentation that is consistent, manageable, and effective. This helps projects run smoothly, with consistent results every time.
  • The institution should pay attention to building security into the data usage cycle. An institution’s security measures and practices need to be inherent in the day-to-day management of data, and balanced with the working agreements mentioned above. This keeps data secure and protected for the entire organization.
  •  Agreed upon rules and guidelines should be developed to support a data governance structure and decision-making. The institution should define and use pragmatic approaches and practical plans that reward sustainability and collaboration, building a successful roadmap for the future. 

Next Steps

Are you curious about additional guiding principles? Contact me. In the meantime, keep your eyes peeled for a future blog that digs deeper into the roles of data trustees and stewards.
 

Blog
Governance: It's good for your data

Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer.

When I was growing up, my dad would leave the Bureau of Motor Vehicles or hang up the phone after talking with the phone company and say sarcastically, “I’m from the government (or the phone company) and I’m here to help you. Yeah, right.” I could hear the frustration in his voice. As I’ve gotten older, I understand the hassle of dealing with bureaucracy, where the red tape can make things more difficult than they need to be, and where customers don’t come first. It doesn’t have to be that way.

In my role performing Independent Verification and Validation (IV&V) at BerryDunn, I hear the same skepticism in the voices of some of my clients. I can hear them thinking, “Let me get this straight… I’m spending millions of dollars to replace my old Medicaid Management Information System (MMIS), and the Centers for Medicare and Medicaid Services (CMS) says I have to hire an IV&V consultant to show me what I am doing wrong? I don’t even control the contract. You’re here to help me? Yeah, right.” Here are some things to assuage your doubt. 

Independent IV&V―what they should do for you and your organization

An independent IV&V partner that is invested in your project’s success can:

  • Enhance your system implementation to help you achieve compliance
  • Help you share best practice experience in the context of your organization’s culture to improve efficiency in other areas
  • Assist you in improving your efficiency and timeliness with project management capabilities.

Even though IV&V vendors are federally mandated from CMS, your IV&V vendor should also be a trusted partner and advisor, so you can achieve compliance, improve efficiency, and save time and effort. 

Not all IV&V vendors are equal. Important things to consider:

Independence―independent vendors are a good place to start, as they are solely focused on your project’s success. They should not be selling you software or other added services, push vendor affiliations, or rubber stamp CMS, nor the state. You need a non-biased sounding board, a partner willing to share lessons learned from experience that will help your organization improve.

Well-rounded perspective―IV&V vendors should approach your project from all perspectives. A successful implementation relies on knowledge of Medicaid policy and processes, Medicaid operations and financing, CMS certification, and project management.

“Hello, we are IV&V from BerryDunn, and we are here to help.”

BerryDunn offers teams that consist of members with complementary skills to ensure all aspects of your project receive expert attention. Have questions about IV&V? Contact our team.
 

Blog
We're IV&V and we are here to help you improve your Medicaid organization

Federal contractors with the Centers for Medicare & Medicaid Services (CMS) have begun performing Payment Error Rate Measurement (PERM) reviews under the Final Rule issued in July 2017—a rule that many states may not realize could negatively impact their Medicaid budgets.

PERM is a complex process—states must focus on several activities over a recurring three-year period of time—and states may not have the resources needed to make PERM requirements a priority. However, with the Final Rule, this PERM eligibility review could have financial implications. 

After freezing the eligibility measurement for four years while undergoing pilot review, CMS has established new requirements for the eligibility review component and made significant changes to the data processing and medical record review components. As part of the Final Rule, CMS may implement reductions in the amount of federal funding provided to a state’s Medicaid and Children’s Health Insurance Program (CHIP) programs based on the error rates identified from the eligibility reviews. 

Since the issuance of the Final Rule in July 2017, Cycle 1 states are the first group of states to undergo a PERM cycle, including reviews of the data processing, medical record, and eligibility components. These states are wrapping up the final review activities, and Cycle 2 states are in the early stages of their PERM reviews.

How can your state prepare?

Whether your state is a Cycle 1, Cycle 2, or Cycle 3 state, there are multiple activities your Medicaid departments should engage in throughout each three-year period of time during and between PERM cycles: 

  • Analyzing prior errors cited or known issues, along with the root cause of the error
  • Identifying remedies to reduce future errors
  • Preparing and submitting required questionnaires and documents to the federal contractors for an upcoming review cycle
  • Assisting federal contractors with current reviews and findings
  • Preparing for and undergoing Medicaid Eligibility Quality Control (MEQC) planning and required reviews
  • Corrective action planning

Is your state ready?

We’ve compiled a few basic questions to gauge your state’s readiness for the PERM review cycle:

  • Do you have measures in place to ensure all eligibility factors under review are identifiable and that all federal and state regulations are being met? The eligibility review contractor (ERC) will reestablish eligibility for all beneficiaries sampled for review. This process involves confirming all verification requirements are in the case file, income requirements are met, placement in an accurate eligibility category has taken place, and the timeframe for processing all determinations meets federal and state regulations. 
  • Do you have up-to-date policy and procedures in place for determining and processing Medicaid or CHIP eligibility of an individual? Ensuring eligibility policies and procedures meet federal requirements is just as important as ensuring the processing of applications, including both system and manual actions, meet the regulations. 
  • Do you have up-to-date policy, procedures, and system requirements in place to ensure accurate processing of all Medicaid/CHIP claims? Reviewers will confirm the accuracy of all claim payments based on state and federal regulations. Errors are often cited due to the claims processing system allowing claims to pay that do not meet regulations.
  • Do you have a dedicated team in place to address all PERM requirements to ensure a successful review cycle? This includes staff to answer questions, address review findings, and respond to requests for additional information. During a review cycle, the federal contractors will cite errors based on their best understanding of policies and/or ability to locate required documentation. Responding to requests for information or reviewing and responding to findings in a timely manner should be a priority to ensure accurate findings. 
  • Have you communicated all PERM requirements and updates to policy changes to all Medicaid/CHIP providers? Providers play two integral roles in the success of a PERM review cycle. Providers must understand all claims submission requirements in order to accurately submit claims. Additionally, the medical record review component relies on providers responding to the request for the medical records on a sampled claim. Failure to respond will result in an error. Therefore, states must maintain communication with providers to stress the importance of responding to these requests.
  • Have you begun planning for the MEQC requirement? Following basic requirements identified by CMS during your state’s MEQC period, your state must submit a case planning document to CMS for approval prior to the MEQC review period. After the MEQC review, your state should be prepared to issue findings reports, including a corrective action plan as it relates to MEQC findings.

Need help piloting your state’s PERM review process?

BerryDunn has subject matter experts experienced in conducting PERM reviews, including a thorough understanding of all three PERM review components—eligibility, data processing, and medical record reviews. 

We would love to work with your state to see that measures are in place that will help ensure the lowest possible improper payment error rate. Stay tuned for upcoming blogs where we will discuss other PERM topics, including MEQC requirements, the financial impacts of PERM, and additional details related to each phase of PERM. For questions or to find out more, please email me
 

Blog
PERM: Prepared or not prepared?

Proposed House bill brings state income tax standards to the digital age

On June 3, 2019, the US House of Representatives introduced H.R. 3063, also known as the Business Activity Tax Simplification Act of 2019, which seeks to modernize tax laws for the sale of personal property, and clarify physical presence standards for state income tax nexus as it applies to services and intangible goods. But before we can catch up on today, we need to go back in time—great Scott!

Fly your DeLorean back 60 years (you’ve got one, right?) and you’ll arrive at the signing of Public Law 86-272: the Interstate Income Act of 1959. Established in response to the Supreme Court’s ruling on Northwestern States Portland Cement Co. v. Minnesota, P.L. 86-272 allows a business to enter a state, or send representatives, for the purposes of soliciting orders for the sale of tangible personal property without being subject to a net income tax.

But now, in 2019, personal property is increasingly intangible—eBooks, computer software, electronic data and research, digital music, movies, and games, and the list goes on. To catch up, H.R. 3063 seeks to expand on 86-272’s protection and adds “all other forms of property, services, and other transactions” to that exemption. It also redefines business activities of independent contractors to include transactions for all forms of property, as well as events and gathering of information.

Under the proposed bill, taxpayers meet the standards for physical presence in a taxing jurisdiction, if they:

  1.  Are an individual physically located in or have employees located in a given state; 
  2. Use the services of an agent to establish or maintain a market in a given state, provided such agent does not perform the same services in the same state for any other person or taxpayer during the taxable year; or
  3. Lease or own tangible personal property or real property in a given state.

The proposed bill excludes a taxpayer from the above criteria who have presence in a state for less than 15 days, or whose presence is established in order to conduct “limited or transient business activity.”

In addition, H.R. 3063 also expands the definition of “net income tax” to include “other business activity taxes”. This would provide protection from tax in states such as Texas, Ohio and others that impose an alternate method of taxing the profits of businesses.

H.R. 3063, a measure that would only apply to state income and business activity tax, is in direct contrast to the recent overturn of Quill Corp. v. North Dakota, a sales and use tax standard. Quill required a physical presence but was overturned by the decision in South Dakota v. Wayfair, Inc. Since the Wayfair decision, dozens of states have passed legislation to impose their sales tax regime on out of state taxpayers without a physical presence in the state.

If enacted, the changes made via H.R. 3063 would apply to taxable periods beginning on or after January 1, 2020. For more information: https://www.congress.gov/bill/116th-congress/house-bill/3063/text?q=%7B%22search%22%3A%5B%22hr3063%22%5D%7D&r=1&s=2
 

Blog
Back to the future: Business activity taxes!

As the Project Management Body of Knowledge® (PMBOK®) explains, organizations fall along a structure and reporting spectrum. On one end of this spectrum are functional organizations, in which people report to their functional managers. (For example, Finance staff report to a Finance director.) On the other end of this spectrum are projectized organizations, in which people report to a project manager. Toward the middle of the spectrum lie hybrid—or matrix—organizations, in which reporting lines are fairly complex; e.g., people may report to both functional managers and project managers. 

Problem: Weak Matrix Medicaid System Vendors

This brings us to weak matrix organizations, in which functional managers have more authority than project managers. Many Medicaid system vendors happen to fall into the weak matrix category, for a number of different reasons. Yet the primary factor is the volume and duration of operational work—such as provider enrollment, claims processing, and member enrollment—that Medicaid system vendors perform once they exit the design, development, and implementation (DDI) phase.

This work spans functional areas, which can muddy the reporting waters. Without strong and clear reporting lines to project managers, project success can be seriously (and negatively) affected if the priorities of the functional leads are not aligned with those of the project. And when a weak matrix Medicaid system vendor enters a multi-vendor environment in which it is tasked with implementing a system that will serve multiple departments and bureaus within a state government, the reporting waters can become even muddier.


Solution: Using a Project Management Office (PMO) Vendor

Conversely, consulting firms that provide Project Management Office (PMO) services to government agencies tend to be strong matrix organizations, in which project managers have more authority over project teams and can quickly reallocate team members to address the myriad of issues that arise on complex, multi-year projects to help ensure project success. PMOs are also typically experienced at creating and running project governance structures and can add significant value in system implementation-related work across government agencies.

Additional benefits of a utilizing a PMO vendor include consistent, centralized reporting across your portfolio of projects and the ability to quickly onboard subject matter expertise to meet program and project needs. 
For more in-depth information on the benefits of using a PMO on state Medicaid projects, stay tuned for my second blog in this series. In the meantime, feel free to send your PMO- or Medicaid-related questions to me
 

Blog
The power of the PMO: Fixing the weak matrix

As your organization works to modernize and improve your Medicaid Enterprise System (MES), are you using independent verification and validation (IV&V) to your advantage? Does your relationship with your IV&V provider help you identify high-risk project areas early, or provide you with an objective view of the progress and quality of your MES modernization initiative? Maybe your experience hasn’t shown you the benefits of IV&V. 

If so, as CMS focuses on quality outcomes, there may be opportunities for you to leverage IV&V in a way that can help advance your MES to increase the likelihood of desired outcomes for your clients. 

According to 45 Code of Federal Regulations (CFR) § 95.626, IV&V may be required for Advanced Planning Document (APD) projects that meet specific criteria. That said, what is the intended role and benefit of IV&V? 

To begin, let’s look at the meaning of “verification” and “validation.” The Institute of Electrical and Electronics Engineers, Inc. (IEEE) Standard for Software Verification and Validation (1012-1998) defines verification as, “confirmation of objective evidence that the particular requirements for a specific intended use are fulfilled.” Validation is “confirmation of objective evidence that specified requirements have been fulfilled.” 

Simply put, verification and validation ensure the right product is built, and the product is built right. 
As an independent third party, IV&V should not be influenced by any vendor or software application. This objectivity means IV&V’s perspective is focused on benefiting your organization. This support includes: 

  • Project management processes and best practices support to help increase probability of project success
  • Collaboration with you, your vendors, and stakeholders to help foster a positive and efficient environment for team members to interact 
  • Early identification of high-risk project areas to minimize impact to schedule, cost, quality, and scope 
  • Objective examination of project health in order for project sponsors, including the federal government, to address project issues
  • Impartial analysis of project health that allows state management to make informed decisions 
  • Unbiased visibility into the progress and quality of the project effort to increase customer satisfaction and reduce the risk and cost of rework
  • Reduction of errors in delivered products to help increase productivity of staff, resulting in a more efficient MES 

Based on our experience, when a trusted relationship exists between state governments and IV&V, an open, collaborative dialogue of project challenges—in a non-threatening manner—allows for early resolution of risks. This leads to improved quality of MES outcomes.    

Is your IV&V provider helping you advance the quality of your MES? Contact our team.

Blog
Leveraging IV&V to achieve quality outcomes

Editor’s note: If you are a state government CFO, CIO, project or program manager, this blog is for you.

What is the difference in how government organizations procure agile vs. non-agile information technology (IT) services? (Learn more about agile here).

In each case, they typically follow five stages through the process as shown in Figure A:
 

Figure A: Overview of Procurement Process for Agile vs. Non-Agile IT Services

However, there are differences in how these stages are carried out if procuring agile vs. non-agile IT services. 

Unfortunately, most government organizations are unaware of these differences, which could result in unsuccessful procurements and ultimately not meeting your project’s needs and expectations. 
This blog series will illustrate how to strategically adjust the standard stages outlined in Figure A to successfully procure agile IT services.

Stage 1: Plan project
In Stage 1, you define the scope of the project by identifying what your organization wants, needs, and can achieve within the available timeframe and budget. You then determine the project’s objectives while strategically considering their impact on your organization before developing the RFP. Figure B summarizes the key differences between the impacts of agile vs. non-agile services to consider in this stage.


Figure B: Plan Project for Agile vs. Non-Agile IT Services

The nuances of planning for agile services reflect an organization’s readiness for a culture shift to a continuous process of development and deployment of software and system updates. 

Stage 2: Draft RFP
In Stage 2, as part of RFP drafting, define the necessary enhancements and functionality needed to achieve the project objectives determined in Stage 1. You then translate these enhancements and functionalities into business requirements. Requirement types might include business needs as functionality, services, staffing, deliverables, technology, and performance standards. Figure C summarizes the key differences between drafting the RFP for a project procuring agile vs. non-agile services.


Figure C: Draft RFP for Agile vs. Non-Agile IT Services

In drafting the RFP, the scope of work emphasizes expectations for how your team and the vendor team will work together, the terms of how progress will be monitored, and the description of requirements for agile tools and methods.

Stage 3: Issue RFP
In Stage 3, issue the RFP to the vendor community, answer vendor questions, post amendments, and manage the procurement schedule. Since this stage of the process requires you to comply with your organization’s purchasing and procurement rules, Figure D illustrates very little difference between issuing an RFP for a project procuring agile or non-agile services.


Figure D: Issue RFP for Agile vs. Non-Agile IT Services 

Stage 4: Review proposals
In Stage 4, you evaluate vendor proposals against the RFP’s requirements and project objectives to determine the best proposal response. Figure E summarizes the key differences in reviewing proposals for a project that is procuring agile vs. non-agile services.


Figure E: Reviewing Proposals for Agile vs. Non-Agile IT Services 

Having appropriate evaluation priorities and scoring weights that align with how agile services are delivered should not be under-emphasized. 

Stage 5: Award and implement contract
In Stage 5, you award and implement the contract with the best vendor proposal identified during Stage 4. Figure F summarizes the key differences in awarding and implementing the contract for agile vs. non-agile services.


Figure F:  Award and Implement Contract for Agile vs. Non-Agile Services 

Due to the iterative and interactive requirements of agile, it is necessary to have robust and frequent collaboration among program teams, executives, sponsors, and the vendor to succeed in your agile project delivery.

What’s next?
The blog posts in this series will explain step-by-step how to procure agile services through the five stages, and at the series conclusion, your organization will better understand how to successfully procure and implement agile services. If you have questions or comments, please contact our team.  

Blog
Procuring agile vs. non-agile projects in five stages: An overview

Focus on the people: How higher ed institutions can successfully make an ERP system change

The enterprise resource planning (ERP) system is the heart of an institution’s business, maintaining all aspects of day-to-day operations, from student registration to staff payroll. Many institutions have used the same ERP systems for decades and face challenges to meet the changing demands of staff and students. As new ERP vendors enter the marketplace with new features and functionality, institutions are considering a change. Some things to consider:

  1. Don’t just focus on the technology and make change management an afterthought. Transitioning to a new ERP system takes considerable effort, and has the potential to go horribly wrong if sponsorship, good planning, and communication channels are not in place. The new technology is the easy part of a transition—the primary challenge is often rooted in people’s natural resistance to change.  
  2. Overcoming resistance to change requires a thoughtful and intentional approach that focuses on change at the individual level. Understanding this helps leadership focus their attention and energy to best raise awareness and desire for the change.
  3. One effective tool that provides a good framework for successful change is the Prosci ADKAR® model. This framework has five distinct phases that align with ERP change:

These phases provide an approach for developing activities for change management, preparing leadership to lead and sponsor change and supporting employees through the implementation of the change.

The three essential steps to leveraging this framework:

  1. Perform a baseline assessment to establish an understanding of how ready the organization is for an ERP change
  2. Provide sponsorship, training, and communication to drive employee adoption
  3. Prepare and support activities to implement, celebrate, and sustain participation throughout the ERP transition

Following this approach with a change management framework such as the Prosci ADKAR® model can help an organization prepare, guide, and adopt ERP change more easily and successfully. 

If you’re considering a change, but need to prepare your institution for a healthy ERP transition using change management, chart yourself on this ADKAR framework—what is your organization’s change readiness? Do you have appropriate buy-in? What problems will you face?

You now know that this framework can help your changes stick, and have an idea of where you might face resistance. We’re certified Prosci ADKAR® practitioners and have experience guiding Higher Ed leaders like you through these steps. Get in touch—we’re happy to help and have the experience and training to back it up. Please contact the team with any questions you may have.

1Prosci ADKAR®from http://www.prosci.com

Blog
Perspectives of an Ex-CIO

Law enforcement, courts, prosecutors, and corrections personnel provide many complex, seemingly limitless services. Seemingly is the key word here, for in reality these personnel provide a set number of incredibly important services.

Therefore, it should surprise no one that justice and public safety (J&PS) IT departments should also provide a well-defined set of services. However, these departments are often viewed as parking lots for all technical problems. The disconnect between IT and other J&PS business units often stems from differences in organizational culture and structure, and differing department objectives and goals. As a result, J&PS organizations often experience misperception between business units and IT. The solution to this disconnect and misperception? Defining IT department services.

The benefits of defined IT services

  1. Increased business customer satisfaction. Once IT services align with customer needs, and expectations are established (e.g., service costs and service level agreements), customers can expect to receive the services they agreed to, and the IT department can align staff and skill levels to successfully meet those needs.
  2. Improved IT personnel morale. With clear definition of the services they provide to their customers, including clearly defined processes for customers to request those services, IT personnel will no longer be subject to “rogue” questions or requests, and customers won’t be inclined to circumvent the process. This decreases IT staff stress and enables them to focus on their roles in providing the defined services. 
  3. Better alignment of IT services to organizational needs. Through collaboration between the business and IT organizations, the business is able to clearly articulate the IT services that are, and aren’t, required. IT can help define realistic service levels and associated services costs, and can align IT staff and skills to the agreed-upon services. This results in increased IT effectiveness and reduced confusion regarding what services the business can expect from IT.
  4. More collaboration between IT and the organization. The collaboration between the IT and business units in defining services results in an enhanced relationship between these organizations, increasing trust and clarifying expectations. This collaborative model continues as the services required by the business evolve, and IT evolves to support them.
  5. Reduced costs. J&PS organizations that fail to strategically align IT and business strategy face increasing financial costs, as the organization is unable to invest IT dollars wisely. When a business doesn’t see IT as an enabler of business strategy, IT is no longer the provider of choice—and ultimately risks IT services being outsourced to a third-party vendor.

Next steps
Once a J&PS IT department defines its services to support business needs, it then can align the IT staffing model (i.e., numbers of staff, skill sets, roles and responsibilities), and continue to collaborate with the business to identify evolving services, as well as remove services that are no longer relevant. Contact us for help with this next step and other IT strategies and tactics for justice and public safety organizations.

Blog
The definition of success: J&PS IT departments must define services

This blog is the first in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with ERISA requirements.

On Labor Day, 1974, President Gerald Ford signed the Employee Retirement Income Security Act, commonly known as ERISA, into law. Prior to ERISA, employee pensions had scant protections under the law, a problem made clear when the Studebaker automobile company closed its South Bend, Indiana production plant in 1963. Upon the plant’s closing, some 4,000 employees—whose average age was 52 and average length of service with the company was 23 years—received approximately 15 cents for each dollar of benefit they were owed. Nearly 3,000 additional employees, all of whom had less than 10 years of service with the company, received nothing.

A decade later, ERISA established statutory requirements to preserve and protect the rights of employees to their pensions upon retirement. Among other things, ERISA defines what a plan fiduciary is and sets standards for their conduct.

Who is—and who isn’t—a plan fiduciary?
ERISA defines a fiduciary as a person who:

  1. Exercises discretionary authority or control over the management of an employee benefit plan or the disposition of its assets,
  2. Gives investment advice about plan funds or property for a fee or compensation or has the authority to do so,
  3. Has discretionary authority or responsibility in plan administration, or
  4. Is designated by a named fiduciary to carry out fiduciary responsibility. (ERISA requires the naming of one or more fiduciaries to be responsible for managing the plan's administration, usually a plan administrator or administrative committee, though the plan administrator may engage others to perform some administrative duties).

If you’re still unsure about exactly who is and isn’t a plan fiduciary, don’t worry, you’re not alone. Disagreements over whether or not a person acting in a certain capacity and in a specific situation is a fiduciary have sometimes required legal proceedings to resolve them. Here are some real-world examples.

Employers who maintain employee benefit plans are typically considered fiduciaries by virtue of being named fiduciaries or by acting as a functional fiduciary. Accordingly, employer decisions on how to execute the intent of the plan are subject to ERISA’s fiduciary standards.

Similarly, based on case law, lawyers and consultants who effectually manage an employee benefit plan are also generally considered fiduciaries.

A person or company that performs purely administrative duties within the framework, rules, and procedures established by others is not a fiduciary. Examples of such duties include collecting contributions, maintaining participants' service and employment records, calculating benefits, processing claims, and preparing government reports and employee communications.

What are a fiduciary’s responsibilities?
ERISA requires fiduciaries to discharge their duties solely in the interest of plan participants and beneficiaries, and for the exclusive purpose of providing benefits for them and defraying reasonable plan administrative expenses. Specifically, fiduciaries must perform their duties as follows:

  1. With the care, skill, prudence, and diligence of a prudent person under the circumstances;
  2. In accordance with plan documents and instruments, insofar as they are consistent with the provisions of ERISA; and
  3. By diversifying plan investments so as to minimize risk of loss under the circumstances, unless it is clearly prudent not to do so.

A fiduciary is personally liable to the plan for losses resulting from a breach of their fiduciary responsibility, and must restore to the plan any profits realized on misuse of plan assets. Not only is a fiduciary liable for their own breaches, but also if they have knowledge of another fiduciary's breach and either conceals it or does not make reasonable efforts to remedy it.

ERISA provides for a mandatory civil penalty against a fiduciary who breaches a fiduciary responsibility under ERISA or commits a violation, or against any other person who knowingly participates in such breach or violation. That penalty is equal to 20 percent of the "applicable recovery amount" paid pursuant to any settlement agreement with ERISA or ordered by a court to be paid in a judicial proceeding instituted by ERISA.

ERISA also permits a civil action to be brought by a participant, beneficiary, or other fiduciary against a fiduciary for a breach of duty. ERISA allows participants to bring suit to recover losses from fiduciary breaches that impair the value of the plan assets held in their individual accounts, even if the financial solvency of the entire plan is not threatened by the alleged fiduciary breach. Courts may require other appropriate relief, including removal of the fiduciary.

Over the coming months, we’ll share a series of blogs for employee benefit plan fiduciaries, covering everything from common terminology to best practices for plan documentation, suggestions for navigating fiduciary risks, and more.

Blog
What's in a name? A lot, if you manage a benefit plan.

“The world is one big data problem,” says MIT scientist and visionary Andrew McAfee.

That’s a daunting (though hardly surprising) quote for many in data-rich sectors, including higher education. Yet blaming data is like blaming air for a malfunctioning wind turbine. Data is a valuable asset that can make your institution move.

To many of us, however, data remains a four-letter word. The real culprit behind the perceived data problem is our handling and perception of data and the role it can play in our success—that is, the relegating of data to a select, responsible few, who are usually separated into hardened silos. For example, a common assumption in higher education is that the IT team can handle it. Not so. Data needs to be viewed as an institutional asset, consumed by many and used by the institution for the strategic purposes of student success, scholarship, and more.

The first step in addressing your “big” data problem? Data governance.

What is data governance?

There are various definitions, but the one we use with our clients is “the ongoing and evolutionary process driven by leaders to establish principles, policies, business rules, and metrics for data sharing.”

Please note that the phrase “IT” does not appear anywhere in this definition.

Why is data governance necessary? For many reasons, including:

  1. Data governance enables analytics. Without data governance, it’s difficult to gain value from analytics initiatives which will produce inconsistent results. A critical first step in any data analytics initiative is to make sure that definitions are widely accepted and standards have been established. This step allows decision makers to have confidence in the data being analyzed to describe, predict, and improve operations.
     
  2. Data governance strengthens privacy, security, and compliance. Compliance requirements for both public and private institutions constantly evolve. The more data-reliant your world becomes, the more protected your data needs to be. If an organization does not implement security practices as part of its data governance framework, it becomes easier to fall out of compliance. 
     
  3. Data governance supports agility. How many times have reports for basic information (part-time faculty or student FTEs per semester, for example) been requested, reviewed, and returned for further clarification or correction? And that’s just within your department! Now add multiple requests from the perspective of different departments, and you’re surely going through multiple iterations to create that report. That takes time and effort. By strengthening your data governance framework, you can streamline reporting processes by increasing the level of trust you have in the information you are seeking. Understanding the value of data governance is the easy part/ The real trick is implementing a sustainable data governance framework that recognizes that data is an institutional asset and not just a four-letter word.

Stay tuned for part two of this blog series: The how of data governance in higher education. In the meantime, reach out to me if you would like to discuss additional data governance benefits for your institution.

Blog
Data is a four-letter word. Governance is not.

If you’ve been tasked with leading a high-impact project for your organization, you may find managing the scope, budget and schedule is not enough to ensure project success—especially when you encounter resistance to change. When embarking on large-scale change projects spanning people, processes and technology, appointing staff as “coaches” to help support stakeholders through the change—and to manage resistance to the change—can help increase adoption and buy-in for a new way of doing things.

The first step is to identify candidates for the coaching role. These candidates are often supervisory staff who have credibility in the organization—whether as a subject matter expert, through internal leadership, or from having a history of client satisfaction. Next, you need a work plan to orient them to this role. One critical component is making sure the coaches themselves understand what the change means for their role, and have fully committed before asking them to coach others. They may exhibit initial resistance to the change you will need to manage before they can be effective coaches. According to research done by Prosci®, a leading change management research organization, some of the most common reasons for supervisor resistance in large-scale change projects are:

  • Lack of awareness about and involvement in the change
  • Loss of control or negative impact on job role
  • Increased work load (i.e., lack of time)
  • Culture of change resistance and past failures
  • Impact to their team

You should anticipate encountering these and other types of resistance from staff while preparing them to be coaches. Once coaches buy into the change, they will need ongoing support and guidance to fulfill their role. This support will vary by individual, but may be correlated to what managerial skills they already possess, or don’t. How can you focus on developing coaching skills among your staff for purposes of the project? Prosci® recommends a successful change coach take on the following roles:

  • Communicator—communicate with direct reports about the change
  • Liaison—engage and liaise with the project team
  • Advocate—advocate and champion the change
  • Resistance manager—identify and manage resistance
  • Coach—coach employees through the change

One of the initial tasks for your coaches will be to assess the existing level of change resistance and evaluate what resistance you may encounter. Prosci® identifies three types of resistance management work for your coaches to begin engaging in as they meet with their employees about the change:

  • Resistance prevention―by providing engagement opportunities for stakeholders throughout the project, building awareness about the change early on, and reinforcing executive-level support, coaches can often head off expected resistance.
  • Proactive resistance management―this approach requires coaches to anticipate the needs and understand the characteristics of their staff, and assess how they might react to change in light of these attributes. Coaches can then plan for likely forms of resistance in advance, with a structured mitigation approach.
  • Reactive resistance management―this focuses on resistance that has not been mitigated with the previous two types of resistance management, but instead persists or endures for an extended amount of time. This type of management may require more analysis and planning, particularly as the project nears its completion date.

Do you have candidates in your organization who may need support transitioning into coaching roles? Do you anticipate change resistance among your stakeholders? Contact us and we can help you develop a plan to address your specific challenges.

Blog
How to identify and prepare change management coaches

As a new year is upon us, many people think about “out with the old and in with the new”. For those of us who think about technology, and in particular, blockchain technology, the new year brings with it the realization that blockchain is here to stay (at least in some form). Therefore, higher education leaders need to familiarize themselves with some of the technology’s possible uses, even if they don’t need to grasp the day-to-day operational requirements. Here’s a high-level perspective of blockchain to help you answer some basic questions.

Are blockchain and bitcoin interchangeable terms?

No they aren’t. Bitcoin is an electronic currency that uses blockchain technology, (first developed circa 2008 to record bitcoin transactions). Since 2008, many companies and organizations utilize blockchain technology for a multitude of purposes.

What is a blockchain?

In its simplest terms, a blockchain is a decentralized, digital list (“chain”) of timestamped records (“blocks”) that are connected, secured by cryptography, and updated by participant consensus.

What is cryptography?

Cryptography refers to converting unencrypted information into encrypted information—and vice versa—to both protect data and authenticate users.

What are the pros of using blockchain?

Because blockchain technology is inherently decentralized, you can reduce the need for “middleman” entities (e.g., financial institutions or student clearinghouses). This, in turn, can lower transactional costs and other expenses, and cybersecurity risks—as hackers often like to target large, info-rich, centralized databases.

Decentralization removes central points of failure. In addition, blockchain transactions are generally more secure than other types of transactions, irreversible, and verifiable by the participants. These transaction qualities help prevent fraud, malware attacks, and other risks and issues prevalent today.

What are the cons of using blockchain technology?

Each blockchain transaction requires signature verification and processing, which can be resource-intensive. Furthermore, blockchain technology currently faces strong opposition from certain financial institutions for a variety of reasons. Finally, although blockchains offer a secure platform, they are not impervious to cyberattacks. Blockchain does not guarantee a hacker-proof environment.

How can blockchain benefit higher education institutions?

Blockchain technology can provide higher education institutions with a more secure way of making and recording financial transactions. You can use blockchains to verify and transfer academic credits and certifications, protect student personal identifiable information (PII) while simultaneously allowing students to access and transport their PII, decentralize academic content, and customize learning experiences. At its core, blockchain provides a fresh alternative to traditional methods of identity verification, an ongoing challenge for higher education administration.

As blockchain becomes less of a buzzword and begins to expand beyond the realm of digital currency, colleges and universities need to consider it for common challenges such as identity management, application processing, and student credentialing. If you’d like to discuss the potential benefits blockchain technology provides, please contact me.

Blog
Higher education and blockchain 101: It's not just for bitcoin anymore

Your government agency just signed the contract to purchase and implement a shiny new commercial off-the-shelf (COTS) software to replace your aging legacy software. The project plan and schedule are set; the vendor is ready to begin configuration and customization tasks; and your team is eager to start the implementation process.

You are, in a word, optimistic. But here comes the next phase of the project—the gap analysis, in which your project team and the vendor’s project team test the new software to see how well it fulfills your requirements. Spending sufficient time and energy on the gap analysis increases the likelihood the resulting software is configured to support the desired workflows and processes of the agency, while taking advantage of the software’s features and benefits. Yet this phase can be stressful because it will identify some gaps between what you want and what the software can provide.

While some of the gaps may be resolved by simple adjustments to software configuration, others may not—and can result in major issues impacting project scope, schedule, and/or cost. How do you resolve these major gaps?

Multiple Methods. Don’t let your optimism die on the vine. There are, in fact, multiple ways to address major gaps to keep you on schedule and on budget. They include:

Documenting a change request through a formal change control process. This will likely result in the vendor documenting the results of the new project scope. This, in turn, may impact the project’s schedule and cost. It promotes best practice by formally documenting approved changes to project scope, including any impact on schedule and cost. However, the change request process may take longer than you may originally anticipate, as it includes:

Documenting the proposed change
Scoping the change, including the impact on cost and schedule
Review of the proposed scope change with the project team and vendor
Final approval of the change before the vendor can begin work

Collaborating with the vendor on a solution that fits within the confines of the selected software. With no actual customization required, this may result in a functionality compromise, and may also involve compromise by the project team and the vendor. However, it does not require a formal process to document and approve a change in scope, schedule or cost, since there are no impacts on these triple constraints.

Collaborating with the vendor and internal project stakeholders to redefine business processes. This may or may not result in a change request. It also promotes best practice, as the business processes become more efficient, and are supported by the selected software product without customization. This will require a focus on organizational change management, since the resulting processes are not reflective of the “way things are done today.”

Accepting the gap—and doing nothing. If the gap has little or no impact on business process efficiency or effectiveness, this method is likely the least impactful on the project, as there are no changes to scope, schedule, or cost. However, the concept of “doing nothing” to address the gap may have the same organizational change ramifications as the previous point.

Of course, there are other methods for addressing major software gaps. The BerryDunn team brings experience in facilitating discussions with agencies and their vendors to discuss gaps, their root causes, and possible solutions. We leverage a combination of project management discipline, organizational change management qualifications, and deep expertise to help clients increase the success likelihood for COTS software implementations—while maintaining their vital relationships with vendors.

Blog
Grappling with software gaps

Modernization means different things to different people—especially in the context of state government. For some, it is the cause of a messy chain reaction that ends (at best) in frustration and inefficiency. For others, it is the beneficial effect of a thoughtful and well-planned series of steps. The difference lies in the approach to transition - and states will soon discover this as they begin using the new Comprehensive Child Welfare Information System (CCWIS), a case management information system that helps them provide citizens with customized child welfare services.

The benefits of CCWIS are numerous and impressive, raising the bar for child welfare and providing opportunities to advance through innovative technology that promotes interoperability, flexibility, improved management, mobility, and integration. However, taking advantage of these benefits will also present challenges. Gone are the days of the cookie-cutter, “one-size-fits-all” approach. Here are five facts to consider as you transition toward an effective modernization.

  1. There are advantages and challenges to buying a system versus building a system internally. CCWIS transition may involve either purchasing a complete commercial off-the-shelf (COTS) product that suits the state, or constructing a new system internally with the implementation of a few purchased modules. To decide which option is best, first assess your current systems and staff needs. Specifically, consider executing a cost-benefit analysis of options, taking into account internal resource capabilities, feasibility, flexibility, and time. This analysis will provide valuable data that help you assess the current environment and identify functional gaps. Equipped with this information, you should be ready to decide whether to invest in a COTS product, or an internally-built system that supports the state’s vision and complies with new CCWIS regulations.
     
  2. Employ a modular approach to upgrading current systems or building new systems. The Children’s Bureau—an office of the Administration for Children & Families within the U.S. Department of Health and Human Services—defines “modularity” as the breaking down of complex functions into separate, manageable, and independent components. Using this modular approach, CCWIS will feature components that function independently, simplifying future upgrades or procurements because they can be completed on singular modules rather than the entire system. Modular systems create flexibility, and enable you to break down complex functions such as “Assessment and Intake,” “Case Management,” and “Claims and Payment” into modules during CCWIS transition. This facilitates the development of a sustainable system that is customized to the unique needs of your state, and easily allows for future augmentation.
     
  3. Use Organizational Change Management (OCM) techniques to mitigate stakeholder resistance to change. People are notoriously resistant to change. This is especially true during a disruptive project that impacts day-to-day operations—such as building a new or transitional CCWIS system. Having a comprehensive OCM plan in place before your CCWIS implementation can help ensure that you assign an effective project sponsor, develop thorough project communications, and enact strong training methods. A clear OCM strategy should help mitigate employee resistance to change and can also support your organization in reaching CCWIS goals, due to early buy-in from stakeholders who are key to the project’s success.
     
  4. Data governance policies can help ensure you standardize mandatory data sharing. For example, the Children’s Bureau notes that a Title IV-E agency with a CCWIS must support collaboration, interoperability, and data sharing by exchanging data with Child Support Systems?Title IV-D, Child Abuse/Neglect Systems, Medicaid Management Information Systems (MMIS), and many others as described by the Children’s Bureau.

    Security is a concern due to the large amount of data sharing involved with CCWIS systems. Specifically, if a Title IV-E agency with a CCWIS does not implement foundational data security measures across all jurisdictions, data could become vulnerable, rendering the system non-compliant. However, a data governance framework with standardized policies in place can protect data and surrounding processes.
     
  5. Continuously refer to federal regulations and resources. With the change of systems comes changes in federal regulations. Fortunately, the Children’s Bureau provides guidance and toolkits to assist you in the planning, development, and implementation of CCWIS. Particularly useful documents include the “Child Welfare Policy Manual,” “Data Sharing for Courts and Child Welfare Agencies Toolkit,” and the “CCWIS Final Rule”. A comprehensive list of federal regulations and resources is located on the Children’s Bureau website.

    Additionally, the Children’s Bureau will assign an analyst to each state who can provide direction and counsel during the CCWIS transition. Continual use of these resources will help you reduce confusion, avoid obstacles, and ultimately achieve an efficient modernization program.

Modernization doesn’t have to be messy. Learn more about how OCM and data governance can benefit your agency or organization.

Blog
Five things to keep in mind during your CCWIS transition

Truly effective preventive health interventions require starting early, as evidenced by the large body of research and the growing federal focus on the role of Medicaid in addressing Social Determinants of Health (SDoH) and Adverse Childhood Experiences (ACEs).

Focusing on early identification of SDoH and ACEs, CMS recently announced its Integrated Care for Kids (InCK) model and will release the related Notice of Funding Opportunity this fall.

CMS describes InCK as a child-centered approach that uses community-based service delivery and alternative payment models (APMs) to improve and expand early identification, prevention, and treatment of priority health concerns, including behavioral health issues. The model’s goals are to improve child health, reduce avoidable inpatient stays and out-of-home placement, and create sustainable APMs. Such APMs would align payment with care quality and support provider/payer accountability for improved child health outcomes by using care coordination, case management, and mobile crisis response and stabilization services.

State Medicaid agencies have many things to consider when evaluating this funding opportunity. Building on current efforts and innovations, building or leveraging strong partnerships with community organizations, incentivizing evidence-based interventions, and creating risk stratification of the target population are critical parts of the InCK model. Here are three additional areas to consider:

1. Data. States will need information for early identification of children in the target population. State agencies?like housing, justice, child welfare, education, and public health have this information?and external organizations—such as childcare, faith-based, and recreation groups—are also good sources of early identification. It is immensely complicated to access data from these disparate sources. State Medicaid agencies will be required to support local implementation by providing population-level data for the targeted geographic service area.

  • Data collection challenges include a lack of standardized measures for SDoH and ACEs, common data field definitions, or consistent approaches to data classification; security and privacy of protected health information; and IT development costs.
  • Data-sharing agreements with internal and external sources will be critical for state Medicaid agencies to develop, while remaining mindful of protected health information regulations.
  • Once data-sharing agreements are in place, these disparate data sources, with differing file structures and nomenclature, will require integration. The integrated data must then be able to identify and risk-stratify the target population.

For any evaluative approach or any APM to be effective, clear quality and outcome measures must be developed and adopted across all relevant partner organizations.

2. Eligibility. Reliable, integrated eligibility and enrollment systems are crucial points of identification and make it easier to connect to needed services.

  • Applicants for one-benefit programs should be screened for eligibility for all programs they may need to achieve positive health outcomes.
  • Any agency at which potential beneficiaries appear should also have enrollment capability, so it is easier to access services.

3. Payment models. State Medicaid agencies may cover case management services and/or targeted case management as well as health homes; leverage Early and Periodic Screening, Diagnostic, and Treatment (EPSDT) services; and modify managed care organization contract language to encourage, incent, and in some cases, require services related to the InCK model and SDoH. Value-based payment models, already under exploration in numerous states, include four basic approaches:

  • Pay for performance—provider payments are tied directly to specific quality or efficiency indicators, including health outcomes under the provider organization’s control. 
  • Shared savings/risk—some portion of the organization’s compensation depends on the managed care entity achieving cost savings for the targeted patient population, while realizing specific health outcomes or quality improvement.
  • Pay for success—payment is dependent upon achieving desired outcomes rather than underlying services.
  • Capitated or bundled payments—managed care entities pay an upfront per member per month lump sum payment to an organization for community care coordination activities and link that with fee-for-service reimbursement for delivering value-added services.

By focusing on upstream prevention, comprehensive service delivery, and alternative payment models, the InCK model is a promising vehicle to positively impact children’s health. Though its components require significant thought, strategy, coordination, and commitment from state Medicaid agencies and partners, there are early innovators providing helpful examples and entities with vast Section 1115 waiver development and Medicaid innovation experience available to assist.

As state Medicaid agencies develop and implement primary and secondary prevention, cost savings can be achieved while meaningful improvements are made in children’s lives.

Blog
Three factors state medicaid agencies should consider when applying for InCK funding

Cloud services are becoming more and more omnipresent, and rapidly changing how companies and organizations conduct their day-to-day business.

Many higher education institutions currently utilize cloud services for learning management systems (LMS) and student email systems. Yet there are some common misunderstandings and assumptions about cloud services, especially among higher education administrative leaders who may lack IT knowledge. The following information will provide these leaders with a better understanding of cloud services and how to develop a cloud services strategy.

What are cloud services?

Cloud services are internet-based technology services provided and/or hosted by offsite vendors. Cloud services can include a variety of applications, resources, and services, and are designed to be easily scalable, cost effective, and fully managed by the cloud services vendor.

What are the different types?

Cloud services are generally categorized by what they provide. Today, there are four primary types of cloud services:

Cloud Service Types 

Cloud services can be further categorized by how they are provided:

  1. Private cloud services are dedicated to only one client. Security and control is the biggest value for using a private cloud service.
  2. Public cloud services are shared across multiple clients. Cost effectiveness is the best value of public cloud services because resources are shared among a large number of clients.
  3. Hybrid cloud services are combinations of on-premise software and cloud services. The value of hybrid cloud services is the ability to adopt new cloud services (private or public) slowly while maintaining on-premise services that continue to provide value.

How do cloud services benefit higher education institutions?

Higher education administrative leaders should understand that cloud services provide multiple benefits.
Some examples:

Cloud-Services-for-Higher-Education


What possible problems do cloud services present to higher education institutions?

At the dawn of the cloud era, many of the problems were technical or operational in nature. As cloud services have become more sophisticated, the problems have become more security and business related. Today, higher education institutions have to tackle challenges such as cybersecurity/disaster recovery, data ownership, data governance, data compliance, and integration complexities.

While these problems and questions may be daunting, they can be overcome with strong leadership and best-practice policies, processes, and controls.

How can higher education administrative leaders develop a cloud services strategy?

You should work closely with IT leadership to complete this five-step planning checklist to develop a cloud services strategy: 

1. 

Identify new services to be added or consolidated; build a business case and identify the return on investment (ROI) for moving to the cloud, in order to answer:

• 

What cloud services does your institution already have?

• 

What cloud services does your institution already have?

• 

What services should you consider replacing with cloud services, and why?

• 

How are data decisions being made?

2. 

Identify design, technical, network, and security requirements (e.g., private or public; are there cloud services already in place that can be expanded upon, such as a private cloud service), in order to answer:

• 

Is your IT staff ready to migrate, manage, and support cloud services?

• 

Do your business processes align with using cloud services?

• 

Do cloud service-provided policies align with your institution’s security policies?

• 

Do you have the in-house expertise to integrate cloud services with existing on-premise services?

3. 

Decide where data will be stored; data governance (e.g., on-premise, off-premise data center, cloud), in order to answer:

• 

Who owns the data in the institution’s cloud, and where?

• 

Who is accountable for data decisions?

4. 

Integrate with current infrastructure; ensure cloud strategy easily allows scalability for expansion and additional services, in order to answer:

• 

What integration points will you have between on-premise and cloud applications or services, and can the institution easily implement, manage, and support them?

5. 

Identify business requirements — budget, timing, practices, policies, and controls required for cloud services and compliance, in order to answer:

• 

Will your business model need to change in order to support a different cost model for cloud services (i.e., less capital for equipment purchases every three to five years versus a steady monthly/yearly operating cost model for cloud services)?

• 

Does your institution understand the current state and federal compliance and privacy regulations as they relate to data?

• 

Do you have a contingency plan if its primary cloud services provider goes out of business?

• 

Do your contracts align with institutional, state, and federal guidelines?

Need assistance?

BerryDunn’s higher education team focuses on advising colleges and universities in improving services, reducing costs, and adding value. Our team is well qualified to assist in understanding the cloud “skyscape.” If your institution seeks to maximize the value of cloud services or develop a cloud services strategy, please contact me.

Blog
Cloud services 101: An almanac for higher education leaders

The late science fiction writer (and college professor) Isaac Asimov once said: “I do not fear computers. I fear the lack of them.” Had Asimov worked in higher ed IT management, he might have added: “but above all else, I fear the lack of computer staff.”

Indeed, it can be a challenge for higher education institutions to recruit and retain IT professionals. Private companies often pay more in a good economy, and in certain areas of the nation, open IT positions at colleges and universities outnumber available, qualified IT workers. According to one study from 2016, almost half of higher education IT workers are at risk of leaving the institutions they serve, largely for better opportunities and more supportive workplaces. Understandably, IT leadership fears an uncertain future of vacant roles—yet there are simple tactics that can help you improve the chances of filling open positions.

Emphasize the whole package

You need to leverage your institution’s strengths when recruiting IT talent. A focus on innovation, project leadership, and responsibility for supporting the mission of the institution are important attributes to promote when recruiting. Your institution should sell quality of life, which can be much more attractive than corporate culture. Many candidates are attracted to the energy and activity of college campuses, in addition to the numerous social and recreational outlets colleges provide.

Benefit packages are another strong asset for recruiting top talent. Schools need to ensure potential candidates know the amount of paid leave, retirement, and educational assistance for employees and employee family members. These added perks will pique the interest of many candidates who might otherwise have only looked at salary during the process.

Use the right job title

Some current school vacancies have very specific job titles, such as “Portal Administrator” or “Learning Multimedia Developer.” However, this specificity can limit visibility on popular job posting sites, reducing the number of qualified applicants. Job titles, such as “Web Developer” and “Java Developer,” can yield better search results. Furthermore, some current vacancies include a number or level after the job title (e.g., “System Administrator 2”), which also limits visibility on these sites. By removing these indicators, you can significantly increase the applicant pool.

Focus on service, not just technology

Each year, institutions deploy an increasing number of Software as a Service (SaaS) and hosted applications. As higher education institutions invest more in these applications, they need fewer personnel for day-to-day technology maintenance support. In turn, this allows IT organizations to focus limited resources on services that identify and analyze technology solutions, provide guidance to optimize technology investments, and manage vendor relationships. IT staff with soft skills will become even more valuable to your institution as they engage in more people- and process-centric efforts.

Fill in the future

It may seem like science fiction, but by revising your recruiting and retention tactics, your higher education institution can improve its chances of filling IT positions in a competitive job market. In a future blog, I’ll provide ideas for cultivating staff from your institution via student workers and upcoming graduates. If you’d like to discuss additional staffing tactics, send me an email.

Blog
No science fiction: Tactics for recruiting and retaining higher education IT positions

People are naturally resistant to change. Employees facing organizational change that will impact day-to-day operations are no exception, and they can feel threatened or fearful of what that change will bring. Even more challenging are multiyear initiatives where the project’s completion is years away.

How can your agency or organization help employees prepare for change—and stay motivated for an outcome—many years in the making?


Start With the Individual

Organizational change requires individual change. For the change to be successful and lasting, an agency should apply organizational change management strategies that help lead people to your desired outcome.

With any new project or initiative, people need to understand why the project is happening before they support it. Communicate the reasons for the change—and the benefit to the employee (what’s in it for them)—so each individual is more inclined to actively support the project. Clearly communicating the why at the onset of the project can help employees feel vested in, and part of, the change. As Socrates said, “The secret of change is to focus all your energy, not on fighting the old, but building the new.” A clear vision can inspire each employee’s desire for the “new” to succeed.

Shift to Individual Goals

It’s a challenge to maintain your employees’ motivation for an organizational change occurring over the long haul. Below are some suggestions on how to sustain interest and enthusiasm for multi-year projects:

  1. Break the project down into smaller, specific milestones. Short-term goals highlight important deadlines and create tangible progress points to reach and celebrate. The master project schedule should be an integration of the organizational change management plan and the project management plan so any resource constraints you identify in the project management plan also become an input when identifying change management resources and activity levels. This integration also highlights the importance of key organizational change management milestones and activities in an effort to ensure they are on a parallel tack as traditional project tasks.
  2. Effectively communicate status updates and successes. In large, agency-wide projects, there are often a variety of stakeholders, each with different communication expectations and needs. The methods, content, and frequency of communication will vary accordingly. Develop a communications strategy as part of your organizational change management plan, to identify who will be responsible to send communications, when and how they will be sent, key messages of the communications, and what feedback mechanisms are in place to continue the conversation after initial delivery. For example, the project team needs a different level of detail than the legislature, or the public. Making the content relevant to each stakeholder group is important because it gives each group what they need to know so they don’t drown in a flood of unneeded information.
  3. Create buy-in by involving employees. A feeling of ownership naturally results from participation in a project, which helps increase enthusiasm. Often the time to do this is when discussing changes to business processes. Once you determine the mandatory features of the future state, (e.g., financial controls, legal requirements, legislative mandates) consider including stakeholder feedback on decisions more focused on preference. It is important for stakeholders to see their suggestions accepted and implemented, or if not implemented, that there was at least a structured process for thoughtfully considering their feedback, and a business case for why their suggestions didn’t make it into the project.
  4. Conduct lessons learned assessments after each major milestone. The purpose of conducting lessons learned activities is to capture what worked and what didn’t. Using surveys or other feedback systems, such as debrief meetings, allows stakeholders to voice their thoughts or concerns. By soliciting feedback after each milestone, leadership can quickly adapt to challenges, address any misunderstandings or concerns, and capitalize on successes.
  5. Reinforce how the project meets the goals of the agency or organization. Maintaining enthusiasm and support for a long-term goal takes a constant reminder of the overall organizational goals. It is important for senior leadership to communicate the impact of the project on the agency or organization and to stakeholders and keep the project at the forefront of people’s minds. Project goals may change during the duration of the project, but the project sponsor should continue to be active and visible in communicating the goals and leading the project.

Change is difficult—change that is years in the making is even more challenging. Applying a structured organizational change management process and using these tips can help keep employees energized and help ensure you reach the desired project goals.

Blog
Change management: Keeping employees motivated during multiyear projects

Over the course of its day-to-day operations, every organization acquires, stores, and transmits Protected Health Information (PHI), including names, email addresses, phone numbers, account numbers, and social security numbers.

Yet the security of each organization’s PHI varies dramatically, as does its need for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Organizations that meet the definition of a covered entity or business associate under HIPAA must comply with requirements to protect the privacy and security of health information.

Noncompliance can have devastating consequences for an organization, including:

  • Civil violations, with fines ranging from $100 to $50,000 per violation
  • Criminal penalties, with fines ranging from around $50,000 to $250,000, plus imprisonment

All it takes is just one security or privacy breach. As breaches of all kinds continue to rise, this may be the perfect time to evaluate the health of your organization’s HIPAA compliance. To keep in compliance and minimize your risk of a breach, your organization should have:

  • An up-to-date and comprehensive HIPAA security and privacy plan
  • Comprehensive HIPAA training for employees
  • Staff who are aware of all PHI categories
  • Sufficiently encrypted devices and strong password policies

HIPAA Health Check: A Thorough Diagnosis

If your organization doesn’t have these safeguards in place, it’s time to start preparing for the worst — and undergo a HIPAA health check.

Organizations need to understand what they have in place, and where they need to bolster their practice. Here are a variety of fact-finding methods and tools we recommend, including (but not limited to):

  • Administrative, technical, and physical risk analyses
  • Policy, procedure, and business documentation reviews
  • Staff surveys and interviews
  • IT audits and testing of data security

Once you have diagnosed your organization’s “as-is” status, you need to move your organization toward the “to-be” status — that is, toward HIPAA compliance — by:

  • Prioritizing your HIPAA security and privacy risks
  • Developing tactics to mitigate those risks
  • Providing tools and tactics for security and privacy breach prevention and minimization
  • Creating or updating policies, procedures, and business documents, including a HIPAA security and privacy plan

As each organization is different, there are many factors to consider as you go through these processes, and customize your approach to the HIPAA-compliance needs of your organization.

The Road to Wellness

An ounce of prevention is worth a pound of cure. Don’t let a security or privacy breach jump-start the compliance process. Reach out to us for a HIPAA health check. Contact us if you have any questions on how to get your organization on the road to wellness.

Blog
How healthy is your organization's HIPAA compliance?

As a leader in a higher education institution, you'll be familiar with this paradox: Every solution can lead to more problems, and every answer can lead to more questions. It’s like navigating an endless maze. When it comes to mobile apps, the same holds true. So, the question: Should your institution have a mobile app? The Answer? Absolutely.

Devices, not computers, are how millenials communicate, gather, inform, and engage. Millennials, on average, spend 90 hours per month on mobile apps, not including web searches and website visits.

Students are no exception. A 2016 Nielsen study showed that 98% of millennials aged 18 – 24, and 97% of millennials aged 25 – 34, owned a smartphone, while a 2017 comScore report stated that one out of five millennials no longer use desktop devices, including laptops. Mobile apps have quickly filled the desktop void, and as students grow more reliant on mobile technology, colleges and universities are in the mix, creating apps to bolster student engagement.

So should you create an app? Here are some questions you should answer before creating a mobile app. Welcome to the labyrinth! But don’t be frustrated—answer these questions to help you avoid dead ends and overspending.

1. Is a mobile app part of your IT Strategy? Including a mobile app in your IT strategy minimizes confusion at all levels about the objectives of mobile app implementation. It also helps dictate whether an institution needs multiple mobile apps for various functions, or a primary app that connects users with other functionality. If an institution has multiple campuses, should you align all campuses with a single app, or if will each campus develop their own?

2. What will the app do? Mobile apps can perform a multitude of functions, but for the initial implementation, select a few key functions in one main area, such as academics or student life. Institutions can then add functionality in the future as mobile adoption grows, and demand for more functions increases.

3. Who will use the app? Mobile apps certainly improve engagement throughout the student life cycle—from prospect to student to alumni—but they also present opportunities for increased faculty, staff, and community engagement. And while institutions should identify the immediate audience of the app, they should also identify future users, based upon functionality.

4. Who will manage the app? Institutions should determine who is going to manage the mobile app, and how. The discussion should focus on access, content, and functionality. Is the institution going to manage everything in house, from development to release to support, or will a mobile app vendor provide this support under contract? Depending on your institution, these discussions will vary.

5. What data will the app use? Like any new software system, an app is only as good as its supporting data. It’s important to assess the systems to integrate with the mobile app, and determine if the systems’ data is up-to-date and ready for integration. Consider the use of application program interfaces, or APIs. APIs allow apps and platforms to interact with one another. They can enable social media, news, weather, and entertainment apps to connect with your institution’s app, enhancing the user experience with more content for users.

6. How much data security does your app need? Depending on the functionality of the app you create, you will need varying degrees of security, including user authentication safeguards and other protections to keep information safe.

7. How much can you spend for the app? Your institution should decide how much you will spend on initial app development, with an eye toward including maintenance and development costs for future functionality. Complexity increases costs, so you will need to  budget accordingly. Include budget planning for updates and functionality improvements after launch.

You will also need to establish a timeline for the project and roll out. And note that apps deployed toward the end of the academic year experience less adoption than apps deployed at the beginning of the academic year.

Once your institution answers these questions, you will be off to a good start. And as I stated earlier, every answer to a question can lead to more questions. If your institution needs help navigating the mobile app labyrinth, please reach out to me

Blog
The mobile app labyrinth: Seven questions higher education institutions should ask

Most of us have been (or should have been) instructed to avoid using clichés in our writing. These overstated phrases and expressions add little value, and often only increase sentence length. We should also avoid clichés in our thinking, for what we think can often influence how we act.

Consider, for example, “death by committee.” This cliché has greatly — and negatively — skewed views on the benefits of committees in managing projects. Sure, sometimes committee members have difficulty agreeing with one another, which can lead to delays and other issues. In most cases, though, an individual can’t possibly oversee all aspects of a project, or represent all interests in an organization. Committees are vital for project success — and arguably the most important project committee is the steering committee.

What Exactly is a Steering Committee?
It is a group of high-level stakeholders that provides strategic direction for a project, and supports the project manager. Ideally, the group increases the chances for project success by closely aligning project goals to organizational goals. However, it is important to point out that the group’s top priority is project success.

The committee should represent the different departments and agencies affected by the project, but remain relatively small in size, chaired by someone who is not an executive sponsor of the project (in order to avoid conflicts of interest). While the project manager should serve on the steering committee, they should not participate in decision-making; the project manager’s role is to update members on the project’s progress, areas of concern, current issues, and options for addressing these issues.

Overall, the main responsibilities of a steering committee include:

  1. Approving the Project Charter
  2. Resolving conflicts between stakeholder groups
  3. Monitoring project progress against the project management plan
  4. Fostering positive communicating about the project within the organization
  5. Addressing external threats and issues emerging outside of the project that could impact it
  6. Reviewing and approving changes made to the project resource plan, scope, schedules, cost estimates, etc.

What Are the Pros and Cons of Utilizing a Steering Committee?
A group of executive stakeholders providing strategic direction should benefit any project. Because steering committee members are organizational decision-makers, they have the access and credibility to address tough issues that can put the project at a risk, and have the best opportunities to negotiate positive outcomes. In addition, steering committees can engage executive management, and make sure the project meshes with executive management’s vision, mission, and long-range strategic plan. Steering committees can empower project managers, and ensure that all departments and agencies are on the same page in regards to project status, goals, and expectations. In a 2009 article in Project Management Journal, authors Thomas G. Lechler and Martin Cohen concluded that steering committees are important to implementing and maintaining project management standards on an operational level — not only do steering committees directly support project success, they are instrumental in deriving value from an organization's investments in its project management system.

A steering committee is only as effective as it’s allowed to be. A poorly structured steering committee that lacks formal authority, clear roles, and clear responsibilities can impede the success of a project by being slow to respond to project issues. A proactive project manager can help the organization avoid this major pitfall by helping develop project documents, such as the governance document or project plan that clearly define the steering committee structure, roles, responsibilities and authority.

Steer Toward Success!
Steering committees can benefit your organization and its major projects. Yet understanding the roles and responsibilities — and pros and cons — is only a preliminary step in creating a steering committee. Need some advice on how to organize a steering committee? Want to learn more about steering committee best practices? Together, we can steer your project toward success.

Blog
Success by steering committee

The relationship between people, processes, and technology is as elemental as earth—and older than civilization. From the first sharpened rock to the Internet of Things, the three have been crucially intertwined and interdependent. There would have been no Industrial Revolution, for instance, without entrepreneurs who developed new tools to facilitate new manufacturing methods.

Of course, the increasing complexity of processes and the rapid innovations in technology tend to eclipse the present role that people play in progress. On the surface the trend seems understandable, even reasonable, when it comes to implementing a new Enterprise Resource Planning (ERP) system. Implementing a new ERP system is one of the most daunting projects an institution can undertake. Some sobering statistics—over 70% of all implementations take longer than planned, while over 50% go over budget—illustrate why many institutions focus on selecting the right ERP model and purchasing the right software. This is important, yet there are two excellent and connected reasons why your institution should focus on the “people component” of an ERP implementation.

Reason #1: The Technology is Tenable

Companies have improved and vetted ERP systems over time, so that today there’s little chance your institution will purchase poorly designed ERP software. And you have multiple options. For example, you could pursue a hosted ERP model in which a data center houses your ERP system, or a Software as a Service (SaaS) model, in which a third party administers your ERP software. These options help minimize hardware implementation, maintenance, and incomplete attempts at full system utilization—which in turn saves you time, money, and headaches.

In short: You won’t have to bear the full brunt of the tech burden, and the software and hardware you purchase should work. This enables you to concentrate on the people component of the system.

Reason #2: People Propel the Processes

A higher education institution can optimize an ERP system to complete countless processes: automating registration, onboarding staff, processing financial aid, improving self-service capabilities, simplifying record-keeping, etc. Yet a system can’t do all this on its own (not yet, at least). People—both functional and IT staff—propel these processes. For this to happen, your institution needs to secure buy-in and equip people with vision, training, and resources.

People are wary of ERP projects, for good reason. When an institution decides to tackle an ERP implementation the onus often falls on already busy staff, some of whom may rather find a new career than manage a new system implementation. Your staff and their institutional knowledge are your greatest assets. It is important to empower staff to define how future-state business processes should work—and for you to remember that a common reason for ERP implementation failure is lack of engagement. Sometimes, those at the executive level make decisions without adequate input from the people who actually do the work. You will need to sharpen your “people skills” in order to educate stakeholders on the value of a new ERP system, and how the software will make their day-to-day roles and responsibilities more efficient and effective. To ensure that staff have the bandwidth to engage in this change, it is advisable to provide backfill for key administrative functions.

Designing business processes of a future-state system is arguably the most challenging part of an ERP implementation. Often, stakeholders don’t understand the new functionality that a future system can offer because they have only used the prior system. It is important to engage the ERP vendor early and educate your staff to ensure that they understand the possibilities when designing future-state processes.

Once you have designed processes, training should take center stage. And once again, people play a pivotal role in this process. Modern ERP systems usually require staff to fundamentally conduct business differently; this can require training not only on the new system, but also on other foundational technologies (e.g., the office suite) not relied upon before. It is important to identify these needs and incorporate them into your institution’s training plan up front.

An effective training plan needs to balance multiple types of training, ranging from formal classroom sessions to online learning and train-the-trainer sessions. Tech-savvy staff will be able to train other staff in using the new ERP system, which will not only increase the skill sets of said staff, but will also help them better understand how their roles fit within the larger picture of the institution. This, in turn, will organically improve communication and workflow, as well as lead to more collaboration and teamwork. The result: positive institution-wide change.

Moving Forward

Think about your institution’s focus when implementing a new ERP system—and be aware of the benefits that it could have for your staff, your students, and your bottom line. You will face other ERP-related challenges, such as selecting the right third-party vendor and facilitating change management. If you’d like to discuss some strategies for tackling these challenges, this process is easy—just send me an email.

Blog
The people component: Why higher education institutions should focus on staff when implementing an ERP system

As more state and local government workers enter retirement, state and local agencies are becoming more dependent on millennial workers — the largest and most educated generation of workers in American history. But there is a serious gap between supply and demand.

As noted in a 2016 report by the Bureau of Labor Statistics titled 
Household Data Annual Averages 15, only 25.6% of current
government workers are between the ages of 18 and 35.

This trend isn’t necessarily shocking; many millennials choose higher-paying jobs in the private sector over lower-paying jobs in the public sector, especially when the days of a lifelong government career, and generous pensions, are dwindling. But it is a serious labor problem for government agencies — one that requires creative solutions. To entice these new workers, state and local governments need to adopt new recruiting and retaining methods.

Recruiting Methods

While money matters to millennials, they also want to live a life of adventure, try new things, embrace trailblazing technology, pursue meaningful goals, and gain a sense of both personal and civic accomplishment. In short, these new workers have values that differ from previous generations. You can help entice them by:

  • Highlighting your state and local agency’s mission and greater purpose. Many millennials want to affect change and find careers consistent with their values. Include information in your job descriptions about the positive environmental and social impact your agency makes.

  • Updating your technology. Millennials have grown up with technology (literally at their fingertips), can adapt to change as no other generation before them, and often strive to remain on the “cutting edge.” By updating your agency’s technology, you will not only improve your organization and benefit the public you serve, but also have a better chance of recruiting the best and brightest millennials.

  • Providing them with a work-life balance. Life outside of work is just as important to millennials as their careers. They don’t plan to wait for retirement to finally pursue their interests, so providing them with a level of flexibility is key to recruitment. Consider offering flexible workdays, remote working capabilities, extended parental leave, sabbatical opportunities, and “mental health days.” The more flexibility state and local agencies provide, the more incentive there is for millennials.

Retaining Methods

Recruiting millennials for government jobs is challenging enough, and retaining them can prove even harder, as job hopping is standard practice for many members of this generation. Nevertheless, there are certain methods your agency can adopt to prevent millennial turnover. We suggest:

  • Investing in employee development and training. Training and creating opportunities for promotion and career advancement are motivating incentives to millennials. Professional development excites millennials and investing in them will pay off for the agency — and the employees will be more engaged and likely to stay.

  • Showing employees they are valued. Recognition is the biggest motivator besides money — millennials want acknowledgement for the good work that they do. Communicate achievements and provide awards to recipients in front of their peers. This not only gives them credit, but also motivates others. Continuing to communicate to your employees how their work supports their values reminds them they made the right decision in joining the public sector in the first place.

Make Your Move

Millennials are worthy of your attention! To compete with the private sector — to recruit and retain them — your government agency has to take an innovative approach to capitalize on this ever-growing demographic. If your state or local agency needs help refreshing your technology, reviewing current policies and procedures, or taking a fresh look at your processes, contact BerryDunn. We would love to talk about your commitment to your future!

You may also be interested in: CFOs for Hire; How to Attract and Retain Workers in a Seller's Market

Blog
Getting millennial with it: How state and local governments can recruit and retain a new generation of workers

A year ago, CMS released the Medicaid Enterprise Certification Toolkit (MECT) 2.1: a new Medicaid Management Information Systems (MMIS) Certification approach that aligns milestone reviews with the systems development life cycle (SDLC) to provide feedback at key points throughout design, development, and implementation (DDI).

The MECT (recently updated to version 2.2) incorporates lessons learned from pilot certifications in several states, including the successful West Virginia pilot that BerryDunn supported. MECT updates have a direct impact on E&E systems—an impact that may increase in the near future. Here is what you need to know:         

Then: Initial Release

In February 2017, CMS introduced six Eligibility & Enrollment (E&E) checklists. Five were leveraged from the MECT, while the sixth checklist contained unique E&E system functionality criteria and provided a new E&E SDLC that—like the MECT—depicted three milestone reviews and increased the Independent Verification and Validation (IV&V) vendor’s involvement in the checklists completion process.

Now: Getting Started

Completing the E&E checklists will help states ensure the integrity of their E&E systems and help CMS guide future funding. This exercise is no easy task, particularly when a project is already in progress. Completion of the E&E checklists involves many stakeholders, including:

  • The state (likely more than one agency)
  • CMS
  • IV&V
  • Project Management Office (PMO)
  • System vendor(s)

As with any new processes, there are challenges with E&E checklists completion. Some early challenges include:

  • Completing the E&E checklists with limited state project resources
  • Determining applicable criteria for E&E systems, especially for checklists shared with the MMIS
  • Identifying and collecting evidence for iterative projects where criteria may not fall cleanly into one milestone review phase
  • Completing the E&E checklists with limited state project resources
  • Working with the system vendor(s) to produce evidence

What’s Next?

Additionally, working with system vendors may prove tricky for projects that already have contracts with E&E vendors, as E&E systems are not currently subject to certification (unlike the MMIS). This may lead to instances where E&E vendors are not contractually obligated to provide the evidence that would best satisfy CMS criteria. To handle this and other challenges, states should communicate risks and issues to CMS and work together to resolve or mitigate them.

As CMS partners with states to implement the E&E checklists, some questions are expected to be asked. For example, how much information can be leveraged from the MECT, and how much of the checklists completion process must be E&E-specific? Might certification be required in the near future for E&E systems?

While there will be more to learn and challenges to overcome, the first states completing the E&E checklists have an opportunity to lead the way on working with CMS to successfully build and implement E&E systems that benefit all stakeholders.

On July 31, 2017, CMS released the MECT 2.2 as an update to the MECT 2.1.1. As the recent changes continue to be analyzed, what will the impact be to current and future MMIS and E&E projects?

Check back here at BerryDunn Briefings in the coming weeks and we will help you sort it out.

Blog
Check this: CMS checklists aren't just for MMIS anymore.

Because we’ve been through this process many times, we’ve learned a few lessons and determined some best practices. Here are some tips to help you promote a positive post go-live experience.

The road to go-live is paved with good intentions. When an organization identifies a need to procure a new or upgraded system, that road can be long. It requires extensive planning, building a business case, defining requirements, procuring the system, testing it, and implementing it. Not to mention preparing your team to start using it. You’ve worked really hard to get to this point, and it feels like you’re about to cross the finish line. Well, grab some Gatorade because you’re not quite there yet. Post go-live is your cool-down, and it’s an important part of the race.

Preparation is key.
If you haven’t built a go-live plan into your overall implementation plan, you may see stress levels rise significantly in the days and weeks leading up to go-live. Like a runner prepares for a big race, a project lead must adequately prepare the team to begin using the new system, while still handling unexpected obstacles.  While there are many questions you should ask as you prepare to go live, you need to gain buy-in on the plan from the beginning and manage it to ensure follow-through.

Have your contract and deliverables handy.
Your system vendor implementation team will look to hand you off to their support team soon after go-live. It is crucial that you review all of the deliverables outlined in your contract to ensure all of the agreed-upon functionality is up and running, and all contracted deliverables have been provided and approved. Don’t transition to support until you’ve had enough time to see the system through significant processes (e.g. payroll, month-end close). In the period immediately after go-live, the vendor implementation team is your best resource to help address these issues, so it’s a good idea to have easy access to them.

Encourage use and feedback.
Functional leads and project champions need to continue communications past go-live to encourage use and provide a mechanism for addressing feedback. Employing change management best practices will go a long way in ensuring you use the system properly — and to its best capabilities.

Plan ahead for expanded use and future issues. 
Because a system implementation can be extremely resource-intensive, it is common to suppress or forgo functionality to implement at a later date (e.g., citizen and vendor self-service). In addition, we sometimes see issues arise during significant operational milestones (e.g., renewal processing, year-end close). Have a plan in place to decide how you will address known and unknown issues that arise.

While there is no silver bullet to solve all of the potential go-live woes, you can promote a smooth transition from a legacy system to a new system by implementing these tips. The time you spend up front will help offset many headaches down the road, promote end-user engagement, and ensure you’re getting the most from your investment.

Blog
We're live! Now what?

We all know them. In fact, you might be one of them — people who worry the words “go live” will lead to job loss (theirs). This feeling is not entirely irrational. When an organization is ready to go live from an existing legacy system to a new enterprise system, stress levels rise and doubts emerge: What can go wrong? How much time will be lost? Are we really ready for this?

We’re here to help. Here is a list of go-live essentials to help you mitigate stress and assess your readiness. While not all-encompassing, it’s a good place to start. Here’s what you need:

  1. A detailed project plan which specifies all of the implementation tasks
    A project plan is one of the most important parts of an implementation. A detailed plan that identifies all of the implementation tasks along with an assigned resource for each task is critical to success. The implementation vendor and the organization should develop this plan together to get buy-in from both teams.
  1. A completed system configuration
    New system configuration is one of the most time-consuming aspects of a technology implementation. If you don’t complete the implementation in a timely manner, it will impact your go-live date. Configure the new system based upon the best practices of the system — not how the existing system was — for timely implementation.
  1. External system interface identification
    While replacement of some external systems may be a goal of an implementation, there may be situations where external systems are not replaced or the organization has to send and/or receive data from external organizations. And while new systems have advanced interface technology capabilities, the external systems may not share these capabilities. Therefore it is imperative that you identify external system interfaces to avoid gaps in functionality.
  1. Testing, testing, testing
    End-to-end testing or User Acceptance Testing (UAT) is often overlooked. It involves completing testing scenarios for each module to ensure appropriate system configuration. While the timing of UAT may vary, allow adequate time to identify solutions to issues that may result from UAT.
  1. Data conversion validation
    When you begin using a new system, it’s best to ensure you’re working with clean, up-to-date data. Identify data conversion tasks in the project plan and include multiple data conversion passes. You must also determine if the existing data is actually worth converting. When you complete the data conversion, check for accuracy.
  1. End user training
    You must train all end users to ensure proper utilization across the organization. Don’t underestimate the amount of time needed for end user training. It is also important to provide a feedback mechanism for end users to determine if the training was successful.
  1. A go-live cutover plan
    The overall project plan may indicate go-live as an activity. List specific activities to complete as part of go-live. You can build these tasks into the project plan or maintain them as a separate checklist to promote a smooth transition.
  1. Support structure
    Establish an internal support structure when preparing for go-live to help address issues that may arise. Most organizations take time to configure and test the system and provide training to end users prior to go-live. Questions will arise as part of this process — establish a process to track and address these questions.

Technology implementations can significantly impact your organization, and it’s common for stress levels to rise during the go-live process. But with the right assessment and preparation, you can lessen their impact and reduce staff stress. Our experienced, objective advisors work with public and private sector organizations across the country to oversee large enterprise projects from inception to successful completion. Please reach out to us to learn more about preparing for your next big project.

Blog
Don't worry, just assess: Eight tips for reducing go-live stress

Electronic accessibility in every aspect of modern life has increased ten-fold, but government — and courts in particular — has been slow to follow.

History Lesson
The idea that criminal court proceedings are accessible by the public is a pillar of our justice system, rooted in the First Amendment. This public right to unrestricted access in criminal and civil court proceedings has been interpreted by many states to extend to court documents and court records (as long as not otherwise protected).

Traditionally, public access to court proceedings and records has been limited to those taking place in the courthouse, between the hours of 8:00 am and 4:00 pm. In most every other aspect of our lives, we have 24/7 access to everything from live streaming of our home security systems, to ordering our groceries or dinner from our mobile devices — while traveling at 30,000 feet! Government — and courts in particular — has been slow to follow in the rush to 24/7 electronic accessibility.

Part of the rationale behind the hesitation to jump on the electronic bandwagon, are the ethical issues surrounding unlimited electronic public access. So while the First Amendment provides for public access to information, conversely the Fourteenth Amendment interprets the definition of “liberty” to include a right to privacy. Deciding between these two semmingly contradictory rights becomes a challenge for courts when determining what form of electronic access is appropriate for court documents.

The pros
Unlimited electronic access to publicly available documents:

  • Serve a variety of public interests while eliminating the need to travel to the courthouse to research and copy documents.
  • Acts both as a deterrent to violating laws and as protection to those whose rights have been violated.
  • Tends to instill fairness, transparency, and equality of court proceedings.
  • Protects the community and allows the media to report on matters of public interest in a more convenient, timely, and streamlined manner.

The cons
While there are compelling reasons to provide electronic public access, they don’t take into account the potential for it to be used inappropriately. Risks include:

  • Increased chance of identity theft, leading to loss of property, finances, and credit
  • Exposure to sensitive information that may be harmful to all those involved
  • Negative impact on privacy
  • Deter public interest lawsuits for fear of overexposure
  • Mistakes or abuse of legal process can have far-reaching implications on individuals

What can states do?
Allowing unlimited remote electronic access to court documents could compromise the privacy rights and concerns of individuals and increase the risk of harm to those participating in court proceedings. This issue demands the full attention of the courts nationwide, but not with an “all-or-nothing” approach.

Many states struggle with striking this balance. To mitigate some of the potentially damning effects, states have taken different approaches. The National Center for State Courts (NCSC) has brought attention to the issues on several occasions. In 2002, the NCSC and the State Justice Institute funded the project, “Developing a Model Written Policy Governing Access to Court Records” and more recently the NCSC has published the “Privacy/Public Access to Court Records Resource Guide”.

Some states have redacted confidential information from electronic documents and some have limited what information or categories are available on the internet, only posting some combination of the following:

  • Appellate decisions
  • Final judgments, orders, and decrees
  • Basic information of the litigant or party to the case
  • Calendars and case docket lists

Our recommendation
States must agree upon the amount of access they will provide electronically. To tackle this, each state should:

  • Consider forming an access committee(s) to determine what guidelines are needed to balance the free access rights of the public with the privacy rights of individuals
  • Policy decisions should be publicly posted to the judiciary, legislators, and the public at large; and
  • Should be regularly revisited to ensure an appropriate balance is continually achieved

Interested in learning how your state can address this or similar issues? Reach out to BerryDunn's justice and public safety experts and we can discuss the particular issue facing your state and the best practices for approaching it.

Blog
Striking a balance: Public right of access to court records vs. the privacy rights of individuals

Online banking? Check.
Online shopping? You bet.
Online permit application submittal? What? Actually, yes.


As Americans are becoming more and more accustomed to performing everyday functions online, local governments are evolving and keeping up with the times. This online evolution is coming in the form of implementing modern enterprise applications with electronic workflow and a public-facing portal that allows residents to apply for permits, submit documentation, pay for, and collaborate with local government staff to perform a variety of processes.

One area of recent focus is the online submittal and routing of electronic planning and permit applications, and supporting plans and drawings. This effort is often driven by a desire to expand e-government offerings available to the public, while also realizing internal efficiencies through electronic workflow and simultaneous review, and a reduction in paper usage.

If you were to take a tour of most City or County Building, Planning, or Development Departments, in many instances you would see bins containing rolls of large (24”x36”) scale drawings that support planning (e.g., subdivision, rezoning, etc.) or permit (e.g., new family residential dwelling, accessory building, etc.) documents. With local government agencies receiving hundreds of paper applications each year, the internal driver for moving to an electronic submittal and review environment is evident. Additionally, when it is understood that the applicant develops these documents in a Computer Aided Design (CAD) system prior to printing, and are also required to submit applications in-person during business hours, the need for simplified online processes is even more pressing.

On the surface, moving to an electronic application submittal and review platform may appear pretty straightforward. However, like any major process and technology change there are several major considerations. Here are three that each agency should look at prior to starting an electronic application submittal and review project.

  1. Change to Current Business Processes
    Current processes related to application submittal, completeness review, routing to reviewers, consolidation of review comments, and return of comments and mark-ups to applicants are paper intensive.
    • Are current processes designed around paper submittals?
    • Will reviews be simultaneous or sequential? Should this change?
    • How will electronic copies be distributed to reviewers? How about third-party reviewers?
    • How will comments be consolidated and returned to the applicant?
    • Will plans be submitted online and/or in person via USB/CD?
  2. Change to Current Policies
    Current policies are most likely based on a paper plan set being received, routed, and archived. It is very likely that these policies will require updating with a change to electronic submittal and review.
    • Will plans be required to be submitted electronically? For some case types?
    • Will a hard copy plan set still be required?
    • How will final plans be archived?
    • Will an additional fee be charged to offset equipment and hardware costs?
    • Will the fee schedule incentivize electronic submittals?
    • Will staff be required to perform their mark-ups electronically?
  3. Change to Technology Tools
    Drafting tables, light tables, red pens, and rulers are common tools used to support a paper-based environment. Electronic submittal and review will require a different set of tools.
    • Does your current planning/permitting system have the tools to support an electronic workflow?
    • What software and hardware tools will staff use to complete their review?
    • Will all reviewers be required to complete their reviews electronically?
    • How will revised plans be provided to an applicant (e.g., portal, email, etc.)?
    • How will signatures and stamps be applied to electronic plans?
    • How will resubmittals and multiple versions of plans be managed?

Transitioning to an electronic plan submittal and review environment may seem overwhelming, but when done correctly the benefits can be significant. BerryDunn can assist with answering questions related to transitioning to an electronic plan submittal and review environment. Get more information on how BerryDunn can help your agency navigate this here.

Blog
Moving to electronic plan submittal and review: Three things to consider