Skip to Main Content

Blog

Gain perspectivesOur blog

This spring, I published a blog about the importance of data governance in higher education institutions. In the summer, a second blog covered implementing baseline principles for data governance. With fall upon us, it is time to transition to discussing three critical steps to create a data governance culture. 

1.    Understand the people side of change.

The culture of any organization begins and ends with its people. As you know, people are notoriously finicky when it comes to change (especially change like data governance initiatives that may alter the way we have to understand or interact with institutional data). I recommend that any higher education institution apply a change management methodology (e.g., Prosci®, Lewin’s Change Management Model) in order to gauge the awareness of, the desire for, and the practical realities of this change. If you apply your chosen methodology in an effective and consistent manner, change management will help you increase buy-in and break down resistance. 

2.    Identify and empower the right people for the right roles.

Higher education institutions often focus on data governance processes and technologies. While this is necessary, you can’t overlook the people part of data governance. In fact, you can argue it is the most important part, because without people, there will be no one to follow the processes you create or use the technologies you implement. 

To find the right people, you need to identify and establish three specific roles for your institution: data trustees, data stewards, and data managers. Once you have organized these roles and responsibilities, data governance becomes easier to manage. Some definitions:

Data trustees (the sponsors) – senior leadership (or designees) who oversee data policy, planning, and management. Their responsibilities include: 

  • Promoting data governance 
  • Approving and updating data policies​​
  • Assigning and overseeing data stewards
  • Being responsible for data governance

Data stewards (the owners) – directors, managers, associate deans, or associate vice presidents who manage one or more data types. Their responsibilities include:

  • Applying and overseeing data governance policies in their functional areas
  • Following legal requirements pertaining to data in their functional areas
  • Classifying data and identifying data safeguards
  • Being accountable for data governance

Data managers (the caretakers) – data system managers, senior data analysts, or functional users (registrar, financial aid, human resources, etc.) who perform day-to-day data collection and management operations. Their responsibilities include:

  • Implementing data governance policies in their functional areas
  • Resolving data issues in their functional areas 
  • Provide training and appropriate documentation to data users
  • Being informed and consulted about data governance

3.    Be consistent and hold people accountable.

Ultimately, your data governance team needs accountability in order to thrive. Therefore, it is up to data trustees, data stewards, and data managers to hold regular meetings, take and distribute meeting notes, and identify and follow up on meeting action items. Without this follow through, data governance initiatives will likely stall or stop altogether. 

More information on data governance 

Are you still curious about additional guiding principles of data governance in higher education? Please contact the team
 

Blog
People Power: Enacting Sustainable Data Governance

Editors note: read this if you are a leader in an accountable care organization and interested in value-based contracting.

Accountable Care Organizations (ACOs) and value-based payments: an introduction

With the goal of slowing the rising cost of healthcare while maintaining the delivery of high-quality care, the Centers for Medicare & Medicaid Services (CMS) and private payers utilize a number of different provider payment models. The primary approach to address increasing healthcare costs has been to move away from fee-for-service payment models—which incentivize increasing the volume of care provided—to value-based payment models, which hold providers accountable for both the cost and quality of care they provide. The models have the potential to lead to reduced revenue for some providers, an outcome that can be avoided by successfully attracting larger patient populations. 

Value-based payment model options 

CMS has been a driver in this transition by moving physician reimbursement from being solely based on the Resource-Based Relative Value Scale (RBRVS) fee-for-service methodology to one that adds performance-based elements either through the Merit-based Incentive Payment System (MIPS) or Advanced Alternative Payment Models (Advanced APMs):

  • Providers that are MIPS eligible will have up to 9% of their RBRVS-based payments adjusted for four categories: quality, cost, clinical practice improvement activities, and promoting interoperability.
  • Providers in an Advanced APM may earn an incentive payment based on their participation in an innovative payment model―with more opportunity for incentive rewards being given to those who take downside financial risk. 

On the hospital side, CMS developed the Hospital Value-Based Purchasing (VBP) Program in order to move away from reimbursement based strictly on Diagnosis Related Groups (DRGs). The Hospital VBP Program rewards hospitals with incentive payments based on the quality of care they provide to Medicare beneficiaries. 

ACO value-based payment models are APMs that typically incorporate quality and the total cost of care for all services for a specific population, rather than just a specific clinical condition or care episode. Under the ACO model, CMS contracts with providers to assume increasing financial risk and reward opportunities while also being held accountable for their quality performance managing defined sub-populations they serve. These types of models are also employed by private payers.

How can ACOs succeed with payment models constantly changing?

ACOs should proceed with caution as they enter models with accountability for financial risk such as the newly finalized CMS Pathways to Success program and certain private payer commercial models. In order to be successful in any model, it is critical that ACOs have an adequate foundation in place and a provider network built to provide coordinated care. Some of the key elements for your success include:

  • Population data: Data for the ACO members that is a comprehensive record of their recent health utilization and spending history is critical.
  • Eligibility reporting: Require that eligibility files are provided on a monthly basis, and understand the way in which members are attributed or assigned. 
  • Claims data: Ensure accurate and complete claims data will be provided by payers monthly for the ACO members.
  • Financial/quality reporting: Ensure creation of infrastructure to generate reporting from the population data on a timely basis. Without timely reporting, the actual performance against benchmarks will not be known until it is too late to take any action.
  • Actuarial support: Validating spending targets and performance settlement should draw on the expertise of a qualified actuary.
  • Clinical documentation: Ambulatory clinical documentation categorizes patients based on the complexity of their diagnoses, which can be a predictor of future health care costs and used to identify at risk members for care management, disease management, and other programs. 
  • Population health management tools: Establish capabilities around population health management, specifically data aggregation and analysis that results in actionable recommendations
  • Audit capability: Verify the accuracy of payer financial and quality reports including the risk adjustment methodology.

Success in value-based payment models will require ACOs to understand changes to their population and quickly respond to address quality, utilization, and cost trends. 

WEBINAR
Demystifying Value-Based Contracting: Key Steps To Empower Your Organization

Want to learn more? Watch our value-based contracting webinar.

Blog
Success in value-based payment for ACOs

Follow these six steps to help your senior living organization improve cash flow, decrease days in accounts receivable, and reduce write offs.

From regulatory and reimbursement rule changes to new software and staff turnover, senior living facilities deal with a variety of issues that can result in eroding margins. Monitoring days in accounts receivable and creeping increases in bad debt should be part of a regular review of your facility’s financial indicators.

Here are six steps you and your organization can take to make your review more efficient and potentially improve your bottom line:

Step 1: Understand your facility’s current payer mix.

Understanding your payer mix and various billing requirements and reimbursement schedules will help you set reasonable goals and make an accurate cash flow forecast. For example, government payers often have a two-week reimbursement turn-around for a clean claim, while commercial insurance reimbursement may take up to 90 days. Discovering what actions you can take to keep the payment process as short as possible can lessen your average days in accounts receivable and improve cash flow.

Step 2: Gain clarity on your facility’s billing calendar.

Using data from Step 1, review (or develop) your team’s billing calendar. The faster you send a complete and accurate bill, the sooner you will receive payment.

Have a candid discussion with your billers and work on removing (or at least reducing) existing or perceived barriers to producing timely and accurate bills. Facilities frequently find opportunities for cash flow optimization by communicating their expectations for vendors and care partners. For example, some facilities rely on their vendors to provide billing logs for therapy and ancillary services in order to finalize Resource Utilization Groups (RUGs) and bill Medicare and advantage plans. Delayed medical supply and pharmacy invoices frequently hold up private pay billing. Working with vendors to shorten turnaround time is critical to receiving faster payments.

Interdependencies and areas outside the billers’ control can also negatively influence revenue cycle and contribute to payment delays. Nursing and therapy department schedules, documentation, and the clinical team’s understanding of the principles of reimbursement all play significant roles in timeliness and accuracy of Minimum Data Sets (MDSs) — a key component of Medicare and Medicaid billing. Review these interdependencies for internal holdups and shorten time to get claims produced.

Step 3: Review billing practices.

Observe your staff and monitor the billing logs and insurance claim acceptance reports to locate and review rejected invoices. Since rejected claims are not accepted into the insurer’s system, they will never be reflected as denied on remittance advice documents. Review of submitted claims for rejections is also important as frequently billing software marks claims as billed after a claim is generated. Instruct billers to review rejections immediately after submitting the bill, so rework, resubmission, and payment are timely.

Encourage your billers to generate pull communications (using available reporting tools on insurance portals) to review claim status and resolve any unpaid or suspended claims. This is usually a quicker process than waiting for a push communication (remittance advice) to identify unpaid claims.

Step 4: Review how your facility receives payments.

Challenge any delays in depositing money. Many insurance companies offer payment via ACH transfer. Discuss remote check deposit solutions with your financial institution to eliminate delays. If the facility acts as a representative payee for residents, make sure social security checks are directly deposited to the appropriate account. If you use a separate non-operating account to receive residents’ pensions, consider same day bill pay transfer to the operating account.

Step 5: Review industry benchmarks.

This is critical to understanding where your facility stands and seeing where you can make improvements. BerryDunn’s database of SNF Medicare cost reports filed for FY 2015 - 2018 shows:

Skilled Nursing Facilities: Days in Accounts Receivable

Step 6: Celebrate successes!

Clearly some facilities are doing it very well, while some need to take corrective action. This information can also help you set reasonable goals overall (see Step 1) as well as payer-specific reimbursement goals that make sense for your facility. Review them with the revenue cycle team and question any significant variances; challenge staff to both identify reasons for variances and propose remedial action. Helping your staff see the big picture and understanding how they play a role in achieving department and company goals are critical to sustaining lasting change AND constant improvement.

Change, even if it brings intrinsic rewards (like decreased days in accounts receivable, increased margin to facilitate growth), can be difficult. Acknowledge that changing processes can be tough and people may have to do things differently or learn new skills to meet the facility’s goal. By celebrating the improvements — even little ones — like putting new processes in place, you encourage and engage people to take ownership of the process. Celebrating the wins helps create advocates and lets your team know you appreciate their work. 

To learn more, contact one of our revenue cycle specialists.

Blog
Six steps to gain speed on collections

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, and management of organizations that may participate in strategic planning and business activities where considerations of compliance and controls is required.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. With a focus on IT, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. However, though a data breach may be the fault of a third-party, you are still responsible for it. Potential data breaches and exposure of customer information may occur, leaving you to explain to customers and clients answers and explanations you may not have. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.1  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies likely have language in contracts that already establish requirements for third-parties related to IT security; however the enforcement of such requirements and awareness of what is written in the contract is not enforced or is collected, put in a file, and not reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements in place to defend themselves against third-party risk which includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the implementation of the European Union’s General Data Privacy Regulation (GDPR) which was the first major data privacy law pushed onto any organization that possesses, handles, or has access to any citizen of EU’s personal information. Enforcement has started and the Information Commissioner’s Office has begun fining some of the world’s most famous companies, including substantial fines to Marriott International and British Airways of $125 million and $183 million Euros, respectively.2  Gone are the days where regulations lacked the teeth to force companies into compliance. 

With thanks to other major data breaches where hundreds of millions’ consumers private information was lost or obtained (e.g., Experian), more regulation is coming. Although there is little expectation of an American federal requirement for data protection, individual states and other regulating organizations are introducing requirements. Each new regulation seeks to protect consumer privacy but the specifics and enforcement of each differ. 

Expected to be most impactful in 2019 is the California Consumer Privacy Act,  which applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in CA to be under the umbrella of enforcement).

In 2018, Maine passed the toughest law on telecommunications providers for selling consumer information. Massachusetts’ long standing privacy and data breach laws were amended with stronger requirements in January of 2019. Additional privacy and breach laws are in discussion or on the table for many states including Colorado, Delaware, Ohio, Oregon, Ohio, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter your line of business must be aware of and understand current laws and proposed legislation. New laws are expected to not only address the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are a lot of resources out there and, in most cases, legislative requirements allow for grace periods to allow organizations to develop a complete understanding of proposed laws and implement needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.3 While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data we have available to us is not used.4 Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies and in many cases data’s existence and location is unknown by the organizations that have it. 

In addition to the security risk that all this data poses, it also may expose an organization to liability in the event of a lawsuit of investigation. Emails and other communications are a favorite target of subpoenas and investigations and should be deleted within 90 days (including deleted items folders). 

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Utilizing backup storage media may be a solution that helps reduce the need to store and maintain a large amount of data on internal systems. 

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training

Go back to the basics 

We often see organizations that focus on new and emerging technologies, but have not taken the time to put basic security controls in place. Simple deterrents will help thwarting hackers. I often tell my clients a locked car scares away most ill-willed people, but a thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.5 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.6  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.6 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement controls needed to consider emerging IT risks. For more information, contact the team
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention

Blog
Five IT risks everyone should be aware of

Editor’s note: If you are a higher education CFO, CIO, CTO or other C-suite leader, this blog is for you.

The Gramm-Leach-Bliley Act (GLBA) has been in the news recently as the Federal Trade Commission (FTC) has agreed to extend a deadline for public comment regarding proposed changes to the Safeguards Rule. Here’s what you need to know.

GLBA, also known as the Financial Modernization Act, is a 1999 federal law providing rules to financial institutions for protecting consumer information. Colleges and universities fall under this act because they conduct financial activities (e.g., administration of financial aid, loans, and other financial services).

Under the Safeguards Rule financial Institutions must develop, implement, and maintain a comprehensive information security program that consists of safeguards to handle customer information.

Proposed changes

The FTC is proposing five modifications to the Safeguards Rule. The new act will:

  • Provide more detailed guidance to impacted institutions regarding how to develop and implement specific aspects of an overall information security program.
  • Improve the accountability of an institution’s information security programs.
  • Exempt small business from certain requirements.
  • Expand the definition of “financial institutions” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
  • Propose to include the definition of “financial institutions” and related examples in the rule itself rather than cross-reference them from a related FTC rule (Privacy of Consumer Financial Information Rule).

Potential impacts for your institution

The Federal Register, Volume 84, Number 65, published the notice of proposed changes that once approved by the FTC would add more prescriptive rules that could have significant impact on your institution. For example, these rules would require institutions to:

  1. Expand existing security programs with additional resources.
  2. Produce additional documentation.
  3. Create and implement additional policies and procedures.
  4. Offer various forms of training and education for security personnel.

The proposed rules could require institutions to increase their commitment in time and staffing, and may create hardships for institutions with limited or challenging resources.

Prepare now

While these changes are not final and the FTC is requesting public comment, here are some things you can do to prepare for these potential changes:

  • Evaluate whether your institution is compliant to the current Safeguards Rule.
  • Identify gaps between current status and proposed changes.
  • Perform a risk assessment.
  • Ensure there is an employee designated to lead the information security program.
  • Monitor the FTC site for final Safeguard Rules updates.

In the meantime, reach out to us if you would like to discuss the impact GLBA will have on your institution or if you would like assistance with any of the recommendations above. You can view a comprehensive list of potential changes here.

Source: Federal Trade Commission. Safeguards Rule. Federal Register, Vol. 84, No. 65. FTC.gov. April 4, 2019. https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Blog
Higher ed: GLBA is the new four-letter word, but it's not as bad as you think

This site uses cookies to provide you with an improved user experience. By using this site you consent to the use of cookies. Please read our Privacy Policy for more information on the cookies we use and how you can manage them.