Skip to Main Content

insightsarticles

COVID-
19 laws and their impact on state public health agencies

By:

Laura Hill is a Consultant with BerryDunn working in the State Government Practice Area. She specializes in public health. She has experience working with state and local government public health agencies, not-for-profit organizations, and healthcare systems on strategic planning and project implementation. In addition, she has specialized training and expertise in food security, outdoor play environments for children, and obesity prevention in children and teens.

 Laura Hill
04.16.20

Read this if you work at a public health department and would like a brief summary of how you can maximize funding and meet new federal requirements.

Unpacking the trillions

In response to the COVID-19 pandemic, several pieces of legislation were passed by congress and signed into law. The three bills, H.R. 6074 Coronavirus Preparedness and Response Supplemental Appropriations Act, H.R. 6201 Families First Coronavirus Response Act, and H.R. 748 Coronavirus Aid, Relief, and Economic Security (CARES) Act, have provided funding for various federal agencies with different roles in responding to the crisis. Because of the urgency required, much of the guidance for use of funds and reporting requirements were released after passage of the bills or have yet to be released.

Here is a brief timeline and summary of the acts:

Implication and next steps for state public health departments

While little guidance has been provided for how state public health departments should prepare to access federal funds, BerryDunn will continue to monitor and release updates as they become available. 

While at this point HR 6074 has the greatest implications for public health departments, here are some actions that states should take now for their public health programs from the recent legislation:

  1. H.R. 6074: Provides appropriations to the CDC to be allocated to states for COVID-19 expenses.
    • To ensure maximum funding, prepare a spend plan to submit to CDC.
    • To ensure compliance, provide CDC with copies or access to COVID-19 data collected with these funds.
    • To maximize the impact of new funding, develop a COVID-19 community intervention plan.
    • To support streamlined operations, submit revised work plans to CDC.
    • To prevent missed deadlines, submit any requests for deadline extensions to the CDC.
  2. H.R. 6201: Provides guidance specific to the Special Supplemental Nutrition Program for Women, Infants, and Children (WIC) programs.
    • To encourage social distancing and loosen administrative requirements, seek waivers through the USDA’s Food and Nutrition Service (FNS).
    • To ensure compliance, prepare to submit a report summarizing the use of waivers on population outcomes by March 2021.
  3. H.R. 748: Allocates $150 billion to a coronavirus relief fund for state, local, and tribal governments.
  • To secure funding, monitor the US Department of Health & Human Services (HHS) for guidance on using funds for:
    • Coronavirus prevention and preparation
    • Tools to build health data infrastructure
    • COVID-19 Public Health Emergency expenses
    • Developing countermeasures and vaccines for coronavirus
    • Telehealth and rural health activities
       
  • To ensure HIPAA compliance when sharing protected patient health information, monitor the US Department of Health & Human Services (HHS) for guidance.

For more information

For specific issues your agency has, or if you have other questions, please contact us. We’re here to help. 

Related Services

Consulting

Information Systems

Organizational and Governance

Related Professionals

BerryDunn experts and consultants

What the C-Suite should know about CECL and change management

Read this if you are at a financial institution. 

Some institutions are managing CECL implementation as a significant enterprise project, while others have assigned it to just one or two people. While these approaches may yield technical compliance, leadership may find they fail to realize any strategic benefits. In this article, Dan Vogt, Principal in BerryDunn’s Management and IT Consulting Practice, and Susan Weber, Senior Manager and CECL expert in BerryDunn’s Financial Services Practice, outline key actions leaders can take now to ensure CECL adoption success.  

Call it empathy, or just the need to take a break from the tactical and check in on the human experience, but on a recent call, I paused the typical readiness questions to ask, “How’s the mood around CECL adoption – what’s it been like getting others in the organization involved?” The three-word reply was simple, but powerful: “Kicking and screaming.”  

Earlier this year, by a vote of 5-2, the FASB (Financial Accounting Standards Board) closed the door to any further delays to CECL adoption, citing an overarching need to unify the industry under one standard. FASB’s decision also mercifully ended the on-again off-again cycle that has characterized CECL preparation efforts since early 2020. One might think the decision would have resulted in relief. But with so much change in the world over the past few years, is it any wonder institutions are instead feeling change-saturated?  

Organizational change

CECL has been heralded as the most significant change to bank accounting ever, replacing 40+ years of accounting and regulatory oversight practices. But the new standard does much more than that. Implementing CECL has an effect on everything from executive and board strategic discussions to interdepartmental workflows, systems, and controls. The introduction of new methods, data elements, and financial assets has helped usher in new software, processes, and responsibilities that directly affect the work of many people in the organization. CECL isn’t just accounting—it’s organizational change. 

Change management

Change management best practices often focus on leading from optimism—typically leadership and an executive sponsor talk about opportunities and the business reasons for change. Some examples of what this might sound like as it relates to CECL might include, by converting to lifetime loss expectations, the institution will be better prepared to weather economic downturns; or, by evolving data and modeling precision, an institution’s understanding and measure of credit risk is enhanced, resulting in more strategic growth, pricing, and risk management. 

But leading from optimism is sometimes hard to do because it isn’t always motivating—especially when the change is mandated rather than chosen.  

Perhaps a more judiciously used tactic is to focus on the risk, or potential penalty, of not changing. In the case of CECL, examples might include, your external auditor not being able to sign-off on your financials (or significant delays in doing so), regulatory criticism, inefficient/ineffective processes, control issues, tired and frustrated staff. These examples expose the institution to all kinds of key risks: compliance, operational, strategic, and reputational, among them.

CECL success and change management

With so much riding on CECL implementation and adoption going well, some organizations may be at heightened risk simply because the effort is being compartmentalized—isolated within a department, or assigned to only one or two people. How effectively leadership connects CECL implementation with tenets of change management, how quickly they understand, then together embrace, promote, and facilitate the related changes affecting people and their work, may prove to be the key factor in achieving success beyond compliance.  

One important step leaders can take is to perform an impact assessment to understand who in the organization is being affected by the transition to CECL, and how. An example of this is below. Identifying the departments and functions that will need to be changed or updated with CECL adoption might expose critical overlaps and reveal important new or enhanced collaborations. Adding in the number of people represented by each group gives leaders insight into the extent of the impact across the institution. By better understanding how these different groups are affected, leaders can work together to more effectively prioritize, identify and remove roadblocks, and support peoples’ efforts longer term.           

 
No matter where your institution is currently in its CECL implementation journey, it is not too late to course-correct. Leadership—unified in priority, message, and understanding—can achieve the type of success that produces efficient sustainable practices, and increases employee resilience and engagement.

For more information, visit the CECL page on our website. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions. For more tips on documenting your CECL adoption, stay tuned for our next article in the series, revisit past articles, or tune in to our CECL Radio podcast. You can also follow Susan Weber on LinkedIn.

Article
Implementing CECL: Kicking and screaming

Read this if your organization offers health insurance through a health insurance exchange.

When the Affordable Care Act (ACA) was passed in 2010, it contained a known gap which made healthcare premiums unaffordable for some families covered under Medicare or employer-sponsored health insurance plans. The gap in the law, commonly referred to as the family glitch, was formalized in 2013 as the result of a Final Rule issued by the IRS. 

The “family glitch” calculates the affordability of an employer-sponsored health insurance plan based on the cost for the employee, not additional family members. An article published in April 2022 on healthinsurance.org estimated that the cost of health insurance for a family covered by an employer-sponsored plan could end up being 25% or more of the household’s income, even if the plan was considered affordable (less than 9.61% of the household’s income) for the employee alone. Almost half of the people impacted by the family glitch are children.

The family glitch was allowed to stand in 2013 partly because of concerns that resolving the issue could push more people off employer-sponsored plans and onto marketplace qualified health plans, ultimately raising the cost of subsidies. Since then, several attempts have been made to fix the issue, which affects around five million Americans. The most recent attempt was an executive order issued by President Biden soon after taking office in January 2021. The Office of Management and Budget has been reviewing regulatory changes proposed by the Treasury Department and IRS, details of which were published in April 2022. 

These regulatory changes would alter the way health insurance exchanges calculate a family’s eligibility for subsidies when the family has access to an employer-sponsored health insurance plan. If the changes go into effect in 2023 as proposed, audits of the 2023 fiscal year will need to account for the new regulations and potentially conduct different testing protocols for different parts of the year. 

Our team is closely following these proposed changes to help ensure our clients are prepared to follow the new regulations. Earlier this week, we attended a public hearing held by the Treasury Department, where representatives of various groups spoke in support of, or in opposition to the proposed regulatory change. Supporters noted that families with plans that offer expensive coverage for dependents would benefit from this change through reduced costs and more coverage options, including provider networks that may more closely align with the family members’ needs. Those in favor of the change anticipate that families with children would see the most benefit. 

Those opposed to the change expressed that due to the way the law is currently written, they do not see the regulatory flexibility for the administration to make this change through administrative action. Additionally, concerns were raised that families covered by multiple health insurance plans could be faced with higher out-of-pocket-costs due to having separate deductibles that must be met on an annual basis. Lastly, not all families that have unaffordable insurance would see financial relief under this proposal. 

The Treasury Department is expected to announce its decision in time for open enrollment for plan year 2023 which is scheduled to begin on November 1, 2022. Our team will continue to monitor the situation closely and provide updates on how the changes may impact our clients. 

For more information

If you have more questions or have a specific question about your situation, please reach out to us. There is more information to consider when evaluating the effects these changes will have on the landscape of healthcare access and affordability, and we’re here to help.

Article
Fixing the "family glitch": How a proposed change to the ACA will affect healthcare subsidies 

Read this if you are at a state Medicaid agency.

The Covid-19 Public Health Emergency (PHE) placed US state and territory Medicaid programs on the front line of reorganizing what healthcare looks like for millions of Medicaid enrollees. Each Medicaid program shifted automation and manual procedures in order to comply with and benefit from the increased federal funding in early 2020. With the PHE winding down, every Medicaid program must look at how to return to regular operations and unwind, or undo, the continuous coverage requirement temporarily put in place by the Centers for Medicare and Medicaid Service (CMS). BerryDunn has collaborated with Medicaid programs to identify best practices and consider new opportunities to implement rollback methods in an effort to lower risk during the unwinding period and beyond. 

New learning programs considered

Administrators who have been assessing their staff and operational readiness to support the expected influx of renewals, policy changes, and staffing changes are considering launching learning programs ahead of the unwinding efforts. Using this time to engage with staff has uncovered the need to redeploy fundamental learning programs to prepare for the anticipated high volume of two-years of renewals. Administrators have also begun to engage with community leaders and health plan organizations in ways that provide coordinated and complete communication to beneficiaries. Many programs have looked at expanding benefits within the guidelines of CMS, such as extending post-partum coverage to a full 12 months and increasing reasonable compatibility to a larger percentage, recognizing the economy has evolved since 2020.

Other outreach efforts

During the pandemic, many beneficiaries moved without notifying the Medicaid program of the address change. Proactive Medicaid programs are working directly with health programs and medical facilities to ensure the most updated addresses are captured, and are using public transportation advertisements, online website reminders, and email notifications to encourage beneficiaries to update addresses.

In other locations with a high rate of unemployment in specific industries, Medicaid programs are working with identified outreach partners like unions and industry associations to communicate messaging of Medicaid benefits. Thousands of employees may have lost full-time employment during the pandemic and have returned to work with reduced hours and less benefits. As a sign of changing times, some programs are employing social media campaigns to connect with existing and new enrollees. 

Medicaid programs across the states and territories are finding creative ways to reach impacted communities. Program administrators are organizing staff and systems to be well positioned to undo the effects of the temporary policies. The dismantling of the two-plus years of PHE is expected to be performed within a 12-month period. As administrators eagerly anticipate the announcement of an extension or the pending PHE unwinding start date, one thing is certain: US states and territories are preparing to support an extensive population of Medicaid beneficiaries post pandemic.

BerryDunn is partnering with many states and territories to help ensure a successful unwind of temporary services and return to normal operations. If you would like to discuss how BerryDunn can support your needs, contact the Medicaid consulting team.
 

Article
How Medicaid programs are preparing for the operational challenges of the PHE unwinding

Read this if you are at a state Medicaid agency. 

As the end of the Public Health Emergency becomes more likely, much attention has been paid to the looming coverage cliff as state Medicaid agencies re-determine eligibility for their programs. The impacts can be mitigated in part by planning and taking proactive steps.

In the unsettling initial days of the COVID-19 Public Health Emergency (PHE), the Centers for Medicare and Medicaid Service (CMS) temporarily increased federal matching funds for state Medicaid programs. In exchange, states would suspend redeterminations of enrollees’ eligibility for the duration of the PHE. 

For Medicaid, states were in effect prohibited from disenrolling an individual from Medicaid programs. The result, according to CMS data, is 14.8 million more people were enrolled in Medicaid as of late 2021 than before the pandemic, reaching a total of nearly 79 million Medicaid enrollees.  According to one estimate, the end of the PHE could bring a decline in the number of Medicaid enrollees by as many as 15 million. This number includes an estimated 8.7 million adults and 5.9 million children. 

Local and state government eligibility staff will need to review the submitted documents and determine if these members qualify for continued Medicaid coverage. The potential exists for members to lose coverage, due to factors such as having moved, not realizing their circumstances have otherwise changed, or being unable or unaware to return the required paperwork within appropriate timeframes.

State Medicaid agencies strive to maintain an equitable program while remaining trusted stewards of public funds. With a large base of beneficiaries, this change is expected to impact the community and the healthcare market, with broad implications for public health. Similarly, the federal requirement for continuous health coverage has also helped state Medicaid agencies by easing the strain on organizations during pandemic-related disruptions. 

For these reasons state Medicaid agencies may search for routes to limit the loss of coverage. This can be accomplished through finding policy levers to retain members, establishing routes to alternative forms of insurance, and mitigating the risk of coverage loss for members. 

Mitigating the likelihood of becoming uninsured

State Medicaid agencies can reduce the risk that members lose their coverage and become uninsured through a number of steps. 

  • Designing comprehensive, multi-pronged, and targeted communication strategies. States can help Medicaid members understand the requirements and timelines required to maintain their coverage.
  • Updating systems to automate and reduce administrative burden. Maximizing ex parte renewals through the use of existing data that is stored in integrated systems.
  • Making key decisions early. States can minimize coverage loss by carefully planning the unwinding process and their approach to resuming Medicaid eligibility renewals.
  • Coordinating with other forms of coverage. Confirm or design user-friendly pathways by which a member is transferred or referred to other alternatives like the Marketplace or CHIP.
  • Leveraging their health plans. Particularly when it comes to coordinating outreach and updating member information. Managed care plans are also able to refer members who are losing coverage to other qualified health plans.

Policy levers for retaining members

States may consider reviewing emergency state plan amendments and appendix k amendments completed during the PHE to determine what flexibilities are possible to continue under existing authorities. At the same time, states should consider what other policy options may help retain coverage for existing members- for example:

  • Adopt 12 months continuous eligibility. This can be done for children via a State Plan Amendment (SPA), for adults through an 1115 waiver, and for individuals enrolled in BHP (via BHP Blueprint revision) 
  • Establish 12 months of postpartum coverage. This can be done through several paths, including SPAs 
  • Review operational policy for efficiencies. For example, a State could consider modifying the frequency of periodic data matching 

Next steps

The US Department of Health and Human Service has previously indicated its intention to provide notification to states of the end of the PHE 60 days before its scheduled end. The PHE was renewed in April 2022, and as of this writing will last until mid-July, meaning enrollees could lose Medicaid coverage as soon as August 1. The enhanced FMAP and the Maintenance of Eligibility (MOE) requirements are in place until the end of the quarter in which the PHE ends. In the case of a July 2022 end date to the PHE, the enhanced FMAP would last through September 30, 2022. 

Regardless, Medicaid agencies will need to begin reviewing all enrollees’ eligibility, performing outreach, and designing system updates this summer. In terms of next steps, states should consider the following:

  • Evaluate your program and identify initiatives to prioritize in the coming year. Ask your CMS contact about the latest applicable guidance. 
  • Develop Advanced Planning Documents (APDs) to help fund technology needs for initiatives, along with training your SMA team and providers. 
  • Implement a communications management approach to engage stakeholders, and inform affected Medicaid members.
  • Marshal project management resources and develop a realistic and achievable roadmap to success.  
  • Explore agency contracting vehicles, cooperative contracts, and other procurements tools. 

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the Medicaid consulting team.

Article
Medicaid coverage gap: Tools and strategies for Medicaid agencies to help retain members

Read this if you are a not-for-profit organization.

With springtime upon us, it may be difficult to start thinking about this upcoming fall, but that is exactly what many folks in the nonprofit sector are starting to do. The reason for this? It’s because 2022 brings with it the mid-term election cycle. While technically an off-year election, many congressional and gubernatorial races are being contested, in addition to a myriad of questions that will appear on ballots across the country. It is around this time of year we start to see many questions from clients in the nonprofit sector in the area of political campaign activities, lobbying (both direct and grassroots), and education/advocacy.

This article will discuss the three major types of activities nonprofit organizations may or may not undertake in this arena and will offer guidance to give organizations the vote of confidence they need to not run afoul of the potential pitfalls when it comes to undertaking these activities.

Political campaign activity

Political campaign activities include participating or intervening in any political campaign on behalf of (or in opposition to) any candidate for elective public office, be it at the federal, state, or local level. Examples of such activities include contributions to political campaigns as well as making public statements in favor of or in opposition to any candidate. The IRS explicitly prohibits section 501(c)(3) organizations from conducting political campaign activities, the consequence of doing so being loss of exempt status. However, other types of exempt organizations (such as 501(c)(4) organizations) are allowed to engage in such activities, so long as those activities are not the organization’s primary activity. Only Section 527 organizations may engage in political campaign activities as their primary purpose. 

Direct lobbying

Direct lobbing activities attempt to influence legislation by directly communicating with legislative members regarding specific legislation. Examples of direct lobbying include contacting members of Congress and asking them to vote for or against a specific piece of legislation.

Grassroots lobbying

Grassroots lobbying, on the other hand, attempts to influence legislation by affecting the opinions of the general public and include a call to action. Examples of grassroots lobbying include requesting members of the general public to contact their representatives to urge them to vote for or against specific legislation.  

A quick way to remember the difference:
Political = think “P” for People – advocating for or against a specific candidate 
Lobbying = think “L” for Legislation – advocating for or against a specific bill

Education/advocacy

Organizations may engage in activities designed to educate or advocate for a particular cause so long as it does not take a specific position. For example, telling members of Congress how grants helped constituents would be considered an educational activity. However, attempting to get a member of Congress to vote for or against specific piece of legislation that would affect grant funding would be considered lobbying. Another example would be educating or informing the general public about a specific piece of legislation. Organizations need to be mindful here as taking a specific position one way or the other would lend itself to the activity being deemed to be lobbying, and not merely education of the general public. There is no limit on how much education/advocacy activity a nonprofit organization may conduct.

Why does this matter?

As you can see, there is a very fine line between lobbying and education, so it is important to understand the differences so that an organization conducting educational activities does not inadvertently end up conducting lobbying activities.

Organizations exempt under Code Section 501(c)(3) can conduct only lobbying activities that are not substantial to its overall activities. A 501(c)(3) organization may risk losing its exempt status and may face excise taxes on the lobbying expenditures if it is deemed to be conducting excess lobbying, whereas section 501(c)(4), (c)(5), and (c)(6) organizations may engage in an unlimited amount of lobbying activity.

What is substantial?

Unfortunately, there is no bright line test for determining what is considered substantial versus insubstantial. As an industry standard, many practitioners have taken a position that insubstantial means five percent or less of total expenditures, but that position is not codified and could be challenged by the IRS. 

Section 501(c)(3) organizations that intend to conduct lobbying activities on a regular basis may want to consider making an election under Code Section 501(h). This election is only applicable to 501(c)(3) organizations and provides a defined amount of lobbying activity an organization may conduct without jeopardizing its exempt status or becoming subject to excise tax. The 501(h) election limit is based on total organization expenditures with a maximum allowance of $1 million for “large organizations” (defined as an organization with total expenditures over $17,000,000). 

While the 501(h) election provides some clarity as to how much lobbying activity can be conducted, it may be prohibitive for some organizations whose total expenditures greatly exceed the $17,000,000 threshold. Another item to be aware of is that the lobbying threshold applies to all members of an affiliated group combined, which means the entire group shares the maximum threshold allowed. 

Another option for those engaging in lobbying is to create a separate entity (such as a 501(c)(4) organization) which conducts all lobbying activities, insulating the 501(c)(3) organization from these activities. As previously mentioned, organizations exempt under Code Section 501(c)(4) can conduct an unlimited amount of lobbying activities but can only conduct limited political campaign activities.

What about political campaign activities?

Section 527 organizations, known as political action committees, are exempt organizations dedicated specifically to conducting political campaign activities. If a 501(c)(4), (c)(5), or (c)(6) organization makes a contribution to a 527 organization, it may be required to file a Form 1120-POL and be subject to tax at the corporate tax rate (currently a flat 21%) based on the lesser of the political campaign expenditures or the organization’s net investment income. State income taxes may also be applicable. Section 501(c)(3) organizations may not make contributions to 527 organizations. 

If your organization is considering participation in any of the above activities, we would recommend you reach out to your not-for-profit tax team for additional information. We’re here to help!

Article
Lobbying and politics and education, oh my!

Read this if you have a cybersecurity program.

This week President Joe Biden warned Americans about intelligence that indicated Russia may be preparing to conduct cyberattacks on our private sector businesses and infrastructure as retaliation for sanctions applied to the Russian government (and the oligarchs) as punishment for the invasion of Ukraine. Though there is no specific threat at this time, President Biden’s warning has been an ongoing message since the invasion began. There is no need to panic, but this is a great time to re-visit your current security controls. Focusing on basic IT controls goes can make a big difference in the event of an attack, as hackers tend to go after the easy, low hanging fruit. 

  1. Access controls
    Review and understand how all access to your networks is obtained by on-site employees, remote employees, and vendors and guests. Make sure that users are maintaining strong passwords and that no user is connecting remotely to any of your systems without some form of multi-factor authentication (MFA). MFA can come in the form of a token (in hand or built-in) or as one of those numerical codes you have delivered to your phone or email. Poor access controls are simply the difference between leaving your house unlocked versus locked when you leave to go somewhere. 
  2. Patching
    One of the most common audit findings we have to date and one of the biggest reasons behind successful attacks is related to unpatched systems. Software patches are issued by software providers to address vulnerabilities in systems that act as an unlocked door to a hacker, and allow hackers to leverage the vulnerability as a way to get into your systems. Ensuring your organization has a robust patch management program in place and that systems are up-to-date on needed patches is critical to your security operations. Think of an unpatched system like a car with a broken window—sure the door is locked, but any thief can reach through the broken window and unlock the car. 
  3. Logging 
    Account activity, network traffic, system changes—these are all things that can be easily logged and with the right tools, configured to alert you to suspicious activity. Logging that is done correctly can alert management to suspicious activity occurring on your network and notifies your security team to investigate the issue. Consider logging and alerting like your home’s security camera. It may alert you to the activity outside, but someone still needs to review the footage and react to it to mitigate the threat.  
  4. Test backups and more
    Making sure that your systems are successful backed up and kept separate from your production systems is a control we are all familiar with. Organizations should do more than just make sure their backups are performed nightly and maintained, but need to make sure that those data backups can be restored back to a useable state on a regular basis. More so than backups, we also often hear in the work we do that our client’s test only parts of their disaster recovery and failover plans—but have never tested a full-scale fail-over to their backup systems to determine if the failover would be successful in the event of an event or disaster. Organizations shouldn’t be scared to do a full-scale failover test, because when the time comes, you may not have the option to do a partial failover and just hope that it occurs successfully. Not testing your backups is like not test driving a car before you buy it. Sure it looks nice in the lot, but does it actually run? 
  5. Incident Management Plan 
    We often review Incident Management Plans as part of the work we do, and often note that the plans are outdated and contain incorrect information. This is an ideal time to make sure your plans are current and reflect changes that may have occurred, like your increasingly remote work force, or that systems have changed. An outdated Incident Management Plan is like being sick and trying to call your doctor for help only to find out your doctor has retired. 
  6. Training—phishing attacks
    Hackers’ most common approach to gain access to systems and deploy crippling ransomware attacks is through phishing campaigns via email. Phishing campaigns trick a user into either providing the hacker with credentials to log into systems or to download malware that could turn into ransomware through what appears to be legitimate business correspondence. Training end-users on what to look for in verifying an email’s authenticity is critical and should be seen as an opportunity that benefits the entire organization. Testing users is also critical so management understands the current risk and what is needed for additional training. Security teams should also have other supporting controls to help prevent phishing emails and detection tools in place in case a user does fall for an email. Not training your employees on security is like not coaching your little league team on how to play baseball and then being surprised you didn’t win the game because no one knew what to do. 

In the current environment, information security is an asset to any organization and needs to be supported so that you can protect your organization from cyberattacks of all kinds. While we can never guarantee that having controls in place will prevent an attack from occurring, they make it a lot more challenging for the hacker. One more analogy, and then I’m done, I promise. Basic IT controls are like speedbumps in a neighborhood. While they keep most people from speeding (and if you hit them too fast they do a number on your car), you can still get over them with enough motivation. 

If you have questions about your cybersecurity controls, or would like more information, please contact our IT security experts. We’re here to help.

Article
Cyberattack preparation: A basics refresher

Read this if you are interested in grant compliance in healthcare. 

This is a companion article to the podcast, Mitigating the compliance and revenue integrity risk of grant funded healthcare programs.

The BerryDunn Healthcare Practice Group boasts professionals who have expertise all across the spectrum of healthcare, including regulatory, revenue, integrity, general compliance, and risk management issues. This article covers the very specific arena of grant compliance affecting many of BerryDunn’s healthcare, not-for-profit, and government clients.

After starting as a newly minted MBA financial analyst with an academic medical center in Northern New England, I (Markes) worked my way into the world of grants and contracts supported by my interest in federal regulations and the non-clinical revenue streams. Fascinated to navigate through waters where it seemed no one was the expert, or really had the time or patience to figure things out, I worked to stand up a grant office in finance on the hospital side, separate from the medical school which was the usual repository for grant funding. We moved this direction because hospital leadership realized grant funding was tipping toward the clinical setting and was less focused on bench or clinical research. Put another way, less NIH and more CDC, HRSA, and CMS.

BerryDunn Senior Manager Regina Alexander advises, “wherever there is complexity, there is compliance risk.” Whether from a federal agency like HHS, HRSA, NIH, or CDC, a state Medicaid program, foundation, or private source, grants always come with requirements, typically very specific requirements. Because the dollars are being ‘given’, those requirements for how the funds are used may be much more restrictive than loans.

Like other areas of regulatory compliance, it is reasonable to assume that grant programs often have compliance gaps that go unnoticed. For many of our clients, both in healthcare and not-for-profit, and in the government space, grant revenue has become a significant source of funding. Any kind of healthcare delivery organization, including academic medical centers, federally qualified health centers, community hospitals, behavioral health service organizations, home health providers, visiting nurse associations, and others can end up with significant portions of their income for the year being sourced by federal grants.

Grant compliance categories

We all can’t be experts in every domain of regulatory compliance, and grant compliance has a lot of breadth. Thankfully, at BerryDunn, we have a team of grant experts who work collaboratively across practice groups. When I was working on setting up the grant office and establishing a proprietary clinical FTE reporting process and system earlier in my career, I would have greatly benefited from the perspectives of other experts at the table.

When we think about grant compliance, four categories are helpful to keep in mind:

  1. Restricted funding
  2. Single audit
  3. Indirect rate
  4. Time and effort

Restricted funding

Firstly, and most universally understood and applied is that grant monies are, pretty much by definition, restricted. Aside from very specific and rare instances of monies being granted to beneficiaries who have no responsibility, all grant funding is awarded with the expectation that the funds will be expended in a specific way. 

Any funder, from the federal government to your local community organization like the Lions Club or the VFW, will likely require individuals and entities awarded a grant must promise to use the funds only for the purpose laid out in the award and proposal. Compliance with grant terms typically includes following the requested reporting requirements of that funder as well. Though this category may sound obvious, it's actually pretty far-reaching, as it usually affects sub-recipients (those entities who are partnered with the direct recipient to accomplish the grant purpose). For example, where the money goes after the initial awardee receives it, or rules about who can do the work, what type of organization, how you choose a vendor, etc.—all sorts of categories.

It should be noted that many of these grant award requirements are not dissimilar from work we already do in the healthcare compliance space to assist our clients in avoiding anti-kickback statutes and Stark risks. This is because grant compliance is grounded in the same basic concepts—no favoritism, no bribes or shady deals, and avoiding fraud, waste, and abuse. Especially if you're spending federal monies, you need to prove that you choose the vendor based on verifiable best practices, and consideration was afforded to organizations owned by women, veterans, and minorities.

Single audit 

The second category, Single Audit, is applicable to all federal funding of $750,000 or more annually. My colleague from BerryDunn’s Not-for-Profit practice group, Katie Balukas, explains: 

"The federal Single Audit Act is a requirement for entities to undergo an independent financial and compliance audit when the entity has expended over $750,000 in federal awards. These audits are conducted following guidance issued through the Governmental Auditing Standards and the United States Office of Management and Budgets' Uniform Guidance. The main focus of the compliance audit is to assess the entity's compliance with the requirements set forth by the federal agency that administered the grant funds. That includes, but is not limited to determining if the funds were utilized for allowable costs and activities and expanded within the proper grant period and that the reporting and performance objectives were met."

It is important to note that adequate, appropriately scaled internal resources are essential for any organization receiving grants and even more so with larger grants. Though the phrase has been overused, it really does “take a village”. Grant management isn't something an organization should do on the side, assigning grant accounting to someone who already has a full-time role, but unfortunately this is common and also unfortunate because under resourcing tends to lead to compliance concerns, as well as just plain old poor funding management. 

Indirect rate

Speaking of funding, the third type of grant compliance is very focused on a component of the grant world that really has a life of its own: The indirect rate. Though there is an accounting definition of ‘indirect’, the way it is defined regarding grant funding is pretty specific, and there is an entire body of work organizations undertake to get a federally approved indirect rate.

There's an awful lot to think about with the indirect rate. On the one hand, you could say it's pretty simple. For example, a lot of foundation funders and even some federal funders will offer you a 5% or 10% indirect rate without any need to make a calculation. That's because they know that if you take time to do the math, you'll come up with a number much higher than 5% or 10%. When it comes to federal grants and healthcare services organizations, the indirect rate is dependent on how an organization measures costs. For hospitals, of course, the method of measurement is driven by the Medicare cost report, and that's where we would do the fancy math to derive the indirect rate. But the reality is far from simple or straightforward. 

Time and effort

The fourth and final area of grant compliance, time and effort, is also the one I'm actually most passionate about and is probably the most minimized, or at the very least, misapplied. 

In one way, “time & effort” is exactly what it sounds like. Much of granted dollars, especially from the federal government, get appropriately spent on program staff. The challenge is to match time and effort to those dollars, but that isn't as clear as it sounds, because the standard way of measuring staff time is usually in a payroll system of some sort, which can't prove how time was spent.

Most payroll systems can be programmed to account for FTE (full-time equivalent) allocations; however, there is often a breakdown between theory and practice. Putting allocations into payroll, usually done without employee interaction, may show how an employee “should” spend their time, but it is really no guarantee that that's actually how they're spending their time.

So how does the organization typically go about assuring that? Now, I don't want to speak for everyone, but let's just say I happen to know that there's a place for two or three (or maybe 10,000) that basically put allocations into payroll, and then, unfortunately, often well after the fact and/or more than once, send that allocation to the employee to sign off on without really any option to disagree, or even to modify. We all know that is not compliant…but in the organization's defense, there really haven't been very good alternatives to that kind of woeful and frustrating process, at least none that have been widely shared or understood.

As often is the case in the compliance world, rules are not followed because there is no perceived risk, but that is not a winning strategy.

Though many people involved in grant management do not have any experience or even knowledge of time and effort violations meeting with any consequences, organization interest and grant compliance have more implications than just preventing front page news. What I find in the conversations with organizations, both large and small, is that loose time and effort management costs the organization in two major ways. 

Firstly, it is inefficient to scramble around at the close of each federal grant to fix time and effort allocations. The extra time spent by grant staff, project coordinators, managers, and the finance team to sort things out because they didn't get them right the first time is the worst kind of inefficient—poor use of time with an equally poor outcome. 

Secondly, loose time and effort is costly in direct salary dollars. Most grant staff are not dedicated to one project, so we need to consider the value of their other work. Whether that is on other grants or, for example, seeing patients in the clinic as many principal investigators in healthcare do, having inaccurate or fluctuating understandings of their ability costs the organization directly in wasted salary dollars or indirectly as the opportunity cost of those providers (or other roles in other organizations). 

Digging in and fixing these issues is the work I really enjoy. It's relatively simple to build a compliant model, whether that requires very little payroll redo and is just a simple recurring attestation process in built in Excel, or more complex integrated models with triggered attestations in PDF format in a database that manages the overall FTE of principal investigators. It might even drive the available clinical provider time. It can all be done. We just need to know what the goal is. 

Working in this space so rewarding, because like so much of compliance, it's about doing something better—not just being compliant—but setting organizations up to better meet their goals and fulfill their mission.

The compliance or accounting professional might still ask, “But why aren’t payroll allocations sufficient for meeting Uniform Guidance?” The truth is, when UG came into effect and superseded the A-110, 122, 133, and others, the bar was effectively lowered. Historically, organizations abiding by the old OMB circulars had to make an attestation at least twice a year, which doesn’t really seem helpful, as who can accurately allocate their time from 5 or 6 months ago? So UG did away with the timeframe reference, relying on the idea that the payroll allocations and distributions would be all that would be needed, and in the absence of those, a monthly ‘look back’ by professional staff would be in order.

I say all this, because as a result, the interpretation of ‘payroll allocations’ then becomes the standard and we have forgotten about the other elements spoken of in the regulation. Remember, for anyone salaried (the vast majority of physicians and most of the higher level grant personnel), the ‘payroll allocation’ doesn’t pass muster. It is a static allocation that has no mooring in actual activity. This is why UG calls for monthly “current and reasonable estimates” of time and effort.

So what can organizations do in response? They need to seek a solution, a process, and a method that will both pass audit muster, as well as help the organization properly manage their resources. Almost every organization manages their productivity and finances on a regular basis: monthly! That’s why the same standard should apply to grant time and effort management. It's much more reasonable to ask you how you spent your effort this month, asking you to make a reasonable estimate of your time allocations to the different efforts you worked on.

So to summarize, the four key areas of grant compliance are (1) grants are restricted funding, (2) single audit requirement for federal funding over $750,000 annually, (3) the indirect rate and related agreement, and (4) time and effort.

Of course, I would be remiss to not point out that undergirding all this is the organization’s approach to policy. Any organization that considers grant funding a regular piece of their annual income needs to have dedicated grant management policies, covering all of the above topics, with particular focus on those arenas that are unique to the world of federal funding, and being mindful to follow or otherwise update for changes in processes and/or regulations.

Final takeaways: 

  • First, what grant focused infrastructure do you have in place? If you are subject to a single audit, there should be dedicated administrative grant staff. And I don’t mean the programmatic people actually working on the grant, but people outside the grant funding—also why you have an indirect rate. 
  • Second, how are you handling time and effort? If the process relies on any long after-the-fact attestations or payroll-generated reporting, it is unlikely to be truly following the spirit…or the letter…of Uniform Guidance. 
  • Third, review your policies regarding grants. You may not actually have policies focused on grant activities, leaving them under ‘general finance’. That isn’t sufficient to cover federal funding requirements. Many have grant policies in place, but are they actually being followed through the lifecycle of your grant programs? 
  • Lastly, the grant world is a whole ball game unto itself. BerryDunn has some great resources internally to offer assistance in all phases of grant management and administration. 
Article
Mitigating risk of grant funded healthcare programs

Read this if you are at a public health agency.

As public health workforce challenges worsen through retirements, burnout, and added need for public health workers highlighted by the COVID-19 pandemic, funding levels for public health remain increased for the time being. This provides opportunities for states to leverage federal programs and funding streams to help ensure a strong and capable public health workforce to meet the needs of all communities. An important consideration for states is the level of cultural competence among their public health workforce.

Cultural competence: Definition and benefits

Cultural competence refers to the capacity to function effectively, both as an individual and an organization, in relation to community members’ cultural beliefs, behaviors, and needs. It allows public health professionals to provide more effective public health services to individuals and communities with cultures different from their own—through awareness, respect, and willingness to learn about cultural differences. The necessity of cultural competence in public health is especially timely due to new and existing disparities that have been highlighted by COVID-19 outcomes and the ripple effects of the pandemic.

Benefits of a culturally competent public health workforce include greater public trust in the public health system, more equitable and effective public health services, improved understanding of existing barriers and community health status, and the potential to reduce disparities and improve both healthcare access and health outcomes in historically marginalized communities.

As many states face significant workforce gaps and challenges in recruiting, training, and retaining staff, it is important to leverage best practices and key indicators of success to inform a sustainable and effective approach for workforce development. States may benefit from assessing gaps in cultural competence and related skills, and by identifying specific cultural competency areas and abilities they aim to achieve in the workforce. A strategic approach is necessary for maximizing the sustainability and long-term benefit of federal funding opportunities, such as those for public health workforce development in rural areas. 

Strategies and best practices for developing a culturally competent public health workforce 

There are many steps you can take toward building cultural competence in your agency. Some of them include:

  • Develop and implement a periodic assessment of workforce cultural competence, and training to measure improvement and incorporate up-to-date best practices
  • Recruit diverse staff to reflect the culture and demographics of communities, including the provision of linguistic support
  • Create and improve pipeline training programs by collaborating with local colleges, universities, and schools of public health and identifying existing gaps in the workforce and in public health educational opportunities 
  • Support inter-professional education and teams for community-based interventions, to foster collaboration between public health and healthcare professionals in the community to better meet needs 

Important first steps to improve and foster cultural competence in the public health workforce include setting goals related to building community partnerships and what those partnerships will achieve. 

Other steps for building cultural competence 

Additionally, collecting diversity data and demographic characteristics of the public health workforce, measuring and evaluating performance of the public health workforce and public health services, and reflecting community diversity within the workforce are necessary for developing a workforce that supports community cohesion and trust of community members. These steps can help you assess where you can strengthen services and how communities can be better reflected in the public health services they receive. Effective communication and language access are also critical steps to improve and foster cultural competence in the public health workforce.

BerryDunn can provide state public health and human services agencies with strategic policy and programmatic guidance and management support to maximize the benefits of federal programs to facilitate public health workforce development. 

If you have any questions about your specific situation, or would like more information, please contact our Public Health Consulting team. We’re here to help.

Article
Developing a culturally competent public health workforce