Skip to Main Content

insightsarticles

Hospital price transparency compliance: It's a team sport

08.05.25

Executive Order (EO) 14221 released on February 25, 2025, directed the Secretaries of Labor, Health and Human Services (HHS), and the Treasury to implement changes to improve implementation and increase enforcement of the hospital price transparency (HPT) rule. On May 22, 2025, the agencies announced progress in implementing the EO, including issuance of a request for information (RFI), as well as providing updated guidance regarding requirements for machine readable files. 

HPT enforcement 

An HHS Office of Inspector General (OIG) audit report released in November 2024 estimated only 46% of hospitals were in compliance with HPT rule requirements. While the HHS OIG noted a variety of issues with shoppable services requirements, the most common areas of non-compliance observed related to the machine readable file (MRF), including: 

  • Failing to update the file annually 

  • Lack of appropriate naming conventions 

  • Providing negotiated charges by payer/plan

Civil monetary penalties (CMP) for HPT non-compliance range from $300 to $5,500 per day, depending on hospital bed count. From 2021 – 2024, CMS issued CMP notices totaling approximately $5 million.  

Based on reports from our clients and anecdotes shared by compliance and finance colleagues and from presenters at recent conferences, HPT-related complaints from patients have remained minimal, whereas the pace of CMS non-compliance warning letters has increased. 

Practical tips for HPT compliance 

The risks related to non-compliance with HPT rules can be mitigated through a multidisciplinary team approach, establishing accountability, and engaging external resources to fill gaps in expertise. 

  • Making certain to include the functions with an HPT role, such as finance, revenue cycle, revenue integrity, compliance, IT, and payer contracting 

  • Considering the vendor as part of the team if any aspect of HPT rule compliance is outsourced 

  • Designating an internal resource to monitor and advise your team on HPT-related announcements from regulators and CMS enforcement activity 

  • Linking chargemaster/CDM and fee schedule updates to MRF and shoppable services maintenance activities supports compliance with multiple HPT requirements 

  • Adding HPT-related audit items to the compliance work plan to demonstrate internal oversight 

BerryDunn’s healthcare compliance team incorporates deep, hands-on knowledge with industry best practices to help your organization manage compliance and revenue integrity risks. Learn more about BerryDunn’s team and services. 

Related Industries

Related Services

Consulting

Business Advisory

Related Professionals

Leaders

Read this if you are interested in grant compliance in healthcare. 

This is a companion article to the podcast, Mitigating the compliance and revenue integrity risk of grant funded healthcare programs.

The BerryDunn Healthcare Practice Group boasts professionals who have expertise all across the spectrum of healthcare, including regulatory, revenue, integrity, general compliance, and risk management issues. This article covers the very specific arena of grant compliance affecting many of BerryDunn’s healthcare, not-for-profit, and government clients.

After starting as a newly minted MBA financial analyst with an academic medical center in Northern New England, I (Markes) worked my way into the world of grants and contracts supported by my interest in federal regulations and the non-clinical revenue streams. Fascinated to navigate through waters where it seemed no one was the expert, or really had the time or patience to figure things out, I worked to stand up a grant office in finance on the hospital side, separate from the medical school which was the usual repository for grant funding. We moved this direction because hospital leadership realized grant funding was tipping toward the clinical setting and was less focused on bench or clinical research. Put another way, less NIH and more CDC, HRSA, and CMS.

BerryDunn Senior Manager Regina Mathieson advises, “wherever there is complexity, there is compliance risk.” Whether from a federal agency like HHS, HRSA, NIH, or CDC, a state Medicaid program, foundation, or private source, grants always come with requirements, typically very specific requirements. Because the dollars are being ‘given’, those requirements for how the funds are used may be much more restrictive than loans.

Like other areas of regulatory compliance, it is reasonable to assume that grant programs often have compliance gaps that go unnoticed. For many of our clients, both in healthcare and not-for-profit, and in the government space, grant revenue has become a significant source of funding. Any kind of healthcare delivery organization, including academic medical centers, federally qualified health centers, community hospitals, behavioral health service organizations, home health providers, visiting nurse associations, and others can end up with significant portions of their income for the year being sourced by federal grants.

Grant compliance categories

We all can’t be experts in every domain of regulatory compliance, and grant compliance has a lot of breadth. Thankfully, at BerryDunn, we have a team of grant experts who work collaboratively across practice groups. When I was working on setting up the grant office and establishing a proprietary clinical FTE reporting process and system earlier in my career, I would have greatly benefited from the perspectives of other experts at the table.

When we think about grant compliance, four categories are helpful to keep in mind:

  1. Restricted funding
  2. Single audit
  3. Indirect rate
  4. Time and effort

Restricted funding

Firstly, and most universally understood and applied is that grant monies are, pretty much by definition, restricted. Aside from very specific and rare instances of monies being granted to beneficiaries who have no responsibility, all grant funding is awarded with the expectation that the funds will be expended in a specific way. 

Any funder, from the federal government to your local community organization like the Lions Club or the VFW, will likely require individuals and entities awarded a grant must promise to use the funds only for the purpose laid out in the award and proposal. Compliance with grant terms typically includes following the requested reporting requirements of that funder as well. Though this category may sound obvious, it's actually pretty far-reaching, as it usually affects sub-recipients (those entities who are partnered with the direct recipient to accomplish the grant purpose). For example, where the money goes after the initial awardee receives it, or rules about who can do the work, what type of organization, how you choose a vendor, etc.—all sorts of categories.

It should be noted that many of these grant award requirements are not dissimilar from work we already do in the healthcare compliance space to assist our clients in avoiding anti-kickback statutes and Stark risks. This is because grant compliance is grounded in the same basic concepts—no favoritism, no bribes or shady deals, and avoiding fraud, waste, and abuse. Especially if you're spending federal monies, you need to prove that you choose the vendor based on verifiable best practices, and consideration was afforded to organizations owned by women, veterans, and minorities.

Single audit 

The second category, Single Audit, is applicable to all federal funding of $750,000 or more annually. My colleague from BerryDunn’s Not-for-Profit practice group, Katie Balukas, explains: 

"The federal Single Audit Act is a requirement for entities to undergo an independent financial and compliance audit when the entity has expended over $750,000 in federal awards. These audits are conducted following guidance issued through the Governmental Auditing Standards and the United States Office of Management and Budgets' Uniform Guidance. The main focus of the compliance audit is to assess the entity's compliance with the requirements set forth by the federal agency that administered the grant funds. That includes, but is not limited to determining if the funds were utilized for allowable costs and activities and expanded within the proper grant period and that the reporting and performance objectives were met."

It is important to note that adequate, appropriately scaled internal resources are essential for any organization receiving grants and even more so with larger grants. Though the phrase has been overused, it really does “take a village”. Grant management isn't something an organization should do on the side, assigning grant accounting to someone who already has a full-time role, but unfortunately this is common and also unfortunate because under resourcing tends to lead to compliance concerns, as well as just plain old poor funding management. 

Indirect rate

Speaking of funding, the third type of grant compliance is very focused on a component of the grant world that really has a life of its own: The indirect rate. Though there is an accounting definition of ‘indirect’, the way it is defined regarding grant funding is pretty specific, and there is an entire body of work organizations undertake to get a federally approved indirect rate.

There's an awful lot to think about with the indirect rate. On the one hand, you could say it's pretty simple. For example, a lot of foundation funders and even some federal funders will offer you a 5% or 10% indirect rate without any need to make a calculation. That's because they know that if you take time to do the math, you'll come up with a number much higher than 5% or 10%. When it comes to federal grants and healthcare services organizations, the indirect rate is dependent on how an organization measures costs. For hospitals, of course, the method of measurement is driven by the Medicare cost report, and that's where we would do the fancy math to derive the indirect rate. But the reality is far from simple or straightforward. 

Time and effort

The fourth and final area of grant compliance, time and effort, is also the one I'm actually most passionate about and is probably the most minimized, or at the very least, misapplied. 

In one way, “time & effort” is exactly what it sounds like. Much of granted dollars, especially from the federal government, get appropriately spent on program staff. The challenge is to match time and effort to those dollars, but that isn't as clear as it sounds, because the standard way of measuring staff time is usually in a payroll system of some sort, which can't prove how time was spent.

Most payroll systems can be programmed to account for FTE (full-time equivalent) allocations; however, there is often a breakdown between theory and practice. Putting allocations into payroll, usually done without employee interaction, may show how an employee “should” spend their time, but it is really no guarantee that that's actually how they're spending their time.

So how does the organization typically go about assuring that? Now, I don't want to speak for everyone, but let's just say I happen to know that there's a place for two or three (or maybe 10,000) that basically put allocations into payroll, and then, unfortunately, often well after the fact and/or more than once, send that allocation to the employee to sign off on without really any option to disagree, or even to modify. We all know that is not compliant…but in the organization's defense, there really haven't been very good alternatives to that kind of woeful and frustrating process, at least none that have been widely shared or understood.

As often is the case in the compliance world, rules are not followed because there is no perceived risk, but that is not a winning strategy.

Though many people involved in grant management do not have any experience or even knowledge of time and effort violations meeting with any consequences, organization interest and grant compliance have more implications than just preventing front page news. What I find in the conversations with organizations, both large and small, is that loose time and effort management costs the organization in two major ways. 

Firstly, it is inefficient to scramble around at the close of each federal grant to fix time and effort allocations. The extra time spent by grant staff, project coordinators, managers, and the finance team to sort things out because they didn't get them right the first time is the worst kind of inefficient—poor use of time with an equally poor outcome. 

Secondly, loose time and effort is costly in direct salary dollars. Most grant staff are not dedicated to one project, so we need to consider the value of their other work. Whether that is on other grants or, for example, seeing patients in the clinic as many principal investigators in healthcare do, having inaccurate or fluctuating understandings of their ability costs the organization directly in wasted salary dollars or indirectly as the opportunity cost of those providers (or other roles in other organizations). 

Digging in and fixing these issues is the work I really enjoy. It's relatively simple to build a compliant model, whether that requires very little payroll redo and is just a simple recurring attestation process in built in Excel, or more complex integrated models with triggered attestations in PDF format in a database that manages the overall FTE of principal investigators. It might even drive the available clinical provider time. It can all be done. We just need to know what the goal is. 

Working in this space so rewarding, because like so much of compliance, it's about doing something better—not just being compliant—but setting organizations up to better meet their goals and fulfill their mission.

The compliance or accounting professional might still ask, “But why aren’t payroll allocations sufficient for meeting Uniform Guidance?” The truth is, when UG came into effect and superseded the A-110, 122, 133, and others, the bar was effectively lowered. Historically, organizations abiding by the old OMB circulars had to make an attestation at least twice a year, which doesn’t really seem helpful, as who can accurately allocate their time from 5 or 6 months ago? So UG did away with the timeframe reference, relying on the idea that the payroll allocations and distributions would be all that would be needed, and in the absence of those, a monthly ‘look back’ by professional staff would be in order.

I say all this, because as a result, the interpretation of ‘payroll allocations’ then becomes the standard and we have forgotten about the other elements spoken of in the regulation. Remember, for anyone salaried (the vast majority of physicians and most of the higher level grant personnel), the ‘payroll allocation’ doesn’t pass muster. It is a static allocation that has no mooring in actual activity. This is why UG calls for monthly “current and reasonable estimates” of time and effort.

So what can organizations do in response? They need to seek a solution, a process, and a method that will both pass audit muster, as well as help the organization properly manage their resources. Almost every organization manages their productivity and finances on a regular basis: monthly! That’s why the same standard should apply to grant time and effort management. It's much more reasonable to ask you how you spent your effort this month, asking you to make a reasonable estimate of your time allocations to the different efforts you worked on.

So to summarize, the four key areas of grant compliance are (1) grants are restricted funding, (2) single audit requirement for federal funding over $750,000 annually, (3) the indirect rate and related agreement, and (4) time and effort.

Of course, I would be remiss to not point out that undergirding all this is the organization’s approach to policy. Any organization that considers grant funding a regular piece of their annual income needs to have dedicated grant management policies, covering all of the above topics, with particular focus on those arenas that are unique to the world of federal funding, and being mindful to follow or otherwise update for changes in processes and/or regulations.

Final takeaways: 

  • First, what grant focused infrastructure do you have in place? If you are subject to a single audit, there should be dedicated administrative grant staff. And I don’t mean the programmatic people actually working on the grant, but people outside the grant funding—also why you have an indirect rate. 
  • Second, how are you handling time and effort? If the process relies on any long after-the-fact attestations or payroll-generated reporting, it is unlikely to be truly following the spirit…or the letter…of Uniform Guidance. 
  • Third, review your policies regarding grants. You may not actually have policies focused on grant activities, leaving them under ‘general finance’. That isn’t sufficient to cover federal funding requirements. Many have grant policies in place, but are they actually being followed through the lifecycle of your grant programs? 
  • Lastly, the grant world is a whole ball game unto itself. BerryDunn has some great resources internally to offer assistance in all phases of grant management and administration. 
Article
Mitigating risk of grant funded healthcare programs

Read this if your organization has to comply with HIPAA.

We have been monitoring HHS Office for Civil Rights (OCR) settlements as part of the HIPAA Right of Access Initiative (16 settlements and counting) and want to dispel some myths about HIPAA enforcement. Myths can be scary. It would be pretty frightening to run into Bigfoot while taking a stroll through the woods, but sometimes myths have the opposite effect, and we become complacent, thinking Bigfoot will never sneak up behind us. He’s just a myth, right?

As we offer our top five HIPAA myths, we invite you to decide whether to address gaps in compliance now, or wait until you are in the middle of the woods, facing Bigfoot, and wondering what to do next.

Myth #1: OCR doesn’t target organizations like mine.

The prevailing wisdom has been that the Office for Civil Rights only pursues settlements with large organizations. As we review the types of organizations that have been targeted in the recent past, we find that they include social services/behavioral health organizations, more than one primary care practice, a psychiatric medical group practice, and a few hospital/health systems. With settlements ranging from $10,000 to $200,000 plus up to two years of monitoring by the OCR, can you really afford to take a chance?

Myth #2: I have privacy policies, procedures, and training protocols documented, so I’m all set if OCR comes calling.

Are you really all set? When did you last review your policies and procedures? Are you sure what your staff actually does is HIPAA compliant? If you don’t regularly review your policies and procedures and train your staff, can you really say you’re all set?

Myth #3: HIPAA gives me 30 days to respond to a patient request, so it’s ok to wait to respond.

Did you try to ship a package during the 2020 holiday season? If so, do you remember checking your tracking number daily to see if your gift was any closer to its destination? Now imagine it was your health records you were waiting for. Frustration builds, goodwill wanes, and you start looking for a higher authority to get involved. 

And beware: if proposed Privacy Rule changes to HIPAA are finalized, the period of time covered entities will have to fulfill patient requests will be reduced from 30 to 15 days.

Myth #4: If I ignore the problem, it will go away.

Right of Access settlement #10 dispels this myth: A medical group was approached by OCR to resolve a complaint in March 2019. Then again in April 2019. This issue was not resolved until October 2020. Now, in addition to a monetary settlement, the group’s Corrective Action Plan (CAP) will be monitored by the OCR for two years. That’s a lot of time, energy, and money that could have been better spent if they worked to resolve the complaint quickly.

Myth #5: OCR will give me a “get out of jail free” card during the pandemic.

As one of our co-workers said, “Just because they are looking aside does not mean they are looking away.” The most recent settlement we have seen to OCR’s Right of Access Initiative was announced February 10, 2021, showing that the initiative is still a priority despite the pandemic.

Are you ready to assess or improve your compliance with HIPAA Right of Access rules now? Contact me and I will help you keep OCR settlements at bay. 

Article
Debunking the myths of HIPAA: Five steps to better compliance

Nearly every type of business relies on external service providers to help keep operations running smoothly and to provide customers, clients, or patients with high-quality service and care. Whether it’s a cloud-based accounting or HR system, an outsourced medical billing provider, a financial services core system, or an investment management application, service providers can make your job easier and more efficient. But remember: You can outsource operational functions, but you cannot outsource responsibility.

Effective oversight of service provider vendors is essential for managing risk and potential adverse impacts to your reputation. For instance, patients don’t care that it was a third-party who didn’t patch a server that gave hackers access to their personal data; they care their data was exposed and they hold you, as the service provider, responsible for lack of oversight of your contracted third party (sub-service organization). Unlike functions that are performed in-house, when services are outsourced, you may have limited information on hand and less control over the process. A System and Organizational Controls (SOC) report can be an invaluable tool in helping you gain confidence about the controls at your service providers.

What is a SOC report?

A SOC report is a way to verify that an organization has designed sufficient controls and that those controls are in place and operating effectively. These controls are typically related to organization and management, operations, logical security, networking, access, application processing, privacy, and availability. These controls are tested for operating effectiveness by independent third-party auditors. Any exceptions are identified in the SOC report and may vary by severity from a report qualification to a minor issue. Based on the type of SOC report (explained below), it is up to you as a service organization to determine the impact on your business and customers of any noted exceptions and to act accordingly.

Which SOC report should you request?

There are primarily two different types of SOC reports. It is important to understand these types so that your organization can obtain the most relevant report to address your reporting and vendor due diligence needs. You may also have a need to require both reports from a service provider, which is very common.

  • SOC 1: Reports on controls at a service organization that may be relevant to user entities’ internal control over financial reporting. These would be ideal for organizations whose service organization provides a service that would impact financial reporting (ask yourself: Is the service provided impactful to your financial statements?)
    • Type 1: A design of controls report. This option evaluates and reports on the design of controls put into operation at a point in time. You can think of this as a “kicking the tires” report.
    • Type 2: Includes the design and testing of controls to report on the operational effectiveness of controls over a period of time. This is more of a “deep dive” report.
  • SOC 2: The purpose is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, or privacy. The SOC 2 has predefined criteria in which the service organization identifies internal controls they need to address the criteria. A SOC 2 audit is more prescriptive than a SOC 1.

It is not uncommon for service organizations, especially larger ones, to have many SOC reports covering many specific functions and systems. They may also have a SOC 1 and SOC 2 report for the same function or system. A SOC 1, Type 2 report is more valuable than a SOC 1, Type 1 report since it tests the operational effectiveness of controls over a period of time. A financial statement auditor will likely want to see a SOC 1, Type 2 report. Type 1 reports are typically done the first time a service organization undergoes a SOC exam, with the expectation that in subsequent years, a Type 2 report will be issued.

When should you request a SOC report?

Not all service providers need to be treated equally from a monitoring perspective. Perform a periodic risk assessment to determine how risky a service provider is to your organization. This risk assessment should consider items such as:

  • What functions are they providing to your organization?
  • Is the service organization’s service material to your financial statements?
  • Does the service organization have access to your systems and data?
  • Does the service organization have access to, process, manage, and maintain customer personally identifiable information (PII) or credit card information?
  • Have there been issues with this vendor in the past, including through review of their SOC report?

This risk assessment will drive the level of monitoring needed on an ongoing basis, including if review of a SOC report is necessary, and the frequency of this review.

How to conduct and document a SOC report review

For those service providers in which SOC reports will be reviewed, make sure you have a consistent review process that is followed each time. BerryDunn has a review checklist available on our website to ensure your review is consistent and captures the salient items. 

When you receive a SOC report, it should be thoroughly reviewed and documented, including the date of the review and who performed it. More so than reviewing the SOC report, you must also review user control considerations (UCCs). UCCs are controls that the service organization had included in the report as critical to the internal control cycle and are the responsibility of you, as their customer. The UCCs should be reviewed and determined if they are applicable to the services you receive from the service organization, and if they are, you should determine that controls are in place and should be tested internally for operating effectiveness.

There are certain items within a SOC report we recommend that you review and document:

  • System or function covered: Make sure the SOC report covers the function or system pertinent to your organization.
  • Type of report: Is it a SOC 1 or SOC 2? If a SOC 1, is it a Type 1 or Type 2?
  • Period covered in the report: What period does the report cover? If being used for a financial statement audit, is a bridge letter needed?
  • Service auditor: Who is the service auditor? Are they reputable, qualified, and independent from the service provider?
  • Opinion: Review the service auditor’s report. What opinion was provided? Were there any opinion exceptions?
  • Subservice organizations: Does the service provider rely on any third-party service providers?
  • Control objectives: Review the controls pertinent to your organization. Were there any testing exceptions identified?

The use of service providers, for most organizations, is unavoidable. It is important to have a thorough process to monitor these service providers to help ensure they don’t adversely impact your organization’s operations. Requesting and reviewing SOC reports from your service providers is one effective due diligence mechanism. We hope you will find our SOC review checklist helpful and, to learn more, please watch our video on how to effectively use this checklist.

Article
SOC reports: A critical tool for managing risks from service providers

Read this if you are at a senior living organization or Skilled Nursing Facility (SNF).

On September 1, 2023, the Centers for Medicare and Medicaid (CMS) released a much-anticipated proposed minimum staffing rule. The proposed rule would require nursing homes participating in Medicare and Medicaid to meet specific nurse staffing levels that promote safe, high-quality care for residents. The proposed rule represents the first time the federal government has proposed comprehensive nationwide nursing home staffing requirements. Various states have already enacted their own staffing requirements.

There are three major requirements under the proposed rule:

  1. Nursing homes would need to provide residents with a minimum of 0.55 registered nurse (RN) hours per resident per day
  2. An RN is required to be on-site 24 hours per day, seven days per week
  3. Each resident must receive 2.45 hours of care from a nursing aide per day, exceeding existing standards in nearly all states

In addition, the proposed rule includes additional reporting requirements regarding Medicaid payments for institutional long-term care support services and $75 million for nurse aide training.

CMS proposed minimum staffing rule challenges

The proposed rule is extremely problematic and seems impossible to implement. Here are just some of the issues of the proposed rule.

Lack of clarity

There is a lack of clarity in the rule as to what positions can be included in the nurse aide count and the rule does not include Licensed Practical Nurses (LPNs), of which there are approximately 120,000 nationwide.

Current staffing levels are insufficient

Based on Payroll Based Journal (PBJ) data through the first quarter of 2023, the American Health Care Association (AHCA) estimates that approximately 37% of all nursing facilities are currently unable to meet any of the three staffing requirements mentioned above and less than 7% of facilities nationwide are currently meeting all three of the requirements. 

Nursing employment shortage

The rule would require the industry to employ an additional 85,000 nursing assistants and 28,000 registered nurses. Where will these additional nurses come from given the post-COVID-19 pandemic workforce shortages?

Lack of funding for providers to implement this proposed rule

CMS estimates the proposed rule will cost $4 billion annually to implement, while the AHCA estimates $6.8 billion annually. We believe that some of the discrepancy in estimated costs to implement is the increased utilization of contract nursing. The AHCA estimate of nurses needed and cost to implement include the contract nursing that existed in the Q1 2023 PBJ data. 

Impact to states’ Medicaid budgets

AHCA estimates annual costs to states range from $6 million in states such as Maine and North Dakota to as high as $700 million in Texas, Florida, and New York. States that are already strapped by Medicaid budgets will likely not be able to increase reimbursement rates enough to pay for this proposed rule, which may ultimately lead to nursing home closures and lack of access to care for seniors.  

The proposed rule has phased-in implementation and hardship exemptions that take into consideration rural and underserved communities. However, many believe the phased implementation is not enough to compensate for the workforce shortage and the onerous exemption process will not benefit the rural providers it is intended to benefit.

There is strong opposition to this proposed rule as it could have a devastating impact on nursing facilities. On September 28, 2023, the US House of Representatives majority introduced House Bill 5796, which would prevent the Secretary of Health and Human Services from implementing and enforcing this proposed rule. AHCA has a grass-roots outreach campaign in which it seeks to have 10,000 individual comments sent to CMS by November 6, 2023.

Read more about the proposed rule: HHS Proposes Minimum Staffing Standards to Enhance Safety and Quality in Nursing Homes | CMS.

To submit a comment on CMS’ proposed minimum staffing, contact the AHCA: regulatory@ahca.org.

If you have any questions about the proposed rule, please contact our Senior Living team. We’re here to help.

Article
CMS' proposed minimum staffing rule: Requirements and challenges

What Medicaid agencies and Medicaid-participating managed care organizations need to know about new mandatory federal requirements for reporting on the core sets of quality measures.

Read this if you administer a Medicaid agency, a CHIP program, or a Medicaid-participating managed care organization. 

On August 31, 2023, the Centers for Medicare & Medicaid Services (CMS) issued its Final Rule, which establishes requirements for mandatory annual state reporting of the following Core Sets of Medicaid quality measures:

  • The Core Set of Children’s Health Care Quality Measures for Medicaid and the Children’s Health Insurance Program (CHIP)
  • The behavioral health measures on the Core Set of Adult Health Care Quality Measures for Medicaid
  • The Core Sets of Health Home Quality Measures for Medicaid  
  • The regulations associated with the Final Rule are effective January 1, 2024. The initial (2024) round of reporting must be submitted and certified by states by December 31, 2024


FAQs: Medicaid Core Sets reporting requirements  

  • Do these reporting requirements apply exclusively to the 50 states? 
    No. These requirements include the 50 states, the District of Columbia, Puerto Rico, the Virgin Islands, and Guam. American Samoa and the Mariana Islands could, but would not be required to, report Child Core Set and Adult Core Set measures. 
  • Do all Medicaid agencies operate health home programs?
    No. “Health homes” refers to two optional Medicaid benefits that states may elect to implement through their CMS State Plan Amendment (SPA). The Section 1945 health home benefit is for Medicaid-eligible individuals who have: a) two or more chronic conditions; b) at least one chronic condition and who are at risk of developing a second; or c) at least one serious and persistent mental health condition. The Section 1945A health home benefit is for Medicaid-eligible children with medically complex conditions. 
  • If a state’s CHIP is separate from the Medicaid program, do these reporting requirements also apply to CHIP? 
    Yes. The Medicaid agency must report on the measures for standalone CHIP-enrolled beneficiaries in addition to Medicaid-enrolled beneficiaries, according to each measure’s age range specifications. 
  • Are Medicaid agencies required to report on all Medicaid and CHIP beneficiaries, including those enrolled in fee-for-service and managed care?
    Yes. However, the Secretary of HHS could specify in CMS’ annual reporting guidance that a population is not required to be included. Also, the Secretary could grant a Medicaid agency an exemption from reporting on one or more measures for a specific population.
  • Is there a filing deadline for a Medicaid agency to request a reporting exemption?
    Yes. A request for an exemption must be submitted by September 1 of the applicable reporting year. A Medicaid agency may request a one-year exemption from reporting for a specific population. This request must demonstrate that the Medicaid agency is unable to obtain access to data required to report the measures for a population despite making reasonable efforts to do so. The request must also document a reasonable timeline of actions underway to resolve data access problems.
  • Will these requirements require a Medicaid agency to submit a change in its state plan? 
    Yes. The Medicaid agency must submit a state plan amendment, specifying that it will report on the Child Core Sets and Adult Core Sets in accordance with 42 CFR § 437.15.

    If the Medicaid agency offers either or both of the optional health home services, then the state plan will need to also address the health home reporting requirements in accordance with 42 CFR § 437.15. The Medicaid agency must also require health home service providers to report to the agency on all populations served by the health home provider and on the measures in the applicable Health Home Core Set as a condition of receiving payment for these services.
  • Can CMS withhold federal Medicaid payments, in whole or part, from a state that is non-compliant with these reporting requirements? 
    Yes. CMS has stated that graduated enforcement mechanisms for compliance with Core Sets reporting requirements due to issues with state data systems will align with existing CMS policy regarding state corrective action plans.
  • Will CMS modify the Core Sets measures on an annual basis?
    Yes. The Secretary of HHS will identify and annually update the quality measures beginning no later than January 1, 2024, and annually no later than January 1 thereafter. In issuing the annual guidance, the Secretary may consider the level of difficulty in accessing the data required for reporting and may provide that reporting will be voluntary for a specific year. 
  • Will CMS establish data stratification rules for these measures? 
    Yes. In considering which measures, and by which factors (such as race, ethnicity, sex, age, rural/urban status, disability, language, or other factors) states must report stratified measures, the Secretary of HHS will consider whether stratification can be accomplished based on valid statistical methods. Other considerations include whether stratification will not risk a violation of beneficiaries’ privacy and whether the original survey instrument collects the variables necessary to stratify the measures. The rollout of stratification requirements will begin by the second year of annual reporting after the effective date of these regulations and increase yearly. By the fifth year of annual reporting after the effective date of these regulations, 100% of measures will be stratified.      
  • Will CMS make the reporting information publicly available? 
    Yes. CMS will make the Core Sets information publicly available not later than September 30, 2025, and annually by September 30 thereafter. 

Centers for Medicare & Medicaid Services Core Set resources

If you have questions about the Core Measure Sets for Medicaid or need guidance in complying with these reporting requirements, please contact Robyn Hoffmann or Ethan Wiley.

Article
CMS: Requirements for mandatory annual state reporting of Medicaid Core Sets of Quality Measures

What happens when you put a group of healthcare experts in a room and let them talk? A lot of information coming at you fast! At our recent Healthcare Leadership Event, BerryDunn’s experts and guests covered a wide range of challenges and solutions for healthcare leaders. Here are just a few of the takeaways. View all the session recordings.

Revenue cycle optimization: Manage and minimize denials from all angles

In the revenue cycle roundtable, our diverse group of experts each had a different perspective on how to decrease, manage, and prevent denials.

  • On the front end, patient access teams should focus on being proactive about the collection of patient guarantor and insurance information in order to qualify patients for services ahead of time.
  • On the back end, you need a dedicated person or team focused on tracking and managing denials, with regular meetings with your revenue cycle team.
  • Both the end of the PHE as well as the influx of Medicare Advantage plans are causing a major uptick in denials. Many patients who were covered by Medicaid during the PHE are no longer covered (and may not even realize it). The diversity of Medicare Advantage plans can cause confusion over what services are covered due to the differences between each plan.
  • On the Home Health side, optimize technology to meet regulatory and billing requirements for Medicaid and other insurers, which would include Electronic Visit Verification. The right technology can help agencies gain efficiencies and decrease denials.

Get your credentialing and enrollment house in order to minimize risks

Credentialing and enrollment are critical areas within the revenue cycle. When it’s not done correctly, it can cost an organization hundreds of thousands of dollars in denials, non-compliance, and provider dissatisfaction (think recruitment costs).

Healthcare organizations should recognize that credentialing and enrollment requirements are variable by state, payer, accrediting bodies, and organizational standards. Understanding these varying requirements is key in staying compliant and maximizing revenue, particularly for multi-state organizations.

Involving representatives from legal, compliance, and risk can help you manage these challenges, as can a periodic outside review of an organization’s credentials verification, enrollment, and onboarding processes, particularly for newly-onboarded physicians.

Navigate labor market shifts in healthcare finance

Like nearly all industries, the healthcare field is losing leaders and experienced staff due to higher-than-normal attrition, aging out, and consolidations. Here are some tips to focus on for improving the culture of finance teams to help retain finance leaders and staff members, as well as minimize the disruption from a leadership departure.

  • Create an environment that incentivizes leaders to stay.
  • Keep the lines of communication open. Frequent communication between staff and management will allow everyone in the department to stay connected and build trust amongst each other. Answer emails in a timely fashion. Walk through the department weekly to say hello. During departmental meetings, ask staff to share and actively lead the agenda. Management should welcome questions from the staff and intentionally solve problems together. Employees want to feel appreciated and integral to the department, and if they do, they will have more reason to stay.
  • Provide education and training on a regular basis. Meet with your team monthly to review operational results and how the various metrics such as patient bed volumes and payor reimbursement mix correlate to the financial results. Encourage high-performing employees to participate in industry-specific associations and community events. Share knowledge and build relationships through formal mentoring and meetings with a trusted advisor. Healthcare organizations that provide valuable training will better retain their high-achieving finance leaders.

For business planning, focus on what is in your control

For organizations that may be thinking of acquiring or selling their business, be aware that in the current economic climate with rising interest rates, there may be a significant impact on your organization’s value. Did you know that every 1% rise in interest rates can equal a 10% decrease in value? In turbulent economies, it’s important to focus on what is in your control to add and protect business value, including:

  • Assess the maturity of your business systems. Improving your technology systems, for example, can help you get information quicker, which helps you make better decisions and be more efficient. This can positively impact your bottom line.
  • Examine your financing models. If you’re relying on lines of credit, higher interest rates are costing you. You may want to tighten up your expenses and lessen your reliance on lines of credit or generate cash to pay off higher-rate loans.
  • Readjust your staffing models. Is there a way to readjust staffing to reduce high expenses, such as the cost of travelers?
  • Be aware of the impact of interest rates on all of your operations.

Be proactive about patient communication as the PHE unwinds

As the public health emergency comes to an end, there will be a large impact on patient coverage. With Medicaid redeterminations underway, as many as 15 million people may lose coverage. It’s more important than ever to have processes around obtaining patient information, as well as educating patients on alternative options. For example, do your patients realize that there is a special enrollment period available for marketplace health insurance? For Medicare Disproportionate Share Hospitals (DSH), be prepared for a potential drop in Medicaid days and reimbursement. Be sure to monitor this closely to stay in compliance.

Get more insights, presentations, and recordings from our Healthcare Leadership Event 2023. 

Article
Five key takeaways for Healthcare Leaders

Healthcare system conversions are risky endeavors. But what is the alternative? Stay with a system you’ve outgrown and no longer meets your organizational needs? At BerryDunn, our healthcare consulting teams have worked with a substantial number of organizations as they’ve transitioned to new enterprise systems such as Electronic Health Records (EHR) systems and Enterprise Resource Planning (ERP) systems. Based on our experience, there are 10 key areas to focus on in order to have a successful conversion.   

1. Start preparing early 

If you know you’ll be bringing in a success partner like BerryDunn to help you through the conversion, bring them early in the planning as possible. The success of the entire project depends on how well you’ve planned and if you've brought in a strong methodology to approach the implementation.   

2. Assess your needs before you make a decision to change systems 

Before you even decide that you need a new EHR or ERP system, the first step is to conduct a thorough assessment of your current system and determine if you actually need a new system.  It’s possible that your current system could and will meet your needs if set up correctly.  

If you determine that you do need a new system, the next step is to conduct a thorough needs assessment that details exactly what your organization needs out of the system. It’s important not to think in terms of what your old system was capable of, but to focus on the problems that you want the new system to solve. Talking to other organizations or consultants like BerryDunn, who are solely focused on and have experience in this work, can help you determine what best-in-class systems can do.  

3. Understand and mitigate the risks 

There are risks at every stage of the process, from not identifying your needs correctly, not assessing the facility’s readiness for change, choosing a subpar vendor, having an incomplete contract, not monitoring the implementation very closely to meet the deadlines, and not addressing the risks as they appear. It’s important to manage the steps correctly at each phase, beginning with: 

  • Documenting detailed requirements for the EHR or ERP system 
  • Initiating a formal RFP process to include the system requirements in writing 
  • Thoroughly vetting and evaluating vendors consistently 
  • Negotiating a solid contract that holds the vendor accountable for support and a timeline 
  • Assessing what staffing changes and training are needed 
  • Providing sufficient time for testing pre- and post-go-live 
  • Understanding and planning for the impacts to your revenue cycle 

4. Manage the vendor 

The vendor may be managing the project, but who is managing the vendor? Whether you hire a consultant like BerryDunn or have in-house resources, managing the vendor can be a full-time job. In our experience, the vendor wants to have a successful implementation as much as you do, and they also want to go live on time so they can move on to their next project. You will need to advocate for your organization and be able to hold the vendor accountable to what was agreed on, even if that means taking more time. If your contract was thorough, you should have enough leverage to do so. The bottom line: Don’t feel rushed to go live until you know you are ready. 

Insist on a detailed implementation plan from the vendor that shows realistic timelines for the tasks needed to be accomplished to meet the go-live date. The project should include weekly communication meetings with the vendor to ensure any problems and delays identified can be addressed quickly. 

5. Make sure your internal project team is ready 

Just as it’s important to ensure your vendor is well-staffed, prepared, and held accountable, these factors are equally important for your internal project team. Take the time at the beginning of the project to create a plan for success that takes into account roles, communication, and contingency plans. A good plan will include:  

  • Establishing a project charter to formalize governance, teams, and roles and responsibilities 
  • Communicating and reinforcing the project as a mission-critical effort 
  • Establishing regular project meetings to follow up on and manage risks, actions, issues, and decisions 
  • Monitoring competing priorities and alleviating non-project efforts for staff where possible  
  • Anticipating project team turnover and having a plan for backfilling team members in advance 

6. Help your staff adopt the new system 

Even if you implement the best system in the world, if your nurses, doctors, and billing staff don’t use it (or don’t use it correctly), it won’t be effective. You need to be able to manage the people side of change, starting with building the case for why you are switching systems and how it will benefit the working staff. Having a thorough training plan and making sure people are ready for the conversion is a key step that shouldn’t be neglected. 

7. Allocate enough time and the right resources for testing 

Before you go live, you need to know the system is going to work for specific scenarios in every department that uses it. For EHR systems, that is every department that touches a patient. A solid testing plan begins with identifying the key, critical scenarios in each area and assigning the right people to be involved in testing – ideally, those who will be using the new system and have a firm grasp on the typical workflows. The plan should “follow” a patient from the point of registration to treatment, discharge, billing, and patient follow-up. A good testing plan will confirm if the system functions as intended and will drive issue resolution and any needed configuration changes. Ultimately, the result of testing will be to determine if you’re ready for go-live.  

8. Get your accounting systems in order  

Many healthcare organizations implement new accounting ERP systems at the same time they convert their EHR. It is important to determine concurrently how the operational and financial data from the EHR will be integrated into the general ledger and reporting dashboards. A study will need to be made on the ease with which the payroll information from the outside software application can be accurately uploaded. Your chart of accounts likely will need to be revamped.  Electronic invoice routing and approvals have become very sophisticated and can improve efficiency with the proper setups. Your new accounting ERP system should not be a “last minute thought” but carefully selected and planned as the EHR is being implemented to ensure accurate and state-of-the-art reporting to deliver to your internal and external audiences.   

9. Don’t neglect your revenue cycle 

Launching a new system is not business as usual. Most new EHRs introduce new complexity to the clinically driven revenue cycle. This requires different management skills and tighter coordination across the organization. Success requires advance planning around charge master structure changes, patient access, and other workflows that will heavily change. Attention needs to be paid to leveraging clearinghouse functionality, and testing plans should incorporate all charging and payor scenarios.  

In addition, no matter how prepared you thought you were, your clinicians are just not going to be able to do things as fast as usual when using a new tool. It takes time to build proficiency in any new system. When launching a new EHR, you’ll need to schedule lighter patient loads in the weeks after your go-live, allowing flexibility for fixing problems and for taking into account learning curves.  

Because of this lighter load, your revenue cycle will be impacted. Fewer patients will be cared for, and fewer patients will be billed. You need to consider these cash flow impacts and plan around legacy receivables well before launch day (ideally as much as two years prior) so you can plan for it and ensure that you’re accounting for, and finding ways around, any shortfalls.  

10. Manage the post-go-live transition 

So you went live with your new system. Congratulations! But this isn’t the end. The two weeks after your go-live date are very important. Are you meeting with the vendor to track defects? Are you getting everything out of the system that you dreamed of? Do you have a plan for addressing deficiencies and adding more functionality? Most vendors have a two-week window to help you post-go-live. You need to take advantage of that while you still have their attention. Once you transition to help desk support, you’re just not going to get the attention that you were before. Having a plan and a system in place for these post-go-live weeks is crucial.  

Is it time to bring in a success partner?  

To be successful, you need a partner who can address all of your needs and be your advocate, and expert, providing the support – and the answers – to questions you might not even know to ask. BerryDunn’s Healthcare team works with healthcare organizations every day, all year long, guiding them through EHR and ERP selection, vendor management, system implementation, testing, and beyond to mitigate risks and help ensure your investment pays off. We’re happy to discuss how we can help you with project and change management, interim or project staffing assistance, system report creation and dashboarding, and revenue cycle optimization. Contact a member of our team.                                                              

Article
10 tips for a successful healthcare IT system conversion

Read this if you participate in onboarding healthcare providers. 

The last several years have certainly been challenging for healthcare. Fueled by the COVID pandemic, increased provider burnout is a huge issue that has organizations grasping to keep staffing levels high enough to provide exceptional patient care. Physician turnover (per physician) has been estimated to cost an organization between $400,000 and $1,000,000 when factoring in recruiting costs and lost patient billing revenue. For smaller organizations, that can be a major challenge. 

The US Department of Labor Statistics estimates that by 2030 the healthcare industry will grow more than 16%, adding over 2.6 million new jobs. With 5% of physicians turning over each year (this number doubles when including physician assistants and physical therapists) and 61% reporting burnout, organizations should take steps now to minimize attrition and ensure a stable clinical workforce. 

Provider onboarding as a retention strategy

Provider onboarding is a window into an organization’s culture and is the foundation of the provider experience. During this period, action and inaction, both real or perceived, will set a new hire’s impressions of the organization. A positive experience can ensure early buy-in from new providers, helping employers improve retention rates and provider satisfaction. 

For many organizations, onboarding and orientation are the same. However, there are differences. Orientation is a one-time event for tasks (i.e., completing an I-9 form, new-hire paperwork, discussing benefits). Onboarding is an experience that begins once a provider has accepted the position and will last at least 90 to 120 days. The provider will have contact with human resources, IT, the medical staff office, and finance/revenue cycle departments to gather much of the same data (e.g., licensure, CV, NPI, and other demographic information).

A well-organized and coordinated organization can reduce the number of times a provider is asked for the same information or documents. Clear communication and centralized points of contact and processes are critical to a smooth process. To help organize onboarding, you can download our Provider Onboarding Checklist.

Ensuring you have all the information and documents your organization will need from the provider for privileging, third-party payer enrollments, HR, and IT has additional benefits beyond provider experience. Preparing new providers to participate on a payer panel linked to the organization can be an exceptionally lengthy process, often exceeding 90 to 120 business days. Additionally, if your organization participates with a large volume of managed Medicare and Medicaid payers, gathering the information and beginning the process early through an efficient onboarding can ensure you decrease write-offs of billable services to the dreaded ‘provider not credentialed’ denial code.

Provider onboarding and timely, quality patient care

Equally important is the connection to delivering timely and quality patient care, as the third-party payer process directly impacts these activities. An unenrolled provider lacks the ability to order, prescribe, and refer. This necessitates additional touches, resulting in breakdowns in the workflow that can lead to unnecessary expense and provider dissatisfaction. The provider enrollment process must be initiated early, and frequent communication with all involved parties can alleviate any issues. 

Organizations should offer providers robust revenue cycle-related clinical systems training as part of the onboarding process and create a mechanism to identify potential errors that may lead to write-offs and compliance risks. Provider entry errors can result in a claim ending up in a work queue, never to be identified, submitted, or paid. You can mitigate revenue loss by monitoring entry errors and providing additional training. Wasteful workforce expenditures are created through revenue cycle teams chasing information to be corrected, causing rework. Education for providers and everyone supporting them in operations will also go a long way toward reducing errors, increasing satisfaction, and minimizing barriers to care and collection challenges. 

If you would like more information or have questions about your specific situation, please reach out to our credentialing consulting team. We’re here to help. 
 

Article
Effective provider onboarding: Improve care, reduce turnover, and save money