
Mitigating risk of grant funded healthcare programs

03.18.22

Read this if you are interested in grant compliance in healthcare. 

This is a companion article to the podcast, Mitigating the compliance and revenue integrity risk of grant funded healthcare programs.

The BerryDunn Healthcare Practice Group boasts professionals who have expertise all across the spectrum of healthcare, including regulatory, revenue integrity, general compliance, and risk management issues. This article covers the very specific arena of grant compliance affecting many of BerryDunn’s healthcare, not-for-profit, and government clients.

After starting as a newly minted MBA financial analyst with an academic medical center in Northern New England, I (Markes) worked my way into the world of grants and contracts supported by my interest in federal regulations and the non-clinical revenue streams. Fascinated to navigate through waters where it seemed no one was the expert, or really had the time or patience to figure things out, I worked to stand up a grant office in finance on the hospital side, separate from the medical school which was the usual repository for grant funding. We moved this direction because hospital leadership realized grant funding was tipping toward the clinical setting and was less focused on bench or clinical research. Put another way, less NIH and more CDC, HRSA, and CMS.

BerryDunn Senior Manager Regina Alexander advises, “wherever there is complexity, there is compliance risk.” Whether from a federal agency like HHS, HRSA, NIH, or CDC, a state Medicaid program, foundation, or private source, grants always come with requirements, typically very specific requirements. Because the dollars are being ‘given’, those requirements for how the funds are used may be much more restrictive than loans.

Like other areas of regulatory compliance, it is reasonable to assume that grant programs often have compliance gaps that go unnoticed. For many of our clients, both in healthcare and not-for-profit, and in the government space, grant revenue has become a significant source of funding. Any kind of healthcare delivery organization, including academic medical centers, federally qualified health centers, community hospitals, behavioral health service organizations, home health providers, visiting nurse associations, and others can end up with significant portions of their income for the year being sourced by federal grants.

Grant compliance categories

We all can’t be experts in every domain of regulatory compliance, and grant compliance has a lot of breadth. Thankfully, at BerryDunn, we have a team of grant experts who work collaboratively across practice groups. When I was working on setting up the grant office and establishing a proprietary clinical FTE reporting process and system earlier in my career, I would have greatly benefited from the perspectives of other experts at the table.

When we think about grant compliance, four categories are helpful to keep in mind:

  1. Restricted funding
  2. Single audit
  3. Indirect rate
  4. Time and effort

Restricted funding

Firstly, and most universally understood and applied is that grant monies are, pretty much by definition, restricted. Aside from very specific and rare instances of monies being granted to beneficiaries who have no responsibility, all grant funding is awarded with the expectation that the funds will be expended in a specific way. 

Any funder, from the federal government to a local community organization like the Lions Club or the VFW, will likely require that individuals and entities awarded a grant promise to use the funds only for the purpose laid out in the award and proposal. Compliance with grant terms typically includes following that funder's reporting requirements as well. Though this category may sound obvious, it's actually far-reaching, because it usually extends to sub-recipients (entities partnered with the direct recipient to accomplish the grant purpose): where the money goes after the initial awardee receives it, rules about who can do the work, what type of organization may do it, how you choose a vendor, and so on.

It should be noted that many of these grant award requirements are not dissimilar from work we already do in the healthcare compliance space to help our clients avoid anti-kickback statute and Stark risks. This is because grant compliance is grounded in the same basic concepts—no favoritism, no bribes or shady deals, and avoiding fraud, waste, and abuse. Especially if you're spending federal monies, you need to be able to show that you chose the vendor based on verifiable best practices and that consideration was given to organizations owned by women, veterans, and minorities.

Single audit 

The second category, Single Audit, is applicable to all federal funding of $750,000 or more annually. My colleague from BerryDunn’s Not-for-Profit practice group, Katie Balukas, explains: 

"The federal Single Audit Act is a requirement for entities to undergo an independent financial and compliance audit when the entity has expended over $750,000 in federal awards. These audits are conducted following guidance issued through the Governmental Auditing Standards and the United States Office of Management and Budget's Uniform Guidance. The main focus of the compliance audit is to assess the entity's compliance with the requirements set forth by the federal agency that administered the grant funds. That includes, but is not limited to, determining if the funds were utilized for allowable costs and activities and expended within the proper grant period and that the reporting and performance objectives were met."

It is important to note that adequate, appropriately scaled internal resources are essential for any organization receiving grants, and even more so with larger grants. Though the phrase has been overused, it really does “take a village”. Grant management isn't something an organization should do on the side by assigning grant accounting to someone who already has a full-time role. Unfortunately this is common, and under-resourcing tends to lead to compliance concerns as well as plain old poor funding management.

Indirect rate

Speaking of funding, the third type of grant compliance is very focused on a component of the grant world that really has a life of its own: the indirect rate. Though there is an accounting definition of ‘indirect’, the way it is defined regarding grant funding is pretty specific, and there is an entire body of work organizations undertake to get a federally approved indirect rate.

There's an awful lot to think about with the indirect rate. On the one hand, you could say it's pretty simple. For example, a lot of foundation funders and even some federal funders will offer you a 5% or 10% indirect rate without any need to make a calculation. That's because they know that if you take time to do the math, you'll come up with a number much higher than 5% or 10%. When it comes to federal grants and healthcare services organizations, the indirect rate is dependent on how an organization measures costs. For hospitals, of course, the method of measurement is driven by the Medicare cost report, and that's where we would do the fancy math to derive the indirect rate. But the reality is far from simple or straightforward. 

Time and effort

The fourth and final area of grant compliance, time and effort, is also the one I'm actually most passionate about and is probably the most minimized, or at the very least, misapplied. 

In one way, “time & effort” is exactly what it sounds like. Much grant money, especially from the federal government, is appropriately spent on program staff. The challenge is to match time and effort to those dollars, but that isn't as clear as it sounds, because the standard way of measuring staff time is usually a payroll system of some sort, which can't prove how time was actually spent.

Most payroll systems can be programmed to account for FTE (full-time equivalent) allocations; however, there is often a breakdown between theory and practice. Putting allocations into payroll, usually done without employee interaction, may show how an employee “should” spend their time, but it is really no guarantee that that's actually how they're spending their time.

So how does the organization typically go about assuring that? I don't want to speak for everyone, but let's just say I happen to know of two or three places (or maybe 10,000) that basically put allocations into payroll and then, often well after the fact and/or more than once, send that allocation to the employee to sign off on without any real option to disagree or even to modify. We all know that is not compliant…but in the organization's defense, there haven't been very good alternatives to that kind of woeful and frustrating process, at least none that have been widely shared or understood.

As often is the case in the compliance world, rules are not followed because there is no perceived risk, but that is not a winning strategy.

Though many people involved in grant management have no experience or even knowledge of time and effort violations meeting with consequences, the organization's interest in grant compliance has more implications than just preventing front page news. What I find in conversations with organizations, both large and small, is that loose time and effort management costs the organization in two major ways.

Firstly, it is inefficient to scramble around at the close of each federal grant to fix time and effort allocations. The extra time spent by grant staff, project coordinators, managers, and the finance team to sort things out because they didn't get them right the first time is the worst kind of inefficient—poor use of time with an equally poor outcome. 

Secondly, loose time and effort is costly in direct salary dollars. Most grant staff are not dedicated to one project, so we need to consider the value of their other work. Whether that is on other grants or, for example, seeing patients in the clinic as many principal investigators in healthcare do, an inaccurate or fluctuating understanding of their availability costs the organization directly in wasted salary dollars or indirectly as the opportunity cost of those providers (or other roles in other organizations).

Digging in and fixing these issues is the work I really enjoy. It's relatively simple to build a compliant model, whether that requires very little payroll redo and is just a simple recurring attestation process built in Excel, or a more complex integrated model with triggered attestations in PDF format in a database that manages the overall FTE of principal investigators. It might even drive the available clinical provider time. It can all be done. We just need to know what the goal is.

Working in this space is so rewarding because, like so much of compliance, it's about doing something better—not just being compliant—but setting organizations up to better meet their goals and fulfill their mission.

The compliance or accounting professional might still ask, “But why aren’t payroll allocations sufficient for meeting Uniform Guidance?” The truth is, when UG came into effect and superseded OMB Circulars A-110, A-122, A-133, and others, the bar was effectively lowered. Historically, organizations abiding by the old OMB circulars had to make an attestation at least twice a year, which doesn’t really seem helpful, as who can accurately allocate their time from 5 or 6 months ago? So UG did away with the timeframe reference, relying on the idea that payroll allocations and distributions would be all that was needed, and that in the absence of those, a monthly ‘look back’ by professional staff would be in order.

I say all this because, as a result, the ‘payroll allocation’ has become the de facto standard and we have forgotten about the other elements spoken of in the regulation. Remember, for anyone salaried (the vast majority of physicians and most higher-level grant personnel), the ‘payroll allocation’ doesn’t pass muster. It is a static allocation that has no mooring in actual activity. This is why UG calls for monthly “current and reasonable estimates” of time and effort.

So what can organizations do in response? They need to seek a solution, a process, and a method that will both pass audit muster and help the organization properly manage its resources. Almost every organization manages its productivity and finances on a regular basis: monthly! That’s why the same standard should apply to grant time and effort management. It's much more reasonable to ask how you spent your effort this month, making a reasonable estimate of your time allocations to the different efforts you worked on.

So to summarize, the four key areas of grant compliance are (1) grants are restricted funding, (2) single audit requirement for federal funding over $750,000 annually, (3) the indirect rate and related agreement, and (4) time and effort.

Of course, I would be remiss to not point out that undergirding all this is the organization’s approach to policy. Any organization that considers grant funding a regular piece of their annual income needs to have dedicated grant management policies, covering all of the above topics, with particular focus on those arenas that are unique to the world of federal funding, and being mindful to follow or otherwise update for changes in processes and/or regulations.

Final takeaways: 

  • First, what grant-focused infrastructure do you have in place? If you are subject to a single audit, there should be dedicated administrative grant staff. I don’t mean the programmatic people actually working on the grant, but people outside the grant funding—which is also why you have an indirect rate. 
  • Second, how are you handling time and effort? If the process relies on any long after-the-fact attestations or payroll-generated reporting, it is unlikely to be truly following the spirit…or the letter…of Uniform Guidance. 
  • Third, review your policies regarding grants. You may not actually have policies focused on grant activities, leaving them under ‘general finance’. That isn’t sufficient to cover federal funding requirements. Many have grant policies in place, but are they actually being followed through the lifecycle of your grant programs? 
  • Lastly, the grant world is a whole ball game unto itself. BerryDunn has some great resources internally to offer assistance in all phases of grant management and administration. 


Read this if your organization has to comply with HIPAA.

We have been monitoring HHS Office for Civil Rights (OCR) settlements as part of the HIPAA Right of Access Initiative (16 settlements and counting) and want to dispel some myths about HIPAA enforcement. Myths can be scary. It would be pretty frightening to run into Bigfoot while taking a stroll through the woods, but sometimes myths have the opposite effect, and we become complacent, thinking Bigfoot will never sneak up behind us. He’s just a myth, right?

As we offer our top five HIPAA myths, we invite you to decide whether to address gaps in compliance now, or wait until you are in the middle of the woods, facing Bigfoot, and wondering what to do next.

Myth #1: OCR doesn’t target organizations like mine.

The prevailing wisdom has been that the Office for Civil Rights only pursues settlements with large organizations. As we review the types of organizations that have been targeted in the recent past, we find that they include social services/behavioral health organizations, more than one primary care practice, a psychiatric medical group practice, and a few hospital/health systems. With settlements ranging from $10,000 to $200,000 plus up to two years of monitoring by the OCR, can you really afford to take a chance?

Myth #2: I have privacy policies, procedures, and training protocols documented, so I’m all set if OCR comes calling.

Are you really all set? When did you last review your policies and procedures? Are you sure what your staff actually does is HIPAA compliant? If you don’t regularly review your policies and procedures and train your staff, can you really say you’re all set?

Myth #3: HIPAA gives me 30 days to respond to a patient request, so it’s ok to wait to respond.

Did you try to ship a package during the 2020 holiday season? If so, do you remember checking your tracking number daily to see if your gift was any closer to its destination? Now imagine it was your health records you were waiting for. Frustration builds, goodwill wanes, and you start looking for a higher authority to get involved. 

And beware: if proposed Privacy Rule changes to HIPAA are finalized, the period of time covered entities will have to fulfill patient requests will be reduced from 30 to 15 days.

Myth #4: If I ignore the problem, it will go away.

Right of Access settlement #10 dispels this myth: A medical group was approached by OCR to resolve a complaint in March 2019. Then again in April 2019. This issue was not resolved until October 2020. Now, in addition to a monetary settlement, the group’s Corrective Action Plan (CAP) will be monitored by the OCR for two years. That’s a lot of time, energy, and money that could have been better spent if they worked to resolve the complaint quickly.

Myth #5: OCR will give me a “get out of jail free” card during the pandemic.

As one of our co-workers said, “Just because they are looking aside does not mean they are looking away.” The most recent settlement we have seen to OCR’s Right of Access Initiative was announced February 10, 2021, showing that the initiative is still a priority despite the pandemic.

Are you ready to assess or improve your compliance with HIPAA Right of Access rules now? Contact me and I will help you keep OCR settlements at bay. 

Debunking the myths of HIPAA: Five steps to better compliance

Read this if your company is a benefit plan sponsor.

While plan sponsors have been able to amend their 401(k) plans to include a post-tax deferral contribution called Roth for more than a decade, only 86% of plan sponsors have made it available to participants, according to the Plan Sponsor Council of America. Meanwhile, despite the potential benefits of such plans, just a quarter of participants who have access to the Roth 401(k) option use it. Plan sponsors may want to consider adding a Roth 401(k) option to their lineup because of the potential tax benefits and other advantages for plan participants.

A well-designed Roth 401(k) may be an attractive option for many plan participants, and it is important for plan sponsors considering such a feature to design the plan with the needs of their workforce in mind. It is also critical to clearly communicate the differences from the pre-tax option, specific timing rules required, and the tax-free growth it offers. Additionally, plan sponsors should be mindful of potential administrative costs and other compliance requirements in connection with allowing the Roth option.

Roth 401(k)s: The basics

A Roth is a separate contribution source within a 401(k) or 403(b) plan that differs from traditional retirement accounts because it allows participants to contribute post-tax dollars. Since participants pay taxes on these contributions before they are invested in the account, plan participants may make qualified withdrawals of Roth monies on a tax-free basis, and their accounts grow tax-free as well.

Participants of any income level may participate in a Roth 401(k) and may contribute a maximum of $20,500 in 2022—the same limit as a pre-tax 401(k). Contributions and earnings in a Roth 401(k) may be withdrawn without paying taxes and penalties if participants are at least 59½ and it’s been at least five years since the first Roth contribution was made to the plan. Participants may make catch-up contributions after age 50, and they may split their contributions between Roth and pre-tax. Similar to pre-tax 401(k) accounts, Roth 401(k) assets are considered when determining minimum distributions required at age 72, or 70 ½ if they reached that age by Jan. 1, 2020.

Only employee elective deferrals may be contributed post-tax into Roth 401(k) accounts. Employer contributions made by the plan sponsor, such as matching and profit sharing, are always pre-tax contributions. If the plan allows, participants may convert pre-tax 401(k) assets into a Roth account, but it is critical to remember that doing so triggers taxable income and participants must be prepared to pay any required tax. In addition, plan sponsors must be careful to offer Roth 401(k)s equally to all participants rather than just a select group of employees.

Qualified distributions from a designated Roth account are excluded from gross income. A qualified distribution is one that occurs at least five years after the year of the employee’s first designated Roth contribution (counting the first year as part of the five) and is made on or after age 59½, on account of the employee’s disability, or on or after the employee’s death. Non-qualified distributions will be subject to tax on the earnings portion only, and the 10% penalty on early withdrawals may apply to the part of the distribution that is included in gross income. Participants may take out loans if permitted in the plan document. 

First steps for plan sponsors

A common misconception among plan sponsors is that a Roth offering requires a completely different investment vehicle. The feature is simply an added contribution option; therefore, no separate product is needed.

When considering the addition of a Roth 401(k) option, it is important for plan sponsors to check with service providers to determine whether payroll may be set up properly to add a separate deduction for the participant. Plan sponsors may also need to consider guidelines for conversions, withdrawals, loans, and other features associated with the Roth contribution source to ensure the plan document is prepared and followed accurately.

Education is an important component of any new plan feature or offering. Plan sponsors should check with service providers to see how they may help to explain the feature and optimize its rollout for the plan. One-on-one meetings with participants may be very helpful in educating them about a Roth account.

A word about conversions

If permitted by the plan document, participants may convert pre-tax 401(k) plan assets (deferrals and employer contributions) to the Roth source within their plan account. The plan document may allow for entire account conversions or just a stated portion. When assets are converted, participants must pay income taxes on the converted amount, and the additional 10% early withdrawal tax won’t apply to the rollover. Plan sponsors should educate participants on the benefits of converting to the Roth inside the company 401(k).

Collaborate with the right service providers to educate your participants

The right service providers may review your current plan design, set up accounts properly, actively engage and educate your participants, and offer financial planning based on individual circumstances to show how design features like a Roth account may benefit their situation. If you would like to start the conversation about adding a Roth option or enhancing your participant education program, contact our employee benefits team. We are here to help. 

Plan sponsor alert: Roth 401(k) remains underutilized despite potential benefits

Read this if you are a Maine business or pay taxes in Maine.

Maine Revenue Services has created the new Maine Tax Portal, which makes paying, filing, and managing your state taxes faster, more efficient, convenient, and accessible. The portal replaces a number of outdated services and can be used for a number of tax filings, including:

  • Corporate income tax
  • Estate tax
  • Healthcare provider tax
  • Insurance premium tax
  • Withholding
  • Sales and use tax
  • Service provider tax
  • Pass-through entity withholding
  • BETR

The Maine Tax Portal is being rolled out in four phases, with two of the four phases already completed. Most tax filings for both businesses and individuals are now available. A complete listing can be found on maine.gov. Instructional videos and FAQs can also be found on this site.

In an effort to educate businesses and individuals on the use of the new portal, Maine Revenue Services has been hosting various training sessions. The upcoming schedule can be found on maine.gov.

New Maine Tax Portal: What you need to know

On November 8, 2022, Massachusetts voters approved a constitutional amendment to alter the state’s flat 5% income tax to add a 4% surtax on annual income exceeding $1 million. The so-called “millionaires tax,” also referred to as the “Fair Share Amendment,” is effective for tax years beginning on or after Jan. 1, 2023. The annual income level subject to the surtax would be adjusted yearly to reflect increases in the cost of living.

This measure is expected to bring in revenue of between $1.2 and $2 billion annually. The proceeds from the increased tax collections will support state budgets in the areas of education, roads, bridges, and public transportation. The measure passed with 52% voter support and is the sixth attempt to change the state’s flat income tax rate since 1962. This amendment is expected to affect about 0.6% of the state’s population, or about 20,000 taxpayers.

If you expect your income to exceed $1 million in 2023 and have questions regarding the recent legislation, please contact a member of our state and local tax team.

Massachusetts voters pass "Millionaires tax"

Read this if you are responsible for cybersecurity or are a member of a board of directors.

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources with respect to the preparedness in responding to cyber risks. Such knowledge helps boards assess the priority-driven and investment decisions put forth by management needed in critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cyber security risk for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when looking at their oversight of management’s plans for addressing potential cyber risks.

General

  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model, as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others have it report directly, or via a “dotted line”, to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate and timely reporting of cybersecurity related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data?

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that prompts a response and provides a clear understanding of the level of risk the organization is willing to accept, transfer, or mitigate?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • How does the board currently evaluate directors' knowledge of the cyber environment and the cybersecurity issues affecting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are the company’s policies and procedures for identifying and managing cybersecurity risk, management’s role in implementing them, and the board of directors’ cybersecurity expertise and oversight of cybersecurity risk included in the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help.

Article
Board oversight of cybersecurity: Questions to ask

Read this if you think your organization may have to prepare for an HRSA audit.

Many healthcare providers who have never undergone an audit before may be required by the Health Resources and Services Administration (HRSA) to do so this year because they received Provider Relief Funding (PRF). We’re helping you prepare by answering some common questions about the PRF audit:

Will my organization have to complete a PRF audit?

The HRSA requires organizations to complete a federal single audit when they expend more than $750,000 of federal funding in one year, regardless of whether those federally sourced funds came directly from the federal government or were passed from a state or local government. Healthcare providers who received $10,000 or more from the PRF during a given period must report on usage.

For many providers, this is the first time they’ve received over $750,000 in federal funding. As a result, these providers will need to complete the single audit for the first time.

Other providers, especially physician practices, may not meet the single audit expense threshold, but that doesn’t mean they’re free from audit obligations. While they may not have to complete a single audit, if they received funding from the PRF, they may need to complete an HRSA-required audit—and the data requests for these audits are, in some cases, more involved than those for the single audit.

What will the HRSA’s PRF audit look like?

The audit will address the data used by the providers to report on their usage of PRF money. That means they will need to provide support for lost revenue and expenses that justify the use of the funds that they received.

The HRSA is going to drill down on the revenue numbers, specifically looking at the general ledger (GL) and other select revenue tests. On the expenses side, they’re going to look at the GL, invoice dates, payments and more.

To complete this audit, HRSA will require a significant amount of supporting documentation. Ideally, most of these documents should already have been copied and set aside as support in anticipation of financial reporting requirements. Below is a partial list of items that could be requested during the audit:

  • General Ledger details
  • Listing of expenses reimbursed with PRF payments grouped into specified categories
  • Listing of patient care revenue by payer
  • Listing of other sources of assistance
  • Listing of expenses reimbursed with the other assistance received
  • Detailed inventory listing of IT supplies
  • Budget attestation from CEO or CFO and board minutes showing ratification of the budget before March 27, 2020
  • Documentation of lost revenue methodologies
  • Audited financial statements
  • CMS cost reports for Medicare and Medicaid
  • Other supporting documentation

If certain documentation isn’t available, providers will need to request copies from their vendors. Missing documentation may make it difficult to justify the use of funds, in which case, providers may have to repay a portion or all of their provider relief funding.

It’s possible that certain expenses were not allowable under PRF. However, that doesn’t necessarily mean providers will have to repay their funds. Providers may have other lost revenue or expenses that would be allowed under PRF—but only if they have the documentation to prove it. That’s why it’s crucial that providers have all relevant documentation for expenses and lost revenue over the periods they received provider relief funding.

What challenges should I anticipate when it comes to completing the audit?

According to the 2022 BDO Healthcare CFO Outlook Survey, 35% of respondents identified CARES Act/PRF reporting as a regulatory concern.

Much of this concern likely stems from a lack of resources as well as audit inexperience. Many providers who will have to complete an HRSA audit don’t have the necessary resources to dedicate to navigating the process. In addition, they may not know the type, scope, or time frame of documentation they need to pull. They may also struggle to locate certain documentation, especially documentation that’s more than two years old.

Finding the right people to sift through the information to ensure its accuracy can be extremely difficult, especially if the documents are not filed electronically. This problem is even greater right now, given the professional services labor shortage that makes it difficult to hire the right people for the job if they aren’t already employed at your organization.

What should my next steps be?

To get ready for a potential HRSA audit, there are at least three immediate steps you should take:

  1. Select a responsible point person. One person should be responsible for coordinating the process to ensure that nothing falls through the cracks or is overlooked.
  2. Keep your PRF filing reports on hand. Pull any related supporting documentation and collate it into one place if it isn’t already.
  3. Identify what support is needed by doing a gap analysis. Determine where you need additional support or expertise and seek to close these gaps before the notification of any audit process.

Insufficient documentation may result in the recapture of provider relief funding by the HRSA. Fortunately, a lack of documentation is preventable with the right support and resources in place.

Article
HRSA audit preparation: All you need to know

Read this if you use QuickBooks Online.

Let's talk about where records for products and services are used in QuickBooks Online.

To create a product or service record, you hover your mouse over Sales in the left vertical pane on the main page and click Products and services. Click New in the upper right corner and open a blank record for an Inventory or Non-inventory part, a Service, or a Bundle (assembly). Once you complete a record and save it, it will appear in the list back on the Products and services page.

Working with products and services

That’s where we’ll start today, on the Products and services screen. This is a comprehensive table, a dashboard (or home page) for your products and services. It displays real-time information about your items’ pricing and inventory levels, as well as their type and tax status. At the top of the page, you’ll see big, colorful buttons that provide a total of the number of items that are low on stock or out of stock. When you click on one, a list of those products appears.

QuickBooks Online’s Products and services page displays inventory levels and warns you when your stock is low and at zero.

Each row on this screen contains details about the item listed there, like Description, Sales Price and Cost, and Qty On Hand. If you look down at the end of the row, you’ll see options for several types of Actions: Edit, Make inactive, Run report, and Duplicate. Click the gear icon above the table to modify the columns in the table.

The More menu at the top of the screen contains more options: Manage categories, Run reports, and Price rules. If you want to know what actions you can take on multiple items simultaneously, check the box in front of each and click the Batch actions menu, over to the right (Adjust quantity, Reorder, etc.).

Warning: Be very careful using the Adjust quantity option. There are legitimate reasons for employing it, but you need to make very sure that you understand how this will affect other areas of your accounting. Please ask us if you’re unsure.

Using products and services in transactions

Once you start using product and service records in transactions, you’ll see why we suggested that you create those early on and make them as comprehensive as possible. While you can add products and services in the process of creating an invoice, for example, it’s much easier if you have them ready to go.

Let’s look at a sales receipt to see how this works. Click +New in the upper right corner and select Sales receipt. Select a Customer in the first field and verify that the related fields on the form were filled out correctly. Check and make any changes necessary in the Sales receipt date, Payment method, and Deposit to fields.

Once you’ve built up a list of products and services, they’ll be available when you create transactions.

Enter the Service Date, and then click the down arrow in the field under Product/Service. The top of the list has an entry labeled +Add new. Click it if you need to add a product or service on the fly, or just select the existing one that you want. QuickBooks Online will fill in the Rate, Amount, and Tax (status). You only have to enter the Qty (quantity) that you’re selling.

If you have more items or services to add, you can do so on the next line(s). When you’re done, check the numbers in the lower right and save the transaction. QuickBooks Online will adjust your inventory to account for any items you just sold. You can see this change by going back to the Products and services screen. Or you can run reports, including:

  • Sales by Product/Service
  • Product/Service List
  • Inventory Valuation Detail
  • Physical Inventory Worksheet

Supply chain woes?

It seems that the serious supply chain problems we were experiencing in previous months have eased up some, but you may still be having trouble stocking some items. We hope this isn’t affecting you too much.

QuickBooks Online, though, can help ensure that you know ahead of time when you must reorder. Its inventory-tracking capabilities can also alert you to items that aren’t selling well, so you don’t get overstocked on anything. And the ability to pull up product and service records when you’re creating transactions saves time and keeps your inventory levels accurate. Please let the Outsourced Accounting team know if you need assistance with this element of your accounting or any of QuickBooks Online’s other tools.

Article
How QuickBooks Online tracks products and services

Thanks to a little-known law, eligible Massachusetts taxpayers will receive a tax credit in the form of a refund this fall—just in time for holiday shopping. Chapter 62F of the Massachusetts General Laws, a voter-passed initiative from 1986, states that if state tax revenue collections exceed a cap tied to wage and salary growth, the surplus must be returned to the taxpayers. This tax credit was only triggered once before, 35 years ago.

According to the Mass.gov website, in Fiscal Year 2022, state tax revenues exceeded the cap by $2.941 billion—the sum of which will be returned to taxpayers by check or direct deposit in the coming months.

Governor Baker stated that a preliminary estimate of the refunds will be approximately 13% of the taxpayer’s personal income tax liability in 2021, though they will update that estimate in late October, once all 2021 tax returns have been filed.

More details on the tax refund:

  • Taxpayers, both resident and non-resident, who have filed a 2021 state tax return on or before September 15, 2023, are eligible for the refund.
  • Issuance of refunds is expected to begin in November 2022.
  • Individual refunds may be reduced by refund intercepts, such as unpaid child support or unpaid tax liability.
  • Massachusetts taxpayers can use this online refund estimator to calculate their estimated refund using information from their 2021 tax returns.

If you have questions, please contact a member of our state and local tax team.

Article
Chapter 62F law to give Massachusetts taxpayers a bonus refund