Skip to Main Content

insightsarticles

PERM: Does MEQC affect states?

By:

As a senior consultant in the BerryDunn Government Consulting Group, Christy has valuable expertise in both Medicaid and the private insurance sector. Her experience and background with the Payment Error Rate Measurement (PERM) program has developed a passion for assisting states in identifying the need to prioritize the activities and resulting outcomes of a PERM cycle as well as offering and assisting with implementation of recommendations to mitigate known areas of concern that may otherwise result in PERM errors.

She has provided valuable contributions while working closely with states to evaluate and implement new processes and procedures to ensure federal compliance measures are in place before PERM reviews begin. Christy has a profound understanding of state and federal policies as they apply to PERM reviews and a broad experience working in and understanding the operation and limitation of many state eligibility systems.

Christy Schilling
07.22.19

Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, State Procurement Officer, or work in a State Medicaid Program Integrity Unit.

The Centers for Medicare & Medicaid Services (CMS) issued a Payment Error Rate Measurement (PERM) Final Rule on July 5, 2017, that made several changes to the PERM requirements. One important change was the updates to the Medicaid Eligibility Quality Control (MEQC) requirement. 

The Final Rule restructures the MEQC program into a pilot program that requires states to conduct eligibility reviews during the two years between PERM cycles. CMS has also introduced the potential for imposing disallowances or reductions in federal funding percentage (FFP) as a result of PERM eligibility error rates that do not meet the national standard. One measure states can use to lessen the chance of this happening is by successfully carrying out the requirements of the MEQC pilot. 

What states should know―important points to keep in mind regarding MEQC reviews:

  • Each state must have a team in place to conduct MEQC reviews. The individuals responsible for the MEQC reviews and associated activities must be separate from the state agencies and personnel responsible for Medicaid and Children’s Health Insurance Program (CHIP) policy and operations, including eligibility determinations.
  • States can apply for federal funding to help cover the costs of the MEQC activities. CMS encourages states to partner with a contractor in conducting the MEQC reviews.
  • The deadline to submit the state planning document to CMS is November 1 following the end of your state’s PERM cycle. If you are a Cycle 2 state, your MEQC planning document is due by November 1, 2019. 
  • If you are a Cycle 1 state, you are (or should be) currently undergoing the MEQC reviews.
  • There are minimum sample size requirements for the MEQC review period: 400 negative cases and 400 active cases (consisting of both Medicaid and CHIP cases) over a period of 12 months.
  • Upon conclusion of all MEQC reviews, states must submit a final findings report along with a corrective action plan that addresses all error findings identified during the MEQC review period.

CMS encourages states to utilize federal funding to carry out and fulfill MEQC requirements. BerryDunn has staff with experience in preparing Advanced Planning Documents (APD) and can assist your state in submitting an APD request to CMS for these MEQC activities. 

Check out the previously released blog, “PERM: Prepared or Not Prepared?” and stay tuned for upcoming blogs about specific PERM topics, including the financial impacts of PERM, and how each review phase will affect your state.   

For questions or to find out more, contact the team

Related Industries

Related Services

Consulting

Information Systems

Organizational and Governance

Related Professionals

Principals

BerryDunn experts and consultants

Read this if your State Medicaid Agency is planning Medicaid Enterprise System enhancements.

Are you a system integrator (SI) or a State Medicaid Agency (SMA) implementing or enhancing a Medicaid system or specific module? Have you considered how decisions made during design and implementation could impact the federal Payment Error Rate Measurement (PERM) reviews for SMAs?

The goal of PERM is to measure and report an unbiased estimate of the true improper payment rate for Medicaid and Children’s Health Insurance Program (CHIP). Every state is reviewed once every three years using a sample that includes both fee for service (FFS) and managed care (MC) payments. A state assigned error rate is not the only consequence resulting from the PERM review; there are also financial implications.

Risk reduction from PERM review

Maintaining a focus on PERM review factors when making decisions during design and implementation can protect states by reducing the risk of:

  • Submitting change requests (CR) during implementation, which can result in additional cost and time
  • Implementing changes to existing Medicaid systems during maintenance and operations
  • Findings reported during certification efforts
  • Refunding federal dollars due to improperly paid claims
  • A reduction in federal match on all claims paid

It is also important to understand the benefits of a dedicated PERM team within the state organization that includes members from the system vendor and outside PERM experts. These benefits include providing states an additional level of security to help ensure a positive outcome to the federal PERM review, helping to protect federal funding.

Having a dedicated team will help ensure all decisions made during system updates and/or implementations are made while keeping focus on PERM requirements and the further impacts of PERM reviews, saving time and remaining compliant.

Plan ahead for best results

When planning for a new module or Medicaid system request for proposal (RFPs), consider PERM-related requirements to help ensure all PERM needs are met to prevent errors and repayment of federal funds. Including PERM requirements can also help your agency ensure federal compliance and successful PERM audits. Doing so will likely reduce the amount of time system integrators spend re-working earlier development decisions and help ensure claim payments are processed, and eligibility determinations are made in accordance with federal and state regulations.

If you have questions about PERM or your specific situation, please contact our Medicaid Consulting team. We’re here to help.

Article
PERM success for Medicaid agencies through system implementations

Read this if you are a state Medicaid or CHIP agency.

The Centers for Medicare & Medicaid Services (CMS) has temporarily suspended all Payment Error Rate Measurement (PERM) improper payment-related engagement/communication and data requests to providers and state agencies as a result of the COVID-19 nationwide public health emergency declaration. 

CMS has also adopted a temporary policy of relaxed enforcement regarding activities related to Medicaid Eligibility Quality Control (MEQC) until further notice.

CMS continues to provide state Medicaid and Children’s Health Insurance Program (CHIP) agencies with a number of methods to assist in each state’s approach and response to the COVID-19 pandemic. Some flexibilities offered to state Medicaid and CHIP agencies include:

  • Eligibility and enrollment 
  • Benefits 
  • Cost-sharing 
  • Financing 
  • Managed care 

While this has been communicated with state Medicaid and CHIP agencies, you should take some important steps to manage these flexibilities to ensure you don’t encounter issues when PERM and MEQC review activities resume. Reviews are conducted according to state and federal policies and regulations in force at the time of service on the sampled claims under review. 

CMS has issued guidance to identify whether or not each of the flexibilities requires an approved state plan amendment (SPA), waiver, or whether simply providing documentation in the individual case file will provide the required support when PERM and MEQC activities resume. 

Additionally, it is equally important to ensure the “pre-COVID” processes and procedures resume immediately upon expiration of the public health emergency declaration in order to remain in compliance with state and federal regulations. 

Here are a few key considerations to help reduce the number of errors identified once PERM resumes:

  • Management of new state-specific policies and procedures in effect during the COVID-19 pandemic is critical. You need to ensure all processes requiring CMS approval or notification have been enacted and that these temporary processes revert back to pre-COVID processes immediately upon termination of the public health emergency.
  • Continued training and guidance to Medicaid and CHIP staff during this time to ensure understanding of expectations and adherence to new processes. Applying and understanding eligibility and enrollment flexibilities for both members and providers is vital to meet all expectations and documentation requirements.

New updates continue to be announced by CMS to ensure Americans have access to the care they need during this time. This requires remaining diligent to the expectations of these flexibilities and preparing for the impact of PERM and MEQC outcomes when these activities resume. This is key to reducing improper payment error rates. 

For additional detailed information regarding the identified flexibilities above, please refer to the PERM cycle preparation tool we have prepared.

If you have questions regarding relaxed requirements or you would like to have an in-depth conversation with our PERM experts, please contact the Medicaid Consulting team.
 

Article
PERM is suspended―key considerations during COVID-19 

Federal contractors with the Centers for Medicare & Medicaid Services (CMS) have begun performing Payment Error Rate Measurement (PERM) reviews under the Final Rule issued in July 2017—a rule that many states may not realize could negatively impact their Medicaid budgets.

PERM is a complex process—states must focus on several activities over a recurring three-year period of time—and states may not have the resources needed to make PERM requirements a priority. However, with the Final Rule, this PERM eligibility review could have financial implications. 

After freezing the eligibility measurement for four years while undergoing pilot review, CMS has established new requirements for the eligibility review component and made significant changes to the data processing and medical record review components. As part of the Final Rule, CMS may implement reductions in the amount of federal funding provided to a state’s Medicaid and Children’s Health Insurance Program (CHIP) programs based on the error rates identified from the eligibility reviews. 

Since the issuance of the Final Rule in July 2017, Cycle 1 states are the first group of states to undergo a PERM cycle, including reviews of the data processing, medical record, and eligibility components. These states are wrapping up the final review activities, and Cycle 2 states are in the early stages of their PERM reviews.

How can your state prepare?

Whether your state is a Cycle 1, Cycle 2, or Cycle 3 state, there are multiple activities your Medicaid departments should engage in throughout each three-year period of time during and between PERM cycles: 

  • Analyzing prior errors cited or known issues, along with the root cause of the error
  • Identifying remedies to reduce future errors
  • Preparing and submitting required questionnaires and documents to the federal contractors for an upcoming review cycle
  • Assisting federal contractors with current reviews and findings
  • Preparing for and undergoing Medicaid Eligibility Quality Control (MEQC) planning and required reviews
  • Corrective action planning

Is your state ready?

We’ve compiled a few basic questions to gauge your state’s readiness for the PERM review cycle:

  • Do you have measures in place to ensure all eligibility factors under review are identifiable and that all federal and state regulations are being met? The eligibility review contractor (ERC) will reestablish eligibility for all beneficiaries sampled for review. This process involves confirming all verification requirements are in the case file, income requirements are met, placement in an accurate eligibility category has taken place, and the timeframe for processing all determinations meets federal and state regulations. 
  • Do you have up-to-date policy and procedures in place for determining and processing Medicaid or CHIP eligibility of an individual? Ensuring eligibility policies and procedures meet federal requirements is just as important as ensuring the processing of applications, including both system and manual actions, meet the regulations. 
  • Do you have up-to-date policy, procedures, and system requirements in place to ensure accurate processing of all Medicaid/CHIP claims? Reviewers will confirm the accuracy of all claim payments based on state and federal regulations. Errors are often cited due to the claims processing system allowing claims to pay that do not meet regulations.
  • Do you have a dedicated team in place to address all PERM requirements to ensure a successful review cycle? This includes staff to answer questions, address review findings, and respond to requests for additional information. During a review cycle, the federal contractors will cite errors based on their best understanding of policies and/or ability to locate required documentation. Responding to requests for information or reviewing and responding to findings in a timely manner should be a priority to ensure accurate findings. 
  • Have you communicated all PERM requirements and updates to policy changes to all Medicaid/CHIP providers? Providers play two integral roles in the success of a PERM review cycle. Providers must understand all claims submission requirements in order to accurately submit claims. Additionally, the medical record review component relies on providers responding to the request for the medical records on a sampled claim. Failure to respond will result in an error. Therefore, states must maintain communication with providers to stress the importance of responding to these requests.
  • Have you begun planning for the MEQC requirement? Following basic requirements identified by CMS during your state’s MEQC period, your state must submit a case planning document to CMS for approval prior to the MEQC review period. After the MEQC review, your state should be prepared to issue findings reports, including a corrective action plan as it relates to MEQC findings.

Need help piloting your state’s PERM review process?

BerryDunn has subject matter experts experienced in conducting PERM reviews, including a thorough understanding of all three PERM review components—eligibility, data processing, and medical record reviews. 

We would love to work with your state to see that measures are in place that will help ensure the lowest possible improper payment error rate. Stay tuned for upcoming blogs where we will discuss other PERM topics, including MEQC requirements, the financial impacts of PERM, and additional details related to each phase of PERM. For questions or to find out more, please email me
 

Article
PERM: Prepared or not prepared?

What the C-Suite should know about CECL and change management

Read this if you are at a financial institution. 

Some institutions are managing CECL implementation as a significant enterprise project, while others have assigned it to just one or two people. While these approaches may yield technical compliance, leadership may find they fail to realize any strategic benefits. In this article, Dan Vogt, Principal in BerryDunn’s Management and IT Consulting Practice, and Susan Weber, Senior Manager and CECL expert in BerryDunn’s Financial Services Practice, outline key actions leaders can take now to ensure CECL adoption success.  

Call it empathy, or just the need to take a break from the tactical and check in on the human experience, but on a recent call, I paused the typical readiness questions to ask, “How’s the mood around CECL adoption – what’s it been like getting others in the organization involved?” The three-word reply was simple, but powerful: “Kicking and screaming.”  

Earlier this year, by a vote of 5-2, the FASB (Financial Accounting Standards Board) closed the door to any further delays to CECL adoption, citing an overarching need to unify the industry under one standard. FASB’s decision also mercifully ended the on-again off-again cycle that has characterized CECL preparation efforts since early 2020. One might think the decision would have resulted in relief. But with so much change in the world over the past few years, is it any wonder institutions are instead feeling change-saturated?  

Organizational change

CECL has been heralded as the most significant change to bank accounting ever, replacing 40+ years of accounting and regulatory oversight practices. But the new standard does much more than that. Implementing CECL has an effect on everything from executive and board strategic discussions to interdepartmental workflows, systems, and controls. The introduction of new methods, data elements, and financial assets has helped usher in new software, processes, and responsibilities that directly affect the work of many people in the organization. CECL isn’t just accounting—it’s organizational change. 

Change management

Change management best practices often focus on leading from optimism—typically leadership and an executive sponsor talk about opportunities and the business reasons for change. Some examples of what this might sound like as it relates to CECL might include, by converting to lifetime loss expectations, the institution will be better prepared to weather economic downturns; or, by evolving data and modeling precision, an institution’s understanding and measure of credit risk is enhanced, resulting in more strategic growth, pricing, and risk management. 

But leading from optimism is sometimes hard to do because it isn’t always motivating—especially when the change is mandated rather than chosen.  

Perhaps a more judiciously used tactic is to focus on the risk, or potential penalty, of not changing. In the case of CECL, examples might include, your external auditor not being able to sign-off on your financials (or significant delays in doing so), regulatory criticism, inefficient/ineffective processes, control issues, tired and frustrated staff. These examples expose the institution to all kinds of key risks: compliance, operational, strategic, and reputational, among them.

CECL success and change management

With so much riding on CECL implementation and adoption going well, some organizations may be at heightened risk simply because the effort is being compartmentalized—isolated within a department, or assigned to only one or two people. How effectively leadership connects CECL implementation with tenets of change management, how quickly they understand, then together embrace, promote, and facilitate the related changes affecting people and their work, may prove to be the key factor in achieving success beyond compliance.  

One important step leaders can take is to perform an impact assessment to understand who in the organization is being affected by the transition to CECL, and how. An example of this is below. Identifying the departments and functions that will need to be changed or updated with CECL adoption might expose critical overlaps and reveal important new or enhanced collaborations. Adding in the number of people represented by each group gives leaders insight into the extent of the impact across the institution. By better understanding how these different groups are affected, leaders can work together to more effectively prioritize, identify and remove roadblocks, and support peoples’ efforts longer term.           

 
No matter where your institution is currently in its CECL implementation journey, it is not too late to course-correct. Leadership—unified in priority, message, and understanding—can achieve the type of success that produces efficient sustainable practices, and increases employee resilience and engagement.

For more information, visit the CECL page on our website. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions. For more tips on documenting your CECL adoption, stay tuned for our next article in the series, revisit past articles, or tune in to our CECL Radio podcast. You can also follow Susan Weber on LinkedIn.

Article
Implementing CECL: Kicking and screaming

Read this if you are at a state Medicaid agency.

The Covid-19 Public Health Emergency (PHE) placed US state and territory Medicaid programs on the front line of reorganizing what healthcare looks like for millions of Medicaid enrollees. Each Medicaid program shifted automation and manual procedures in order to comply with and benefit from the increased federal funding in early 2020. With the PHE winding down, every Medicaid program must look at how to return to regular operations and unwind, or undo, the continuous coverage requirement temporarily put in place by the Centers for Medicare and Medicaid Service (CMS). BerryDunn has collaborated with Medicaid programs to identify best practices and consider new opportunities to implement rollback methods in an effort to lower risk during the unwinding period and beyond. 

New learning programs considered

Administrators who have been assessing their staff and operational readiness to support the expected influx of renewals, policy changes, and staffing changes are considering launching learning programs ahead of the unwinding efforts. Using this time to engage with staff has uncovered the need to redeploy fundamental learning programs to prepare for the anticipated high volume of two-years of renewals. Administrators have also begun to engage with community leaders and health plan organizations in ways that provide coordinated and complete communication to beneficiaries. Many programs have looked at expanding benefits within the guidelines of CMS, such as extending post-partum coverage to a full 12 months and increasing reasonable compatibility to a larger percentage, recognizing the economy has evolved since 2020.

Other outreach efforts

During the pandemic, many beneficiaries moved without notifying the Medicaid program of the address change. Proactive Medicaid programs are working directly with health programs and medical facilities to ensure the most updated addresses are captured, and are using public transportation advertisements, online website reminders, and email notifications to encourage beneficiaries to update addresses.

In other locations with a high rate of unemployment in specific industries, Medicaid programs are working with identified outreach partners like unions and industry associations to communicate messaging of Medicaid benefits. Thousands of employees may have lost full-time employment during the pandemic and have returned to work with reduced hours and less benefits. As a sign of changing times, some programs are employing social media campaigns to connect with existing and new enrollees. 

Medicaid programs across the states and territories are finding creative ways to reach impacted communities. Program administrators are organizing staff and systems to be well positioned to undo the effects of the temporary policies. The dismantling of the two-plus years of PHE is expected to be performed within a 12-month period. As administrators eagerly anticipate the announcement of an extension or the pending PHE unwinding start date, one thing is certain: US states and territories are preparing to support an extensive population of Medicaid beneficiaries post pandemic.

BerryDunn is partnering with many states and territories to help ensure a successful unwind of temporary services and return to normal operations. If you would like to discuss how BerryDunn can support your needs, contact the Medicaid consulting team.
 

Article
How Medicaid programs are preparing for the operational challenges of the PHE unwinding

Read this if you are a Police Executive, City/County Administrator, or elected government official responsible for a law enforcement agency. 

Are your officers overwhelmed with workload? Have you been asked to do more with less? Is your agency struggling with maintaining sworn staffing levels? Has your community been questioning why the police respond to things that might be more appropriately handled by others?

If you answered yes to one or more of these questions, your agency might benefit from a comprehensive analysis of your police call-for-service (CFS) response model. 

Increasing CFS workloads

Many police agencies in the US have been struggling with increasing CFS workloads, while simultaneously facing ever-tightening budgets and unprecedented attrition and vacancy rates. As a result of these challenges and national trends calling for police response reform, many police departments have started to ask a very simple question: “Is there a better way?”

Considering alternatives to police CFS response is not new. In fact, many agencies already use some form of CFS diversion, whether through a telephone response unit (TRU), online reporting, mobile apps, or the use of non-sworn personnel. What is different and new in the most recent discussion is the understanding that this conversation is not simply about providing these alternatives as possible options.

It is about considering fundamental changes to how police departments do business, including identifying collaboration opportunities with other organizations and in some cases outsourcing certain CFS types entirely.

Despite growing interest among police agencies in identifying alternatives to the traditional police CFS model, many have struggled to deliver an objective process that can produce meaningful results, and in some cases, suggested revisions have met with resistance from staff, elected officials, and community members.   

Best-practices approach to call for service response model

The best-practices approach to conducting an Essential CFS Evaluation should be one that is highly collaborative, but also expand beyond the walls of the police department. The 21st Century Policing Task Force final report explains:

Law enforcement agencies should work with community residents to identify problems and collaborate on implementing solutions that produce meaningful results for the community… and do things with residents in the co-production of public safety rather than doing things to or for them. 

Determining possible alternatives to traditional CFS police response requires substantial data collection and analysis to inform and guide outcomes and recommendations. It also requires a thorough and comprehensive process that considers:

  • Legal mandates
  • Immediate response needs
  • Potential risk
  • Workload volumes by CFS type
  • Operational policies and training
  • Alternative resources, whether or not they currently exist
  • Community priorities and expectations
  • Fiscal impacts

The cost of providing consistent and effective public safety services is one of the more critical reasons for considering CFS response alternatives. Although officer salaries vary by state, region, or department, the cost of staffing a non-sworn position is typically 40%-45% of the cost of a sworn officer.  

There is a common reason why the legal profession has attorneys and paralegals, the medical profession has doctors and physician’s assistants, and why many ambulance companies have moved to a paramedic and emergency medical technician (EMT) team, as opposed to staffing two paramedics in one ambulance. Cost is a driving force in these examples and the same circumstances are present in the law enforcement industry (among others). A well-trained non-sworn police staff member can handle a variety of CFS that do not require the presence of a sworn officer—likely at half the cost. Shifting the work burden from sworn to non-sworn personnel benefits officers by freeing them up to perform tasks that require an officer to respond, and it benefits the department and community by reducing costs. 

Beyond the issue of cost, there is also increasing conversation about the effectiveness and appropriateness of using police personnel to manage a variety of CFS types, including mental health incidents and those involving the unhoused, for example. Regardless of the CFS type, it is critical to use a process that involves influential participation by both providers and consumers. 

Making changes to the traditional police CFS response model is involved and it requires a thoughtful approach. BerryDunn has developed an Essential CFS Evaluation process that considers numerous critical factors to produce data that police staff, community and elected leaders can rely upon in making critical decisions about future public safety needs. 

If you are curious or have questions about our Essential CFS Evaluation process, our dedicated Justice & Public Safety team is available to discuss your organization’s needs.

Article
Challenge accepted: Fixing the traditional call-for-service model

Read this if you are at a state Medicaid agency. 

As the end of the Public Health Emergency becomes more likely, much attention has been paid to the looming coverage cliff as state Medicaid agencies re-determine eligibility for their programs. The impacts can be mitigated in part by planning and taking proactive steps.

In the unsettling initial days of the COVID-19 Public Health Emergency (PHE), the Centers for Medicare and Medicaid Service (CMS) temporarily increased federal matching funds for state Medicaid programs. In exchange, states would suspend redeterminations of enrollees’ eligibility for the duration of the PHE. 

For Medicaid, states were in effect prohibited from disenrolling an individual from Medicaid programs. The result, according to CMS data, is 14.8 million more people were enrolled in Medicaid as of late 2021 than before the pandemic, reaching a total of nearly 79 million Medicaid enrollees.  According to one estimate, the end of the PHE could bring a decline in the number of Medicaid enrollees by as many as 15 million. This number includes an estimated 8.7 million adults and 5.9 million children. 

Local and state government eligibility staff will need to review the submitted documents and determine if these members qualify for continued Medicaid coverage. The potential exists for members to lose coverage, due to factors such as having moved, not realizing their circumstances have otherwise changed, or being unable or unaware to return the required paperwork within appropriate timeframes.

State Medicaid agencies strive to maintain an equitable program while remaining trusted stewards of public funds. With a large base of beneficiaries, this change is expected to impact the community and the healthcare market, with broad implications for public health. Similarly, the federal requirement for continuous health coverage has also helped state Medicaid agencies by easing the strain on organizations during pandemic-related disruptions. 

For these reasons state Medicaid agencies may search for routes to limit the loss of coverage. This can be accomplished through finding policy levers to retain members, establishing routes to alternative forms of insurance, and mitigating the risk of coverage loss for members. 

Mitigating the likelihood of becoming uninsured

State Medicaid agencies can reduce the risk that members lose their coverage and become uninsured through a number of steps. 

  • Designing comprehensive, multi-pronged, and targeted communication strategies. States can help Medicaid members understand the requirements and timelines required to maintain their coverage.
  • Updating systems to automate and reduce administrative burden. Maximizing ex parte renewals through the use of existing data that is stored in integrated systems.
  • Making key decisions early. States can minimize coverage loss by carefully planning the unwinding process and their approach to resuming Medicaid eligibility renewals.
  • Coordinating with other forms of coverage. Confirm or design user-friendly pathways by which a member is transferred or referred to other alternatives like the Marketplace or CHIP.
  • Leveraging their health plans. Particularly when it comes to coordinating outreach and updating member information. Managed care plans are also able to refer members who are losing coverage to other qualified health plans.

Policy levers for retaining members

States may consider reviewing emergency state plan amendments and appendix k amendments completed during the PHE to determine what flexibilities are possible to continue under existing authorities. At the same time, states should consider what other policy options may help retain coverage for existing members- for example:

  • Adopt 12 months continuous eligibility. This can be done for children via a State Plan Amendment (SPA), for adults through an 1115 waiver, and for individuals enrolled in BHP (via BHP Blueprint revision) 
  • Establish 12 months of postpartum coverage. This can be done through several paths, including SPAs 
  • Review operational policy for efficiencies. For example, a State could consider modifying the frequency of periodic data matching 

Next steps

The US Department of Health and Human Service has previously indicated its intention to provide notification to states of the end of the PHE 60 days before its scheduled end. The PHE was renewed in April 2022, and as of this writing will last until mid-July, meaning enrollees could lose Medicaid coverage as soon as August 1. The enhanced FMAP and the Maintenance of Eligibility (MOE) requirements are in place until the end of the quarter in which the PHE ends. In the case of a July 2022 end date to the PHE, the enhanced FMAP would last through September 30, 2022. 

Regardless, Medicaid agencies will need to begin reviewing all enrollees’ eligibility, performing outreach, and designing system updates this summer. In terms of next steps, states should consider the following:

  • Evaluate your program and identify initiatives to prioritize in the coming year. Ask your CMS contact about the latest applicable guidance. 
  • Develop Advanced Planning Documents (APDs) to help fund technology needs for initiatives, along with training your SMA team and providers. 
  • Implement a communications management approach to engage stakeholders, and inform affected Medicaid members.
  • Marshal project management resources and develop a realistic and achievable roadmap to success.  
  • Explore agency contracting vehicles, cooperative contracts, and other procurements tools. 

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the Medicaid consulting team.

Article
Medicaid coverage gap: Tools and strategies for Medicaid agencies to help retain members

Read this if you have a cybersecurity program.

This week President Joe Biden warned Americans about intelligence that indicated Russia may be preparing to conduct cyberattacks on our private sector businesses and infrastructure as retaliation for sanctions applied to the Russian government (and the oligarchs) as punishment for the invasion of Ukraine. Though there is no specific threat at this time, President Biden’s warning has been an ongoing message since the invasion began. There is no need to panic, but this is a great time to re-visit your current security controls. Focusing on basic IT controls goes can make a big difference in the event of an attack, as hackers tend to go after the easy, low hanging fruit. 

  1. Access controls
    Review and understand how all access to your networks is obtained by on-site employees, remote employees, and vendors and guests. Make sure that users are maintaining strong passwords and that no user is connecting remotely to any of your systems without some form of multi-factor authentication (MFA). MFA can come in the form of a token (in hand or built-in) or as one of those numerical codes you have delivered to your phone or email. Poor access controls are simply the difference between leaving your house unlocked versus locked when you leave to go somewhere. 
  2. Patching
    One of the most common audit findings we have to date and one of the biggest reasons behind successful attacks is related to unpatched systems. Software patches are issued by software providers to address vulnerabilities in systems that act as an unlocked door to a hacker, and allow hackers to leverage the vulnerability as a way to get into your systems. Ensuring your organization has a robust patch management program in place and that systems are up-to-date on needed patches is critical to your security operations. Think of an unpatched system like a car with a broken window—sure the door is locked, but any thief can reach through the broken window and unlock the car. 
  3. Logging 
    Account activity, network traffic, system changes—these are all things that can be easily logged and with the right tools, configured to alert you to suspicious activity. Logging that is done correctly can alert management to suspicious activity occurring on your network and notifies your security team to investigate the issue. Consider logging and alerting like your home’s security camera. It may alert you to the activity outside, but someone still needs to review the footage and react to it to mitigate the threat.  
  4. Test backups and more
    Making sure that your systems are successful backed up and kept separate from your production systems is a control we are all familiar with. Organizations should do more than just make sure their backups are performed nightly and maintained, but need to make sure that those data backups can be restored back to a useable state on a regular basis. More so than backups, we also often hear in the work we do that our client’s test only parts of their disaster recovery and failover plans—but have never tested a full-scale fail-over to their backup systems to determine if the failover would be successful in the event of an event or disaster. Organizations shouldn’t be scared to do a full-scale failover test, because when the time comes, you may not have the option to do a partial failover and just hope that it occurs successfully. Not testing your backups is like not test driving a car before you buy it. Sure it looks nice in the lot, but does it actually run? 
  5. Incident Management Plan 
    We often review Incident Management Plans as part of the work we do, and often note that the plans are outdated and contain incorrect information. This is an ideal time to make sure your plans are current and reflect changes that may have occurred, like your increasingly remote work force, or that systems have changed. An outdated Incident Management Plan is like being sick and trying to call your doctor for help only to find out your doctor has retired. 
  6. Training—phishing attacks
    Hackers’ most common approach to gain access to systems and deploy crippling ransomware attacks is through phishing campaigns via email. Phishing campaigns trick a user into either providing the hacker with credentials to log into systems or to download malware that could turn into ransomware through what appears to be legitimate business correspondence. Training end-users on what to look for in verifying an email’s authenticity is critical and should be seen as an opportunity that benefits the entire organization. Testing users is also critical so management understands the current risk and what is needed for additional training. Security teams should also have other supporting controls to help prevent phishing emails and detection tools in place in case a user does fall for an email. Not training your employees on security is like not coaching your little league team on how to play baseball and then being surprised you didn’t win the game because no one knew what to do. 

In the current environment, information security is an asset to any organization and needs to be supported so that you can protect your organization from cyberattacks of all kinds. While we can never guarantee that having controls in place will prevent an attack from occurring, they make it a lot more challenging for the hacker. One more analogy, and then I’m done, I promise. Basic IT controls are like speedbumps in a neighborhood. While they keep most people from speeding (and if you hit them too fast they do a number on your car), you can still get over them with enough motivation. 

If you have questions about your cybersecurity controls, or would like more information, please contact our IT security experts. We’re here to help.

Article
Cyberattack preparation: A basics refresher