The three P's of improving your company's cybersecurity soft skills

By: Dan Vogt
04.13.20

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appears to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  2. Plan: Implement a disaster recovery and incident response plan
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in the context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand, and harder for leadership to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network are taken offline, how will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not, be for a cyber-attack when it comes.

  3. Practice: Prepare your team with table top exercises
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember: focus on your People, your Plan, and your Practice.

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

  • What metrics will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to notify us or produce an alert?
  • What does exceeding a threshold mean to our business?
  • Who on our team will be notified if an alert is warranted?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Oxymoron of the month: Outsourced accountability

Read this if you are an IT Leader, CFO, COO, or other C-suite leader responsible for selecting a new system.

Vendor demonstrations are an important milestone in the vendor selection process. Demonstrations allow you to validate what a vendor’s software is capable of, evaluate the usability with your own eyes, and confirm the fit to your organization’s objectives.

Our client found itself in a situation where, after many months of work developing requirements, issuing a request for proposal, and reviewing vendor proposals, they were ready to conduct demonstrations. Despite a governor’s executive order for social distancing and limitations on non-essential travel, our client needed to conduct demonstrations to achieve an important project milestone. This presented an opportunity to help them plan, test, and facilitate remote vendor demonstrations with great success.

This brief case study shares some of the key success factors we found in conducting remote demonstrations and some lessons learned after they were complete.

  1. Prepare 
    Establish a clear agenda, schedule, script, and plan in advance of the demonstrations. This helps keep everyone coordinated throughout the demos.
  2. Test
    It is important to test the vendor’s video conference solution from all locations prior to the demonstrations. We tested with both vendors a week ahead of demos.
  3. Establish Ground Rules
    Establishing ground rules allows the meetings to go better, be more efficient, and stay on time. For example, is a moment of silence a consensus to move on, or must you wait for someone to unmute their line and verbally confirm before proceeding?
  4. Have clear roles by location
    Clear roles help to facilitate the demonstration. Designated time keepers, scribes, and local facilitators help the demonstration go smoothly and decrease communication issues.
  5. Be close to the microphone
    Essential common sense, but when you can’t see everyone, loud, clear questions and answers make the demos more effective.
  6. Ask vendors to build in pauses to allow for questions
    Since vendors may not be able to see a hand raised, asking vendors to build specific pauses into their demonstrations allows space for questions to be asked easily.
  7. Do a virtual debrief 
    At the end of each vendor demonstration we had our own videoconferencing meeting set up to facilitate a virtual debrief. This allowed us to capture the evaluation notes of the day prior to the next demo. Planning these in advance and having them on people’s calendars made joining the meetings quick and seamless.

Observations and other lessons learned

Following the remote demonstrations we identified a few observations and lessons learned:

  1. Visibility was better
    By not having everyone crowded into one room, people were able to see the screen and the vendor’s software clearly.
  2. Different virtual platforms required orientation
    We wanted vendors to use the tools they were accustomed to using. This led to us using different products for different demonstrations. This was not insurmountable, but required orientation to get used to their tools at the start of each demo.
  3. Video helped debriefing
    Given the quick planning we did not have video capability from all locations for our virtual debrief. It was helpful to see the people sharing their comments following each demonstration. We will plan for video capabilities at all locations next time.
  4. Having a set order for people to provide feedback helped
    During the first debriefing, we established a set order for people to speak and share their thoughts. This limited talking over each other and allowed everyone to hear the thoughts of their peers clearly.
  5. Be patient with slowness
    For the most part we had successful demos with limited slowness. There were a couple points where slowness was encountered. We remained patient, adjusted the schedule, and in the worst case, added an extra break for people.
  6. Staying engaged takes effort
    Sitting all day on a remote demo and paying attention took effort to stay engaged. Building in specific times for Q&A, calling on people by name, and designing it so it wasn’t eight hours straight of presentation helped with engagement.

Restricted travel in response to COVID-19 has led our clients and our teams to be creative and agile in achieving objectives. The remote demonstrations proved highly successful, accomplished the goals, and met our client’s critical timing milestone. At the end of four days of demos, our client commented that the remote demos were perhaps even better than if they had been conducted onsite. As we look at the long view, we may find that clients prefer remote demonstrations even when social distancing and travel restrictions are lifted.

Social distancing case study: Hosting remote vendor demonstrations

Texting has become a simple, convenient, and entrenched component of our everyday lives. We use it with family, friends, coworkers—and clients. My wife and I text to coordinate day care pickup and drop off of our kids every day. It is a quick and easy alternative to our large, and sometimes overwhelming, volume of email.

And with that convenience comes the temptation for clinicians, care teams, and healthcare providers to communicate sensitive content via text in the workplace. The ability to take a photograph of a wound and share with a colleague for a consult is convenient and effective. The number of patients who want to text a non-urgent question to their providers is also growing, particularly with younger patient populations. Population health teams who want to better engage patients may see texting as an easy format to achieve that.

The problem? Texting is not a secure communication method. The native SMS (short message service) used by many phones, including iPhones (at times), is not encrypted, and messages are sent in plain text over cellular networks. SMS messages are vulnerable to “man-in-the-middle” attacks, in which a third-party eavesdrops or potentially manipulates a conversation. The native message format of iPhones has security risks, too. And when a text message contains protected patient information or images, these risks become significant.

On December 28, 2017 CMS released clarification on text messaging. The highlights:

  • Texting is permissible between care team members if accomplished through a secure platform.
  • Texting of orders: prohibited.
  • Computerized Physician Order Entry (CPOE) is the preferred method of provider order entry.

The first bullet allows some consideration of text messaging but with an important caveat: you must use a secure platform. The last two bullets steer providers to using their EHR systems.

What should you do if you find yourself in a position where text messaging has crept into your culture?

  • Establish a policy to govern the use of text messaging and update your mobile device policy.
  • Determine whether you will implement (and allow your care team to use) a secure texting platform or prohibit texting altogether.
  • Consider how secure texting impacts your policies and procedures related to data retention, discovery, and the legal health record. 
  • Educate your patients about secure messaging available on your patient portal.
  • Assess your organization’s usage and level of risk.
  • Stop using unsecure text messaging for patient related communications.

For more information, contact me.


Texting in healthcare? Best be secure.

Read this if you are a business owner or interested in upcoming changes to current tax law.

As Joe Biden prepares to be inaugurated as the 46th President of the United States, and Congress is now controlled by Democrats, his tax policy takes center stage.

Although the Democrats hold the presidency and both houses of Congress for the next two years, any changes in tax law may still have to be passed through budget reconciliation, because 60 votes in the Senate generally are needed to avoid that process. Both in 2017 and 2001, passing tax legislation through reconciliation meant that most of the changes were not permanent; that is, they expired within the 10-year budget window. Here is a comparison of current tax law with Biden’s proposed tax plan.

Current tax law (TCJA–present) vs. Biden’s stated goals

Corporate tax rates and AMT

Corporations have a flat 21% tax rate and no corporate alternative minimum tax (AMT), which were both changed by the TCJA.

These do not expire.

Biden would raise the flat rate to the pre-TCJA level of 28% and reinstate the corporate AMT, requiring corporations to pay the greater of their regular corporate income tax or the 15% minimum tax (while still allowing for net operating loss (NOL) and foreign tax credits).

Capital gains and Qualified Dividend Income

The top tax rate is 20% for income over $441,450 for individuals and $496,600 for married filing jointly. There is an additional 3.8% net investment income tax.

Biden would eliminate breaks for long-term capital gains and dividends for income above $1 million. Instead, these would be taxed at ordinary rates.

Payroll taxes

The 12.4% payroll tax is divided evenly between employers and employees and applies to the first $137,700 of an individual’s income (scheduled to go up to $142,400 in 2020). There is also a 2.9% Medicare Tax which is split equally between the employer and the employee with no income limit.

Biden would maintain the 12.4% tax split between employers and employees and keep the $142,400 cap but would institute the tax on earned income above $400,000. The gap between the two wage levels would gradually close with annual inflationary increases.

International taxes (GILTI, offshoring)

GILTI (Global Intangible Low-Tax Income): Established by the TCJA, U.S. multinationals are required to pay a foreign tax rate of between 10.5% and 13.125%.

An increase in the effective rate to 16.406% is scheduled to begin in 2026.

Offshoring taxes: The TCJA includes a tax deduction for corporations that manufacture in the U.S. and sell overseas.

GILTI: Biden would double the tax rate to 21% and assess a minimum tax on a country-by-country basis.

Offshoring taxes: Biden would establish a 10% penalty surtax on profits for goods and services manufactured offshore and a 10% advanceable “Made in America” tax credit to create U.S. manufacturing jobs. Biden would also close offshoring tax loopholes in the TCJA.

Estate taxes

The estate tax exemption for 2020 is $11,580,000. Transfers of appreciated property at death get a step-up in basis.

The exemption is scheduled to revert to pre-TCJA levels.

Biden would return the estate tax to 2009 levels, eliminate the current step-up in basis on inherited assets, and eliminate the step-up at death provision for inherited property passed along by the decedent.

Individual tax rates

The top marginal rate is 37% for income over $518,400 for individuals and $622,050 for married filing jointly. This was lowered from 39.6% pre-TCJA.

Biden would restore the 39.6% rate for taxable income above $400,000. This represents only the top rate.

Individual tax credits

Currently, individuals can claim a maximum of $2,000 Child Tax Credit (CTC) plus a $500 dependent credit.

Individuals may claim a maximum dependent care credit of $600 ($1,200 for two or more children).

The CTC is scheduled to revert to pre-TCJA levels ($1,000) after 2025.

Biden would expand the CTC to $3,000 for children age 17 and under and offer a $600 bonus for children age 6 and under. It would also be fully refundable.

He has also proposed increasing the child and dependent care tax credit to $8,000 ($16,000 for two or more children), and he has proposed a new tax credit of up to $5,000 for informal caregivers.

Separately, Biden has also proposed a $15,000 tax credit for first-time homebuyers.

Qualified Business Income Deduction under Section 199A

As previously discussed, many businesses qualify for a 20% qualified business income tax deduction lowering the effective rate of tax for S corporation shareholders and partners in partnerships to 29.6% for qualifying businesses.

Biden would phase out the tax benefits associated with the qualified business income deduction for those making more than $400,000 annually.

Education

Forgiven student loan debt is included in taxable income.

There is no tax credit for contributions to state-authorized organizations that sponsor scholarships.

Biden would exclude forgiven student loan debt from taxable income.

Small businesses

There are current tax credits for some of the costs to start a retirement plan.

Biden would offer tax credits for businesses that adopt a retirement savings plan and offer most workers without a pension or 401(k) access to an “automatic 401(k)”.

Itemized deductions

For 2020, the standard deduction is $12,400 for single/married filing separately and $24,800 for married filing jointly.

After 2025, the standard deduction is scheduled to revert to pre-TCJA amounts, or $6,350 for single /married filing separately and $12,700 for married filing jointly.

The TCJA suspended the personal exemption and most individual deductions through 2025.

It also capped the SALT deduction at $10,000, which will remain in place until 2025, unless repealed.

Biden would enact a provision that would cap the tax benefit of itemized deductions at 28%.

SALT cap: Senate minority leader Charles Schumer has pledged to repeal the cap should Biden win in November (the House of Representatives has already passed legislation to repeal the SALT cap).

Opportunity Zones

Biden has proposed incentivizing opportunity zone funds to partner with community organizations and have the Treasury Department review the program’s regulations of the tax incentives. He would also increase reporting and public disclosure requirements.

Alternative energy

Biden would expand renewable energy tax credits and credits for residential energy efficiency and restore the Energy Investment Tax Credit (ITC) and the Electric Vehicle Tax Credit.


If you have questions about your specific situation, please contact us. We’re here to help.

Biden's tax plan and what may change from current tax law

Read this if your company is seeking guidance on PPP loans.

The Consolidated Appropriations Act, 2021 (H.R. 133) was signed into law on December 27, 2020. This bill contains guidance on the existing Paycheck Protection Program (PPP) and guidelines for the next round of PPP funding.

Updates on existing PPP loans

Income and expense treatment of PPP loans. Forgiven PPP loans will not be included in taxable income and eligible expenses paid with PPP funds will be tax-deductible. This tax treatment applies to both current and future PPP loans.

Tax attributes and basis adjustments. Tax attributes such as net operating losses and passive loss carryovers, and basis increases generated from the result of the PPP loans will not be reduced if the loans are forgiven.

Economic Injury Disaster Loans (EIDL). Any previous or future EIDL advance will not reduce PPP loan forgiveness. Any borrowers who already received forgiveness of their PPP loans and had their EIDL subtracted from the forgiveness amount will be able to file an amended forgiveness application to have their PPP forgiveness amount increased by the amount of the EIDL advance. The SBA has 15 days from the effective date of this bill to produce an amended forgiveness application. 

Simplified forgiveness application for loans under $150,000. Borrowers who received PPP loans for $150,000 or less will now be able to file a simplified one-page forgiveness application and will not be required to submit documentation with the application. The SBA has 24 days from the effective date of this bill to make this new forgiveness application available. 

Use of PPP funds. Congress expanded the types of expenses that may be paid with PPP funds. Prior eligible expenses were limited to payroll (including health benefits), rent, covered mortgage interest, and utilities. Additional expenses now include software and cloud computing services to support business operations, the purchase of essential goods from suppliers, and expenditures for complying with government guidance relating to COVID-19.

These additional expenses apply to both existing and new PPP loans, but they do not apply to existing loans if forgiveness has already been obtained.
 
In addition, the definition of "payroll costs" has been expanded to include costs for group life, disability, dental, and vision insurance. These additions also apply to both existing and new loans.

Information for new PPP loans

Application deadline. March 31, 2021 

Eligibility for first-time borrowers. A business that did not previously apply for or receive a PPP loan may apply for a new loan. The same requirements apply from the first round of loans. The business must employ fewer than 500 employees per physical location and the borrower must certify the loan is necessary due to economic uncertainty.

Eligibility for second-time borrowers. Businesses that received a prior PPP loan may apply for a second loan; however, the eligibility requirements are a little more stringent. The business must have fewer than 300 employees per physical location (down from 500 previously) and it must have experienced a decline in gross revenue of at least 25% in any quarter in 2020 as compared to the same quarter in 2019. The business must also have expended (or will expend) its initial PPP loan proceeds.

Maximum loan amount. Lesser of $2 million or 2.5x average monthly payroll for either calendar 2019 or the 12-month period prior to the date of the loan. Businesses operating in the accommodations and food service industry (NAICS code 72) can use a 3.5x average monthly payroll multiple. If the business previously received a loan less than the new amount allowed, or if it returned a portion or all of the previous loan, it can apply for additional funds up to the maximum loan amount. 

New types of businesses eligible for loans.

  • Broadcast news stations, radio stations, and newspapers that will use the proceeds to support the production and distribution of local and emergency information 
  • Certain 501(c)(6) organizations with fewer than 300 employees and that are not significantly involved in lobbying activities 
  • Housing cooperatives with fewer than 300 employees 
  • Companies in bankruptcy if the bankruptcy court approves

Ineligible businesses. A business that was ineligible to receive a PPP loan during the first round is still ineligible to receive a loan in the new round. The new legislation also prohibits the following businesses from receiving a loan in the second round:

  • Publicly traded companies 
  • Businesses that are owned 20% or more by a Chinese or Hong Kong entity or that have a resident of China on their board
  • Businesses engaged primarily in political or lobbying activities
  • Businesses required to register under the Foreign Agents Registration Act 
  • Businesses not in operation on February 15, 2020 

Forgiveness qualifications. New PPP loans will be eligible for forgiveness if at least 60% of the proceeds are used on payroll costs. Partial forgiveness will still be available if less than 60% of the funds are used on payroll costs. 

Covered period. The borrower may choose a covered period (i.e., the amount of time in which the PPP funds must be spent) between 8 and 24 weeks from the date of the loan disbursement.

Employee Retention Tax Credit. The CARES Act prohibited a business from claiming the Employee Retention Tax Credit if it received a PPP loan. The new legislation retroactively repeals that prohibition, although it is unclear how an employer can claim retroactive relief. The new bill also expands the tax credit for 2021.

Additional guidance is expected from the SBA in the coming weeks on many of these items and we will provide updates when the information is released.

We’re here to help.
If you have questions about PPP loans, contact a BerryDunn professional.

Article
Paycheck Protection Program: Updates on new and existing loans

Read this if your facility or organization has received provider relief funds.

The rules over the use of the provider relief funds (PRF) have been in a constant state of flux since the funds started to show up in your bank accounts back in April. Here is a summary of where we are as of November 30, 2020 with allowable uses of the funds.
 
The most recent Post-Payment Notice of Reporting Requirements is dated November 2, 2020. In accordance with the notice, PRF may be used for two purposes:

  1. Healthcare-related expenses attributable to coronavirus that another source has not reimbursed and is not obligated to reimburse
  2. Lost revenue, up to the amount of the difference between 2019 and 2020 actual patient care revenue

The Department of Health and Human Services (HHS) has issued FAQs as recently as November 18, 2020. The FAQs include the following clarifications on the allowable uses:

Healthcare-related expenses attributable to the coronavirus

  1. PRF may be used for the marginal increased expenses or incremental expenses related to coronavirus.
  2. Expenses cannot be reimbursed by another source or another source cannot be obligated to reimburse the expense.
  3. Other sources include, but are not limited to, direct patient billing, commercial insurance, Medicare/Medicaid/Children’s Health Insurance Program (CHIP), or other funds received from the Federal Emergency Management Agency (FEMA), the Provider Relief Fund COVID-19 Claims Reimbursement to Health Care Providers and Facilities for Testing, Treatment, and Vaccine Administration for the Uninsured, and the Small Business Administration (SBA) and Department of Treasury’s Paycheck Protection Program (PPP). This would also include any state and federal grants received as a result of the coronavirus.
  4. Providers should apply reasonable assumptions when estimating the portion of costs that are reimbursed from other sources.
  5. The examples in the FAQs for increased cost of an office visit and patient billing seem to point to only supplemental coronavirus-related reimbursement needing to be offset against the increased expense.
  6. PRF may be used for the full cost of equipment or facility projects if the purchase was directly related to preventing, preparing for and responding to the coronavirus; however, if you claim the full cost, you cannot also claim the depreciation for any items capitalized.
  7. PRF cannot be used to pay salaries at a rate in excess of Executive Level II, which is currently set at $197,300.

Lost revenues attributable to the coronavirus

  1. Lost revenues attributable to coronavirus are calculated based upon a calendar year comparison of 2019 to 2020 actual revenue/net charges from patient care (prior to netting with expenses).
  2. Any unexpended PRF at 12/31/20 is then eligible for use through June 30, 2021 and calculated lost revenues in 2021 are compared to January to June 2019.
  3. Reported patient care revenue is net of uncollectible patient service revenue recognized as bad debts and includes 340B contract pharmacy revenue.
  4. This comparison is cumulative; for example, if your net income improves in Q4, it will reduce lost revenues from Q2.
  5. Retroactive cost report settlements or other payments received that are not related to care provided in 2019 or 2020 can be excluded from the calculation.

Whether you are tracking expenses or lost revenues, the accounting treatment for both is to be consistent with your normal basis of accounting (cash or accrual).
 
As a reminder, the first reporting period (through December 31, 2020) is due February 15, 2021. The reporting portal is supposed to open January 15, 2021. Any unexpended PRF at December 31, 2020 can be used from January 1, 2021 through June 30, 2021, with final reporting due July 31, 2021.

The guidance continues to change rapidly and new FAQs are issued each week. Please check back here for any updates, or contact Mary Dowes for more information.

Article
Provider relief funds: Allowable uses 

Read this if you are an employee benefit plan fiduciary.

The COVID-19 pandemic has challenged individuals and organizations to continue operating during a time when face-to-face interaction may not be plausible, and access to organizational resources may be restricted. However, life has not stopped, and participants in your employee benefit plan may continue to make important decisions based on their financial needs. This article looks at distributions from your plan, specifically focusing on required minimum distributions (RMD) and coronavirus-related distributions.

Required minimum distributions

If an employee benefit plan is subject to the RMD rules of Code Section 401(a)(9), then distributions of a participant’s accrued benefits must commence April 1 of the calendar year following the later of 1) the participant attaining age 70½, or 2) the participant’s severance from employment. Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, RMDs have been temporarily waived for retirement plans for 2020. This change applies to direct contribution plans, such as 401(k), 403(b), 457(b) plans, and IRAs. In addition, RMDs were waived for IRA owners who turned 70½ in 2019 and were required to take an RMD by April 1, 2020 and have not yet done so. Note: the waiver will not alter a participant’s required beginning date for purposes of applying the minimum distribution rules in future periods.

Coronavirus-related distributions

Under section 2202 of the CARES Act, qualified participants who are diagnosed with coronavirus, whose spouse or dependent is diagnosed with coronavirus, or who experience adverse financial consequences due to certain virus-related events including quarantine, furlough, layoff, having hours reduced, or losing child care are eligible to receive a coronavirus-related distribution.

These distributions are considered coronavirus-related distributions if the participant or his/her spouse or dependent has experienced the adverse effects noted above due to the coronavirus, the distributions do not exceed $100,000 in the aggregate, and the distributions were taken on or after January 1, 2020 and on or before December 30, 2020.

Such distributions are not subject to the 10% penalty tax under Internal Revenue Code (IRC) § 72(t), and participants have the option of including their distributions in income ratably over a three-year period, or the entire amount, starting in the year the distribution was received. Such distributions are exempt from the IRC § 402(f) notice requirement, which explains rollover rules, as well as the effects of rolling a distribution to a qualifying IRA and the effects of not rolling it over. Also, participants can be exempt from owing federal taxes by repaying the coronavirus-related distribution.

Participants receiving this distribution have a three-year window, starting on the distribution date, to contribute up to the full amount of the distribution to an eligible retirement plan as if the contribution were a timely rollover of an eligible rollover distribution. So, if a participant were to include the distribution amount ratably over the three-year period (2020-2022), and the full amount of the distribution was repaid to an eligible retirement plan in 2022, the participant may file amended federal income tax returns for 2020 and 2021 to claim a refund for taxes paid on the income included from the distributions. The participant will not be required to include any amount in income in 2022. We recommend the plan sponsor maintain documentation supporting that the participant was eligible to receive the coronavirus-related distribution.

There is much uncertainty due to the COVID-19 pandemic. A result of this uncertainty has been changes to guidance and treatment of plan transactions, which has forced many of our clients to review and alter their control environments. We have provided our current understanding of the guidance the IRS has provided for the treatment surrounding distributions, specifically RMDs and coronavirus-related distributions. If you and your team have any additional questions specific to your organization or plan, please contact us.

Article
Impacts of the CARES Act on employee benefit plan distributions

Read this if your senior living facility is receiving Medicare payments.

A year ago, the senior living industry was challenged with the transition to the Patient-Driven Payment Model (PDPM). In the months leading up to the implementation of PDPM, providers prepared for new regulations, conducted employee training, and forecasted financial performance. By all accounts, the implementation of PDPM went off with very few glitches.

That all changed in the beginning of 2020 when the coronavirus (COVID-19) pandemic upended the industry and Medicare occupancy levels diminished. COVID-19 overturned the way providers were providing care at their facilities. Providers have seen a decrease in utilization of therapy services and an increase in medical management cases. Providers anticipated delivering more concurrent physical therapy, which has become impossible with COVID-19. We understand how demanding COVID-19 related change management has been for skilled nursing facilities, and want to help you re-focus your attention on the critical tasks and procedures driving your Medicare reimbursement.

New federal fiscal year, new rates

The Medicare Final Rule for fiscal year 2021 did not contain any major policy changes to PDPM but did contain routine updates to coding and Medicare billing rates effective October 1, 2020. After changing Medicare billing rates, you should test your system by carefully reviewing a remittance advice and the accounts receivable report for October service dates. Look for any balances, big or small, to help ensure billing rates and contractuals are correct for all payers following Medicare rules. Note:

  • Small balances may indicate errors in system configuration, such as PDPM rates, sequestration, or value-based purchasing adjustment.
  • Larger balances may indicate a claim missed in the facility's triple-check meeting and billed at an incorrect PDPM rate. View the FFY2021 Medicare Rate Calculator.
  • Providers should review ICD-10 mappings on an annual basis for new and discontinued ICD-10 codes. 

Medicare Advantage plan enrollment is growing. What does it mean for your facility?

With the continuing growth of Medicare Managed Care/Advantage plans, it is important to review your facility’s contracts. 

  • Most Medicare Advantage programs have adopted PDPM, but have differing requirements for pre-authorizations and payment rates, so be sure you understand how each of these contracts reimburses your facility.
  • If there are new Medicare Advantage plans in your area, evaluate the need to negotiate a contract to admit patients covered by the new plan. 
  • Update the list of plans your facility contracts with:
     
    • Carefully review contract rates and request rate changes if the payor does not follow the Medicare fee schedule. 
    • To avoid denied claims, update contact information and understand preauthorization requirements and any patient status updates. Distribute the updated list to your admissions and case management teams.

Check on your MDS coordinator

  • With the COVID-related shift in responsibilities, we see an increase in MDS position turnover. We recommend reviewing or developing a backup for your MDS coordinator, as completion of MDS is critical for billing and regulatory compliance. 
  • If your facility has limited resources for backup, evaluate sub-contracting options or reach out to your state’s Health Care Association for available resources. 

Update your consolidated billing resources

Consolidated billing errors could result in significant reductions of your bottom line. CMS updates guidance on consolidated billing regularly. We recommend checking the CMS listing and ensuring your admissions, clinical, and medical records teams use up-to-date information for admission decisions and coordination of care with external health care providers. Get more information.

COVID-19 impact

  • CMS provided a number of flexibilities to help facilities with COVID-related care. Please note, a number of these provisions are temporary, and are only effective during the state of emergency. We recommend at least a monthly review of regulatory guidance to help ensure compliance. Get more information.
  • While the COVID-19 diagnosis and codes were not specifically incorporated into PDPM in the 2021 final rule, be sure to appropriately code isolation stays in the nursing component, and document the additional costs of testing, PPE, and labor, as well as support for the skilled status need, to protect against audit risk.

Have questions? Our Senior Living revenue cycle team is here to help. 

Article
Patient Driven Payment Model―A year later