
The three P's of improving your company's cybersecurity soft skills

By: Dan Vogt
04.13.20

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appears to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  2. Plan: Implement a disaster recovery and incident response plan
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in the context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand, and harder for leadership to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network are taken offline, how will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not, be for a cyber-attack when it comes.

  3. Practice: Prepare your team with table top exercises
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, both in preventing issues from occurring and in responding quickly and appropriately when they do. Remember to focus on your People, your Plan, and your Practice.
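The People section above asks whether staff would notice a sender domain that differs from the organization's by one letter. A mail filter can make that check for them; the following is an added example (not code from the article or its author) that flags sender domains within one edit of a trusted domain, after normalizing common look-alike character swaps such as "rn" for "m" or "1" for "l". The domain names and From: headers are constructed for the example.

```python
"""Flag sender domains that impersonate a trusted domain by one character.

Added illustration for the phishing discussion: a domain that is one letter
off is easy for a person to miss but cheap for a filter to catch. All domains
and headers here are constructed sample values.
"""
from typing import Iterable, Optional

# Character sequences that look alike in many fonts; normalized before comparing
# so that "exarnple" and "example" are treated as the same string. Constructed
# list, not exhaustive.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse look-alike character sequences."""
    d = domain.strip().lower()
    for lookalike, canonical in HOMOGLYPHS:
        d = d.replace(lookalike, canonical)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) via the usual two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the domain part of a From: header value, lower-cased.

    Handles both 'user@host' and 'Display Name <user@host>' forms.
    """
    addr = from_header
    if "<" in addr and ">" in addr:
        addr = addr[addr.rfind("<") + 1:addr.rfind(">")]
    return addr.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(domain: str, trusted: Iterable[str],
                 max_distance: int = 1) -> Optional[str]:
    """Return the trusted domain that `domain` resembles, or None.

    An exact match is trusted, not a look-alike. Any other domain whose
    normalized form is within `max_distance` edits of a trusted domain's
    normalized form is reported as impersonating that domain.
    """
    domain = domain.lower()
    trusted = [t.lower() for t in trusted]
    if domain in trusted:
        return None
    norm = normalize(domain)
    for t in trusted:
        if levenshtein(norm, normalize(t)) <= max_distance:
            return t
    return None


def classify(from_header: str, trusted: Iterable[str]) -> str:
    """Label a From: header as 'trusted', 'lookalike:<target>' or 'external'."""
    trusted = list(trusted)
    domain = sender_domain(from_header)
    if domain in [t.lower() for t in trusted]:
        return "trusted"
    target = lookalike_of(domain, trusted)
    if target is not None:
        return f"lookalike:{target}"
    return "external"


if __name__ == "__main__":
    # Constructed sample: the organization's real domain and a few headers.
    TRUSTED = ["example-corp.com"]
    SAMPLE_HEADERS = [
        "Chief Financial Officer <cfo@example-corp.com>",   # genuine
        "Chief Financial Officer <cfo@examp1e-corp.com>",   # '1' for 'l'
        "CFO <cfo@exarnple-corp.com>",                      # 'rn' for 'm'
        "cfo@example-corp.co",                              # dropped letter
        "accounts@vendor-example.com",                      # unrelated sender
    ]
    for header in SAMPLE_HEADERS:
        print(f"{classify(header, TRUSTED):32s} {header}")
```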


Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

  • What metrics will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to notify us or produce an alert?
  • What does exceeding a threshold mean to our business?
  • Who on our team will be notified if an alert is warranted?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Article: Oxymoron of the month: Outsourced accountability

Read this if you are an IT Leader, CFO, COO, or other C-suite leader responsible for selecting a new system.

Vendor demonstrations are an important milestone in the vendor selection process. Demonstrations allow you to validate what a vendor’s software is capable of, evaluate the usability with your own eyes, and confirm the fit to your organization’s objectives.

Our client found itself in a situation where, after many months of work developing requirements, issuing a request for proposal, and reviewing vendor proposals they were ready to conduct demonstrations. Despite a governor’s executive order for social distancing and limitations on non-essential travel, our client needed to conduct demonstrations to achieve an important project milestone. This presented an opportunity to help them plan, test, and facilitate remote vendor demonstrations with great success.

This brief case study shares some of the key success factors we found in conducting remote demonstrations and some lessons learned after they were complete.

  1. Prepare
    Establish a clear agenda, schedule, script, and plan in advance of the demonstrations. This helps keep everyone coordinated throughout the demos.
  2. Test
    It is important to test the vendor’s video conference solution from all locations prior to the demonstrations. We tested with both vendors a week ahead of demos.
  3. Establish Ground Rules
    Establishing ground rules allows the meetings to go better, be more efficient, and stay on time. For example, is a moment of silence a consensus to move on, or must you wait for someone to unmute their line and verbally confirm to proceed?
  4. Have clear roles by location
    Clear roles help to facilitate the demonstration. Designated time keepers, scribes, and local facilitators help the demonstration go smoothly and decrease communication issues.
  5. Be close to the microphone
    Essentially common sense, but when you can’t see everyone, loud, clear questions and answers make the demos more effective.
  6. Ask vendors to build in pauses to allow for questions
    Since vendors may not be able to see a hand raised, asking vendors to build specific pauses into their demonstrations allows space for questions to be asked easily.
  7. Do a virtual debrief
    At the end of each vendor demonstration we had our own videoconferencing meeting set up to facilitate a virtual debrief. This allowed us to capture the evaluation notes of the day prior to the next demo. Planning these in advance and having them on people’s calendars made joining the meetings quick and seamless.

Observations and other lessons learned

Following the remote demonstrations we identified a few observations and lessons learned:

  1. Visibility was better
    By not having everyone crowded into one room, people were able to see the screen and the vendor’s software clearly.
  2. Different virtual platforms required orientation
    We wanted vendors to use the tools they were accustomed to using. This led to us using different products for different demonstrations. This was not insurmountable, but required orientation to get used to their tools at the start of each demo.
  3. Video helped debriefing
    Given the quick planning we did not have video capability from all locations for our virtual debrief. It was helpful to see the people sharing their comments following each demonstration. We will plan for video capabilities at all locations next time.
  4. Having a set order for people to provide feedback helped
    During the first debriefing, we established a set order for people to speak and share their thoughts. This limited talking over each other and allowed everyone to hear the thoughts of their peers clearly.
  5. Be patient with slowness
    For the most part we had successful demos with limited slowness. There were a couple points where slowness was encountered. We remained patient, adjusted the schedule, and in the worst case, added an extra break for people.
  6. Staying engaged takes effort
    Sitting all day on a remote demo and paying attention took effort to stay engaged. Building in specific times for Q&A, calling on people by name, and designing it so it wasn’t eight hours straight of presentation helped with engagement.

Restricted travel in response to COVID-19 has led our clients and our teams to be creative and agile in achieving objectives. The remote demonstrations proved highly successful, accomplished the goals, and met our client’s critical timing milestone. At the end of four days of demos, our client commented that the remote demos were perhaps even better than if they had been conducted onsite. As we look at the long view, we may find that clients prefer remote demonstrations even when social distancing and travel restrictions are lifted.

Article: Social distancing case study: Hosting remote vendor demonstrations

Texting has become a simple, convenient, and entrenched component of our everyday lives. We use it with family, friends, coworkers—and clients. My wife and I text to coordinate day care pickup and drop off of our kids every day. It is a quick and easy alternative to our large, and sometimes overwhelming, volume of email.

And with that convenience comes the temptation for clinicians, care teams, and healthcare providers to communicate sensitive content via text in the workplace. The ability to take a photograph of a wound and share with a colleague for a consult is convenient and effective. The number of patients who want to text a non-urgent question to their providers is also growing, particularly with younger patient populations. Population health teams who want to better engage patients may see texting as an easy format to achieve that.

The problem? Texting is not a secure communication method. The native SMS (short message service) used by many phones, including iPhones (at times), is not encrypted, and messages are sent in plain text over cellular networks. SMS messages are vulnerable to “man-in-the-middle” attacks, in which a third-party eavesdrops or potentially manipulates a conversation. The native message format of iPhones has security risks, too. And when a text message contains protected patient information or images, these risks become significant.

On December 28, 2017 CMS released clarification on text messaging. The highlights:

  • Texting is permissible between care team members if accomplished through a secure platform.
  • Texting of orders: prohibited.
  • Computerized Physician Order Entry (CPOE) is the preferred method of provider order entry.

The first bullet allows some consideration of text messaging but with an important caveat: you must use a secure platform. The last two bullets steer providers to using their EHR systems.

What should you do if you find yourself in a position where text messaging has crept into your culture?

  • Establish a policy to govern the use of text messaging and update your mobile device policy.
  • Determine whether you will implement (and allow your care team to use) a secure texting platform or prohibit texting altogether.
  • Consider how secure texting impacts your policies and procedures related to data retention, discovery, and the legal health record.
  • Educate your patients about secure messaging available on your patient portal.
  • Assess your organization’s usage and level of risk.
  • Stop using unsecure text messaging for patient related communications.

For more information, contact me.


Article: Texting in healthcare? Best be secure.

Read this if you are working with an auditor.

The standard report an auditor issues on an entity’s financial statements was created in 1988, and has only had minor tweaking since. Amazing when we think about how the world has changed since 1988! Back then:

  • The World Wide Web hadn’t been invented
  • The Simpsons wasn’t yet on TV, and neither was Seinfeld
  • The Berlin Wall was still standing
  • The Single Audit Act celebrated its fourth birthday

The Auditing Standards Board (ASB), an independent board of the American Institute of CPAs (AICPA) that establishes auditing rules for not-for-profit organizations (as well as private company and federal, state, and local governmental entities) has decided it was high time to revisit the auditor’s report, and update it to provide additional information about the audit process that stakeholders have been requesting.

In addition to serving as BerryDunn’s quality assurance principal for the past 23 years, I’ve been serving on the ASB since January 2017, and as chair since May 2020. (And thanks to the pandemic our meetings during my tenure as chair have been conducted from my dining room table.) We thought you might be interested in a high-level overview of the coming changes to the auditor’s report, which will be effective starting with calendar 2021 audits, from an insider’s perspective.

So what’s changing?

The most significant changes you’ll be seeing, based on feedback from various users of auditor’s reports, are:

  1. Opinion first
    The opinion in an audit report is the auditor’s conclusion as to whether the financial statements are in accordance with the applicable accounting standards, in all material respects. People told us this is the most important part of the report, so we’ve moved it to the first section of the report.
  2. Auditor’s ethical responsibilities
    We’ve pointed out that an auditor is required to be independent of the organization being audited, and to meet certain other ethical responsibilities in the conduct of the audit.
  3. “Going concern” responsibilities
    We describe management’s responsibility, under U.S. generally accepted accounting principles, and the auditor’s responsibility, under the auditing rules, for determining whether “substantial doubt” exists about the organization’s ability to continue in existence for at least one year following the date the financial statements are approved for issuance.
  4. Emphasis on professional judgment and professional skepticism
    We explain how an audit requires the auditor to exercise professional judgment (for example, regarding how much testing to perform), and to maintain professional skepticism, i.e., a questioning mind that is alert to the possibility the financial statements may be materially misstated, whether due to error or fraud.
  5. Communications with the board of directors
    We point out that the auditor is required to communicate certain matters to the board, such as difficulties encountered during the audit, material adjustments identified during the audit process, and which areas the auditor treated as “significant risks” in planning and performing the audit.
  6. Responsibility related to the “annual report”
    If the organization issues an “annual report” containing or referring to the audited financial statements, we explain the auditor is required to review it for consistency with the financial statements, and for any known misstatements of fact.
  7. Discussion of “key audit matters”
    While not required, your organization may request the auditor to discuss how certain “key audit matters” (those most significant to the audit) were addressed as part of the audit process. These are similar to the “critical audit matters” publicly traded company auditor’s reports are now required to include.

Yes, this means the auditor’s report will be longer; however, stakeholders told us inclusion of this information will make it more informative, and useful, for them.

Uniform Guidance standards also changing

Is your organization required to have a compliance audit under the federal Uniform Guidance standards? That report is also changing to reflect the items listed above to the extent they’re relevant.

What should you do?

Some actions to consider as you get ready for the first audit to which the new report applies (calendar 2021, or fiscal years ending in 2022) include:

  1. Ask your auditor what your organization’s auditor’s report will look like
    Your auditor can provide examples of auditor’s reports under the new rules, or even draft a pro forma auditor’s report for your organization (subject, of course, to the results of the audit).
  2. Outline and communicate your process for developing your annual report
    If your organization prepares an annual report, it will be important to coordinate its timing with that of the issuance of the auditor’s report, due to the auditor’s new reporting responsibility related to the annual report.
  3. Discuss with your board whether you would like the auditor to include a discussion of “key audit matters” in the auditor’s report
    While not required for not-for-profits, some organizations may decide to request the auditor include a discussion of such matters in the report, from the standpoint of transparency “best practices.”

If you have any questions about the new auditor’s report or your specific situation, please contact us. We’re here to help.
Article: A new auditor's report: Seven changes to know

Read this if you are a plan sponsor of employee benefit plans.

This article is the sixth in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

Plan sponsors have a fiduciary responsibility to provide oversight over the operations of employee benefit plans. This oversight involves a multitude of varying responsibilities. Failure to provide sufficient oversight can lead to non-compliance with rules and regulations. However, even if plan sponsors are providing sufficient oversight, lack of documentation of the oversight is arguably equally as severe as no oversight at all. Here are some common fiduciary responsibilities and how you should document them.

Review of the report on service organization’s controls

Most employee benefit plans have outsourced a significant portion of the plan’s processes, and the internal controls surrounding those processes, to a service organization. Regardless of how certain plan-related processes are performed—internally or outsourced—the plan sponsor has a fiduciary responsibility to monitor the internal controls in place surrounding significant processes and to determine if these controls are suitably designed and effective. The most commonly outsourced processes of an employee benefit plan are the administration, including recordkeeping of the plan, through a third-party administrator; payroll processing; and actuarial calculations, if applicable to the plan.

When plan processes are outsourced to service organizations, generally the most efficient way to obtain an understanding of the outsourced controls is to obtain a report on controls issued by the service organization’s auditor. You should request the service organization’s latest System and Organization Controls Report (SOC 1 report). The SOC 1 report should be based on the Statement on Standards for Attestation Engagements No. 18, Reporting on the Controls at a Service Organization, frequently known as SSAE 18.

Plan sponsors should perform a documented review of the SOC 1 report for each of the plan’s service organizations. The documented review should most notably include discussion of any exceptions noted within the service auditor’s testing performed, identification of subservice organizations and consideration if subservice organization SOC 1 reports need to be obtained, and assessment of the complementary user entity controls outlined in the SOC 1 report. The complementary user entity controls are internal control activities that should be in place at the plan sponsor to provide reasonable assurance that the controls tested at the service organization provide the necessary level of internal control over the plan’s financial statements. Contact a BerryDunn professional to obtain our SOC report review template to assist in documenting your review.

Documentation of the plan within minutes

To provide general plan oversight, plan sponsors should have a group charged with the governance of the plan. This group should meet on a routine basis to review various aspects of the plan’s operations. Minutes of these meetings should contain evidence that certain matters that would be of interest to the Department of Labor (DOL) were discussed.

We recommend minutes of meetings document the following:

  • Investment performance—The plan sponsor has a fiduciary responsibility to ensure the investments offered by the plan are meeting certain performance expectations. Investment statements and the plan’s investment policy should be reviewed on a regular basis with documentation of this review retained in minutes of meetings. Any conclusions reached about the need to change investments or put an investment on a “watch-list” should also be documented in the minutes, including any additional steps that need to be taken.
  • SOC 1 report review—As noted above, the plan sponsor has a fiduciary duty to ensure all third-party service organizations utilized by the plan have suitably designed and effective internal controls. Plan sponsors should perform a documented review of the SOC 1 report for each of the plan’s service organizations. The results of these reviews should then be reported at plan oversight meetings with any subsequent actions or conclusions documented in the minutes to these meetings.
  • Reasonableness of fees—The DOL requires plan fiduciaries to determine if the fees charged under covered service provider agreements are reasonable in relation to the services provided. To determine the reasonableness of fees, the plan may (1) hire a consultant, (2) monitor industry trends regarding fees, (3) consult with peer companies, (4) use a benchmarking service, or (5) conduct a request for proposal. Failure to determine the reasonableness of the fees charged can result in a prohibited transaction. When doing such a review, the fiduciaries of the plan should document in the minutes the steps taken and conclusions reached.
  • Overall review of the plan—Plan sponsors have a fiduciary responsibility to review the activity of the plan as well as participant balances. We recommend plan sponsors implement and document monitoring procedures over the activities of the plan and participant balances. This review could be incorporated into documented self-testing procedures, by haphazardly selecting a sample of participants each quarter and reviewing their account activity and participant balances. The results of such self-testing should then be reported at plan oversight meetings with any subsequent actions or conclusions documented in the minutes to these meetings. Reach out to a BerryDunn professional to obtain our participant change review workbook to assist in performing this self-testing.

Retention of salary reduction agreements

During our audits of employee benefit plans, we often note that employee deferrals are not consistently supported by salary reduction agreements or other forms maintained in employees’ personnel files. Many third-party administrators allow participants to make changes to their elective deferral rates directly through the third-party administrators without the involvement of the plan sponsor.

We often recommend that you maintain all changes to employee elective deferral rates in employees’ personnel files using salary reduction agreements. We also recommend that employees’ elections to not participate in the plan be documented in their personnel file. If employees can elect to change their deferral rates directly with the third-party administrator, we typically recommend that management print support from the third-party administrator’s online portal as documentation to support the change in the employee’s deferral rate and retain this support in the employees’ personnel file. However, if the third-party administrator’s online portal provides adequate history of deferral election changes, the plan sponsor may be able to rely on this portal for documentation retention. In these instances, the plan auditor should request a deferral feedback report directly from the third-party administrator.

Monitoring of inactive accounts

Inactive accounts should be monitored by the plan sponsor for unusual activity or excessive fees that may be posted to these accounts. To the extent that inactive accounts have not exceeded $5,000, consideration should be given to cashing out the accounts if allowed by the plan document. Plan sponsors should, on a periodic basis, review the accounts of inactive participants or those who have been separated from service to ascertain whether the changes and charges to those accounts appear reasonable.

Plan sponsors have many documentation responsibilities. This list is not meant to be all-inclusive, and the facts and circumstances of each employee benefit plan will change the applicability of these items. However, this list should be used as a tool to help plan sponsors perform a deep dive of their current plan documentation processes. Hopefully, the result of this deep dive will be a robust documentation process that deliberately documents all major decisions and review functions related to the plan.

Article
Plan documentation: Another key to successful oversight

Read this if your facility or organization has received Provider Relief Funds.

The rules over the use of the HHS Provider Relief Funds (PRF) have been in a constant state of flux and interpretation since the funds started to show up in your bank accounts back in April. Here is a summary of where we are as of June 14, 2021 on HHS’ reporting requirements. Key highlights:

These requirements apply to:

  • PRF General and Targeted Distributions
  • the Skilled Nursing Facilities (SNF) and Nursing Home Infection Control Distribution
  • and exclude:
    • the Rural Health Clinic COVID-19 Testing Program
    • claims reimbursements from HRSA COVID-19 Uninsured Program and the HRSA COVID-19 Coverage Assistance Fund (CAF)

This notice supersedes the January 15, 2021 reporting requirements.

Deadline for Use of Funds:

Period   | Payment Received Period | Deadline to Use Funds | Reporting Time Period
Period 1 | 4/10/20-6/30/20         | 6/30/21               | 7/1/21-9/30/21
Period 2 | 7/1/20-12/31/20         | 12/31/21              | 1/1/22-3/31/22
Period 3 | 1/1/21-6/30/21          | 6/30/22               | 7/1/22-9/30/22
Period 4 | 7/1/21-12/31/21         | 12/31/22              | 1/1/21-3/31/23

Recipients who received one or more payments exceeding $10,000 in the aggregate during each Payment Received Period above (rather than the previous $10,000 cumulative across all PRF payments) are subject to the above reporting requirements.

Responsibility for reporting:

  • The Reporting Entity is the entity that registers its Tax Identification Number (TIN) and reports payments received by that TIN and its subsidiary TINs.
  • For Targeted Distributions, the Reporting Entity is always the original recipient; a parent entity cannot report on the subsidiary’s behalf, regardless of any transfer of the payment.

Steps for reporting use of funds:

  1. Interest earned on PRF payments
  2. Other assistance received
  3. Use of SNF and Nursing Home Control Distribution Payments if applicable (any interest earned reported here instead), with expenses by CY quarter
  4. Use of General and Other Targeted Distribution Payments, with expenses by CY quarter
  5. Net unreimbursed expenses attributable to Coronavirus, net after other assistance and PRF payments by quarter
  6. Lost revenues reimbursement (not applicable to PRF recipients that received only SNF and Nursing Home Infection Control Distribution payments)

PORTAL WILL OPEN ON JULY 1, 2021!

Access the full update from HHS: Provider Post-Payment Notice of Reporting Requirements.

Article
Provider Relief Funds: HHS Post-Payment Notice of Reporting Requirements

Read this if you are a business owner.

As state and local governments look for new ways to stimulate their economies, incentivize employment and keep businesses afloat, the pressure for states to generate additional tax revenue continues. In response to this pressure, states are revisiting taxpayers’ compliance with their “nexus” rules and other tax policies and considering new taxes on digital services. In addition, many state governments are reconsidering the extent to which they are willing to conform to federal tax rules and legislation.

Taxpayers need to be aware of the tax rules in the states in which they operate. Taxpayers that cross state borders—even virtually—should review state nexus and other policies to understand their compliance obligations, identify ways to minimize their state tax liabilities, and eliminate any state tax exposure. The following are some of the state tax issues taxpayers should monitor and plan for in 2021:

  1. Passthrough entity (PTE) income tax elections
    It looks like the federal $10,000 “SALT cap” is sticking around, and more states are enacting a workaround in response. A growing number of states are allowing partnerships and S corporations to elect to be taxed at the entity level to help their resident owners get around the SALT cap. However, it is important that individuals understand the broad, long-term implications of the PTE tax election. Care needs to be exercised to avoid state tax traps, especially for nonresidents, that could exceed any federal tax savings.
  2. Impacts of federal income tax changes
    Federal tax legislation also has impact at the state level. While many states quickly settle on approaches to conform with or decouple from the federal legislation, other states have done nothing, leaving taxpayers to file state income tax returns with very little guidance on how or whether the federal changes apply.

    Now that tax years impacted by the Tax Cuts and Jobs Act are well into their audit cycles, state taxpayers that unknowingly did not correctly take federal changes into account when calculating their state taxes may be confronted by not only audit exposure, but in some cases refund opportunities. Taxpayers should review their state tax returns to identify opportunities to minimize exposure and identify refunds well in advance of state tax audits.
  3. Taxes on digital advertising services
    Maryland was the first state to enact a digital advertising services tax. Large tech companies immediately sued the state, and in response the legislature passed a bill to delay the implementation of the controversial tax until 2022. To date, several other states have introduced similar digital advertising taxes, and some states are proposing to include these services in their sales tax base. States will be closely following the litigation in Maryland as they consider their own legislation.

    The definition of digital advertising services can potentially be very broad and fact specific. Taxpayers should understand the various state proposals and plan for their potential impact.
  4. Sales and use tax nexus: Remote sellers and marketplaces
    Florida and Kansas have finally joined the ranks of states with a bright-line economic nexus threshold for remote retailers and marketplace providers. At this point, the only state without a bright-line standard or marketplace rules is Missouri.

    However, retailers should not forget about physical presence. Even though most states have implemented economic nexus rules since Wayfair, the traditional physical presence rules are still alive and well. States are continuing to assess retailers that, sometimes unknowingly, have some form of physical presence in the state.

    E-retailers should be sure they are in compliance with state sales and use tax laws and marketplace facilitator rules and have considered all planning opportunities.

How we can help

We are experienced in income, franchise, gross receipts, sales and use, as well as credits and incentives. We can help taxpayers monitor state tax laws and nexus requirements, understand where they have state obligations and how to minimize them, identify and implement planning opportunities, identify and quantify tax exposures, and assist with state tax audits. 

For questions about your specific situation, please contact the State and Local Tax team. We’re here to help. 

Article
SALT watch: Four issues to consider in 2021

Read this if you are an employer in Massachusetts.

On May 28th, Governor Baker signed Bill H.3702 into law (after vetoing an earlier version). The law requires employers to provide emergency paid sick leave (up to 40 hours) for employees who can’t work due to reasons related to the pandemic. Massachusetts emergency paid sick leave (MA EPSL) is available from June 7, 2021 until Sept. 30, 2021 or until funds run out. Here are some things to know.

Weekly cap

The law limits the weekly amount an employee may receive and an employer may be reimbursed. The law states “no employee shall receive, and no employer shall be eligible for reimbursement for such employee, COVID-19 emergency paid sick leave in excess of $850 per week.”

Specific, qualified reasons to receive benefit

Employers are required to provide up to 40 hours of MA EPSL to Massachusetts-based employees who are unable to work due to any of the following reasons:

  1. An employee’s need to: (i) self-isolate and care for oneself because of the employee’s COVID-19 diagnosis; (ii) seek or obtain medical diagnosis, care, or treatment for COVID-19 symptoms; or (iii) obtain immunization related to COVID-19 or the employee is recovering from an injury, disability, illness, or condition related to such immunization; 
  2. An employee’s need to care for a family member who: (i) is self-isolating due to a COVID-19 diagnosis; or (ii) needs medical diagnosis, care, or treatment for COVID-19 symptoms;
  3. A quarantine order, or other determination by a local, state or federal public official, a health authority having jurisdiction, the employee’s employer, or a health care provider that the employee’s presence on the job or in the community would jeopardize the health of others because of the employee’s exposure to COVID-19 or exhibiting of symptoms, regardless of whether the employee has been diagnosed with COVID-19;
  4. An employee’s need to care for a family member due to a quarantine order, or other determination by a local, state, or federal public official, a health authority having jurisdiction, the family member’s employer, or a health care provider that the family member’s presence on the job or in the community would jeopardize the health of others because of the family member’s exposure to COVID-19, regardless of whether the family member has been diagnosed with COVID-19; or
  5. An employee’s inability to telework because the employee has been diagnosed with COVID-19 and the symptoms inhibit the ability of the employee to telework.

Eligible employees

Employees that work 40 hours a week are entitled to the full amount per week (up to $850). Part-time employees, those working less than 40 hours per week, can receive an amount equal to the average number of hours they normally work in 14 days (maximum of $850 per week). Special rules must be followed for those employees who regularly work fewer than 40 hours per week with varying hours per week.

How to claim reimbursement

The state will develop an application employers may use to request reimbursement from the COVID-19 Emergency Paid Sick Leave Fund. It is anticipated that the application will require, but not be limited to, the following:

  • employee’s name;
  • date or dates for which leave is requested and taken;
  • statement of the COVID-19 related reason the employee is requesting leave and written support for such leave; and
  • statement that the employee is unable to work, including by means of telework, for such reason.

Importantly, an employer cannot seek reimbursement from the State if the paid leave will be reimbursed under the federal Families First Coronavirus Response Act (FFCRA).

The law states reimbursement will be paid directly to eligible employers within 30 business days of the employer submitting the application.

Next Steps:

  • The new MA EPSL benefit is in addition to existing paid time-off benefits offered by an employer and required by law, subject to some limited exceptions.
  • Unlike the FFCRA, this requirement applies to all Massachusetts employers regardless of the number of employees.
  • Although MA EPSL is in addition to other required forms of paid time off, it may be reduced if the aggregate amount the employee receives would exceed the employee’s average weekly wage.
  • Employers are required to provide a Notice to all employees and post a notice regarding MA EPSL. The notice is expected to be available on or before June 14, 2021.
  • The state has allocated $75 million for this benefit. The requirement to provide these benefits would end prior to September 30th if the funds run out before September 30, 2021.

For more information

If you have more questions, or have a specific question about your situation, please call us. We’re here to help.

Article
Massachusetts emergency paid sick leave (MA EPSL)