When time is money: Reviewing your planning and development service fees

The COVID-19 emergency has caused CMS (Centers for Medicare & Medicaid Services) to expand eligibility for expedited payments to Medicare providers and suppliers for the duration of the public health emergency.

Accelerated payments have been available to providers/suppliers in the past due to a disruption in claims submission or claims processing, mainly due to natural disasters. Because of the COVID-19 public health emergency, CMS has expanded the accelerated payment program to provide necessary funds to eligible providers/suppliers who submit a request to their Medicare Administrative Contractor (MAC) and meet the required qualifications.

Eligibility requirements―Providers/suppliers who:

1. Have billed Medicare for claims within 180 days immediately prior to the date of signature on the provider’s/supplier’s request form,
2. Are not in bankruptcy,
3. Are not under active medical review or program integrity investigation, and
4. Do not have any outstanding delinquent Medicare overpayments.

Amount of payment:
Eligible providers/suppliers will request a specific amount for an accelerated payment. Most providers can request up to 100% of the Medicare payment amount for a three-month period. Inpatient acute care hospitals and certain other hospitals can request up to 100% of the Medicare payment amount for a six-month period. Critical access hospitals (CAHs) can request up to 125% of the Medicare payment for a six-month period.

Processing time:
CMS has indicated that MACs will work to review and issue payment within seven calendar days of receiving the request.

Repayment, recoupment, and reconciliation:
The December 2020 Bipartisan-Bicameral Omnibus COVID Relief Deal revised the repayment, recoupment and reconciliation timeline on the Medicare Advanced and Accelerated Payment Program as identified below. 

Application:
Applications for accelerated payments can be found on each MACs' website. CMS has established COVID-19 hotlines at each MAC that are operational Monday through Friday to assist providers with accelerated or advance payment concerns. Access your designated MACs' website here.

The MAC will review the application to ensure the eligibility requirements are met. The provider/supplier will be notified of approval or denial by mail or email. If the request is approved, the MAC will issue the accelerated payment within seven calendar days from the request.

When funding is approved, the requested amount is compared to a database with amounts calculated by Medicare and provides funding at the lessor of the two amounts. The current form allows the provider to request the maximum payment amount as calculated by CMS or a lesser specified amount.

We are here to help
If you have questions or need more information about your specific situation, please contact the healthcare consulting team. We’re here to help.

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

1. People: Create and maintain a vigilant workforce
   Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
    

   According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

   Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.
   
   So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.

2. Plan: Implement a disaster recovery and incident response plan 
   Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.
   
   It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
    
   1. How will we communicate internally with our staff about the incident?
   2. How will we communicate with our clients? Our patients? Our community?
   3. When should we call our insurance company? Our attorney?
   4. Is reception prepared to describe what is going on if someone visits our office?
   5. Do we have the technical expertise to diagnose the issue?
   6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
   7. When the press gets wind of the situation, who will communicate with them and what will we share?
   8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

3. Practice: Prepare your team with table top exercises  
   Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.
   
   A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.
   
   Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

CARES Act update:

As anticipated, the House of Representatives approved the CARES Act on March 27, 2020, and the President has signed the measure. The provisions highlighted in our prior summary remain intact in the final measure. 

So…how are the emergency relief funds in the legislation accessed by healthcare providers?

• Public Health & Social Services Emergency Fund (PHSSEF): The guidance on how hospitals will access the $100 billion in PHSSEF funds to offset “COVID-19 related expenses and lost revenue” is expected to be released shortly. Keep an eye on this space for further updates as information becomes available.
• Medicare Advanced Lump Sum or Periodic Interim Payments: Application is made through the Fiscal Intermediary (FI). It should be noted that healthcare organizations do not qualify if they are in bankruptcy, under active medical review or program integrity investigation, or have outstanding, delinquent Medicare overpayments.
• SBA Paycheck Protection Program (PPP): This application process begins with your local lender. Do not hesitate—contact your lender immediately as it is anticipated that application volume will be tremendous. For more specifics on this program compiled by BerryDunn experts, visit our blog.

We will continue to provide updates as more information becomes available. In the meantime, please feel free to contact the hospital consulting team. Despite the current circumstances we remain available to support your needs. 

On March 25, 2020 the US Senate unanimously approved the $2 trillion Coronavirus Aid, Relief, and Economic Security (CARES) Act (The “Act”). The White House has signaled that it will sign the measure as approved by the Senate. 

Major provisions of the proposed legislation include:

• $100 billion for hospital “COVID-19 related expenses and lost revenue”
• $275 million for rural hospitals, telehealth, poison control centers, and HIV/AIDS programs
• $250 million for hospital capacity expansion and response
• $150 million for modifications of existing hospital, nursing home, and “domiciliary facilities” undertaken as part of COVID-19 response

The CARES Act also includes the following targeted relief and payment modifications under the Medicare and Medicaid programs:

• The Medicare 2% sequester will be suspended from May 1, 2020 through December 31, 2020. 
• “Through the duration of the COVID-19 emergency period”, the Act will increase by 20% hospital payments for the treatment of patients admitted with COVID-19. The add-on applies to hospitals paid through the Inpatient Prospective Payment System.
• $4 billion in scheduled cuts to Medicaid Disproportionate Share Hospital payments will be further delayed from May 22, 2020 to November 30, 2020.
• Certain hospitals, including those designated as rural or frontier, have the option to request up to a six month advanced lump sum or periodic interim payments from Medicare. The payments will:
  1. Be based upon net payments represented by unbilled discharges or unpaid bills,
  2. Equal up to 100% of prior period payments, 125% for Critical Access Hospitals
  3. In terms of paying down the “no interest loans”, hospitals will be given a four month grace period to begin making payments and at least 12 months to fully liquidate the obligation.

Non-financing provisions contained in the Act that will impact hospital operations include:

• Providing acute care hospitals the option to transfer patients out of their facilities and into alternative care settings to "prioritize resources needed to treat COVID-19 cases." That flexibility will come through the waiver of the Inpatient Rehabilitation Facility (IRF) three-hour rule, which requires patients to need at least three hours of intensive rehabilitation at least five days per week to be admitted to an IRF.
• Allowing Long-Term Care Hospitals (LTCH) to maintain their designation even if more than 50% of their cases are less intensive and would temporarily pause LTCH site-neutral payments.
• Suspending scheduled Medicare payment cuts for durable medical equipment during the length of the COVID-19 emergency period, to help patients transition from hospital to home.
• Disallow Medicare beneficiary cost-sharing payments for any COVID-19 vaccine.
• Ensuring that uninsured individuals could receive free COVID-19 tests "and related service" through any state Medicaid program that elects to enroll them.

Other emergency-period provisions that directly affect other entities but have implications for hospitals:

• Affording $150 billion to states, territories, and tribal governments to cover their costs for responding to the coronavirus public health emergency.
• Physician assistants, nurse practitioners, and other professionals will be allowed to order home health services for Medicare beneficiaries, to increase "beneficiary access to care in the safety of their home."
• Requiring HHS to clarify guidance encouraging the use of telecommunications systems, including remote patient monitoring, for home health services.
• Allowing qualified providers to use telehealth technologies to fulfill the hospice face-to-face recertification requirement.
• Eliminating the requirement that a nephrologist conduct some of the required periodic evaluations of a home-dialysis patient face-to-face.
• Allowing federally qualified health centers and rural health clinics to serve as a distant site for telehealth consultations.
• Eliminating the telehealth requirement that physicians or other professionals have treated a patient in the past three years.
• Allowing high-deductible health plans with a health savings account (HSA) to cover telehealth services before a patient reaches the deductible.
• Allowing patients to use HSA and flexible spending accounts to buy over-the-counter medical products without a prescription.

For more information
If you have questions or need more information about your specific situation, please contact the hospital consulting team. We’re here to help. 
 

Editor’s note: Please read this if you are a not-for-profit board member, CFO, or any other decision maker within a not-for-profit.

In a time where not-for-profit (NFP) organizations struggle with limited resources and a small back office, it is important not to overlook internal audit procedures. Over the years, internal audit departments have been one of the first to be cut when budgets are tight. However, limited resources make these procedures all the more important in safeguarding the organization’s assets. Taking the time to perform strategic internal audit procedures can identify fraud, promote ethical behavior, help to monitor compliance, and identify inefficiencies. All of these lead to a more sustainable, ethical, and efficient organization. 

Internal audit approaches

The internal audit function can take on many different forms, depending on the size of the organization. There are options between the dedicated internal audit department and doing nothing whatsoever. For example:

• A hybrid approach, where specific procedures are performed by an internal team, with other procedures outsourced. 
• An ad hoc approach, where the board or management directs the work of a staff member.

The hybrid approach will allow the organization to hire specialists for more technical tasks, such as an in-depth financial analysis or IT risk assessment. It also recognizes internal staff may be best suited to handle certain internal audit functions within their scope of work or breadth of knowledge. This may add costs but allows you to perform these functions otherwise outside of your capacity without adding significant burden to staff. 

The ad hoc approach allows you to begin the work of internal audit, even on a small scale, without the startup time required in outsourcing the work. This approach utilizes internal staff for all functions directed by the board or management. This leads to the ad-hoc approach being more budget friendly as external consultants don’t need to be hired, though you will have to be wary of over burdening your staff.

With proper objectivity and oversight, you can perform these functions internally. To bring the process to your organization, first find a champion for the project (CFO, controller, compliance officer, etc.) to free up staff time and resources in order to perform these tasks and to see the work through to the end. Other steps to take include:

1. Get the audit/finance committee on board to help communicate the value of the internal audit and review results of the work
2. Identify specific times of year when these processes are less intrusive and won’t tax staff 
3. Get involved in the risk management process to help identify where internal audit can best address the most significant risks at the organization
4. Leverage others who have had success with these processes to improve process and implementation
5. Create a timeline and maintain accountability for reporting and follow up of corrective actions

Once you have taken these steps, the next thing to look at (for your internal audit process) is a thoughtful and thorough risk assessment. This is key, as the risk assessment will help guide and focus the internal audit work of the organization in regard to what functions to prioritize. Even a targeted risk assessment can help, and an organization of any size can walk through a few transaction cycles (gift receipts or payroll, for example) and identify a step or two in the process that can be strengthened to prevent fraud, waste, and abuse.  

Here are a few examples of internal audit projects we have helped clients with:

• Payroll analysis—in-depth process mapping of the payroll cycle to identify areas for improvement
• Health and education facilities performance audit—analysis of various program policies and procedures to optimize for compliance
• Agreed upon procedures engagement—contract and invoice/timesheet information review to ensure proper contractor selection and compliant billing and invoicing procedures 

Internal audits for companies of all sizes

Regardless of size, your organization can benefit from internal audit functions. Embracing internal audit will help increase organizational resilience and the ability to adapt to change, whether your organization performs internal audit functions internally, outsources them, or a combination of the two. For more information about how your company can benefit from an internal audit, or if you have questions, contact us. 

Editor’s note: Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

Last month, the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2019. The report addresses key issues facing banks and focuses on those that pose threats to their safety and soundness. According to the report:

• Bank financial performance is strong due to a favorable credit environment and the longest economic expansion in U.S. history.
• Capital levels have reached historical highs.
• Return on equity was above its 2006 pre-crisis level for the first time at 12.7%.
• Net income grew 8.22% from the same period a year ago; however, net interest income grew only 4%, as loan growth is below historical averages and an increasing number of banks are facing a flat or declining net interest margin.
• There is continued weakness in residential and commercial real estate loan growth.
• Delinquent and nonperforming loans remain below their long-term averages.

Banks can thrive even with economic uncertainty

While these trends indicate that 2019 was by and large an excellent year, banks cannot afford to be complacent, as 2019 also saw increasing risks to the industry. For instance, in 2019 there was much discussion of the future cessation of the London InterBank Offer Rate (LIBOR). The OCC has indicated it will increase its regulatory oversight regarding the anticipated cessation, to ensure banks assess their exposure to LIBOR and are appropriately planning their transition from the widely used benchmark rate. The Financial Accounting Standards Board (FASB) is also working on a project to address accounting issues that could arise from the transition from LIBOR.

And, although 2019 continued the longest economic expansion in US history, economic uncertainty exists due to, in part, the US-China trade conflict and ongoing Brexit discussions. This economic uncertainty has caused volatility in the interest rate environment. Aside from the yield curve inverting in 2019, banks also saw the Federal Funds target rate increase 25 basis points prior to decreasing 50 basis points. Given the typically asset-sensitive nature of banks’ balance sheets, the current interest rate environment will also put pressure on net interest margins. The current volatility of interest rates has caused the OCC to conclude interest rate risk is currently at heightened levels. 

Net interest income continues to be the most significant driver of net revenues for community banks, comprising nearly 80% of net revenues. With a difficult interest rate environment and lackluster loan growth in residential and commercial real estate, banks may face a difficult path ahead. Banks should tread cautiously, especially if this uncertainty persists. Asset-liability management will need be a significant focus (more than usual) as banks try to position themselves to not only maintain profitability through this uncertainty, but also come out stronger than before. Specifically, if lower rates persist, asset growth will need be a priority over deposit growth to maintain profitability at lower net interest margins. If loan growth continues to wane, this will prove to be difficult.

Innovations to compete with new lending sources

Adding to the list of threats to performance is the increasing amount of alternative financial resources available to borrowers. Banks have traditionally been the only source of credit for borrowers. However, technology has rapidly changed that landscape. Person-to-person (P2P) lending (also known as crowd lending, or social lending), allows people to borrow funds directly from another person, cutting out traditional lending sources (banks). Additionally, blockchain technology, if the hype is accurate, has the potential to eliminate the need of a financial intermediary altogether. 

Banks are adapting to this competition and to customers looking for more convenience and alternative services by offering new, unique services that differentiate themselves from others and provide added value to the customer. Banks have delivered through remote deposit, ATMs, and interactive teller machines (ITMs). Banks will need to continue to adopt innovative services to remain competitive. 

For instance, banks could offer video conferencing services, in which customers could have a live conversation with a bank representative through their smartphone. This convenience would allow a customer to conduct a transaction, such as apply for a loan, from the convenience of their home, while still maintaining human interaction throughout the transaction. Such a service would help banks compete with digital channels offered by non-banks, such as Quicken Loans, which is now the largest mortgage originator in the United States.

Strategies to protect against technological risks

These services all require the use of existing and new technologies, which have caused banks to hold more personally identifiable information (PII) digitally across an increasing number of digital platforms. As noted by the OCC, this digital exposure has created persistent cybersecurity risks for banks. Adopting a robust cybersecurity framework is no longer an option. 

Banks should bring cybersecurity to the forefront of their strategic planning. Any strategic plan must consider cybersecurity implications, as a single disaster can be detrimental to a bank’s reputation. And, given this rapidly changing environment, the cybersecurity conversation must be ongoing through relevant bank committees and the board of directors.

Furthermore, these technological solutions require partnerships with businesses that banks would not traditionally partner with. Financial technology (fintech) companies don’t just pose as a competitor to traditional banks. Many fintech companies are offering their technological solutions to traditional banks. However, outsourcing technological solutions to fintech companies and other businesses does not relieve a bank from performing its own due diligence and ensuring those companies meet the bank’s standards. 

Banks should evaluate potential vendors to ensure they comply with the bank’s vendor management policy. Since environments are constantly changing, this evaluation should be ongoing. Many vendors now provide System and Organization Controls (SOC) reports which detail the control environment at the vendor and involve independent third-party testing of those controls that exist at the vendor. SOC reports can provide a useful starting point for evaluating a vendor’s ongoing compliance with the bank’s vendor management policy. However, it is not a substitute for ongoing communication with a vendor.

There is no doubt 2019 was a successful year for banks. But past performance is not a guarantee of future success. Banks face many challenges, risks, and uncertainties, of which only a few have been outlined above. The current landscape may be challenging but it is also filled with opportunity. Banks should consider expanding their services, adopting new technologies, and partnering with other companies to leverage their strengths. Doing so should help position themselves for an exciting decade ahead.

If you have specific concerns about challenges facing your institution, please contact the team. 

Read this if you are a state Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, State Procurement Officer, or work in a State Medicaid Program Integrity Unit.

The Centers for Medicare & Medicaid Services (CMS) issued a Payment Error Rate Measurement (PERM) Final Rule on July 5, 2017, that made several changes to the PERM requirements. One important change was the updates to the Medicaid Eligibility Quality Control (MEQC) requirement. 

The Final Rule restructures the MEQC program into a pilot program that requires states to conduct eligibility reviews during the two years between PERM cycles. CMS has also introduced the potential for imposing disallowances or reductions in federal funding percentage (FFP) as a result of PERM eligibility error rates that do not meet the national standard. One measure states can use to lessen the chance of this happening is by successfully carrying out the requirements of the MEQC pilot. 

What states should know―important points to keep in mind regarding MEQC reviews:

• Each state must have a team in place to conduct MEQC reviews. The individuals responsible for the MEQC reviews and associated activities must be separate from the state agencies and personnel responsible for Medicaid and Children’s Health Insurance Program (CHIP) policy and operations, including eligibility determinations.
• States can apply for federal funding to help cover the costs of the MEQC activities. CMS encourages states to partner with a contractor in conducting the MEQC reviews.
• The deadline to submit the state planning document to CMS is November 1 following the end of your state’s PERM cycle. If you are a Cycle 2 state, your MEQC planning document is due by November 1, 2019. 
• If you are a Cycle 1 state, you are (or should be) currently undergoing the MEQC reviews.
• There are minimum sample size requirements for the MEQC review period: 400 negative cases and 400 active cases (consisting of both Medicaid and CHIP cases) over a period of 12 months.
• Upon conclusion of all MEQC reviews, states must submit a final findings report along with a corrective action plan that addresses all error findings identified during the MEQC review period.

CMS encourages states to utilize federal funding to carry out and fulfill MEQC requirements. BerryDunn has staff with experience in preparing Advanced Planning Documents (APD) and can assist your state in submitting an APD request to CMS for these MEQC activities. 

Check out the previously released blog, “PERM: Prepared or Not Prepared?” and stay tuned for upcoming blogs about specific PERM topics, including the financial impacts of PERM, and how each review phase will affect your state.   

For questions or to find out more, contact the team. 

Federal contractors with the Centers for Medicare & Medicaid Services (CMS) have begun performing Payment Error Rate Measurement (PERM) reviews under the Final Rule issued in July 2017—a rule that many states may not realize could negatively impact their Medicaid budgets.

PERM is a complex process—states must focus on several activities over a recurring three-year period of time—and states may not have the resources needed to make PERM requirements a priority. However, with the Final Rule, this PERM eligibility review could have financial implications. 

After freezing the eligibility measurement for four years while undergoing pilot review, CMS has established new requirements for the eligibility review component and made significant changes to the data processing and medical record review components. As part of the Final Rule, CMS may implement reductions in the amount of federal funding provided to a state’s Medicaid and Children’s Health Insurance Program (CHIP) programs based on the error rates identified from the eligibility reviews. 

Since the issuance of the Final Rule in July 2017, Cycle 1 states are the first group of states to undergo a PERM cycle, including reviews of the data processing, medical record, and eligibility components. These states are wrapping up the final review activities, and Cycle 2 states are in the early stages of their PERM reviews.

How can your state prepare?

Whether your state is a Cycle 1, Cycle 2, or Cycle 3 state, there are multiple activities your Medicaid departments should engage in throughout each three-year period of time during and between PERM cycles: 

• Analyzing prior errors cited or known issues, along with the root cause of the error
• Identifying remedies to reduce future errors
• Preparing and submitting required questionnaires and documents to the federal contractors for an upcoming review cycle
• Assisting federal contractors with current reviews and findings
• Preparing for and undergoing Medicaid Eligibility Quality Control (MEQC) planning and required reviews
• Corrective action planning

Is your state ready?

We’ve compiled a few basic questions to gauge your state’s readiness for the PERM review cycle:

• Do you have measures in place to ensure all eligibility factors under review are identifiable and that all federal and state regulations are being met? The eligibility review contractor (ERC) will reestablish eligibility for all beneficiaries sampled for review. This process involves confirming all verification requirements are in the case file, income requirements are met, placement in an accurate eligibility category has taken place, and the timeframe for processing all determinations meets federal and state regulations. 
• Do you have up-to-date policy and procedures in place for determining and processing Medicaid or CHIP eligibility of an individual? Ensuring eligibility policies and procedures meet federal requirements is just as important as ensuring the processing of applications, including both system and manual actions, meet the regulations. 
• Do you have up-to-date policy, procedures, and system requirements in place to ensure accurate processing of all Medicaid/CHIP claims? Reviewers will confirm the accuracy of all claim payments based on state and federal regulations. Errors are often cited due to the claims processing system allowing claims to pay that do not meet regulations.
• Do you have a dedicated team in place to address all PERM requirements to ensure a successful review cycle? This includes staff to answer questions, address review findings, and respond to requests for additional information. During a review cycle, the federal contractors will cite errors based on their best understanding of policies and/or ability to locate required documentation. Responding to requests for information or reviewing and responding to findings in a timely manner should be a priority to ensure accurate findings. 
• Have you communicated all PERM requirements and updates to policy changes to all Medicaid/CHIP providers? Providers play two integral roles in the success of a PERM review cycle. Providers must understand all claims submission requirements in order to accurately submit claims. Additionally, the medical record review component relies on providers responding to the request for the medical records on a sampled claim. Failure to respond will result in an error. Therefore, states must maintain communication with providers to stress the importance of responding to these requests.
• Have you begun planning for the MEQC requirement? Following basic requirements identified by CMS during your state’s MEQC period, your state must submit a case planning document to CMS for approval prior to the MEQC review period. After the MEQC review, your state should be prepared to issue findings reports, including a corrective action plan as it relates to MEQC findings.

Need help piloting your state’s PERM review process?

BerryDunn has subject matter experts experienced in conducting PERM reviews, including a thorough understanding of all three PERM review components—eligibility, data processing, and medical record reviews. 

We would love to work with your state to see that measures are in place that will help ensure the lowest possible improper payment error rate. Stay tuned for upcoming blogs where we will discuss other PERM topics, including MEQC requirements, the financial impacts of PERM, and additional details related to each phase of PERM. For questions or to find out more, please email me.