PAYOR ENTERPRISE RISK MANAGEMENT AND IMPLICATIONS OF THE AFFORDABLE CARE ACT
LINDA DUDASH CAREFIRST BLUECROSS BLUESHIELD
ERIC LOWY KPMG
AHIA 35th Annual Conference – September 11-14, 2016
www.ahia.org
1
Introductions2
Linda Dudash
Director, Operations and Corporate Audit
Audit & Advisory Services
Owings Mills, MD
Tel: (410) [email protected]
Eric Lowy
Director, Healthcare Advisory
Internal Audit & Regulatory Compliance
Baltimore, MD
Tel: (408) [email protected]
INSERT PICTURE
INSERT PICTURE
Agenda
Background on CareFirst BlueCross BlueShield and CAAS Overview of Payor Enterprise Risks and Risk Management Impact of Affordable Care Act on Payor Risks Questions
3
Introduction to Payor Enterprise Risk Management and Internal Audit
CareFirst BlueCross BlueShield4
CareFirst BlueCross BlueShield
In its 78th year of service, CareFirst BlueCross BlueShield (CareFirst) is a not-for-profit, non-stock health services company: Largest health care insurer in the Mid-Atlantic region, serving 3.2 million members. Employs approximately 5500 associates and contractors in MD, DC and VA. Largest provider network in the region, over 35k HMO and 40K PPO Providers. Maintains the nation’s largest Patient-Centered Medical Home (PCMH) program. Serves the nations largest Federal Employees Health Program (FEP), >571,000 members. ‘Best in Blue’ insurer for providing stellar customer service:
For 19 consecutive years for D.C. FEP members For 10 consecutive years for Maryland FEP members
In 2015, contributed $40 million to improve overall health, increase accessibility, affordability, safety and quality of healthcare throughout Maryland and the National Capital Area.
Ethisphere named CareFirst among the World’s Most Ethical Companies in 2013, 2014, 2015 & 2016.
5
Corporate Audit & Assurance Services
MISSION: “To deliver world class audit services to assist CareFirst in the effective management of risk and achievement of the company’s business and strategic objectives.” To successfully accomplish these goals, CAAS will:
Evaluate the adequacy and effectiveness of controls, Raise awareness and educate business owners, Maintain a strong collaboration with management, and Focus business insight on operational efficiencies and cost savings.
Reports to management and the Audit and Compliance Committee of the Board of Directors. Conducts audits in accordance with the “International Standards for the Professional Practice
of Internal Auditing” of the Institute of Internal Auditors, specifically: Adopted the following control frameworks:
COSO National Institute of Standards and Technology (NIST) .
6
Payor Enterprise Risk Structure7
BoD
Audit Committee
Sub-Committees
Internal AuditCAAS
2nd Line of Defense Risk Management, Monitoring & Compliance
1st Line of DefenseControl Environment and Internal Controls
Model Audit Rule
Centers for Medicare and
Medicaid Services
External Financial Auditor
Maryland Insurance
Administration
Dept. of Insurance, Securities and Banking (DC)
Virginia Board of Insurance
Insurance Regulators:External Auditors:
1st Line of Defense: Internal Controls8
Polic
ies
Proc
edur
es
Approvals
QA
Reconciliations
Supervision
Monitoring SDLC
User Access
SLAs
Passwords
SOWs
Security
FP&A
Fraud, Waste & Abuse
Reporting
The 1st level of defense, the control environment and internal controls, provide reasonable assurance that business objectives will be achieved.
1st Line of DefenseControl Environment and Internal Controls
*
*
* *
* * *
* Internal Controls impacted by the ACA
*** *
*
1st Line of Defense: Internal Controls9
People are the key to effective internal controls: Designing, implementing and maintaining properly functioning internal controls to protect the Company against risk is the responsibility of all associates to establish effective internal controls within their particular area of operations.
1st Line of DefenseControl Environment and Internal Controls
Fraud, Waste and Abuse (FWA)
Processes to vigilantly recognizing potential issues of fraud, waste, and abuse (FWA). The most effective way to protect against FWA is early detection through awareness, asking
questions, ensuring documentation and quickly sounding the alarm. Operational Managers and Associates receive training by Special Investigations (SI):
Updated Training and Listing of Current Fraud Trends Listing of Fraud Indicators and Potential Red Flags Guidelines on how to submit referrals for SI assistance
Fraud trends and schemes are constantly evolving… put out one fire, another starts Additional resources include:
A fraud hot line
24/7 support at [email protected]
Customized group training
10
1st Line of DefenseControl Environment and Internal Controls
2nd Line of Defense: Risk Management
Risk Management Under the leadership of the VP of Risk Management
Facilitates and monitors implementation of risk management practices and conducts
Conducts Enterprise Risk Assessment (ERA) to identify known and emerging issues
Assist management in development processes and controls to manage risks
Compliance and Ethics Program Under the direction of the VP Chief Compliance, Ethics and Privacy Officer
Establishes a consistent company-wide process to manage the constantly evolving and highly regulated industry.
Promote a corporate culture that encourages ethical conduct and compliance
Exercise due diligence to prevent, detect, and correct potential violations of the Program, applicable federal and state laws and regulations, and Company policies and procedures.
Risk and Control Monitoring – Model Audit Rule
11
2nd Line of Defense Risk Management, Monitoring & Compliance
Model Audit Rule 205
Annual Financial Reporting Model Regulation; Known as Model Audit Rule or MAR: Financial reporting regulation applicable to insurance companies; but adopted by state.
Borrows significantly from Sarbanes-Oxley of 2002.
Co-developed by the American Institute of Certified Public Accounting (AICPA) and National Association of Insurance Commissions (NAIC) and issued to:
Govern the submission of audited statutory financial statements by insurance companies
Drive Consistency Across Insurance Regulators
Improve ability of insurance departments to oversee the financial condition of insurers
Requires the following to be submitted by insurance companies:
An Annual Financial Statement Audit by an Independent CPA
Communication of Internal Control Related Matters Noted in the Audit
Managements Report of Internal Control over Financial Reporting
Responsibilities include: documentation, testing, remediation, SSAE16 oversight, external audit coordination and reporting.
12
2nd Line of Defense Risk Management, Monitoring & Compliance
Internal Audit
Internal Audit: CAAS
Provides the Audit and Compliance Committee and senior management with independent and objective assessments of the effectiveness of governance, risk and control processes.
CAAS delivers internal audit and special investigation services to provide results in an efficient manner utilizing four separate but integrated teams to provide assurance that business processes and internal controls are
Design and operating effectively; and
in accordance with corporate policies, laws and regulations.
Subject matter specific areas are co-sourced with professional services firms, ex. IT, ACA, etc.
13
Office General Auditor
Operations & Corporate Audit
Information Technology Audit
Special Investigations
FEP Audit & Advisory
Internal Audit
CAAS
Audit & Advisory Services
Audits – Conducts full scope audits in accordance with the annual Audit and Assurance Plan as approved by the Audit and Compliance Committee of the Board of Directors.
Corporate, Operational, Financial and IT audits, including SDLC
Federal Employees Program Audit & Advisory Services
Risk Assessments – Evaluation of risk associated with a governance framework based on an analysis of risk related to achieving defined strategies, processes and control objectives.
Advisory Services – Assurance and advisory services performed at the request of management, based on monitoring of corporate initiatives, or risk/control concerns identified, such as significant changes in regulations, processes or systems.
Advisory services may be performed by CAAS or co-sourced
Deliverable for these engagements is typically different than normal audit reports.
Special Investigations – Fraud prevention, detection, investigation and recoveries of FWA
Corporate Initiative Monitoring – Access and develop strategies to mitigate business risks, enhance controls and improve operational effectiveness. Ex. PCMH, CMS Outcomes
14
Internal Audit
CAAS
Special Investigations (SI)
Special Investigations (SI) works directly with business units and departments to: Provide fraud prevention, detection, investigation, and recoveries of FWA;
Help ensure compliance with mandatory local, state, and federal fraud reporting;
Manage professional and facility overpayment audit and recovery efforts;
Seek restitution of monies that have been improperly paid.
SI has many advanced tools and resources at its disposal to: Data mining, ex. STARS, to identify suspicious trends, schemes, and outliers.
Scoring potential fraud schemes, providers and trends.
SI also relies on other sources to develop leads that require investigation: Referrals from local, state, or federal law enforcement
On-going trends and schemes shared by industry groups
Tips
15
Internal Audit
CAAS
Over the past five years, SI savings and avoidances totaled over $300 million.
CareFirst Board Committees
Executive
Compensation
Finance and Investment
Governance and Nominating
Mission Oversight
Service and Quality Oversight
Strategic Planning
16
Sub-Committees
3rd Line of Defense: Headcount17
Internal Audit Function FTEs
Operations and Corporate Audit 10 FTEs
IT Audit 12 FTEs
FEP Audit & Advisory 15 FTEs
Special Investigations 27 FTEs
Model Audit Rule 10 FTEs
Internal Audit
CAASModel
Audit Rule
Serving over 3.2 Million members with an average Medical Care spending over $7 Billion, it takes a small army to “Protect the House.”
Changes and impacts on due to the Patient Protection and Affordable Care Act
Affordable Care Act18
Affordable Care Act19
Goal of the ACA – Healthcare reform, namely the Affordable Care Act (ACA), is meant to improve access to health insurance, improve cost controls of medical spend, and improve quality while reducing waste.
The goal of the ACA aligns closely with other industry initiatives, ex the “Triple Aim”.
The Triple Aim was implemented to:
1) Improve the overall well-being of insured populations
2) Improve patient experiences (including both quality and satisfaction)
3) Reduce health care costs
The Triple Aim1
Population Health
Per Capital CostExperience of Care
1. The Institute for Healthcare Improvement. http://www.ihi.org/Engage/Initiatives/TripleAim/Pages/default.aspx
Key Components of the ACA
Key Components of the Patient Protection and Affordable Care Act: Requires most U.S. citizens to have health insurance
Creates Federal and State Health Benefit Exchanges for individuals and small businesses to purchase coverage
Provides premium and cost sharing to individual/families with income 133 – 140% of FPL
Creates separate exchanges through which small business owners can purchase coverage
Imposes new regulations/qualifications on health plans in the exchange
Expands Medicaid, as many as 13 million additional beneficiaries
Direct resources to health, wellness, transparency and quality reporting
Significant cuts to Medicare Advantage reimbursement
Individual Mandate: Requires citizens and residents to have health coverage or a tax penalty
20
Highlights of the ACA
Highlights of the Plan as described in 2014:
The Congressional Budget Office (CBO) estimates the reform law will provide coverage to an additional 32 million Americans of the 47 million currently uninsured by 2019.
CBO estimated cost of coverage for the law to be $938 billion over 10 years.
The cost of the bill is to be financed by a combination of savings from Medicare and Medicaid, new taxes and fees, including taxes on high cost insurance.
CBO estimates the deficit will be reduced by $124 billion over 10 years.
21
Benefits of the ACA
More extensive coverage Individual and employer mandates Minimum essential coverage / essential health benefits First dollar coverage for preventive care/screenings Subsidized premiums and related cost sharing Elimination of pre-existing conditions exclusions Prohibitions on recessions of coverage No lifetime dollar limits on essential health benefits Health insurance exchanges Medicaid expansion
More efficient medical systems Electronic medical records Accountable Care Organizations (ACO)
22
Impact of Reform Based Initiatives
23
New Way of Doing Business
Selling directly to consumer New products & pricing Increased volume Business process changes Technology Changes
Brand awareness Go-to-market strategies Marketing programs Customer sentiment Mobile and Internet
Increased oversight & expanded focus HIPAA / OCR reviews Business Associates NAIC / ORSA Star ratings ICD-10
Changing payment models Financial planning/budgeting Performance measurements Data access & analytics Quality focus – Transparency
Products/Services Transformation Regulatory Compliance
Consumer Engagement Financial & Quality Reporting
Data Collection Advanced Data Analytics Predictive Modeling
Data & Technology Infrastructure
23
ACA’s Major Business Disruptions
ACA Requirement Business Disruption
Sales & Marketing Market to a new population for individual and SHOP
Fulfillment Meet new fulfillment requirements
System Capabilities Ability to send and receive files with state-based exchanges; new GL interfaces; system upgrades, CSR functionality, etc.
Enrollment Sources Ability to capture and process 834 enrollments for individual and SHOP members, send confirmations; and process audit files
Premiums Ability to capture and match 820 Premiums to enrollment;
Benefit Design Benefit plan re-design to offer Essential Health Benefits
Pricing Set Pricing for an uncertain underlying population / market
Actuarial Specific actuarial value requirements
Benefit Configuration New design requirements for individual and SHOP plans
Billing, Collections Reconcile member enrollee & subsidies; SHOP premium changes
Grace Period & Terminations Apply required 30 day grace period; appeals and terminations
27
ACA’s Major Business Disruptions (Continued)
ACA Requirement Business Disruption
Finance, Accounting & Actuarial Changes to financial accounting, reconciliations & reserves.
Member Subsidies Changes to processes and systems to account for:
Advanced Premium Tax Credit Ability to split premium billing between member and Gov.
Cost Share Reduction Requires adjudication of two claims (Standard / Shadow);Reconciliation of CSR paid to CSR incurred
Exchange based Fees Capture, pay and reconcile per member pay-in fees
3Rs Subsidies: Changes to accounting, finance and actuarial to account for:
Transitional Reinsurance Shared payment of claims exceeding a set threshold (ex $45k)
Risk Adjustment Redistribution of funds based on avg. actuarial risk score
Transitional Risk Corridor Limits losses and gains based on inaccurate pricing
EDGE Server Reporting Ability to report enrollment and claims to a shared server.
External Risks related to (i) Lack of Exchange Functionality (ex. 820), (ii) Voluminous Errors, (iii) evolving Requirements and (iv) Lack of Complete and Timely Payment of Subsidies.
28
ACA Expected Outcomes: Workers Comp
ACA revised the definition of a full-time employee Individual mandate and SHOP coverage expands access to workers Improved health may lead to lower frequency of injuries or less severe injuries Individuals with no health insurance or with poor coverage tended to file
Worker’s Comp claims2
Decreases in the uninsured population may drive decreased incidence rates Shifts to higher deductible plans may lower personal claims, and increase
Worker’s Comp claims
Potential Outcome: Reduction in Worker’s Compensation claims as access to health insurance becomes more available
2. Jain, Vikas. The Affordable Care Act and its Impact on workers compensation. https://www.cognizant.com/content/dam/Cognizant_Dotcom/article_content/insurance/the-affordable-care-act-and-its-impact-on-workers-compensation-codex1329.pdf
24
ACA Expected Outcomes: Morbidity
Improved health and mortality experience may be attributed to: Access to affordable care Preventive care and medical screening Coordination of care through Accountable Care Organizations (ACOs)
Morbidity may improve due to increasing participation3 which may be attributed to: Awareness and familiarity of insurance reforms, exchanges, and federal
subsidies Language accessibility requirements Federal tax penalties
Potential Outcome: Reduction in morbidity rates due to increased coverage, and greater awareness of health insurance coverage
3. Katterman, Scott. http://us.milliman.com/insight/2013/What-now-2015-individual-market-pricing-Morbidity-and-other-considerations/
25
ACA Expected Outcomes: Life Insurance
A Harvard Medical School study5 found that 45,000 annual deaths were attributed to lack of health coverage
Mortality rates have improved for the last century
Growing population see a need for life insurance
Potential life insurance interest from newly-insured (health) ACA populations
Surge in health insurance premium pricing may reduce life insurance purchasing
Individual life insurance ownership has reached record lows for the past 50 years6
Increase in the number of households with no life insurance
30% of households6 have no life insurance as of 2010, versus 22% in 2004
Potential Outcome: Reduction in life insurance participation due to the rise of health insurance premiums
5. Cecere, David. http://news.harvard.edu/gazette/story/2009/09/new-study-finds-45000-deaths-annually-linked-to-lack-of-health-coverage/
6. LIMRA. Ownership of Individual Life Insurance Falls to 50-Year Low, LIMRA Reports. http://www.limra.com/Posts/PR/News_Releases/Ownership_of_Individual_Life_Insurance_Falls_to_50-Year_Low,_LIMRA_Reports.aspx
26
low- and middle-income people,
The failure of co-ops has resulted in a debt,
in security incidence in healthcare,
in cyber related financial losses,
ACA: By the numbers
ACA Health insurers’ loss estimated at
CMS withhold of ACA advanced payments if 820 variances > 10%,
ACA health insurers sought and only received
OIG says nearly at risk,
ACA Enrollment was in subsidized ACA plans by
$2.5 billion,
25%
$362 million, $2.87 billion
$2.8 billion in APTC payments
57% of expectation
11 $1.2 billion
60% increase
282% increase
5 of the 8 Largest healthcare cybersecurity breaches occurred in 2015.
29
Our approach to ACA Assessments
Identify Regulatory Requirements,
Changes & Risks
– Regulatory Requirements– Objective, Scope and Approach– Risk Register
Map Processes and Policies to Regulatory
requirements
– Requirements Gap Assessment– Functional Process Flow Charts– Initial Risk and Control Matrix
Assess Internal Controls within Processes to
Mitigate Risks
– Risk and Control Matrix– Integrated Process Flow Charts– Policy Gap Assessment– Observations & Findings Log– Recommendations & Opportunities
Perform Control, Transaction and
Substantive Testing
– Testing Results– Observations & Findings Log– Recommendations & Opportunities– Corrective Action Plans
Drivers ofRisk-Based Criteria:
Regulatory Requirements
Impacted Processes
Systems Landscape
3rd Party Administrators
Audit Results
Goal of
Deliverables
Facilitate on-going auditing of control
activities and oversightof action plans.
30
Key ACA Takeaways
Not only are losses unsustainable, subsidy dollars that make the ACA bearable are at risk: APTC, CSR and 3Rs (Re-insurance, Risk Adjustment, Risk Corridor); however, Reinsurance and Risk Corridor transitional programs end with the 2017 plan benefit year.
Reporting is dependent on core competencies in enrollment and billing controls.
Enrollment is the source of (most) evils.
Data integrity, analysis and reconciliation is the key to streamline reporting efforts.
3rd party and vendor related risks (ex. F.D.R.) require risk-based protocols, auditing and monitoring.
The role of internal audit and risk in health care has never been more important.
Ultimately, it is too early to tell if health care quality impacts on the market are due to health care reform, but the impact on the medical trends of the ACA appears limited in the short-term.
The cost to play and comply, for Health Plans, as well as States is much higher than expected.
Cost reductions associated with reform-based initiatives may not be fully realized.
ACA initiatives may not ‘bend the curve’ in Workers Comp. experience.
Increase in ACA health insurance premiums may impact life insurance ownership.
31
32
Questions?
*CareFirst BlueCross BlueShield is an independent licensee of the Blue Cross Blue Shield Association,an association of independent BlueCross BlueShield Plans.
Save the DateAugust 27-30, 2017
36th AHIA Annual Conference