Challenges and Opportunities for Payers in the Changing Healthcare Payments Landscape

Published: June 2014

2 © 2014 InstaMed. All rights reserved.

CONTENTS

InstaMed1880 JFK Boulevard, 12th Floor

Philadelphia, PA 19103(866) INSTAMED

www.instamed.com

All content, including text, graphics, logos, icons, images and the selection and arrangement thereof, is the exclusive property of InstaMed and is protected by U.S. and international copyright laws. No portion of this document may be reproduced, modified, distributed, transmitted, posted or disclosed in any form or by any means without the express written consent of InstaMed.

3 | Executive Summary

4 | Enhancing the Consumer Payment Experience

6 | Maximizing the Value of ERA/EFT

7 | Challenges

13 | Ensuring Compliance

15 | Conclusion

15 | About InstaMed

3 © 2014 InstaMed. All rights reserved.

EXECUTIVE SUMMARY

Data on healthcare payments shows how drastically

the industry has shifted in recent years. Consumers

have become decision-makers who are sensitive to

healthcare costs, and payers and providers are moving

toward industry-standard, electronic transactions

due to regulatory mandates and high administrative

costs. These changes present both challenges and

opportunities for payers to focus on the consumer

and streamline processes to ultimately reduce costs.

This white paper will explore these challenges and

opportunities and discuss the risks, best practices

and topics for consideration as payers evolve their

processes, policies and offerings to accommodate for

the changing industry.

172%

4 © 2014 InstaMed. All rights reserved.

ENHANCING THE CONSUMER PAYMENT EXPERIENCE

A decade ago, the consumer’s role in the healthcare

decision-making process was drastically different.

Payers and employers managed virtually all of the

health benefit decisions for consumers. Consumers

were presented with one or two choices for a benefits

package, visited the providers in their network and

paid a minimal copay, if anything at all. Payment

associated with healthcare services generally was not a

focal point for consumers.

In recent years, the payment responsibility has

shifted (and continues to shift) to the consumer. This

changing landscape has forced consumers to become

decision-makers in the healthcare industry. Indeed,

consumers now face a wide variety of health plans to

choose from, and they have become sensitive to the

costs associated with healthcare, for both consumer-to-

provider and consumer-to-payer payments.

As a result, payers and providers need to focus on the

consumer experience now more than ever before.

Consumer Expectations

As consumer payments represent a growing portion

of provider revenue, providers must meet consumer

payment expectations set by other industries, such as

offering convenient payment options and the ability to

manage payments online.

However, consumers are confused by the disjointed

healthcare payments process. For example, examine

the consumer experience after a provider visit:

This common process is problematic for many

reasons. First, so much time has passed since the

initial provider visit that the consumer frequently has

forgotten about the payment due. Consequently, the

consumer commonly disregards this first statement.

Furthermore, the payment options available to the

consumer often are limited. The impacts to payers

and providers include consumer nonpayment,

high call volume and, most importantly, consumer

Over 15.5 million consumers have high-

deductible health plans2

Consumer-to-provider and consumer-to-payer payments

1. The consumer visits a healthcare provider

Weeks pass with no communication to the consumer regarding payment

The claims are adjudicated and the consumer receives an EOB (explanation of benefits) from the payer

Frequently, this results in phone calls from the consumer to the providerand/or payer

More time passes with no communication to the consumer regarding payment

The consumer receives a paper statement from the provider, which the consumer must pay

2.

3.

4.

5.

6.

5 © 2014 InstaMed. All rights reserved.

confusion and dissatisfaction. Payers have the

opportunity to collaborate with providers to improve

this process and the consumer payment experience in

healthcare payments.

Opportunities for Payers

Payers have a unique opportunity in this process

because they manage the first communication (the

EOB) with the consumer. Payers are able to improve

the communication regarding payment responsibility

and allow consumers to make a payment as soon as

they understand their payment responsibility. The

value of these opportunities to payers is to enhance

the way they engage with their consumers and

improve the consumer’s experience.

Best Practices

Payers can enable consumers to simplify their

healthcare finances by integrating payment

functionality within their member portals – for both

premium and provider payments. As a best practice,

payers should enable consumers to view payments

owed to all providers across multiple family members,

use their preferred payment method, securely

save payment information for future payments

and view how payments affect their deductibles,

all in one place. Payers also can simplify the

payment experience by supporting consumer-centric

features such as mobile/tablet support and email

communications for balance information and payment

receipts.

75% of patients are confused by the healthcare system3

See the security tips beginning on page 7 for details on ensuring

payments are secure.

79% of consumers would like to pay their healthcare

bills online1

6 © 2014 InstaMed. All rights reserved.

MAXIMIZING THE VALUE OF ERA/EFT

Healthcare reform and consumerism coupled with rising

administrative costs are drastically changing the payment

process between payers and providers. The traditional

process to disburse paper checks and remittances to

providers is costly, time consuming and error prone,

resulting in increasing overhead and call center volume.

Regulatory mandates require payers to implement

changes to support standardized electronic healthcare

transactions, such as electronic remittance advice (ERA)

and electronic funds transfer (EFT) as of January 2014.

The ERA/EFT mandate under the Patient Protection and

Affordable Care Act (PPACA) enables payers to reduce

administrative costs with electronic payments and help

to streamline the provider reconciliation process.

However, only 50 percent of payers surveyed meet the

requirements for the CAQH CORE Phase III Operating

Rules for ERA/EFT.1

Opportunities for Payers

The greatest opportunity of achieving ERA/EFT for

payers is the cost savings of moving from a manual,

paper-based process to one that is automated and

electronic. In addition, payers have the opportunity

to connect to their provider networks in a more

efficient way. They can improve provider satisfaction

by delivering access to payment reports to simplify

reconciliation and payment posting. By going electronic,

payers also can streamline provider communications,

payment monitoring and reporting.

Best Practices

Re-association. Payers must ensure that they support

ERA/EFT in a way that is compliant with the Operating

Rules developed by CAQH CORE. The ERA/EFT

mandate requires that payers include the EFT trace

number with the ERA to allow easy re-association

between the payment and remittance. By accepting

these transactions, providers reconcile payments and

remittances automatically, which reduces manual

administrative work and the risk of posting errors.

Provider Adoption. It is not enough just to support

ERA/EFT. Payers need to be able to easily reach

their providers to quickly enroll them in ERA/EFT,

which maximizes cost savings. A comprehensive

provider adoption plan includes an analysis of

how to best reach providers, messaging to educate

providers on the benefits of ERA/EFT, multiple ways

to enroll providers and resources to support provider

enrollment and training.

Third-Party Relationships. If payers choose to work

with a vendor to deliver ERA/EFT, they need to

make sure they know who they are buying from

and any downstream, third-party relationships

that the vendor may require to deliver a complete

solution. It is crucial for a payer to understand all of

the relationships in scope, which will help to assess

points of failure, risks and the continuity of service for

dealing with difficult issues that arise in an electronic

processing environment.

Virtual Payments. When considering the use of virtual

card payments, provider communication is especially

important. Providers need education on processing

a virtual card and the ability to enroll to receive the

payment directly deposited. It is important to note

that virtual card payments are not compliant with the

ERA/EFT mandate.

See the security tips beginning on page 7 for details on ensuring

payments are secure.

Payer-to-provider payments

7 © 2014 InstaMed. All rights reserved.

CHALLENGES

As online consumer payments and electronic payer-

to-provider payments become more common, and

even required for payers, there are many security

and compliance topics that payers need to be aware

of, presenting risks and challenges. Healthcare

transactions are highly regulated and subjected to

stringent HIPAA laws, and payment transactions are

among the most highly regulated and scrutinized

transactions in the U.S. When delivering payments

What is it?A money transmitter or money transfer service is a business entity that provides money transfer services or payment instruments. Money transmitters in the U.S. are part of a larger group of entities called Money Service Businesses (MSBs).

In healthcare, when the virtual card is a payment method, a money transmission license is required for all consumer-to-provider payments and, arguably, for payer-to-provider payments. A payer must ensure that any third party it partners with to disburse money to providers (virtual cards in particular) maintains appropriate licenses and certifications concerning money transmission, or the payer may face penalties.

In the U.S., absent limited exceptions, it is a felony to

provide money transfer services without registering with the

Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury Department. Many states (e.g., Florida and Vermont) require individual licenses for money transmission. Payment services using the internet also may need to maintain state money transmission licenses.

What are the challenges?The process to obtain money transmission licenses is exhaustive, and maintaining the licenses is expensive. A payer would need a dedicated resource to manage the application submission and other requirements, including credit checks and state-by-state surety bonds. The payer must also implement annual training programs for staff, monitor all money movement daily and maintain a rigorous KYC (Know Your Customer) program (see the Fraud Prevention section on page 11 for more details)

What are the risks?Since it is a felony to provide money transfer services without a license, the risks to organizations that do not follow the appropriate steps include fines, imprisonment and damages to reputation.

Example:In 2013, a large payments company received fines of $507,000 for operating a payment service for customers in the state of Florida without receiving the appropriate state license.

MONEY TRANSMISSION

directly deposited into provider bank accounts, and

when accessing consumer payment information,

payers expose themselves to huge security and

compliance risks. It is crucial for payers to have

dedicated resources to manage compliance on an

ongoing basis and to know the necessary questions

to ask any partners. The following glossary outlines

the security and compliance topics to consider when

working with electronic payments.

8 © 2014 InstaMed. All rights reserved.

What is it?Money laundering is the process in which the proceeds of crime are transferred into “legitimate money,” or into a bank account where someone can access the money. Common reasons for engaging in money laundering are terrorism financing, tax evasion and evasion of international sanctions.

Money laundering is a risk in regard to consumer-to-provider and payer-to-provider payments.

If a payer decides to build ERA/EFT capability internally rather than partnering with a third party, it is responsible for maintaining a comprehensive AML program to prevent, detect and report money laundering activities. The AML program must be compliant with all applicable Bank Secrecy Act (BSA) regulations.

What are the challenges?Maintaining a compliant AML program requires significant effort by a designated AML compliance resource. Key components of a successful AML program include:

• Delivering AML information to federal law enforcement agencies and other financial institutions (e.g., FinCEN, SARs [Suspicious Activity Reports] and NSL [National Security Letters])

• OFAC/SDN checks: ensuring any business receiving funds does not appear on the Office of Foreign Assets Control (OFAC) List or the Specially Designated Nationals (SDN) List, which list businesses that are prohibited by the U.S.

• Customer identification through automated KYC (see the Fraud Prevention section on page 11 for details)

• Monitoring money movement for suspicious activity

• Reporting on suspicious transactions

• Maintaining annual audits and AML Awareness training for staff

What are the risks?If an organization is prosecuted for money laundering, the penalties may include criminal fines and imprisonment of individuals involved. There are also state-by-state money laundering regulations, so an organization may face penalties on the state and federal levels.

Example:In 2012, a large international bank received fines of $1.9 million for inadequate documentation of AML processes.

ANTI-MONEY LAUNDERING (AML)

9 © 2014 InstaMed. All rights reserved.

What is it?Governed by the payment card networks (MasterCard, VISA, AMEX, Discover and JCB) the PCI DSS defines the requirements and best practices in order to reduce fraud and security breaches. PCI compliance is required in order to issue or process payment cards, primarily because the consequences of data breaches are significant.

PCI is in scope for a payer when accepting a consumer payment card and when generating virtual cards; therefore, PCI compliance is required for all payment types in healthcare: consumer-to-provider, consumer-to-payer and payer-to-provider (when using virtual card payments).

To deliver a streamlined consumer payment experience, payers have begun to allow consumers to pay providers and premium payments directly from their applicable member portals. In order to accept payment cards, a payer and its payment processor must be PCI Level One compliant. As a best practice, payers should encrypt payment cards from end to end for maximized security.

What are the challenges?To achieve PCI compliance, an organization must undergo an annual validation by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (RoC) for organizations handling large volumes of transactions. This assessment includes on-site audits and both internal and external network penetration tests. An organization will need to perform monthly vulnerability scans and continuous system patching and remediation to ensure ongoing compliance.

What are the risks?If an organization does not achieve the appropriate level of PCI compliance, the payment card networks may impose fines or even prohibit the organization from processing payment cards. However, the greatest risk to an organization is the threat of a data breach, which can result in significant fines, legal fees and loss of business.

Example:In 2013, a major retail corporation experienced a payment card breach that resulted in a 46 percent decline in profit.

PAYMENT CARD INDUSTRYDATA SECURITY STANDARD (PCI DSS)

In 2009, payment data breaches represented

98% of all data breaches4

10 © 2014 InstaMed. All rights reserved.

What is it?The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires national standards for privacy, security and electronic healthcare transactions. The Health Information Technology for Economic and Clinical Health (HITECH) Act gives more specific details on the meaningful use of health information technology.

While most payers have already achieved HIPAA compliance in a number of areas, as payers move to electronic payments and automation, there are additional requirements that they must meet for all payment types: consumer-to-provider, consumer-to-payer and payer-to-provider.

What are the challenges?Many organizations will claim that they are HIPAA compliant, but the only way to prove compliance is through independent, third-party certification. For example, EHNAC (the Electronic Healthcare Network Accreditation Commission) is an independent, federally recognized organization that certifies for EHNAC FSAP (Financial Services Accreditation Program) and HNAP (Healthcare Network Accreditation Program), both of which are important when dealing with healthcare payments.

In order to achieve third-party HIPAA certification, an organization must complete a self-assessment and undergo regular, on-site audits at all physical locations, including any of the organization’s partners. It is crucial that payers ensure that they work with HIPAA-certified vendors for payment processing.

What are the risks?The penalties for HIPAA violations vary widely depending on the type of violation, but in most cases, the penalty is a fine of thousands and even millions of dollars. In severe cases, a HIPAA violation can lead to imprisonment. Violators also face significant legal and consulting fees to remediate HIPAA breaches.

Example:In 2013, a large health system reported a HIPAA violation affecting more than four million patients when unencrypted laptops were stolen, resulting in a class-action lawsuit.

HIPAA AND HITECH

11 © 2014 InstaMed. All rights reserved.

What is it?When payers leverage electronic payments, there is a high risk of fraud when it comes to accessing a payee’s (the healthcare provider) bank account for direct deposit. For example, a staff member at a provider organization may complete enrollment to receive ERA/EFT, but enter a personal bank account to receive the funds in a fraudulent manner. In addition to payer-to-provider payments, fraud prevention is also important for consumer-to-provider and consumer-to-payer payments. It is the payer’s responsibility to ensure that it deposits funds into the correct bank account.

What are the challenges?It is crucial that a payer or its vendor has a rigorous underwriting process, automated KYC checks and ongoing monitoring in place for any bank accounts receiving funds.

• Underwriting: Assess the expected payment volume and any potential risks

• KYC: Complete KYC (including OFAC/SDN check, IRS TIN match, credit history, etc.) before moving funds to the bank account

• Real-time security profile monitoring: Monitor payment activity on a daily basis to detect suspicious activity

• Account changes: Manage changes requested to a provider’s account (including banking information, contact information or payment preferences) in a compliant manner

What are the risks? If an organization does not have a rigorous fraud-detection program in place, the potential risks include lawsuits, fines and loss of business due to distrust from providers and consumers. If fraudulent activity is found to be money laundering, there are additional penalties on the state and federal levels, which could include fines and imprisonment.

Example:In 2008, a major financial corporation received fines of $1 million for failing to document customer identification practices.

FRAUD PREVENTION

60% of U.S. organizations were

exposed to actual or attempted payment

fraud in 20135

12 © 2014 InstaMed. All rights reserved.

What is it?Under PPACA, the Phase III Operating Rules for ERA/EFT developed by CAQH CORE define the requirements that all payers must meet for delivering ERA/EFT transactions to providers, as of January 2014.

The Operating Rules include standards for ERA/EFT enrollment, claim adjustment reason codes (CARCs) and re-association, which requires the EFT trace number to be included with the ERA file to streamline payment reconciliation.

What are the challenges?Complying with the ERA/EFT mandate is a major undertaking for a payer, especially if the payer decides to use internal resources to build the capability rather than partnering with a vendor that is already compliant.

Regardless of the manner in which a payer implements ERA/EFT, key components must include:

• Comprehensive testing plan

• Provider support and training

• Daily monitoring and reconciliation of all payments

• Enrollment automation plan

• Provider adoption

• Provider KYC and bank account management

What are the risks?The risks of non-compliant ERA/EFT transactions are provider dissatisfaction and loss of revenue by continuing to use manual, payer-based processes. Furthermore, accessing provider bank accounts to deliver EFT payments exposes providers to all of the risks associated with fraud, HIPAA and AML.

For more information:www.instamed.com/wp-content/uploads/Implementation-Insights-Models-to-Deliver-EFT-ERA.pdf

PPACA ERA/EFT MANDATE

50% of payers do not meet the requirements

for the CAQH CORE Phase III Operating Rules for ERA/EFT 1

13 © 2014 InstaMed. All rights reserved.

ENSURING COMPLIANCE

COMPLIANCE CHECKLIST

This Compl iance Check l is t is a gu ide of quest ions that payers and/or

the i r downst ream vendors should answer when handl ing payments.

The requirements for achieving compliance are

complex, challenging and expensive to manage. It is

important to understand all of the key questions to

ensure that a vendor is fully compliant and certified.

The checklist below includes some of the important

questions to ask when ensuring that full compliance is

in place.

MONEY TRANSMISSION

; Are you registered with FinCEN?

; Have you obtained all state-specific licenses for money transmission?

; Do you have an annual staff training program on money transmission laws?

AML

; Describe your AML program.

; Do you have an automated KYC process? Describe all steps of this process.

; Do you monitor money movement on a daily basis to detect suspicious activity?

Describe this process.

; How do you document and report suspicious activity detected?

; Do you have an annual audit of your AML program?

; Do you have an annual staff training program on AML awareness?

PCI

; Are you PCI Level One certified?

; Do you have a staff training program on payment card security?

; Do you conduct monthly vulnerability scans?

; Do you support end-to-end encryption for payment cards?

14 © 2014 InstaMed. All rights reserved.

HIPAA & HITECH

; Are you independently certified for HIPAA compliance? List the certifications and vendor

names.

; Do you have regular, on-site audits at all of your organization’s physical locations? List

all physical locations with the date of the most recent on-site audit.

; List all organizations with whom you partner to deliver payment solutions.

; Do the partners listed above undergo regular, on-site audits at all of their physical

locations?

; Do you have a staff training program on HIPAA and HITECH?

FRAUD PREVENTION

; Do you maintain an automated KYC process? Describe all steps of this process.

; Do you monitor money movement on a daily basis to detect suspicious activity?

Describe this process.

; How do you document and report suspicious activity detected?

; Describe your process to manage requested changes to provider accounts (banking

information, contact information, payment preferences, etc.).

; Describe your underwriting process for new accounts.

ERA/EFT MANDATE

; Do you meet the requirements outlined in the CAQH CORE Operating Rules for ERA/EFT?

; Can you provide a sample project plan to implement ERA/EFT, including your testing plan?

; Do you support online and paper-based provider enrollment for ERA/EFT?

; Describe your standard provider adoption approach, including timing and communication

materials.

; How do you handle provider training and customer service inquiries for ERA/EFT before

and after provider enrollment?

; Do you maintain an automated KYC process? Describe all steps of this process.

; Do you monitor and reconcile funds on a daily basis? Describe this process.

; Describe your process to manage requested changes to provider accounts (banking

information, contact information, payment preferences, etc.).

15 © 2014 InstaMed. All rights reserved.

CONCLUSION

The healthcare payments industry is continuing

to change drastically, presenting opportunities

for payers within all three payment channels in

healthcare: consumer-to-provider, consumer-to-

payer and payer-to-provider. Payers gain significant

value in implementing electronic payments and

facilitating simpler payments management for

consumers, including enhanced consumer engagement

and reduced administrative costs. However, it is

important for payers to understand and apply the best

practices and the security requirements associated

with electronic payments. This is not only crucial to

increase the value of electronic payments, but also to

protect the payer’s business.

Sources:1 InstaMed Trends in Healthcare

Annual Report2 AHIP3 Deloitte Review4 Trustwave Global Security Report5 AFP Payments Fraud and Control

Survey

ABOUT INSTAMED

InstaMed simplifies every healthcare clearinghouse

and payment transaction for providers and payers, all

in one place. InstaMed allows payers to cut settlement

and disbursement costs with electronic payments.

InstaMed enables providers to collect more money, get

paid faster and reduce the time and costs to collect.

InstaMed’s single, integrated network simplifies the

healthcare payments process for 1,500+ hospitals,

60,000+ practices/clinics and 100+ billing services;

connects to 3,000+ payers; and integrates with 50+

practice management systems. InstaMed processes

tens of billions in healthcare payments each year at a

rate of more than $1,000 per second. Visit InstaMed

on the web at www.instamed.com or contact

info@instamed.com for more information.

1880 JFK Boulevard, 12th FloorPhiladelphia, PA 19103

(866) INSTAMEDwww.instamed.com