Challenges and Opportunities for Payers in the Changing Healthcare Payments Landscape
Published: June 2014
© 2014 InstaMed. All rights reserved.
InstaMed
1880 JFK Boulevard, 12th Floor
Philadelphia, PA 19103
(866) INSTAMED
www.instamed.com
All content, including text, graphics, logos, icons, images and the selection and arrangement thereof, is the exclusive property of InstaMed and is protected by U.S. and international copyright laws. No portion of this document may be reproduced, modified, distributed, transmitted, posted or disclosed in any form or by any means without the express written consent of InstaMed.
CONTENTS
3 | Executive Summary
4 | Enhancing the Consumer Payment Experience
6 | Maximizing the Value of ERA/EFT
7 | Challenges
13 | Ensuring Compliance
15 | Conclusion
15 | About InstaMed
EXECUTIVE SUMMARY
Data on healthcare payments shows how drastically
the industry has shifted in recent years. Consumers
have become decision-makers who are sensitive to
healthcare costs, and payers and providers are moving
toward industry-standard, electronic transactions
due to regulatory mandates and high administrative
costs. These changes present both challenges and
opportunities for payers to focus on the consumer
and streamline processes to ultimately reduce costs.
This white paper will explore these challenges and
opportunities and discuss the risks, best practices
and topics for consideration as payers evolve their
processes, policies and offerings to accommodate for
the changing industry.
ENHANCING THE CONSUMER PAYMENT EXPERIENCE
A decade ago, the consumer’s role in the healthcare
decision-making process was drastically different.
Payers and employers managed virtually all of the
health benefit decisions for consumers. Consumers
were presented with one or two choices for a benefits
package, visited the providers in their network and
paid a minimal copay, if anything at all. Payment
associated with healthcare services generally was not a
focal point for consumers.
In recent years, the payment responsibility has
shifted (and continues to shift) to the consumer. This
changing landscape has forced consumers to become
decision-makers in the healthcare industry. Indeed,
consumers now face a wide variety of health plans to
choose from, and they have become sensitive to the
costs associated with healthcare, for both consumer-to-
provider and consumer-to-payer payments.
As a result, payers and providers need to focus on the
consumer experience now more than ever before.
Consumer Expectations
As consumer payments represent a growing portion
of provider revenue, providers must meet consumer
payment expectations set by other industries, such as
offering convenient payment options and the ability to
manage payments online.
However, consumers are confused by the disjointed
healthcare payments process. For example, examine
the consumer experience after a provider visit:
1. The consumer visits a healthcare provider
2. Weeks pass with no communication to the consumer regarding payment
3. The claims are adjudicated and the consumer receives an EOB (explanation of benefits) from the payer
4. Frequently, this results in phone calls from the consumer to the provider and/or payer
5. More time passes with no communication to the consumer regarding payment
6. The consumer receives a paper statement from the provider, which the consumer must pay
This common process is problematic for many
reasons. First, so much time has passed since the
initial provider visit that the consumer frequently has
forgotten about the payment due. Consequently, the
consumer commonly disregards this first statement.
Furthermore, the payment options available to the
consumer often are limited. The impacts to payers
and providers include consumer nonpayment,
high call volume and, most importantly, consumer
confusion and dissatisfaction. Payers have the
opportunity to collaborate with providers to improve
this process and the consumer payment experience in
healthcare payments.
Over 15.5 million consumers have high-deductible health plans [2]
Consumer-to-provider and consumer-to-payer payments
Opportunities for Payers
Payers have a unique opportunity in this process
because they manage the first communication (the
EOB) with the consumer. Payers are able to improve
the communication regarding payment responsibility
and allow consumers to make a payment as soon as
they understand their payment responsibility. The
value of these opportunities to payers is to enhance
the way they engage with their consumers and
improve the consumer’s experience.
Best Practices
Payers can enable consumers to simplify their
healthcare finances by integrating payment
functionality within their member portals – for both
premium and provider payments. As a best practice,
payers should enable consumers to view payments
owed to all providers across multiple family members,
use their preferred payment method, securely
save payment information for future payments
and view how payments affect their deductibles,
all in one place. Payers also can simplify the
payment experience by supporting consumer-centric
features such as mobile/tablet support and email
communications for balance information and payment
receipts.
75% of patients are confused by the healthcare system [3]
See the security tips beginning on page 7 for details on ensuring
payments are secure.
79% of consumers would like to pay their healthcare bills online [1]
MAXIMIZING THE VALUE OF ERA/EFT
Healthcare reform and consumerism coupled with rising
administrative costs are drastically changing the payment
process between payers and providers. The traditional
process to disburse paper checks and remittances to
providers is costly, time consuming and error prone,
resulting in increasing overhead and call center volume.
Regulatory mandates require payers to implement
changes to support standardized electronic healthcare
transactions, such as electronic remittance advice (ERA)
and electronic funds transfer (EFT) as of January 2014.
The ERA/EFT mandate under the Patient Protection and
Affordable Care Act (PPACA) enables payers to reduce
administrative costs with electronic payments and help
to streamline the provider reconciliation process.
However, only 50 percent of payers surveyed meet the
requirements for the CAQH CORE Phase III Operating
Rules for ERA/EFT. [1]
Opportunities for Payers
The greatest opportunity of achieving ERA/EFT for
payers is the cost savings of moving from a manual,
paper-based process to one that is automated and
electronic. In addition, payers have the opportunity
to connect to their provider networks in a more
efficient way. They can improve provider satisfaction
by delivering access to payment reports to simplify
reconciliation and payment posting. By going electronic,
payers also can streamline provider communications,
payment monitoring and reporting.
Best Practices
Re-association. Payers must ensure that they support
ERA/EFT in a way that is compliant with the Operating
Rules developed by CAQH CORE. The ERA/EFT
mandate requires that payers include the EFT trace
number with the ERA to allow easy re-association
between the payment and remittance. By accepting
these transactions, providers reconcile payments and
remittances automatically, which reduces manual
administrative work and the risk of posting errors.
Provider Adoption. It is not enough just to support
ERA/EFT. Payers need to be able to easily reach
their providers to quickly enroll them in ERA/EFT,
which maximizes cost savings. A comprehensive
provider adoption plan includes an analysis of
how to best reach providers, messaging to educate
providers on the benefits of ERA/EFT, multiple ways
to enroll providers and resources to support provider
enrollment and training.
Third-Party Relationships. If payers choose to work
with a vendor to deliver ERA/EFT, they need to
make sure they know who they are buying from
and any downstream, third-party relationships
that the vendor may require to deliver a complete
solution. It is crucial for a payer to understand all of
the relationships in scope, which will help to assess
points of failure, risks and the continuity of service for
dealing with difficult issues that arise in an electronic
processing environment.
Virtual Payments. When considering the use of virtual
card payments, provider communication is especially
important. Providers need education on processing
a virtual card and the ability to enroll to receive the
payment directly deposited. It is important to note
that virtual card payments are not compliant with the
ERA/EFT mandate.
See the security tips beginning on page 7 for details on ensuring
payments are secure.
Payer-to-provider payments
CHALLENGES
As online consumer payments and electronic payer-
to-provider payments become more common, and
even required for payers, there are many security
and compliance topics that payers need to be aware
of, presenting risks and challenges. Healthcare
transactions are highly regulated and subjected to
stringent HIPAA laws, and payment transactions are
among the most highly regulated and scrutinized
transactions in the U.S. When delivering payments
directly deposited into provider bank accounts, and
when accessing consumer payment information,
payers expose themselves to huge security and
compliance risks. It is crucial for payers to have
dedicated resources to manage compliance on an
ongoing basis and to know the necessary questions
to ask any partners. The following glossary outlines
the security and compliance topics to consider when
working with electronic payments.
MONEY TRANSMISSION
What is it? A money transmitter or money transfer service is a business entity that provides money transfer services or payment instruments. Money transmitters in the U.S. are part of a larger group of entities called Money Service Businesses (MSBs).
In healthcare, when the virtual card is a payment method, a money transmission license is required for all consumer-to-provider payments and, arguably, for payer-to-provider payments. A payer must ensure that any third party it partners with to disburse money to providers (virtual cards in particular) maintains appropriate licenses and certifications concerning money transmission, or the payer may face penalties.
In the U.S., absent limited exceptions, it is a felony to provide money transfer services without registering with the Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury Department. Many states (e.g., Florida and Vermont) require individual licenses for money transmission. Payment services using the internet also may need to maintain state money transmission licenses.
What are the challenges? The process to obtain money transmission licenses is exhaustive, and maintaining the licenses is expensive. A payer would need a dedicated resource to manage the application submission and other requirements, including credit checks and state-by-state surety bonds. The payer must also implement annual training programs for staff, monitor all money movement daily and maintain a rigorous KYC (Know Your Customer) program (see the Fraud Prevention section on page 11 for more details).
What are the risks? Since it is a felony to provide money transfer services without a license, the risks to organizations that do not follow the appropriate steps include fines, imprisonment and damages to reputation.
Example: In 2013, a large payments company received fines of $507,000 for operating a payment service for customers in the state of Florida without receiving the appropriate state license.
ANTI-MONEY LAUNDERING (AML)
What is it? Money laundering is the process in which the proceeds of crime are transferred into “legitimate money,” or into a bank account where someone can access the money. Common reasons for engaging in money laundering are terrorism financing, tax evasion and evasion of international sanctions.
Money laundering is a risk in regard to consumer-to-provider and payer-to-provider payments.
If a payer decides to build ERA/EFT capability internally rather than partnering with a third party, it is responsible for maintaining a comprehensive AML program to prevent, detect and report money laundering activities. The AML program must be compliant with all applicable Bank Secrecy Act (BSA) regulations.
What are the challenges? Maintaining a compliant AML program requires significant effort by a designated AML compliance resource. Key components of a successful AML program include:
• Delivering AML information to federal law enforcement agencies and other financial institutions (e.g., FinCEN, SARs [Suspicious Activity Reports] and NSL [National Security Letters])
• OFAC/SDN checks: ensuring any business receiving funds does not appear on the Office of Foreign Assets Control (OFAC) List or the Specially Designated Nationals (SDN) List, which list businesses that are prohibited by the U.S.
• Customer identification through automated KYC (see the Fraud Prevention section on page 11 for details)
• Monitoring money movement for suspicious activity
• Reporting on suspicious transactions
• Maintaining annual audits and AML Awareness training for staff
What are the risks? If an organization is prosecuted for money laundering, the penalties may include criminal fines and imprisonment of individuals involved. There are also state-by-state money laundering regulations, so an organization may face penalties on the state and federal levels.
Example: In 2012, a large international bank received fines of $1.9 million for inadequate documentation of AML processes.
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
What is it? Governed by the payment card networks (MasterCard, VISA, AMEX, Discover and JCB), the PCI DSS defines the requirements and best practices in order to reduce fraud and security breaches. PCI compliance is required in order to issue or process payment cards, primarily because the consequences of data breaches are significant.
PCI is in scope for a payer when accepting a consumer payment card and when generating virtual cards; therefore, PCI compliance is required for all payment types in healthcare: consumer-to-provider, consumer-to-payer and payer-to-provider (when using virtual card payments).
To deliver a streamlined consumer payment experience, payers have begun to allow consumers to pay providers and premium payments directly from their applicable member portals. In order to accept payment cards, a payer and its payment processor must be PCI Level One compliant. As a best practice, payers should encrypt payment cards from end to end for maximized security.
What are the challenges? To achieve PCI compliance, an organization must undergo an annual validation by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (RoC) for organizations handling large volumes of transactions. This assessment includes on-site audits and both internal and external network penetration tests. An organization will need to perform monthly vulnerability scans and continuous system patching and remediation to ensure ongoing compliance.
What are the risks? If an organization does not achieve the appropriate level of PCI compliance, the payment card networks may impose fines or even prohibit the organization from processing payment cards. However, the greatest risk to an organization is the threat of a data breach, which can result in significant fines, legal fees and loss of business.
Example: In 2013, a major retail corporation experienced a payment card breach that resulted in a 46 percent decline in profit.
In 2009, payment data breaches represented 98% of all data breaches [4]
HIPAA AND HITECH
What is it? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires national standards for privacy, security and electronic healthcare transactions. The Health Information Technology for Economic and Clinical Health (HITECH) Act gives more specific details on the meaningful use of health information technology.
While most payers have already achieved HIPAA compliance in a number of areas, as payers move to electronic payments and automation, there are additional requirements that they must meet for all payment types: consumer-to-provider, consumer-to-payer and payer-to-provider.
What are the challenges? Many organizations will claim that they are HIPAA compliant, but the only way to prove compliance is through independent, third-party certification. For example, EHNAC (the Electronic Healthcare Network Accreditation Commission) is an independent, federally recognized organization that certifies for EHNAC FSAP (Financial Services Accreditation Program) and HNAP (Healthcare Network Accreditation Program), both of which are important when dealing with healthcare payments.
In order to achieve third-party HIPAA certification, an organization must complete a self-assessment and undergo regular, on-site audits at all physical locations, including any of the organization’s partners. It is crucial that payers ensure that they work with HIPAA-certified vendors for payment processing.
What are the risks? The penalties for HIPAA violations vary widely depending on the type of violation, but in most cases, the penalty is a fine of thousands and even millions of dollars. In severe cases, a HIPAA violation can lead to imprisonment. Violators also face significant legal and consulting fees to remediate HIPAA breaches.
Example: In 2013, a large health system reported a HIPAA violation affecting more than four million patients when unencrypted laptops were stolen, resulting in a class-action lawsuit.
FRAUD PREVENTION
What is it? When payers leverage electronic payments, there is a high risk of fraud when it comes to accessing a payee’s (the healthcare provider) bank account for direct deposit. For example, a staff member at a provider organization may complete enrollment to receive ERA/EFT, but enter a personal bank account to receive the funds in a fraudulent manner. In addition to payer-to-provider payments, fraud prevention is also important for consumer-to-provider and consumer-to-payer payments. It is the payer’s responsibility to ensure that it deposits funds into the correct bank account.
What are the challenges? It is crucial that a payer or its vendor has a rigorous underwriting process, automated KYC checks and ongoing monitoring in place for any bank accounts receiving funds.
• Underwriting: Assess the expected payment volume and any potential risks
• KYC: Complete KYC (including OFAC/SDN check, IRS TIN match, credit history, etc.) before moving funds to the bank account
• Real-time security profile monitoring: Monitor payment activity on a daily basis to detect suspicious activity
• Account changes: Manage changes requested to a provider’s account (including banking information, contact information or payment preferences) in a compliant manner
What are the risks? If an organization does not have a rigorous fraud-detection program in place, the potential risks include lawsuits, fines and loss of business due to distrust from providers and consumers. If fraudulent activity is found to be money laundering, there are additional penalties on the state and federal levels, which could include fines and imprisonment.
Example: In 2008, a major financial corporation received fines of $1 million for failing to document customer identification practices.
60% of U.S. organizations were exposed to actual or attempted payment fraud in 2013 [5]
PPACA ERA/EFT MANDATE
What is it? Under PPACA, the Phase III Operating Rules for ERA/EFT developed by CAQH CORE define the requirements that all payers must meet for delivering ERA/EFT transactions to providers, as of January 2014.
The Operating Rules include standards for ERA/EFT enrollment, claim adjustment reason codes (CARCs) and re-association, which requires the EFT trace number to be included with the ERA file to streamline payment reconciliation.
What are the challenges? Complying with the ERA/EFT mandate is a major undertaking for a payer, especially if the payer decides to use internal resources to build the capability rather than partnering with a vendor that is already compliant.
Regardless of the manner in which a payer implements ERA/EFT, key components must include:
• Comprehensive testing plan
• Provider support and training
• Daily monitoring and reconciliation of all payments
• Enrollment automation plan
• Provider adoption
• Provider KYC and bank account management
What are the risks? The risks of non-compliant ERA/EFT transactions are provider dissatisfaction and loss of revenue by continuing to use manual, payer-based processes. Furthermore, accessing provider bank accounts to deliver EFT payments exposes providers to all of the risks associated with fraud, HIPAA and AML.
For more information: www.instamed.com/wp-content/uploads/Implementation-Insights-Models-to-Deliver-EFT-ERA.pdf
50% of payers do not meet the requirements for the CAQH CORE Phase III Operating Rules for ERA/EFT [1]
ENSURING COMPLIANCE
The requirements for achieving compliance are
complex, challenging and expensive to manage. It is
important to understand all of the key questions to
ensure that a vendor is fully compliant and certified.
The checklist below includes some of the important
questions to ask when ensuring that full compliance is
in place.
COMPLIANCE CHECKLIST
This Compliance Checklist is a guide of questions that payers and/or
their downstream vendors should answer when handling payments.
MONEY TRANSMISSION
☐ Are you registered with FinCEN?
☐ Have you obtained all state-specific licenses for money transmission?
☐ Do you have an annual staff training program on money transmission laws?
AML
☐ Describe your AML program.
☐ Do you have an automated KYC process? Describe all steps of this process.
☐ Do you monitor money movement on a daily basis to detect suspicious activity? Describe this process.
☐ How do you document and report suspicious activity detected?
☐ Do you have an annual audit of your AML program?
☐ Do you have an annual staff training program on AML awareness?
PCI
☐ Are you PCI Level One certified?
☐ Do you have a staff training program on payment card security?
☐ Do you conduct monthly vulnerability scans?
☐ Do you support end-to-end encryption for payment cards?
HIPAA & HITECH
☐ Are you independently certified for HIPAA compliance? List the certifications and vendor names.
☐ Do you have regular, on-site audits at all of your organization’s physical locations? List all physical locations with the date of the most recent on-site audit.
☐ List all organizations with whom you partner to deliver payment solutions.
☐ Do the partners listed above undergo regular, on-site audits at all of their physical locations?
☐ Do you have a staff training program on HIPAA and HITECH?
FRAUD PREVENTION
☐ Do you maintain an automated KYC process? Describe all steps of this process.
☐ Do you monitor money movement on a daily basis to detect suspicious activity? Describe this process.
☐ How do you document and report suspicious activity detected?
☐ Describe your process to manage requested changes to provider accounts (banking information, contact information, payment preferences, etc.).
☐ Describe your underwriting process for new accounts.
ERA/EFT MANDATE
☐ Do you meet the requirements outlined in the CAQH CORE Operating Rules for ERA/EFT?
☐ Can you provide a sample project plan to implement ERA/EFT, including your testing plan?
☐ Do you support online and paper-based provider enrollment for ERA/EFT?
☐ Describe your standard provider adoption approach, including timing and communication materials.
☐ How do you handle provider training and customer service inquiries for ERA/EFT before and after provider enrollment?
☐ Do you maintain an automated KYC process? Describe all steps of this process.
☐ Do you monitor and reconcile funds on a daily basis? Describe this process.
☐ Describe your process to manage requested changes to provider accounts (banking information, contact information, payment preferences, etc.).
CONCLUSION
The healthcare payments industry is continuing
to change drastically, presenting opportunities
for payers within all three payment channels in
healthcare: consumer-to-provider, consumer-to-
payer and payer-to-provider. Payers gain significant
value in implementing electronic payments and
facilitating simpler payments management for
consumers, including enhanced consumer engagement
and reduced administrative costs. However, it is
important for payers to understand and apply the best
practices and the security requirements associated
with electronic payments. This is not only crucial to
increase the value of electronic payments, but also to
protect the payer’s business.
Sources:
[1] InstaMed Trends in Healthcare Annual Report
[2] AHIP
[3] Deloitte Review
[4] Trustwave Global Security Report
[5] AFP Payments Fraud and Control Survey
ABOUT INSTAMED
InstaMed simplifies every healthcare clearinghouse
and payment transaction for providers and payers, all
in one place. InstaMed allows payers to cut settlement
and disbursement costs with electronic payments.
InstaMed enables providers to collect more money, get
paid faster and reduce the time and costs to collect.
InstaMed’s single, integrated network simplifies the
healthcare payments process for 1,500+ hospitals,
60,000+ practices/clinics and 100+ billing services;
connects to 3,000+ payers; and integrates with 50+
practice management systems. InstaMed processes
tens of billions in healthcare payments each year at a
rate of more than $1,000 per second. Visit InstaMed
on the web at www.instamed.com or contact
[email protected] for more information.
1880 JFK Boulevard, 12th Floor
Philadelphia, PA 19103
(866) INSTAMED
www.instamed.com