Health-care providers — and their internal audit departments — may wonder why some companies that provide health benefits for their employees are so worried about the U.S. Patient Protection and Affordable Care Act (ACA). As employers, they now face the same compliance deadlines as every other enterprise. But they are, for the most part, already intimately familiar with the law because they had to prepare for the Exchanges to open more than a year ago. Many have, as well, already managed the earliest ACA requirements — such as "meaningful use" of electronic health records and new rules on medical loss ratios. The risk assessment approaches they used provide a model for organizations just now encountering the massive law.
Preparing to Comply
"Our mantra was, 'Is our company audit-ready? Is it ready for the government to come in and audit us?'" notes Blue Cross Blue Shield of Michigan's Vice President, Corporate Audit, Sharon Gipson. To answer those questions, her department teamed with the compliance function there to make sure key ACA-related processes were documented. Compliance focused on making sure regulatory requirements were met, while internal audit "did a deeper dive" to examine the supporting internal controls. "That has worked well for us," she says. "And more efficient coverage offers greater value to our business clients."
For Gipson, an early ACA challenge came in the form of new rules on medical loss ratios (MLRs) — the amount of revenues that must go toward patient care. That's a smart area to focus on, comments Uwe Reinhardt, the James Madison professor of political economy and a professor of economics and public affairs at Princeton University in New Jersey. "MLR is one area that will be challenging for sure," he says. "It is difficult enough for honest people, and probably manipulatable by people with more flexible morals." Gipson's team performed audits around whether the health plan was meeting MLR requirements and, if not, whether it was paying rebates appropriately.
Last year, the plan went live to make assessments around enrollment and claims payment, including whether the benefit pays correctly and complies with government expectations. "The whole transaction cycle from enrollment to claims payment to revenue recognition will be a part of our audit plan," Gipson says. "Government regulations are still being defined and are changing. I'd say to anyone just beginning to operate in that environment that the regulations and the guidance can be slow in coming and can change any time. You want to always be aware of that so you're flexible."
A Moving Target
Similarly, CareFirst BlueCross BlueShield Inc.'s senior vice president and general auditor Gwendolyn Skillern used a risk-based approach to decide which audits to conduct. "When we first started with the ACA, the regulations were 'in flight,'" she says. "It wasn't always clear what would be expected of the insurers as the Exchanges were under development. We couldn't afford to wait until the final regulations were communicated." So her team looked at the structure of what it needed to accomplish under the Act, how that would impact the business, and which related controls would be required to mitigate the risk.
Skillern says the process started with determining the major components of the business, and that included interacting with the Exchanges; enrolling people and validating their eligibility; getting new products up and running; and making sure the company was paying people, premiums, and claims in accordance with applicable regulations. Then her team assessed what controls were needed to accomplish those aims — and their impact on the company's operational, financial, and reporting processes. "The risk shifted depending on where we were in the process," she says.
Early on, risk could magnify simply because there was often little clarity around the law's requirements. "At times," Skillern reports now, "we were building processes with limited guidance." As each step in preparing for the ACA was completed, the risk shifted to a question of whether the plan's business platform could perform in accordance with requirements. "For example, we have multiple claims platforms," she says, "so one area could be higher risk if it required greater remediation of the technology and lower risk if the system could be remediated quicker."
Then risk shifted to the processes that could impede operational readiness. "When Exchanges first opened, Maryland failed altogether," Skillern recalls, "so we added customer service representatives and expanded lines on our call center." The Exchanges represented a higher risk because of what was needed to gain the operational readiness required. Finally, internal audit looked at the adequacy of internal controls to assess risk. If business processes were implemented without the time to design and implement effective controls, risk would, naturally, increase.
Of course, risk audits are never really complete. For this reason, internal audit needs to stay apprised of further developments with the Act. "As more regulations come out further along the implementation curve," Skillern says, "what was high risk then may not be later."
For more information on addressing ACA-related risks, see "Untangling the ACA."