Challenges and Opportunities for Payers in the Changing Healthcare Payments Landscape




Published: June 2014

CONTENTS
Executive Summary
Enhancing the Consumer Payment Experience
Maximizing the Value of ERA/EFT
Challenges
Ensuring Compliance
Conclusion
About InstaMed

InstaMed
1880 JFK Boulevard, 12th Floor
Philadelphia, PA 19103
(866) INSTAMED
www.instamed.com

All content, including text, graphics, logos, icons, images and the selection and arrangement thereof, is the exclusive property of InstaMed and is protected by U.S. and international copyright laws. No portion of this document may be reproduced, modified, distributed, transmitted, posted or disclosed in any form or by any means without the express written consent of InstaMed.

EXECUTIVE SUMMARY

Data on healthcare payments shows how drastically the industry has shifted in recent years. Consumers have become decision-makers who are sensitive to healthcare costs, and payers and providers are moving toward industry-standard, electronic transactions due to regulatory mandates and high administrative costs. These changes present both challenges and opportunities for payers to focus on the consumer and streamline processes to ultimately reduce costs. This white paper will explore these challenges and opportunities and discuss the risks, best practices and topics for consideration as payers evolve their processes, policies and offerings to accommodate the changing industry.

ENHANCING THE CONSUMER PAYMENT EXPERIENCE
Consumer-to-provider and consumer-to-payer payments

A decade ago, the consumer's role in the healthcare decision-making process was drastically different. Payers and employers managed virtually all of the health benefit decisions for consumers. Consumers were presented with one or two choices for a benefits package, visited the providers in their network and paid a minimal copay, if anything at all. Payment associated with healthcare services generally was not a focal point for consumers.

In recent years, the payment responsibility has shifted (and continues to shift) to the consumer. This changing landscape has forced consumers to become decision-makers in the healthcare industry. Indeed, consumers now face a wide variety of health plans to choose from, and they have become sensitive to the costs associated with healthcare, for both consumer-to-provider and consumer-to-payer payments. As a result, payers and providers need to focus on the consumer experience now more than ever before.

Over 15.5 million consumers have high-deductible health plans [2]

Consumer Expectations

As consumer payments represent a growing portion of provider revenue, providers must meet consumer payment expectations set by other industries, such as offering convenient payment options and the ability to manage payments online. However, consumers are confused by the disjointed healthcare payments process. For example, examine the consumer experience after a provider visit:

1. The consumer visits a healthcare provider
2. Weeks pass with no communication to the consumer regarding payment
3. The claims are adjudicated and the consumer receives an EOB (explanation of benefits) from the payer
4. Frequently, this results in phone calls from the consumer to the provider and/or payer
5. More time passes with no communication to the consumer regarding payment
6. The consumer receives a paper statement from the provider, which the consumer must pay

This common process is problematic for many reasons. First, so much time has passed since the initial provider visit that the consumer frequently has forgotten about the payment due. Consequently, the consumer commonly disregards this first statement. Furthermore, the payment options available to the consumer often are limited. The impacts to payers and providers include consumer nonpayment, high call volume and, most importantly, consumer confusion and dissatisfaction. Payers have the opportunity to collaborate with providers to improve this process and the consumer payment experience in healthcare payments.

75% of patients are confused by the healthcare system [3]

Opportunities for Payers

Payers have a unique opportunity in this process because they manage the first communication (the EOB) with the consumer. Payers are able to improve the communication regarding payment responsibility and allow consumers to make a payment as soon as they understand their payment responsibility. The value of these opportunities to payers is to enhance the way they engage with their consumers and improve the consumer's experience.

Best Practices

Payers can enable consumers to simplify their healthcare finances by integrating payment functionality within their member portals for both premium and provider payments. As a best practice, payers should enable consumers to view payments owed to all providers across multiple family members, use their preferred payment method, securely save payment information for future payments and view how payments affect their deductibles, all in one place. Payers also can simplify the payment experience by supporting consumer-centric features such as mobile/tablet support and email communications for balance information and payment receipts.

See the security tips in the Challenges section for details on ensuring payments are secure.

79% of consumers would like to pay their healthcare bills online [1]

MAXIMIZING THE VALUE OF ERA/EFT
Payer-to-provider payments

Healthcare reform and consumerism coupled with rising administrative costs are drastically changing the payment process between payers and providers. The traditional process to disburse paper checks and remittances to providers is costly, time consuming and error prone, resulting in increasing overhead and call center volume. Regulatory mandates require payers to implement changes to support standardized electronic healthcare transactions, such as electronic remittance advice (ERA) and electronic funds transfer (EFT) as of January 2014. The ERA/EFT mandate under the Patient Protection and Affordable Care Act (PPACA) enables payers to reduce administrative costs with electronic payments and help to streamline the provider reconciliation process. However, only 50 percent of payers surveyed meet the requirements for the CAQH CORE Phase III Operating Rules for ERA/EFT. [1]

Opportunities for Payers

The greatest opportunity of achieving ERA/EFT for payers is the cost savings of moving from a manual, paper-based process to one that is automated and electronic. In addition, payers have the opportunity to connect to their provider networks in a more efficient way. They can improve provider satisfaction by delivering access to payment reports to simplify reconciliation and payment posting. By going electronic, payers also can streamline provider communications, payment monitoring and reporting.

Best Practices

Re-association. Payers must ensure that they support ERA/EFT in a way that is compliant with the Operating Rules developed by CAQH CORE. The ERA/EFT mandate requires that payers include the EFT trace number with the ERA to allow easy re-association between the payment and remittance. By accepting these transactions, providers reconcile payments and remittances automatically, which reduces manual administrative work and the risk of posting errors.

Provider Adoption. It is not enough just to support ERA/EFT. Payers need to be able to easily reach their providers to quickly enroll them in ERA/EFT, which maximizes cost savings. A comprehensive provider adoption plan includes an analysis of how to best reach providers, messaging to educate providers on the benefits of ERA/EFT, multiple ways to enroll providers and resources to support provider enrollment and training.

Third-Party Relationships. If payers choose to work with a vendor to deliver ERA/EFT, they need to make sure they know who they are buying from and any downstream, third-party relationships that the vendor may require to deliver a complete solution. It is crucial for a payer to understand all of the relationships in scope, which will help to assess points of failure, risks and the continuity of service for dealing with difficult issues that arise in an electronic processing environment.

Virtual Payments. When considering the use of virtual card payments, provider communication is especially important. Providers need education on processing a virtual card and the ability to enroll to receive the payment directly deposited. It is important to note that virtual card payments are not compliant with the ERA/EFT mandate.

See the security tips in the Challenges section for details on ensuring payments are secure.

CHALLENGES

As online consumer payments and electronic payer-to-provider payments become more common, and even required for payers, payers need to be aware of many security and compliance topics that present risks and challenges. Healthcare transactions are highly regulated and subject to stringent HIPAA laws, and payment transactions are among the most highly regulated and scrutinized transactions in the U.S. When delivering payments directly deposited into provider bank accounts, and when accessing consumer payment information, payers expose themselves to huge security and compliance risks. It is crucial for payers to have dedicated resources to manage compliance on an ongoing basis and to know the necessary questions to ask any partners. The following glossary outlines the security and compliance topics to consider when working with electronic payments.

MONEY TRANSMISSION

What is it?

A money transmitter or money transfer service is a business entity that provides money transfer services or payment instruments. Money transmitters in the U.S. are part of a larger group of entities called Money Service Businesses (MSBs). In healthcare, when the virtual card is a payment method, a money transmission license is required for all consumer-to-provider payments and, arguably, for payer-to-provider payments. A payer must ensure that any third party it partners with to disburse money to providers (virtual cards in particular) maintains appropriate licenses and certifications concerning money transmission, or the payer may face penalties. In the U.S., absent limited exceptions, it is a felony to provide money transfer services without registering with the Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury Department. Many states (e.g., Florida and Vermont) require individual licenses for money transmission. Payment services using the internet also may need to maintain state money transmission licenses.

What are the challenges?

The process to obtain money transmission licenses is exhaustive, and maintaining the licenses is expensive. A payer would need a dedicated resource to manage the application submission and other requirements, including credit checks and state-by-state surety bonds. The payer must also implement annual training programs for staff, monitor all money movement daily and maintain a rigorous KYC (Know Your Customer) program (see the Fraud Prevention section for more details).

What are the risks?

Since it is a felony to provide money transfer services without a license, the risks to organizations that do not follow the appropriate steps include fines, imprisonment and damages to reputation.

Example: In 2013, a large payments company received fines of $507,000 for operating a payment service for customers in the state of Florida without receiving the appropriate state license.

ANTI-MONEY LAUNDERING (AML)

What is it?

Money laundering is the process in which the proceeds of crime are transferred into legitimate money, or into a bank account where someone can access the money. Common reasons for engaging in money laundering are terrorism financing, tax evasion and evasion of international sanctions. Money laundering is a risk in regard to consumer-to-provider and payer-to-provider payments. If a payer decides to build ERA/EFT capability internally rather than partnering with a third party, it is responsible for maintaining a comprehensive AML program to prevent, detect and report money laundering activities. The AML program must be compliant with all applicable Bank Secrecy Act (BSA) regulations.

What are the challenges?

Maintaining a compliant AML program requires significant effort by a designated AML compliance resource. Key components of a successful AML program include:

- Delivering AML information to federal law enforcement agencies and other financial institutions (e.g., FinCEN, SARs [Suspicious Activity Reports] and NSL [National Security Letters])
- OFAC/SDN checks: ensuring any business receiving funds does not appear on the Office of Foreign Assets Control (OFAC) List or the Specially Designated Nationals (SDN) List, which list businesses that are prohibited by the U.S.
- Customer identification through automated KYC (see the Fraud Prevention section for details)
- Monitoring money movement for suspicious activity
- Reporting on suspicious transactions
- Maintaining annual audits and AML Awareness training for staff

What are the risks?

If an organization is prosecuted for money laundering, the penalties may include criminal fines and imprisonment of individuals involved. There are also state-by-state money laundering regulations, so an organization may face penalties on the state and federal levels.

Example: In 2012, a large international bank received fines of $1.9 million for inadequate documentation of AML processes.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

What is it?

Governed by the payment card networks (MasterCard, VISA, AMEX, Discover and JCB), the PCI DSS defines the requirements and best practices in order to reduce fraud and security breaches. PCI compliance is required in order to issue or process payment cards, primarily because the consequences of data breaches are significant. PCI is in scope for a payer when accepting a consumer payment card and when generating virtual cards; therefore, PCI compliance is required for all payment types in healthcare: consumer-to-provider, consumer-to-payer and payer-to-provider (when using virtual card payments). To deliver a streamlined consumer payment experience, payers have begun to allow consumers to pay providers and make premium payments directly from their applicable member portals. In order to accept payment cards, a payer and its payment processor must be PCI Level One compliant. As a best practice, payers should encrypt payment cards from end to end for maximized security.

What are the challenges?

To achieve PCI compliance, an organization must undergo an annual validation by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (RoC) for organizations handling large volumes of transactions. This assessment includes on-site audits and both internal and external network penetration tests. An organization will need to perform monthly vulnerability scans and continuous system patching and remediation to ensure ongoing compliance.

What are the risks?

If an organization does not achieve the appropriate level of PCI compliance, the payment card networks may impose fines or even prohibit the organization from processing payment cards. However, the greatest risk to an organization is the threat of a data breach, which can result in significant fines, legal fees and loss of business.

Example: In 2013, a major retail corporation experienced a payment card breach that resulted in a 46 percent decline in profit.

In 2009, payment data breaches represented 98% of all data breaches [4]

HIPAA AND HITECH

What is it?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires national standards for privacy, security and electronic healthcare transactions. The Health Information Technology for Economic and Clinical Health (HITECH) Act gives more specific details on the meaningful use of health information technology. While most payers have already achieved HIPAA compliance in a number of areas, as payers move to electronic payments and automation, there are additional requirements that they must meet for all payment types: consumer-to-provider, consumer-to-payer and payer-to-provider.

What are the challenges?

Many organizations will claim that they are HIPAA compliant, but the only way to prove compliance is through independent, third-party certification. For example, EHNAC (the Electronic Healthcare Network Accreditation Commission) is an independent, federally recognized organization that certifies for EHNAC FSAP (Financial Services Accreditation Program) and HNAP (Healthcare Network Accreditation Program), both of which are important when dealing with healthcare payments. In order to achieve third-party HIPAA certification, an organization must complete a self-assessment and undergo regular, on-site audits at all physical locations, including any of the organization's partners. It is crucial that payers ensure that they work with HIPAA-certified vendors for payment processing.

What are the risks?

The penalties for HIPAA violations vary widely depending on the type of violation, but in most cases, the penalty is a fine of thousands and even millions of dollars. In severe cases, a HIPAA violation can lead to imprisonment. Violators also face significant legal and consulting fees to remediate HIPAA breaches.

Example: In 2013, a large health system reported a HIPAA violation affecting more than four million patients when unencrypted laptops were stolen, resulting in a class-action lawsuit.

FRAUD PREVENTION

What is it?

When payers leverage electronic payments, there is a high risk of fraud when it comes to accessing a payee's (the healthcare provider's) bank account for direct deposit. For example, a staff member at a provider organization may complete enrollment to receive ERA/EFT, but enter a personal bank account to receive the funds in a fraudulent manner. In addition to payer-to-provider payments, fraud prevention is also important for consumer-to-provider and consumer-to-payer payments. It is the payer's responsibility to ensure that it deposits funds into the correct bank account.

What are the challenges?

It is crucial that a payer or its vendor has a rigorous underwriting process, automated KYC checks and ongoing monitoring in place for any bank accounts receiving funds.

- Underwriting: Assess the expected payment volume and any potential risks
- KYC: Complete KYC (including OFAC/SDN check, IRS TIN match, credit history, etc.) before moving funds to the bank account
- Real-time security profile monitoring: Monitor payment activity on a daily basis to detect suspicious activity
- Account changes: Manage changes requested to a provider's account (including banking information, contact information or payment preferences) in a compliant manner

What are the risks?

If an organization does not have a rigorous fraud-detection program in place, the potential risks include lawsuits, fines and loss of business due to distrust from providers and consumers. If fraudulent activity is found to be money laundering, there are additional penalties on the state and federal levels, which could include fines and imprisonment.

Example: In 2008, a major financial corporation received fines of $1 million for failing to document customer identification practices.

60% of U.S. organizations were exposed to actual or attempted payment fraud in 2013 [5]

PPACA ERA/EFT MANDATE

What is it?

Under PPACA, the Phase III Operating Rules for ERA/EFT developed by CAQH CORE define the requirements that all payers must meet for delivering ERA/EFT transactions to providers, as of January 2014. The Operating Rules include standards for ERA/EFT enrollment, claim adjustment reason codes (CARCs) and reassociation, which requires the EFT trace number to be included with the ERA file to streamline payment reconciliation.

What are the challenges?

Complying with the ERA/EFT mandate is a major undertaking for a payer, especially if the payer decides to use internal resources to build the capability rather than partnering with a vendor that is already compliant. Regardless of the manner in which a payer implements ERA/EFT, key components must include:

- Comprehensive testing plan
- Provider support and training
- Daily monitoring and reconciliation of all payments
- Enrollment automation plan
- Provider adoption
- Provider KYC and bank account management

What are the risks?

The risks of non-compliant ERA/EFT transactions are provider dissatisfaction and loss of revenue by continuing to use manual, payer-based processes. Furthermore, accessing provider bank accounts to deliver EFT payments exposes providers to all of the risks associated with fraud, HIPAA and AML.

For more information: www.instamed.com/wp-content/uploads/implementation-Insights-Models-to-Deliver-EFT-ERA.pdf

50% of payers do not meet the requirements for the CAQH CORE Phase III Operating Rules for ERA/EFT [1]

ENSURING COMPLIANCE

The requirements for achieving compliance are complex, challenging and expensive to manage. It is important to understand all of the key questions to ensure that a vendor is fully compliant and certified. The checklist below includes some of the important questions to ask when ensuring that full compliance is in place.

COMPLIANCE CHECKLIST

This Compliance Checklist is a guide of questions that payers and/or their downstream vendors should answer when handling payments.

MONEY TRANSMISSION

- Are you registered with FinCEN?
- Have you obtained all state-specific licenses for money transmission?
- Do you have an annual staff training program on money transmission laws?

AML

- Describe your AML program.
- Do you have an automated KYC process? Describe all steps of this process.
- Do you monitor money movement on a daily basis to detect suspicious activity? Describe this process.
- How do you document and report suspicious activity detected?
- Do you have an annual audit of your AML program?
- Do you have an annual staff training program on AML awareness?

PCI

- Are you PCI Level One certified?
- Do you have a staff training program on payment card security?
- Do you conduct monthly vulnerability scans?
- Do you support end-to-end encryption for payment cards?

HIPAA & HITECH

- Are you independently certified for HIPAA compliance? List the certifications and vendor names.
- Do you have regular, on-site audits at all of your organization's physical locations? List all physical locations with the date of the most recent on-site audit.
- List all organizations with whom you partner to deliver payment solutions.
- Do the partners listed above undergo regular, on-site audits at all of their physical locations?
- Do you have a staff training program on HIPAA and HITECH?

FRAUD PREVENTION

- Do you maintain an automated KYC process? Describe all steps of this process.
- Do you monitor money movement on a daily basis to detect suspicious activity? Describe this process.
- How do you document and report suspicious activity detected?
- Describe your process to manage requested changes to provider accounts (banking information, contact information, payment preferences, etc.).
- Describe your underwriting process for new accounts.

ERA/EFT MANDATE

- Do you meet the requirements outlined in the CAQH CORE Operating Rules for ERA/EFT?
- Can you provide a sample project plan to implement ERA/EFT, including your testing plan?
- Do you support online and paper-based provider enrollment for ERA/EFT?
- Describe your standard provider adoption approach, including timing and communication materials.
- How do you handle provider training and customer service inquiries for ERA/EFT before and after provider enrollment?
- Do you maintain an automated KYC process? Describe all steps of this process.
- Do you monitor and reconcile funds on a daily basis? Describe this process.
- Describe your process to manage requested changes to provider accounts (banking information, contact information, payment preferences, etc.).

CONCLUSION

The healthcare payments industry is continuing to change drastically, presenting opportunities for payers within all three payment channels in healthcare: consumer-to-provider, consumer-to-payer and payer-to-provider. Payers gain significant value in implementing electronic payments and facilitating simpler payments management for consumers, including enhanced consumer engagement and reduced administrative costs. However, it is important for payers to understand and apply the best practices and the security requirements associated with electronic payments. This is not only crucial to increase the value of electronic payments, but also to protect the payer's business.

ABOUT INSTAMED

InstaMed simplifies every healthcare clearinghouse and payment transaction for providers and payers, all in one place. InstaMed allows payers to cut settlement and disbursement costs with electronic payments. InstaMed enables providers to collect more money, get paid faster and reduce the time and costs to collect. InstaMed's single, integrated network simplifies the healthcare payments process for 1,500+ hospitals, 70,000+ practices/clinics and 100+ billing services; connects to 3,000+ payers; and integrates with 60+ practice management systems. InstaMed processes tens of billions in healthcare payments each year at a rate of more than $1,500 per second. Visit InstaMed on the web at www.instamed.com or contact info@instamed.com for more information.

Sources:
[1] InstaMed Trends in Healthcare Annual Report
[2] AHIP
[3] Deloitte Review
[4] Trustwave Global Security Report
[5] AFP Payments Fraud and Control Survey
