PAYOR ENTERPRISE RISK MANAGEMENT AND IMPLICATIONS OF THE AFFORDABLE CARE ACT

LINDA DUDASH CAREFIRST BLUECROSS BLUESHIELD

ERIC LOWY KPMG

AHIA 35th Annual Conference – September 11-14, 2016

www.ahia.org

1

Introductions2

Linda Dudash

Director, Operations and Corporate Audit

Audit & Advisory Services

Owings Mills, MD

Tel: (410) 998-7748linda.dudash@carefirst.com

Eric Lowy

Director, Healthcare Advisory

Internal Audit & Regulatory Compliance

Baltimore, MD

Tel: (408) 461-0919elowy@kpmg.com

INSERT PICTURE

INSERT PICTURE

Agenda

Background on CareFirst BlueCross BlueShield and CAAS Overview of Payor Enterprise Risks and Risk Management Impact of Affordable Care Act on Payor Risks Questions

3

Introduction to Payor Enterprise Risk Management and Internal Audit

CareFirst BlueCross BlueShield4

CareFirst BlueCross BlueShield

In its 78th year of service, CareFirst BlueCross BlueShield (CareFirst) is a not-for-profit, non-stock health services company: Largest health care insurer in the Mid-Atlantic region, serving 3.2 million members. Employs approximately 5500 associates and contractors in MD, DC and VA. Largest provider network in the region, over 35k HMO and 40K PPO Providers. Maintains the nation’s largest Patient-Centered Medical Home (PCMH) program. Serves the nations largest Federal Employees Health Program (FEP), >571,000 members. ‘Best in Blue’ insurer for providing stellar customer service:

For 19 consecutive years for D.C. FEP members For 10 consecutive years for Maryland FEP members

In 2015, contributed $40 million to improve overall health, increase accessibility, affordability, safety and quality of healthcare throughout Maryland and the National Capital Area.

Ethisphere named CareFirst among the World’s Most Ethical Companies in 2013, 2014, 2015 & 2016.

5

Corporate Audit & Assurance Services

MISSION: “To deliver world class audit services to assist CareFirst in the effective management of risk and achievement of the company’s business and strategic objectives.” To successfully accomplish these goals, CAAS will:

Evaluate the adequacy and effectiveness of controls, Raise awareness and educate business owners, Maintain a strong collaboration with management, and Focus business insight on operational efficiencies and cost savings.

Reports to management and the Audit and Compliance Committee of the Board of Directors. Conducts audits in accordance with the “International Standards for the Professional Practice

of Internal Auditing” of the Institute of Internal Auditors, specifically: Adopted the following control frameworks:

COSO National Institute of Standards and Technology (NIST) .

6

Payor Enterprise Risk Structure7

BoD

Audit Committee

Sub-Committees

Internal AuditCAAS

2nd Line of Defense Risk Management, Monitoring & Compliance

1st Line of DefenseControl Environment and Internal Controls

Model Audit Rule

Centers for Medicare and

Medicaid Services

External Financial Auditor

Maryland Insurance

Administration

Dept. of Insurance, Securities and Banking (DC)

Virginia Board of Insurance

Insurance Regulators:External Auditors:

1st Line of Defense: Internal Controls8

Polic

ies

Proc

edur

es

Approvals

QA

Reconciliations

Supervision

Monitoring SDLC

User Access

SLAs

Passwords

SOWs

Security

FP&A

Fraud, Waste & Abuse

Reporting

The 1st level of defense, the control environment and internal controls, provide reasonable assurance that business objectives will be achieved.

1st Line of DefenseControl Environment and Internal Controls

*

*

* *

* * *

* Internal Controls impacted by the ACA

*** *

*

1st Line of Defense: Internal Controls9

People are the key to effective internal controls: Designing, implementing and maintaining properly functioning internal controls to protect the Company against risk is the responsibility of all associates to establish effective internal controls within their particular area of operations.

1st Line of DefenseControl Environment and Internal Controls

Fraud, Waste and Abuse (FWA)

Processes to vigilantly recognizing potential issues of fraud, waste, and abuse (FWA). The most effective way to protect against FWA is early detection through awareness, asking

questions, ensuring documentation and quickly sounding the alarm. Operational Managers and Associates receive training by Special Investigations (SI):

Updated Training and Listing of Current Fraud Trends Listing of Fraud Indicators and Potential Red Flags Guidelines on how to submit referrals for SI assistance

Fraud trends and schemes are constantly evolving… put out one fire, another starts Additional resources include:

A fraud hot line

24/7 support at SIU@CareFirst.com

Customized group training

10

1st Line of DefenseControl Environment and Internal Controls

2nd Line of Defense: Risk Management

Risk Management Under the leadership of the VP of Risk Management

Facilitates and monitors implementation of risk management practices and conducts

Conducts Enterprise Risk Assessment (ERA) to identify known and emerging issues

Assist management in development processes and controls to manage risks

Compliance and Ethics Program Under the direction of the VP Chief Compliance, Ethics and Privacy Officer

Establishes a consistent company-wide process to manage the constantly evolving and highly regulated industry.

Promote a corporate culture that encourages ethical conduct and compliance

Exercise due diligence to prevent, detect, and correct potential violations of the Program, applicable federal and state laws and regulations, and Company policies and procedures.

Risk and Control Monitoring – Model Audit Rule

11

2nd Line of Defense Risk Management, Monitoring & Compliance

Model Audit Rule 205

Annual Financial Reporting Model Regulation; Known as Model Audit Rule or MAR: Financial reporting regulation applicable to insurance companies; but adopted by state.

Borrows significantly from Sarbanes-Oxley of 2002.

Co-developed by the American Institute of Certified Public Accounting (AICPA) and National Association of Insurance Commissions (NAIC) and issued to:

Govern the submission of audited statutory financial statements by insurance companies

Drive Consistency Across Insurance Regulators

Improve ability of insurance departments to oversee the financial condition of insurers

Requires the following to be submitted by insurance companies:

An Annual Financial Statement Audit by an Independent CPA

Communication of Internal Control Related Matters Noted in the Audit

Managements Report of Internal Control over Financial Reporting

Responsibilities include: documentation, testing, remediation, SSAE16 oversight, external audit coordination and reporting.

12

2nd Line of Defense Risk Management, Monitoring & Compliance

Internal Audit

Internal Audit: CAAS

Provides the Audit and Compliance Committee and senior management with independent and objective assessments of the effectiveness of governance, risk and control processes.

CAAS delivers internal audit and special investigation services to provide results in an efficient manner utilizing four separate but integrated teams to provide assurance that business processes and internal controls are

Design and operating effectively; and

in accordance with corporate policies, laws and regulations.

Subject matter specific areas are co-sourced with professional services firms, ex. IT, ACA, etc.

13

Office General Auditor

Operations & Corporate Audit

Information Technology Audit

Special Investigations

FEP Audit & Advisory

Internal Audit

CAAS

Audit & Advisory Services

Audits – Conducts full scope audits in accordance with the annual Audit and Assurance Plan as approved by the Audit and Compliance Committee of the Board of Directors.

Corporate, Operational, Financial and IT audits, including SDLC

Federal Employees Program Audit & Advisory Services

Risk Assessments – Evaluation of risk associated with a governance framework based on an analysis of risk related to achieving defined strategies, processes and control objectives.

Advisory Services – Assurance and advisory services performed at the request of management, based on monitoring of corporate initiatives, or risk/control concerns identified, such as significant changes in regulations, processes or systems.

Advisory services may be performed by CAAS or co-sourced

Deliverable for these engagements is typically different than normal audit reports.

Special Investigations – Fraud prevention, detection, investigation and recoveries of FWA

Corporate Initiative Monitoring – Access and develop strategies to mitigate business risks, enhance controls and improve operational effectiveness. Ex. PCMH, CMS Outcomes

14

Internal Audit

CAAS

Special Investigations (SI)

Special Investigations (SI) works directly with business units and departments to: Provide fraud prevention, detection, investigation, and recoveries of FWA;

Help ensure compliance with mandatory local, state, and federal fraud reporting;

Manage professional and facility overpayment audit and recovery efforts;

Seek restitution of monies that have been improperly paid.

SI has many advanced tools and resources at its disposal to: Data mining, ex. STARS, to identify suspicious trends, schemes, and outliers.

Scoring potential fraud schemes, providers and trends.

SI also relies on other sources to develop leads that require investigation: Referrals from local, state, or federal law enforcement

On-going trends and schemes shared by industry groups

Tips

15

Internal Audit

CAAS

Over the past five years, SI savings and avoidances totaled over $300 million.

CareFirst Board Committees

Executive

Compensation

Finance and Investment

Governance and Nominating

Mission Oversight

Service and Quality Oversight

Strategic Planning

16

Sub-Committees

3rd Line of Defense: Headcount17

Internal Audit Function FTEs

Operations and Corporate Audit 10 FTEs

IT Audit 12 FTEs

FEP Audit & Advisory 15 FTEs

Special Investigations 27 FTEs

Model Audit Rule 10 FTEs

Internal Audit

CAASModel

Audit Rule

Serving over 3.2 Million members with an average Medical Care spending over $7 Billion, it takes a small army to “Protect the House.”

Changes and impacts on due to the Patient Protection and Affordable Care Act

Affordable Care Act18

Affordable Care Act19

Goal of the ACA – Healthcare reform, namely the Affordable Care Act (ACA), is meant to improve access to health insurance, improve cost controls of medical spend, and improve quality while reducing waste.

The goal of the ACA aligns closely with other industry initiatives, ex the “Triple Aim”.

The Triple Aim was implemented to:

1) Improve the overall well-being of insured populations

2) Improve patient experiences (including both quality and satisfaction)

3) Reduce health care costs

The Triple Aim1

Population Health

Per Capital CostExperience of Care

1. The Institute for Healthcare Improvement. http://www.ihi.org/Engage/Initiatives/TripleAim/Pages/default.aspx

Key Components of the ACA

Key Components of the Patient Protection and Affordable Care Act: Requires most U.S. citizens to have health insurance

Creates Federal and State Health Benefit Exchanges for individuals and small businesses to purchase coverage

Provides premium and cost sharing to individual/families with income 133 – 140% of FPL

Creates separate exchanges through which small business owners can purchase coverage

Imposes new regulations/qualifications on health plans in the exchange

Expands Medicaid, as many as 13 million additional beneficiaries

Direct resources to health, wellness, transparency and quality reporting

Significant cuts to Medicare Advantage reimbursement

Individual Mandate: Requires citizens and residents to have health coverage or a tax penalty

20

Highlights of the ACA

Highlights of the Plan as described in 2014:

The Congressional Budget Office (CBO) estimates the reform law will provide coverage to an additional 32 million Americans of the 47 million currently uninsured by 2019.

CBO estimated cost of coverage for the law to be $938 billion over 10 years.

The cost of the bill is to be financed by a combination of savings from Medicare and Medicaid, new taxes and fees, including taxes on high cost insurance.

CBO estimates the deficit will be reduced by $124 billion over 10 years.

21

Benefits of the ACA

More extensive coverage Individual and employer mandates Minimum essential coverage / essential health benefits First dollar coverage for preventive care/screenings Subsidized premiums and related cost sharing Elimination of pre-existing conditions exclusions Prohibitions on recessions of coverage No lifetime dollar limits on essential health benefits Health insurance exchanges Medicaid expansion

More efficient medical systems Electronic medical records Accountable Care Organizations (ACO)

22

Impact of Reform Based Initiatives

23

New Way of Doing Business

Selling directly to consumer New products & pricing Increased volume Business process changes Technology Changes

Brand awareness Go-to-market strategies Marketing programs Customer sentiment Mobile and Internet

Increased oversight & expanded focus HIPAA / OCR reviews Business Associates NAIC / ORSA Star ratings ICD-10

Changing payment models Financial planning/budgeting Performance measurements Data access & analytics Quality focus – Transparency

Products/Services Transformation Regulatory Compliance

Consumer Engagement Financial & Quality Reporting

Data Collection Advanced Data Analytics Predictive Modeling

Data & Technology Infrastructure

23

ACA’s Major Business Disruptions

ACA Requirement Business Disruption

Sales & Marketing Market to a new population for individual and SHOP

Fulfillment Meet new fulfillment requirements

System Capabilities Ability to send and receive files with state-based exchanges; new GL interfaces; system upgrades, CSR functionality, etc.

Enrollment Sources Ability to capture and process 834 enrollments for individual and SHOP members, send confirmations; and process audit files

Premiums Ability to capture and match 820 Premiums to enrollment;

Benefit Design Benefit plan re-design to offer Essential Health Benefits

Pricing Set Pricing for an uncertain underlying population / market

Actuarial Specific actuarial value requirements

Benefit Configuration New design requirements for individual and SHOP plans

Billing, Collections Reconcile member enrollee & subsidies; SHOP premium changes

Grace Period & Terminations Apply required 30 day grace period; appeals and terminations

27

ACA’s Major Business Disruptions (Continued)

ACA Requirement Business Disruption

Finance, Accounting & Actuarial Changes to financial accounting, reconciliations & reserves.

Member Subsidies Changes to processes and systems to account for:

Advanced Premium Tax Credit Ability to split premium billing between member and Gov.

Cost Share Reduction Requires adjudication of two claims (Standard / Shadow);Reconciliation of CSR paid to CSR incurred

Exchange based Fees Capture, pay and reconcile per member pay-in fees

3Rs Subsidies: Changes to accounting, finance and actuarial to account for:

Transitional Reinsurance Shared payment of claims exceeding a set threshold (ex $45k)

Risk Adjustment Redistribution of funds based on avg. actuarial risk score

Transitional Risk Corridor Limits losses and gains based on inaccurate pricing

EDGE Server Reporting Ability to report enrollment and claims to a shared server.

External Risks related to (i) Lack of Exchange Functionality (ex. 820), (ii) Voluminous Errors, (iii) evolving Requirements and (iv) Lack of Complete and Timely Payment of Subsidies.

28

ACA Expected Outcomes: Workers Comp

ACA revised the definition of a full-time employee Individual mandate and SHOP coverage expands access to workers Improved health may lead to lower frequency of injuries or less severe injuries Individuals with no health insurance or with poor coverage tended to file

Worker’s Comp claims2

Decreases in the uninsured population may drive decreased incidence rates Shifts to higher deductible plans may lower personal claims, and increase

Worker’s Comp claims

Potential Outcome: Reduction in Worker’s Compensation claims as access to health insurance becomes more available

2. Jain, Vikas. The Affordable Care Act and its Impact on workers compensation. https://www.cognizant.com/content/dam/Cognizant_Dotcom/article_content/insurance/the-affordable-care-act-and-its-impact-on-workers-compensation-codex1329.pdf

24

ACA Expected Outcomes: Morbidity

Improved health and mortality experience may be attributed to: Access to affordable care Preventive care and medical screening Coordination of care through Accountable Care Organizations (ACOs)

Morbidity may improve due to increasing participation3 which may be attributed to: Awareness and familiarity of insurance reforms, exchanges, and federal

subsidies Language accessibility requirements Federal tax penalties

Potential Outcome: Reduction in morbidity rates due to increased coverage, and greater awareness of health insurance coverage

3. Katterman, Scott. http://us.milliman.com/insight/2013/What-now-2015-individual-market-pricing-Morbidity-and-other-considerations/

25

ACA Expected Outcomes: Life Insurance

A Harvard Medical School study5 found that 45,000 annual deaths were attributed to lack of health coverage

Mortality rates have improved for the last century

Growing population see a need for life insurance

Potential life insurance interest from newly-insured (health) ACA populations

Surge in health insurance premium pricing may reduce life insurance purchasing

Individual life insurance ownership has reached record lows for the past 50 years6

Increase in the number of households with no life insurance

30% of households6 have no life insurance as of 2010, versus 22% in 2004

Potential Outcome: Reduction in life insurance participation due to the rise of health insurance premiums

5. Cecere, David. http://news.harvard.edu/gazette/story/2009/09/new-study-finds-45000-deaths-annually-linked-to-lack-of-health-coverage/

6. LIMRA. Ownership of Individual Life Insurance Falls to 50-Year Low, LIMRA Reports. http://www.limra.com/Posts/PR/News_Releases/Ownership_of_Individual_Life_Insurance_Falls_to_50-Year_Low,_LIMRA_Reports.aspx

26

low- and middle-income people,

The failure of co-ops has resulted in a debt,

in security incidence in healthcare,

in cyber related financial losses,

ACA: By the numbers

ACA Health insurers’ loss estimated at

CMS withhold of ACA advanced payments if 820 variances > 10%,

ACA health insurers sought and only received

OIG says nearly at risk,

ACA Enrollment was in subsidized ACA plans by

$2.5 billion,

25%

$362 million, $2.87 billion

$2.8 billion in APTC payments

57% of expectation

11 $1.2 billion

60% increase

282% increase

5 of the 8 Largest healthcare cybersecurity breaches occurred in 2015.

29

Our approach to ACA Assessments

Identify Regulatory Requirements,

Changes & Risks

– Regulatory Requirements– Objective, Scope and Approach– Risk Register

Map Processes and Policies to Regulatory

requirements

– Requirements Gap Assessment– Functional Process Flow Charts– Initial Risk and Control Matrix

Assess Internal Controls within Processes to

Mitigate Risks

– Risk and Control Matrix– Integrated Process Flow Charts– Policy Gap Assessment– Observations & Findings Log– Recommendations & Opportunities

Perform Control, Transaction and

Substantive Testing

– Testing Results– Observations & Findings Log– Recommendations & Opportunities– Corrective Action Plans

Drivers ofRisk-Based Criteria:

Regulatory Requirements

Impacted Processes

Systems Landscape

3rd Party Administrators

Audit Results

Goal of

Deliverables

Facilitate on-going auditing of control

activities and oversightof action plans.

30

Key ACA Takeaways

Not only are losses unsustainable, subsidy dollars that make the ACA bearable are at risk: APTC, CSR and 3Rs (Re-insurance, Risk Adjustment, Risk Corridor); however, Reinsurance and Risk Corridor transitional programs end with the 2017 plan benefit year.

Reporting is dependent on core competencies in enrollment and billing controls.

Enrollment is the source of (most) evils.

Data integrity, analysis and reconciliation is the key to streamline reporting efforts.

3rd party and vendor related risks (ex. F.D.R.) require risk-based protocols, auditing and monitoring.

The role of internal audit and risk in health care has never been more important.

Ultimately, it is too early to tell if health care quality impacts on the market are due to health care reform, but the impact on the medical trends of the ACA appears limited in the short-term.

The cost to play and comply, for Health Plans, as well as States is much higher than expected.

Cost reductions associated with reform-based initiatives may not be fully realized.

ACA initiatives may not ‘bend the curve’ in Workers Comp. experience.

Increase in ACA health insurance premiums may impact life insurance ownership.

31

32

Questions?

*CareFirst BlueCross BlueShield is an independent licensee of the Blue Cross Blue Shield Association,an association of independent BlueCross BlueShield Plans.

Save the DateAugust 27-30, 2017

36th AHIA Annual Conference