CONTENTSThe New Measurement of Value in Medicine: Understanding Outcomes & Competition in a Changing Industry . . 1

The Evolving Cyber Threat & How Healthcare Can Mitigate It . . . . . . . . . .5

Blockchain Could be the Answer to Healthcare’s Interoperability Problem . . . . . . . . . . . . . . . . . . . . . . . . . .8

Trends in Taxation: Hospital Exemptions under the Microscope . . . . . . . . . . . . . . . . . . . . . . 11

Mark Your Calendar… . . . . . . . . . . . . .12

SUMMER 2017www.bdo.com

THE NEW MEASUREMENT OF VALUE IN MEDICINE: UNDERSTANDING OUTCOMES & COMPETITION IN A CHANGING INDUSTRY By David Friend and Patrick Pilch

THE NEWSLETTER FROM THE BDO CENTER FOR HEALTHCARE EXCELLENCE & INNOVATION

Lewis Carroll wrote in Alice’s Adventures in Wonderland & through the Looking-Glass, “If you don’t know where you are going, any road can take you there.”

That has been an apt description of the alignment of healthcare payment and outcomes for some time. The roads are getting clearer and the destinations and goals measured and paid for are becoming more distinct. But new entrants and competition are disintermediating legacy providers and therapies, changing the determination of value for companies, therapies and episodes of care. This is

disrupting traditional methods of value validation in the process.

WHAT IS VALUE AND HOW DO YOU MEASURE IT? In financial terms, value is often measured by discounting projected future cash flows back to the present. This has been an acceptable approach in many industries, including healthcare. However, value changes over time, as the sense of the future evolves.

Case in point is the rise and demise of Tower Records. In the 1980s, when the music industry distribution model increasingly utilized specialty focused

TOP INSIGHTS FROM THE BDO KNOWS HEALTHCARE BLOG

What Healthcare Organizations Should Know About Petya-like Cyberattack

WannaCry: How Healthcare Organizations Can Protect Against it & Other Ransomware Strains

FBI Warns Healthcare Facilities About Cyber-vulnerable FTP Servers

Hospitals: How a Proposed CMS Rule Would Adjust HRRP Penalties by Proportion of Dual-Eligible Patients

Video: 5 Forces Disrupting Healthcare with or Without Washington

Read more and subscribe at www.bdo.com/blogs/healthcare/

full-service record stores, Tower Records flourished. By 2006, Tower Records filed for bankruptcy, brought on by debt that supported an aggressive expansion strategy that failed to understand that music downloads (plus streaming services) were becoming a new competitive force to Tower as an alternative, personalized distribution channel. Tower Records’ failure to recognize new forces of competition and innovation was fatal. By adhering to a facilities-driven channel strategy and continuing to pursue the wrong capital strategy, the company ended up with too much inventory and facility capacity, which ultimately led to its demise.

For the healthcare industry, as care becomes more consumer-focused and personalized, new entrants and competition are coming into the industry. In addition, reimbursement is migrating to episode-based bundles. The industry is facing a disruption scenario much the same as Tower Records. The value of healthcare assets is changing as their respective importance and efficiency shift risk and worth.

As Michael E. Porter, Harvard Business School professor and author of Redefining

CONTINUED FROM PAGE 1

VALUE IN MEDICINE

Health Care: Creating Value-Based Competition on Results, said: “The only way to truly reform healthcare is to reform the nature of competition itself.” This means disintermediation of incumbent players by new participants, (think the iPhone or Pandora vs Tower Records) new models (think streaming music vs buying vinyl records), diagnosis and measurement (think machine learning and artificial intelligence vs “American Top 40”).

The failure of many leading healthcare organizations to grasp this change is leading to an over-weighted, facilities-driven channel strategy, an inefficient capital strategy continuance and ultimately, costly facility capacity. There is no reason to believe the story of healthcare will end any differently than it did for music.

For healthcare institutions to survive and thrive, they will need to understand the nature of competition, how to create and measure value, and how to create sustainable competitive advantage through effective risk management and clinical performance. While this counsel may appear to be redundant to existing practices, changing payment and quality

measures, new competition and innovative forces are converging into a power that can’t be ignored.

Healthcare institutions (including all providers of care and therapies like pharmaceuticals, life sciences, biotech and medical devices) will also need to understand how to respond to the demands of the federal and state governments, which will impose regulatory and policy directionality. They’ll also need to know how to concurrently please consumers and payers who continue to look for the best value based on cost, quality and experience.

Market (innovation and revolutionary forces) and regulatory drivers must be synthesized to plan for a new model that can work profitably and sustainably. These factors are converging to change delivery, pricing, access and value.

MARKET DRIVERSA profound movement of care has taken place from hospitals to non-hospital settings. This shift will only accelerate as integrated supply chains emerge to address high-cost fragmented care and therapies, and mobile technologies and telepresence access points continue to flourish in a world embracing greater site neutrality (think of music downloads and smartphones as comparable distribution channels). The convergence of molecular biology and computer science is already having a notable impact on value by displacing existing protocols and delivery models. Witness the emergence of digital life sciences in its displacement of legacy analog procedures in the diagnostic space. Lastly, there has been negative return on capital for healthcare companies. This is remarkable, as healthcare investment has historically been a stalwart with steady returns.

REGULATORY DRIVERSPolicies at the federal and state levels are changing, as well. The Obama

2 BDO KNOWS HEALTHCARE

gap accelerates with “industrialization” of healthcare through the integration of supply chains. Risk capital and the competence of the clinical enterprise will determine how efficiently providers of care and therapies will extend value multiples on assets. Exceptions to this likelihood—albeit temporary—include defenses associated with patent protection, price/clinical outcomes superiority to market and, in some instances, geographic dominance with full risk providers.

Existing regulatory barriers enforced through anti-kickback provisions and a volume-based predisposition held onto by hospital providers may stall near-term acceptance. Still, value-based pharmaceutical agreements will begin to take hold, and providers, pharma companies, patients and payers will participate in value-based therapies and networks. The federal policy favors this.

THE CHANGING MODEL OF HEALTHCARE

Payment (costs) Moving payment from fee for service (reimbursement for every service) to value based (payments tied to outcomes) has been underway for some time, and there

is certainly much further to go. The cycle of a fragmented payment system leading to fragmented care and an unsustainable healthcare system leads us to payment reform. Rising costs and outcomes not appropriately aligned have laid a foundation for the transition to value-based payment.

As seen in the data from Kaiser above, over the course of 10 years, employer contribution grew from $8,508.00 to $12,865.00, with a compound annual growth rate, or overall return, of 4.22 percent. The cumulative rate of inflation approximates 19.1 percent, or 1.91 percent on a compounded annual growth rate.

Also seen in the data above, over the course of 10 years, worker contribution grew from $2,973.00 to $5,277.00, with a compound annual growth rate, or overall return, of 5.91 percent. The increased cost of health insurance for both employers and workers has changed the derivation of value into the consumers’ hands.

There is a profound risk shift occurring that is changing the way healthcare and pharma/life sciences assets will be valued. The risk shift is from payer to consumer or intermediary. For example, the federal government continues to shift financial

administration focused on policies to speed up the adoption of payment reform through mandates, regulatory enforcements and subsidies. While the Trump administration’s policy counterpoints of choice—competition and actuarial soundness (possibly with assistance from tax credits)—are different approaches from the previous administration, payment reform acceleration is still on track. Adding to the mix, aging populations and increases in co-morbid and chronic illnesses are demanding resources from strained budgets.

At the state level, payment reform, particularly in Medicaid, continues to be explored as state budgets experience strain because of growing pension obligations and tax revenue shortfalls. At least 22 states face budget shortfalls for the current or next fiscal year or biennium (two-year schedule), according to the National Conference of State Legislatures’ Spring 2017 State Budget Update. Thirteen states will face a shortfall in both cycles. The report does not attribute shortfalls to any one cause, but lists a range of causes for many states, including “demographic changes, low energy prices and a sluggish agricultural economy.”

These market and regulatory drivers have led to varied responses, but clearly the healthcare ecosystem is experiencing shifts that ultimately affect the way, where, how and when patients receive care. Moreover, the focus of value has shifted to improving the patient experience and the quality of care while lowering costs. Payment reform in the context of federal and state Medicaid models and bundled payments, and aligning episodes of care with payment will continue to change what “value” means.

It is clear there is a mispricing of healthcare assets, which sets the stage for significant arbitrage opportunities between presumed value and actual value. The highest-cost provider of care and therapies are at the greatest risk of loss through disintermediation. The arbitrage

AVERAGE ANNUAL HEALTH INSURANCE PREMIUMS AND WORKER CONTRIBUTIONS FOR FAMILY COVERAGE, 2006-2016

58% Total Premium Increase

78% Worker Contribution

Increase

$11,480

$8,508

$2,973

$12,865

$5,277

$18,142

2006 2016

Worker contribution

Employer contribution

Source: Kaiser/HRET Survey of Employer-Sponsored Health Benefits, 2006-2016

CONTINUED FROM PAGE 2

VALUE IN MEDICINE

3BDO KNOWS HEALTHCARE

risk to the states and the population. Large employers have become increasingly self-insured, and they too have shifted risk to employees. Providers and provider systems have assumed greater risk associated with value-based payment, while insurers have decanted their risk by positioning themselves as service providers to those entities (providers, self-insured employers and individuals) where someone else is backstopping the risk.

When considering value, measurement systems need to be put into place to collect and measure viable data on performance, ensuring they meet accepted standards. This value-based payment model shows a clear movement toward consumers determining value in healthcare.

Delivery of care (patient experience)There has been a shift away from institutionalized care to site neutrality where the site may be virtual or a step-down unit or location. The de-institutionalization of care calls for site neutrality and creates other types of competition, often generating excess capacity in hospitals. To improve value for traditional “bed-driven” models, sites now need to realign beds with the right acuity and payer mix, leveraging its “circle of clinical competence.”

Again, the application of a value-based pharmaceutical agreement will change the delivery of care model, particularly in new therapies.

In the shift from volume to value, the value multiple shifts from capacity to the circle of clinical competence and its ability to reproduce value (clinical outcomes) efficiently. Investment consideration and due diligence need to take this into account. It is not a simple exercise but certainly an important one.

Type of care (quality)Value used to be tied to the number of specialties provided, particularly for acute care providers. The result has created important service lines in hospitals and often redundancy of services in a market. It has also generated a rush to develop competitive, but not necessarily differentiated, offerings to serve the market and drive volume to achieve revenue goals and absorb capacity availability. Bundling of care and payment is particularly disruptive on existing fee-for-service models and the effect could be either punitive or beneficial. The determining factor is the company’s circle of clinical competence—is it leverageable, and can it be extended efficiently? Though it has abated, the trend had been to organize care

around Centers of Excellence for Advanced Medicine to build a strong reputation. Now, models will move to be aligned more specifically around episodes of care as payment for care is rapidly moving to cover an episode of care which addresses acute and post-acute care delivery. Again, as capacity value diminishes, the circle of high clinical competence value flourishes.

The path to successUltimately, regulators and payers (institutional and individual) are assessing and validating prices, quality and patient experience, which are determining value. Awareness and placement of the arbitrage risk is essential. The patient is the measurable determinant. Competition for differentiation by value requires assessment of cost of care to market and to the possible, understanding what clinical competence is needed to deliver value, and where a company can perform optimally in the supply chain of care as measured by how efficiently a company can reproduce assets. Clearly, there will be winners and losers, and many significant. Our counsel is to seek understanding of value; know where your company’s assets are participating in the supply chain and how well its circle of clinical competence can reproduce value through clinical outcomes more efficiently than the market on a sustainable basis.

As we started, we finish with what Lewis Carroll wrote in Alice’s Adventures in Wonderland & Through the Looking-Glass: “Where should I go?” asked Alice. “That depends on where you want to end up,” replied the Cheshire Cat.

David Friend is the chief transformation officer in The BDO Center for Healthcare Excellence & Innovation. He

can be reached at dfriend@bdo.com.

Patrick Pilch is the national co-leader of The BDO Center for Healthcare Excellence & Innovation. He can be

reached at ppilch@bdo.com.

CONTINUED FROM PAGE 3

VALUE IN MEDICINE

4 BDO KNOWS HEALTHCARE

THE EVOLVING CYBER THREAT & HOW HEALTHCARE CAN MITIGATE ITBy John Riggi and Patrick Pilch

WannaCry sent a message: Healthcare has a target on its back, and cyber-attackers have homed in on the mark.

When the May 12 ransomware attack unleashed more than 75,000 ransomware attacks across the globe and harmed a notable portion of the U.K.’s healthcare sector, U.S. healthcare organizations were largely spared because of a virtual, but temporary, kill switch discovered before the malware made its way across the pond.

Covered entity Location Individuals affected Submission date Breach type Breach location

xxx Kentucky 697,800 March 1 Theft Other

xxx Texas 279,663 March 22 Hacking/IT incident Network server

xxx Pennsylvania 93,323 April 28 Hacking/IT incident Network server

xxx Indiana 85,995 March 2 Hacking/IT incident Network server

xxx Missouri 80,270 March 25 Hacking/IT incident Email

xxx Georgia 79,930 February 21 Hacking/IT incident Other

xxx Texas 75,000 January 23 Unauthorized access/disclosure Desktop computer

xxx Tennessee 65,000 March 9 Hacking/IT incident Network server

xxx Texas 55,447 March 26 Hacking/IT incident Network server

xxx Florida 24,809 January 27 Hacking/IT incident Network server

But it would be dangerous for the U.S. healthcare sector to consider itself immune or even less vulnerable, particularly as current cyber threats grow and new ones emerge, directly targeting the sector and its data.

In 2016, the U.S. healthcare sector saw a record number of large-scale data breaches (those affecting 500 or more patients). According to data from the Department of Health and Human Services’ Office for Civil Rights (OCR), 327 large-scale data breaches were reported last year, compared to 199 in 2010.

In 2017, the industry has already seen its fair share of large-scale data breaches, with 130 reported as of June 13.

OCR defines an information breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI).” It breaks types of information breach into seven categories: hacking/IT incidents, improper disposal, theft, unauthorized access/disclosure, unknown and other.

TOP 10 LARGE-SCALE HEALTHCARE INFORMATION BREACHES OF 2017**

*Data source: OCR’s Breach Portal **As of June 13 and measured by the number of individuals affected

5BDO KNOWS HEALTHCARE

Each type of information breach can be defined as:

u Hacking/IT incidents: Incidents involving insider or outsider intrusions

u Improper disposal: Incidents in which PHI is improperly disposed

u Loss: Incidents in which a device containing PHI is lost by the organization or an employee

uTheft: Incidents in which a device containing PHI is stolen from the organization

u Unauthorized access/disclosure: Incidents in which inside or outside actors either access restricted areas of the organization’s network or disclose PHI to an unauthorized recipient

uUnknown: Incidents in which data is not reported or missing

uOther: All other types of incidents

SHIFTING THREATSThe type of security breach posing the largest threat to the industry has evolved over the last seven years from theft to unauthorized access or disclosure of data.

In 2010, theft was the most common type of information breach, comprising 135 of the 199 reported incidents (68 percent). Hacking or IT incidents and unauthorized access or disclosure breaches remained lower, with each making up 8 percent of all reported breaches.

By 2016, 129 (29 percent) of breaches involved unauthorized access or disclosure, while 113 (35 percent) were associated with hacking or IT incidents—making these two breach types the greatest threats to the healthcare industry, which holds true today.

Theft breaches followed (62 incidents), then data loss (16 incidents) and, finally, improper disposal (7 incidents).

MITIGATING EVOLVING RISKSThe human element presents the greatest cyber risk of all. The most important step to mitigating this risk is to implement

proper access controls including file, directory and network share permissions with least privilege in mind. But a broader, well-rounded and documented cybersecurity plan is crucial and should address the following:

u Risk assessment. Entities should perform regular risk assessments through which they can identify and classify their assets, risks, threats and vulnerabilities.

uData/network mapping and access control/management. Entities should know where all HIPAA information is stored, how it traverses the network and the security around that data—who has access, who has control and who has what privileges?

uDevice monitoring. Crucial when it comes to theft breaches, mobile device management (MDM) can alleviate some of these human error risks. Entities should know about every mobile device in their organization that contains personal health information (PHI).

u Third-party due diligence. Vendor systems can be an access point or weak link in an organization’s protection. Third-party risk due diligence must be done through the prospect, initiation

CONTINUED FROM PAGE 5

CYBER THREATS

and ongoing relationship stages to isolate changes in risk and vulnerability postures.

uTop-down security mindset that supports staffing and training. Board members should be informed and proactive in taking ownership of cybersecurity. Organizations should ensure they have a dedicated information security function that reinforces cyber awareness throughout the organization.

*Note: Chart created using data from OCR’s Breach Portal

HEALTHCARE BREACH TYPES AFFECTING 500+ INDIVIDUALS

NUMBER OF LARGE-SCALE BREACHES BY YEAR*

2010 199

2011 200

2012 218

2013 277

2014 312

2015 269

2016 327

2017** 130

*Note: Each count is the total number of reported breach incidents of the specific information source and breach type. Individual reports of a breach may involve or more breach types (theft, loss, etc.). In those cases, there may be double-counting of the number of reported incidents or reported breaches in a specific year.

**As of June 13, 2017

140

120

100

80

60

40

20

02010 2011 2012 2013 2014 2015 2016 2017

Hacking/IT incident Improper disposal Loss

Other Theft Unauthorized access/disclosure

Unknown

6 BDO KNOWS HEALTHCARE

DID YOU KNOW...Fee-for-service revenue made up 50 percent of HHS organizations’ funding as of their last fiscal year, compared to 29 percent across all nonprofits surveyed, revealed BDO’s Nonprofit Standards. The finding underlines the unique predicament healthcare organizations face in the move to value-based care.

A proposed CMS rule that would require Medicare to consider hospitals’ proportion of dual-eligible patients when calculating penalties under the Hospital Readmissions Reduction Program garnered more than 4,000 public comments.

Medicaid enrollees are, for the most part, happy with the healthcare they receive under the program, a study published in July by the Harvard T.H. Chan School of Public Health revealed. Under the Affordable Care Act, Medicaid was expanded in 31 states and D.C.—underlining the challenges Congress faces as it takes on healthcare reform.

The number of uninsured adults in the U.S. has increased by about 2 million in 2017, with the uninsured rate increasing to 11.7 percent in Q2 compared to a record low of 10.9 percent at the end of 2016, according to the recently published Gallup-Sharecare Well-Being Index.

The rate of serious medication mix-ups has doubled since 2000, according to a new study from the U.S. National Poison Data System, with four out of 10 mistakes involving heart medications, painkillers or hormone therapy prescriptions like insulin. Many times, the errors result in hospitalizations.

uWell-documented policies, standards and procedures. Providers should document their cybersecurity mindset and be able to produce specific guidance, like their cyber incident response plan, the types and frequency of network security tests performed, and training protocols.

Additionally, the FBI recommends the following mitigation measures specific to ransomware attacks like WannaCry:

uApply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017. (Organizations using unsupported Windows operating systems including Windows XP, Windows 8 and Windows Server 2003 should follow customer guidance from Microsoft.)

uEnable strong spam filters to prevent phishing e-mails from reaching end users and authenticate in-bound e-mail using technologies like Sender Policy Framework, Domain Message Authentication Reporting and Conformance, and DomainKeys Identified Mail.

uScan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.

uEnsure anti-virus and anti-malware solutions are set to automatically conduct regular scans.

uManage the use of privileged accounts, assigning administrative access only when absolutely needed.

uDisable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications. Develop, institute and practice employee education programs for identifying scams, malicious links and attempted social engineering.

uHave regular penetration tests run against the network, no less than once a year, and ideally, as often as possible/practical.

uTest your backups to ensure they work correctly upon use.

The FBI also recently identified DeltaCharlie, a Distributed Denial of Service (DDoS) Botnet infrastructure that North Korean cyber actors known as HIDDEN COBRA are using to target media, aerospace, financial and critical infrastructure sectors in the U.S. and around the world. Organizations should read the Department of Homeland Security (DHS)’s full alert on that here.

Organizations could also benefit from the HITRUST CSF, the most widely adopted security framework in the U.S. healthcare market which helps facilitate HIPAA compliance and cyber readiness. Read more information on that here.

Additional cybersecurity resources can be found here:

Introducing SOC for Cybersecurity: Translating Cyber Risk for Every Stakeholder

U.S. Government Introduces Healthcare Cybersecurity Resource Website

Network Segmentation Key to Mitigating Ransomware Risk for Hospitals

Part 2: BDO’s Approach to Information Governance

FBI Warns Healthcare Facilities About Cyber-vulnerable FTP Servers

How Hospitals Can Improve Cyber-response by Forging a Stronger Relationship Between Counsel & IT

WannaCry: How Healthcare Organizations Can Protect Against it & Other Ransomware Strains

For cybersecurity information specific to your healthcare organization, please contact one of the authors of this article.

John Riggi is the head of BDO’s Cybersecurity and Financial Crimes practice. He can be reached at

jriggi@bdo.com.

Patrick Pilch is the national co-leader of The BDO Center for Healthcare Excellence & Innovation. He can be

reached at ppilch@bdo.com.

CONTINUED FROM PAGE 6

CYBER THREATS

7BDO KNOWS HEALTHCARE

BLOCKCHAIN COULD BE THE ANSWER TO HEALTHCARE’S INTEROPERABILITY PROBLEMBy Patrick Pilch, Sanjay Marwaha, Chuck Pine and Greg Schu

Healthcare has an interoperability problem and it’s costing providers and payers money while leaving them open to compliance vulnerabilities.

As providers are increasingly required to coordinate with partners on the care continuum or risk reimbursement penalties, they are being asked to exchange their siloed data and keep track of reimbursement information and contractual processes with more third parties. The potential for inefficiencies, inaccuracies—and data security slipups—has never been higher.

Enter blockchain.

A permanent and distributed ledger of transactions that supports many different uses, from transacting in cryptocurrencies like bitcoin, to verifying information and contractual processes between a health plan and a patient, the

technology could streamline the process of sharing information.

“Take a standard health plan/provider agreement, or in risk-based relationships, provider/provider agreements, where each provides the other with a paper contract. Each entity loads the agreement into their separate systems, and it defines their relationship,” wrote Bruce Broussard, CEO of Humana, on LinkedIn Pulse. “The payor also has a contract with each person who has purchased a health plan. Using blockchain, the health plan and provider could translate the wide variety of agreements needed to contracts on the blockchain so everyone has visibility, and clarity exists for both the provider and the member. So when a transaction is processed, the blockchain checks the authorization, and everyone can view the status, history and next steps.

“This transactional payment information could also be connected with the clinical service details to provide a holistic view

of the patient’s interaction. Storing the information to create this holistic view in blockchain would create a foundation that enables interoperability and innovation across the industry.”

By using blockchain, providers and payers would do more than make the reimbursement process more streamlined and secure. They would also mitigate the growing risk for false claims because every alteration of information in blockchain is automatically recorded, creating heightened levels of transparency and accountability. Moreover, as more clinical outcome information is gathered and iterated over time, effective prospective risk stratification and management can be deployed which, in turn, can improve planning.

Is there an example of applying blockchain in healthcare, practically speaking? We use the audit process as an example of how the technology could be applied across the industry more broadly.

8 BDO KNOWS HEALTHCARE

Automated Compliance Current-state process depiction

Planning Follow-up Reporting Assessment

Auditor Bank Objectives

Audit scope

Risk assessment Bank

Auditor

Independent audit report

Accounts payable

Accounts receivable

Material information

Auditor Bank Supporting

documentation

Identified errors

Auditor Bank

10K/10Q

Current-state process description

Annually, auditors coordinate with the bank to perform the required audit of financial statements

Members of the audit team work directly with the bank to perform an initial risk assessment and align on the scope, objectives, timing and resources required

The bank provides the audit team with copies of financially material data and access to the systems that enable analyses to be conducted

Auditors evaluate the information provided for completeness and conduct tests for accuracy in parallel to performing the evaluation

Throughout the process, auditors work directly with the leadership and representatives from the bank to address identified errors within the data and testing exceptions

As exceptions are identified, the audit team requests additional information to determine the depth of the concern

At the conclusion of the evaluation, the audit team releases an opinion of the overall financial health of the bank in the form of an independent audit report

The bank uses the results of the report to populate its quarterly and annual filings (10K/10Q)

1 5 7 3

2 4

6 8

1

2

3

4

5

6

7

8

EXAMPLES OF BLOCKCHAIN IN THE AUDIT PROCESSBlockchain could provide a clear enhancement to several aspects of audit and compliance processes, both of which can be resource-intensive.

These processes can trigger rounds of manual reconciliations, involve data that requires significant sampling or full testing, and demand hours of often-duplicative data analysis due to a lack of systems integration.

Efforts required to validate transactions manually can drive up the cost, stretch out the process and decrease the efficiency of the audit procedure. Distributed, electronic ledgers make up the underlying structure of blockchain to maintain, in real-time, transactions that are validated and protected via encryption solutions.

What does that really mean?

A blockchain transaction could be validated when it occurs and can be reviewed for completeness and accuracy using entities that exchange transactions through a common platform. The auditor should be able to more quickly and efficiently reconcile data, amounts, assets, ownership, transactions and other detailed information across the distributed general ledger. Using the financial services industry as an example, the following is a current state overview of an audit and compliance review process. In the context of healthcare, a provider, payer or fiscal intermediary would replace the bank in the process.

In the context of healthcare, the financial exchange is made through a payer or fiscal intermediary with the delivery of care or supplies or services vendor. Essentially by leveraging blockchain for audit and compliance activities, data transparency could be improved, and the need for

duplicative and manual reconciliation and validation processes between healthcare organizations and across disparate systems would be greatly reduced.

Completeness and veracity of the data are essential, and there are concerns in any industry—specifically healthcare, as payment methodology is undergoing significant redesign around clinical outcomes. The U.S. Department of Health & Human Services (HHS)’s Office of Inspector General (OIG) designated the improvement of Medicaid data as a top management challenge, creating the Transformed Medicaid Statistical Information System (T-MIS) to address it by better understanding the care delivered to Medicaid patients—a population of 70 million. In a June 26 report about the implementation status of T-MIS, though, the OIG raised a prominent level of concern regarding the “completeness and reliability” of the data coming from T-MSIS.

Source: World Economic Forum

AUTOMATED COMPLIANCECurrent-state process depiction

CONTINUED FROM PAGE 8

BLOCKCHAIN

9BDO KNOWS HEALTHCARE

Assessment

Automated Compliance Future-state process depiction

Reporting Additional compliance activities

Bank

10K/10Q

Smart contract

DLT financial data extraction layer Accounts receivable

Accounts payable

Management assertions

Depreciation Losses Liabilities Assets Income

Auditor

Accounts payable

Accounts receivable

Accessed through DLT

Auditor

Independent audit report

Stored on DLT

Comprehensive Capital Assessment Review

Enterprise tax filing

IRS Accountant + +

Federal Reserve + Regulator

Future-state process description

Financially material information is accessible to auditors in real time through the use of a financial DLT enabled data extraction layer

Since auditors have authorized access to this data, representatives and leadership of the bank do not need to be involved with audit planning and data distribution

The audit team performs an audit evaluation using data directly from the DLT, eliminating errors generated from manual activity and the requirement for follow-up

Auditors develop the independent audit report and store it on the DLT for real-time access by the bank and regulator

A smart contract facilitates the movement of information from the audit report to financial reporting instruments, minimizing duplicate efforts

In the future, DLT is uniquely positioned to seamlessly execute and automate compliance activities such as:

- Comprehensive Capital Assessment Review (pictured)

- Enterprise tax filing (pictured)

- Real time tasks for trading in financial instruments (e.g. insider trading)

- Processing information about new regulatory developments

1

2

3

4

6

5

1

2

3 4

5

6

“Specifically, states indicate that they are unable to report data for all the T-MIS data elements,” the report noted. “Additionally, even with a revised data dictionary that provides definitions for each data element, states and CMS report concerns about states’ varying interpretations of data elements. If states do not have uniform interpretations of data elements, the data they submit for these elements will not be consistent across states, making any analysis of national trends or patterns inherently unreliable.”

Blockchain could be a solution to this challenge.

By making transactions available in real-time, blockchain technology can help reduce the potential for errors and improve the overall quality of the healthcare audit

process. If the initial transaction is audited, blockchain allows for a self-auditing process and, thus, allows a greater level of assurance. With the added automation and integration of systems, blockchain has the potential to shorten the time required to perform the testing and validation of the information. Again using financial services as an example, below is a potential future state of an audit and compliance review process leveraging automated solutions such as blockchain, whereby a provider, payer or fiscal intermediary would replace the bank in the process.

Using blockchain in healthcare is still a novel idea, but the possibilities it presents to the industry are endless. Bundled payments, clinically integrated networks and risk management are additional areas for development and use.

To learn more about how your healthcare organization can capitalize on blockchain’s opportunities and address its challenges, please contact one of the authors of this article.

Patrick Pilch is the national co-leader of The BDO Center for Healthcare Excellence & Innovation. He can be

reached at ppilch@bdo.com.

Sanjay Marwaha is a managing director and leader of BDO’s Risk Advisory Financial Services practice. He can be

reached at smarwaha@bdo.com.

Chuck Pine is a managing director in BDO’s Financial Services, Investigations and Consulting practice. He can be

reached at cpine@bdo.com.

Greg Schu is a partner in BDO’s Risk Advisory Services practice. He can be reached at gschu@bdo.com.

Source: World Economic Forum

AUTOMATED COMPLIANCEFuture-state process depiction

CONTINUED FROM PAGE 9

BLOCKCHAIN

10 BDO KNOWS HEALTHCARE

By Steven Shill

Tom Smith, partner in BDO’s State & Local Taxation (SALT) practice, has more than 20 years of experience, specializing in state and local taxation within healthcare. We interviewed him about state and local taxation issues that are top-of-mind for healthcare providers.

What is your practice’s focus?

Our team provides sales and use tax consulting services for large for-profit hospital groups that operate multiple facilities in multiple states. Issues arise for them because products are taxed differently by jurisdiction—items subject to sales and use tax in one state are not necessarily subject to sales tax in others. We help hospitals navigate the varying tax laws around supplies and devices purchased.

Our goal is to establish preventive measures to mitigate risks around state audits, but we also manage numerous audits. Right now, we are reviewing an acquisition of a large for-profit group to determine whether it has exposure in past periods and providing compliance training for the local account staff.

Tell us about BDO’s Recurring Refund practice. What factors do hospitals often overlook when it comes to overpaying taxes?

The practice started in Oklahoma in 2001, and we now file refund claims on a regular basis for more than 10 hospitals statewide. What led to the practice’s development was the discovery of a rule unique to Oklahoma, whereby all implants are taxable. If a patient has an implant put in, the hospital pays sales tax on it. But hospitals can receive a tax refund if they can prove the implant was put into a Medicare-Medicaid patient, and we help them keep track of such procedures so they can claim refunds.

The biggest reasons hospitals end up overpaying taxes is because of two factors: the sheer volume of goods they purchase, and confusion around what those products are and how they’re being used.

Accounts payable clerks process new products even if they are never actually used, and hospitals are still (often unknowingly) paying taxes on those products.

Hospitals have such a high volume of products that it becomes difficult to keep track of everything that is being taxed. Often, we’ll first ask hospitals how many items they have in their master list,

and if they say more than 3,000, we know they need to trim that list down. We help identify ways they can do so.

What are some emerging trends hospitals should keep an eye on when it comes to state and local taxation?

On a state and local basis, governments are hungry for revenue, with many facing budget crises. One way they look to boost revenue is by increasing taxation, specifically through property taxes.

The issue of whether state and local jurisdictions can tax nonprofit hospitals is still a big one. As nonprofit hospitals are allowed numerous federal and state tax benefits, to the tune of an estimated total annual value of $12 billion, many local and state jurisdictions are calling for a return benefit to qualify for the property tax exemption. At the very least, some jurisdictions require a certain amount of charity care or community benefit to justify property tax exemptions, while others enter agreements called “payments in lieu of taxes,” where nonprofits pay back local governments for some of their foregone property tax revenue.

Most recently, Connecticut’s House of Representatives approved a bill that would allow communities greater flexibility in revising tax bills to reflect changes in state aid ordered later this year. Connecticut Gov. Dannel P. Malloy has separately recommended allowing communities to tax nonprofit hospitals’ real property, which his office estimates would result in about $212 million revenue annually for cities and towns.

Going forward, I think we’ll see an increase in state and local audits of hospitals, and more local governments re-examining exemptions for nonprofit hospitals.

How do these trends intersect with your work at BDO?

It’s no secret that rural hospitals, especially not-for-profit ones, have struggled in recent years for numerous reasons; hospitals with less than 100 beds in 2013 had an occupancy rate of just 37 percent, reflecting a 5.6 percent drop from 2006, according to the

TRENDS IN TAXATION: HOSPITAL EXEMPTIONS UNDER THE MICROSCOPEAN INTERVIEW WITH BDO’S TOM SMITH

11BDO KNOWS HEALTHCARE

MARK YOUR CALENDAR…

AUGUST

August 15SALT: Unclaimed Property Compliance Update – What You Need to KnowWebinar

August 17ASC 606, Revenue from Contracts with CustomersWebinar

August 24Applying the New Revenue Standard (Part 1)Webinar

August 24Applying the New Revenue Standard (Part 2)Webinar

CONTACT:

STEVEN SHILLPartner—Healthcare, National LeaderOrange County, Calif.714-668-7370 / sshill@bdo.com

PATRICK PILCHManaging Director—Healthcare, National LeaderNew York, N.Y.212-885-8006 / ppilch@bdo.com

ABOUT BDO USA

BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, advisory and consulting services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 60 offices and over 500 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of 67,700 people working out of 1,400 offices across 158 countries.

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: www.bdo.com.

ABOUT THE BDO CENTER FOR HEALTHCARE EXCELLENCE & INNOVATION

The BDO Center for Healthcare Excellence & Innovation unites recognized industry thought leaders to provide sustainable solutions across the full spectrum of healthcare challenges facing organizations, stakeholders and communities. Leveraging deep healthcare experience in financial, clinical, data analytics and regulatory disciplines, we deliver research-based insights, innovative approaches and value-driven services to help guide efficient healthcare transformation to improve the quality and lower the cost of care. For more information, please visit https://www.bdo.com/industries/healthcare/overview.

Accountants | Consultants | Doctors

www.bdo.com/healthcare

@BDOHealth www .bdo .com/blogs/healthcare

Material discussed is meant to provide general information and should not be acted on without professional advice tailored to your firm’s individual needs.

© 2017 BDO USA, LLP. All rights reserved.

Medicare Payment Advisory Commission. And as governments look to tax them at greater rates, that will only compound their financial risk.

Our practice’s clients are oftentimes the larger, for-profit hospital networks that enter joint ventures with not-for-profit rural hospitals. The larger, for-profit hospitals need the patients from the rural ones to feed into their bigger medical centers, and the smaller, rural hospitals need the larger ones to remain financially viable. And

as hospitals—for-profit and not-for-profits alike—see their taxes increase, that trend is only going to grow.

Steven Shill is the national co-leader of The BDO Center for Healthcare Excellence & Innovation. He can be reached at sshill@bdo.com.

Tom Smith is a partner in BDO’s State & Local Taxation (SALT) practice. He can be reached at tasmith@bdo.com.

CONTINUED FROM PAGE 11

TRENDS IN TAXATION

12 BDO KNOWS HEALTHCARE