As healthcare organizations prepare for the new year, their concerns likely go beyond what is on their financial statements. In our webinar, “Year-End Accounting & Auditing Update for Healthcare Entities,” Forvis Mazars examined several topics of interest in the healthcare industry, including cybersecurity and what to expect from Washington after last year’s election. This article will offer some key insights for providers to keep in mind.
Risk-Sharing Arrangements
More entities are entering into risk-sharing arrangements, which involve contracts in which a healthcare entity receives payment in exchange for assuming an obligation to provide—and/or become financially responsible for—healthcare services to specified, qualified beneficiaries. It’s important that organizations making contracts communicate with their accounting personnel so the arrangements are properly evaluated. When considering the accounting model to use, entities should refer to Accounting Standards Codification (ASC) 815, Derivatives and Hedging; ASC 460, Guarantees; or ASC 606, Revenue from Contracts with Customers.
Energy Service Agreements (ESAs)
Another arrangement gaining popularity among healthcare entities is the ESA, in which a special purpose entity (SPE) is created and debt remains with the SPE so the provider avoids putting debt on its books. The arrangements also are structured so the SPEs are not consolidated. These arrangements continue to evolve and accounting can vary among providers. Entities considering an ESA should ask questions such as:
- Is there a lease component? In some cases, the provider will retain the underlying assets, but in other cases, they are leased to the SPE, which can trigger a difference in accounting.
- Who gets the excess reserves? Does your organization retain those?
Environmental, Social, & Governance (ESG) Reporting
Even though they aren’t likely SEC registrants, healthcare organizations should understand ESG, particularly what states may require. For example, California has greenhouse gas (GHG) emission and climate risk reporting for organizations that do business in the state that meet certain revenue criteria. In New York, hospitals can have workers’ compensation claim expense reduced if they have a program addressing GHG. By the fourth or fifth year of both programs, there will be reporting requirements that also require auditing.
Student Financial Aid & Related-Party Transactions
Providers that have nursing schools and receive student financial aid money should be aware of new rules that went into effect on July 1, 2024. Robust disclosures are required, such as major donors or board members affiliated with lenders. A Financial Responsibility Supplemental Schedule must be included with audited financial statements and contain information to calculate composite score ratios. If applicable, we recommend filing a separate report with an eZ-Audit filing containing the disclosures.
Employee Retention Credit (ERC)
The ERC, which was available for 2020 and most of 2021, offers a refundable tax credit to help businesses keep staff employed during the COVID-19 pandemic. In the past year, the IRS issued 28,000 disallowance letters for $5 billion in refund claims thought to be “a high risk of being incorrect.” The IRS later indicated that up to 10% of the letters may have been in error. After a lengthy pause, the IRS has resumed issuing refunds for 400,000 low-risk claims. Some organizations may have applied in good faith without being certain that they met the criteria. In those situations, the entities may not want to bring ERC funds into income until they’ve gone through an audit or additional guidance is released.
Single Audit Updates
Providers should note that the annual federal expenditure threshold requiring a Single Audit rose from $750,000 to $1 million effective October 1, 2024. Organizations falling below that threshold won’t be subject to the audit. In addition, the Type A program threshold for awards between $1 million and $34 million is rising to $1 million. Also, the indirect cost rate is increasing from 10% to 15%.
The Office of Inspector General and Health Resources and Services Administration have been auditing organizations that received Provider Relief Fund money, which aimed to support providers during the pandemic. We’ve seen random audits of various providers from across the country. Auditors are focused on lost revenue calculations, specifically how they were recorded, how bad debts and contractual allowances were determined, and controls over not “double-dipping.”
In addition, some providers have received letters from the Homeland Security Operational Analysis Center reviewing FEMA benefits for duplication, particularly reimbursement from another source.
Cybersecurity
The healthcare industry has been the most victimized by cyberattacks for the past 14 consecutive years, with providers containing valuable data with personally identifiable information on patients and employees.1 Some malicious actors engage in blackmail and extortion by threatening to release medical records. Antiquated technology—caused by resource or financial restraints—can create vulnerabilities for healthcare entities.
With some cyberattack disruptions lasting at least 30 days, organizations should consider how they could circumvent a 30-day disruption while continuing to care for patients and access critical data. In addition to policies and procedures, providers should test their readiness by emulating a scenario and simulating what the response will be.
Outlook From Washington, D.C.
When President Donald Trump’s administration begins this month, it will likely reissue a lot of policies from Trump’s first administration that were rescinded by President Joe Biden’s administration, such as the return of short-term, limited-duration health plans to provide 12 months of coverage.
Also, expect CMS to give states much more flexibility in how they manage their Medicaid programs. Governors could take actions such as implement cost sharing and different eligibility and enrollment for the renewal processes.
With the Trump administration potentially using 10% or higher tariffs to raise revenue, healthcare items may be affected. Even if certain categories of healthcare products were excluded, supply chain costs may still be affected.
Forvis Mazars Can Help
Forvis Mazars provides assurance, accounting, tax, and consulting services for hospitals and health systems. If you have any questions on the topics raised in this article or need assistance, please reach out to a professional at Forvis Mazars.
- 1“Cost of a Data Breach Report 2024,” ibm.com.