Cybersecurity in Healthcare: Four Essential Practices to Protect Health Plans and TPAs

Every October, organizations across the public and private sectors come together to observe Cybersecurity Awareness Month. Established in 2004 by a joint declaration from the President of the United States and Congress, this month serves as a critical reminder of the importance of cybersecurity in an increasingly digital world. What began as a U.S. initiative has grown into a global movement, with governments and industries collaborating to raise awareness about the ever-evolving landscape of cyber threats.

Now in its 21st year, Cybersecurity Awareness Month encourages organizations to adopt proactive measures to safeguard personal, financial, and operational data. This year’s focus on best practices serves as a vital guide for healthcare organizations looking to strengthen their defenses.

Protecting sensitive information is paramount in the complex and data-heavy world of healthcare. Health plans and Third-Party Administrators (TPAs) handle large volumes of patient health data, making them prime targets for cyberattacks. As healthcare organizations rely heavily on technology for managing claims, enrollments, and billing, the risk of a breach grows, making cybersecurity not just a priority but a necessity.

In this blog, we will explore four essential practices that healthcare organizations can adopt to enhance their cybersecurity strategies. Building upon guidance from the Cybersecurity & Infrastructure Security Agency (CISA), we have tailored these practices specifically for health plans and TPAs:

  • Recognize and Report Phishing
  • Use Strong Passwords
  • Enable Multi-Factor Authentication (MFA)
  • Keep Software Updated

These tips are designed to help healthcare organizations protect their data and maintain trust with their members, ensuring operational stability and regulatory compliance.

1. Recognize and Report Phishing: Identifying the First Line of Attack

Phishing attacks remain one of the most common and dangerous forms of cyber threats. According to the Verizon 2024 Data Breach Investigations Report, phishing remains a significant issue, with the human element involved in 68% of all breaches.[1] Furthermore, phishing simulations revealed that 20% of users reported phishing attempts, though the median time for a user to click on a phishing link was alarmingly fast—just 21 seconds.

In healthcare administration, where multiple touchpoints exist between patients, providers, and administrators, phishing schemes are particularly disruptive. Health plans and TPAs must train employees to detect suspicious emails or messages that appear to come from trusted sources but are, in fact, designed to steal sensitive information. Proper reporting channels ensure that phishing attempts are caught and neutralized quickly, reducing the risk of further compromise.

What to Do:

  • Educate employees to recognize telltale signs of phishing, such as unfamiliar senders, incorrect domains, or unexpected attachments.
  • Establish a streamlined reporting process to alert the IT team to suspicious emails and potential phishing attempts.
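The telltale signs listed above (unfamiliar senders, lookalike domains, unexpected attachments, pressure language) can be turned into a first-pass triage that an IT team runs over every reported message before a human looks at it. The following is an added example written for this post, not HealthAxis code: the trusted domain list, the risky-extension set and the two sample messages are constructed for illustration, and the scoring is deliberately simple so that each indicator maps back to one item in the training material.

```python
"""Heuristic triage of user-reported emails (added example; constructed data).

Each indicator corresponds to one of the phishing signs employees are trained
on, so the output doubles as feedback to the reporter.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: the organization's own sending domains (placeholders).
TRUSTED_DOMAINS = {"healthaxis.example", "payer.example"}
# File types that are rarely legitimate in inbound mail to claims/billing staff.
RISKY_EXTENSIONS = {".html", ".htm", ".iso", ".js", ".exe", ".zip", ".docm", ".xlsm", ".lnk"}
PRESSURE_RE = re.compile(r"\b(urgent|immediately|suspended|verify your account)\b", re.I)
_ADDR_RE = re.compile(r"<([^>]+)>\s*$")


@dataclass
class Message:
    from_header: str
    reply_to: str = ""
    attachments: List[str] = field(default_factory=list)
    subject: str = ""


def domain_of(header: str) -> str:
    """Lower-cased domain from 'Display Name <user@domain>' or 'user@domain'."""
    m = _ADDR_RE.search(header)
    addr = m.group(1) if m else header.strip()
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, if any."""
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted:
            return None
        brand = trusted.split(".")[0]
        if brand in domain or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage(msg: Message) -> List[str]:
    """Return the list of phishing indicators found in one reported message."""
    indicators = []
    sender = domain_of(msg.from_header)
    if sender and sender not in TRUSTED_DOMAINS:
        imitated = lookalike(sender)
        if imitated:
            indicators.append(f"sender domain {sender!r} imitates trusted {imitated!r}")
        else:
            indicators.append(f"unfamiliar sender domain {sender!r}")
    reply = domain_of(msg.reply_to)
    if reply and reply != sender:
        indicators.append(f"Reply-To domain {reply!r} differs from sender {sender!r}")
    for name in msg.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            indicators.append(f"risky attachment {name!r}")
    if PRESSURE_RE.search(msg.subject):
        indicators.append("pressure language in subject")
    return indicators


# Constructed sample reports: one lure, one legitimate internal message.
SAMPLES = [
    Message("HealthAxis Billing <billing@healthaxis-secure.example>",
            reply_to="collect@mailbox.example",
            attachments=["Invoice_4471.html"],
            subject="URGENT: verify your account"),
    Message("Claims Team <claims@healthaxis.example>",
            attachments=["summary.pdf"],
            subject="Weekly claims summary"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, "->", triage(m) or ["no indicators"])
```

The first sample trips all four checks; the second, from a trusted domain with a benign attachment, trips none. A real deployment would feed the indicator list into the ticket the reporting process creates, so the reporter sees why the message was (or was not) escalated.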

2. Use Strong Passwords: Fortifying the Gateway to Sensitive Data

Weak passwords remain one of the easiest ways for cybercriminals to access critical systems. According to the CrowdStrike 2024 Global Threat Report, credential-based attacks continue to be a preferred entry method for cyber adversaries, with a 60% year-over-year increase in the number of interactive intrusion campaigns.[2] These attacks typically involve the use of stolen or weak credentials to gain access to critical systems, emphasizing the importance of strong, unique passwords to protect healthcare administration systems.

For health plans and TPAs, password policies need to go beyond the basics, ensuring that passwords are not only strong but also unique and regularly updated. Utilizing password management tools can help reduce the risk of using weak or reused credentials.

What to Do:

  • Mandate that passwords be at least 12 characters, incorporating numbers, symbols, and a mix of upper- and lower-case letters.
  • Provide employees with password management tools to ensure they use unique and strong passwords across systems.

The CrowdStrike report emphasizes that password-related vulnerabilities remain a leading cause of system breaches, underscoring the necessity of password security in any comprehensive cybersecurity strategy.

3. Enable Multi-Factor Authentication (MFA): Adding an Extra Layer of Security

Multi-Factor Authentication (MFA) is a crucial security measure that goes beyond the use of passwords. According to Microsoft, enabling MFA can block 99.9% of automated cyberattacks.[3] With over 300 million fraudulent sign-in attempts to Microsoft’s cloud services daily, MFA has proven to be a powerful tool in preventing unauthorized access.

For health plans and TPAs, MFA can dramatically reduce the risk of unauthorized access to systems containing sensitive personal and financial data. MFA requires users to provide an additional form of verification—such as a one-time code sent to their phone or email—before accessing systems. Even if a password is compromised, MFA provides a critical second layer of defense.

What to Do:

  • Require MFA for all platforms that handle sensitive data, including client portals, health plan administrative systems, and billing platforms.
  • Ensure vendors and partners also use MFA to protect shared systems.
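The "one-time code" second factor described above is usually a time-based one-time password (TOTP, RFC 6238): the server and the user's authenticator share a secret, and each derives a short code from the current 30-second interval. The block below is an added example, not code from this post or from HealthAxis, showing how a login backend would verify that factor and why a stolen password alone does not get through. It uses the RFC 6238 SHA-1 test secret so the values can be checked against the standard; the `login` helper and its `password_ok` flag are assumptions standing in for a real password check.

```python
"""TOTP verification for an MFA-protected login (added example).

Implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, plus
the two checks a server needs in practice: tolerance for clock drift and
rejection of replayed codes.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

# RFC 6238 reference secret (ASCII "12345678901234567890"); a real deployment
# generates a random per-user secret and stores it encrypted.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamically truncated per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Code for the time step containing `at` (Unix seconds; now if omitted)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, step: int = 30,
                window: int = 1, used: Optional[Set[int]] = None) -> bool:
    """Accept the code for the current step or +-`window` neighbouring steps.

    Comparison is constant-time, and when a `used` set is supplied a step whose
    code has already been accepted is refused, so a captured code cannot be
    replayed within its validity window.
    """
    t = int(time.time() if at is None else at)
    current = t // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(secret, counter, len(code)), code):
            if used is not None:
                if counter in used:
                    return False
                used.add(counter)
            return True
    return False


def login(password_ok: bool, secret: bytes, code: str, at: Optional[int] = None,
          used: Optional[Set[int]] = None) -> str:
    """Both factors must pass; the failure reason is not revealed to the caller."""
    # `password_ok` is an assumption standing in for the real password check.
    if password_ok and verify_totp(secret, code, at=at, used=used):
        return "granted"
    return "denied"


if __name__ == "__main__":
    print("code at t=59:", totp(RFC_TEST_SECRET, at=59))   # RFC 6238 vector 94287082, last 6 digits
    print("current code:", totp(RFC_TEST_SECRET))
```

Two design points worth noting: the window of one step on either side absorbs phone clock drift without letting old codes live for long, and tracking accepted steps per user is what turns "something you have" into a genuinely one-time factor.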

By implementing MFA, organizations can significantly decrease the chances of account compromise, making it a vital part of a robust security strategy.

4. Update Software: Staying Ahead of Vulnerabilities

Outdated software continues to be one of the most significant vulnerabilities in healthcare systems. According to the 2023 Ponemon Institute Cost of Insider Risks Report, organizations that experienced insider-related incidents attributed a significant percentage of breaches to employee negligence, which includes failing to update or patch software. In fact, non-malicious insider incidents—often caused by oversight such as missing software updates—represented 55% of all insider incidents, costing organizations an average of $505,113 per incident.[4]

Health plans and TPAs rely on numerous systems to handle sensitive data, and failure to keep these systems updated leaves them vulnerable to both insider threats and external attacks. Regular software updates ensure that known vulnerabilities are patched, reducing the likelihood of successful cyberattacks.

What to Do:

  • Implement a routine schedule for system audits and software updates, prioritizing critical patches for known security vulnerabilities.
  • Partner with vendors who proactively deliver security updates for their software solutions.
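A routine update schedule needs a way to see which systems are behind and which of those gaps are critical. The block below is an added example, not code from this post or from HealthAxis, of the report such an audit produces from a software inventory: it compares installed versions against the vendor's latest release, counts how long each gap has been open, and lists critical security patches first. The inventory, product names, hosts and dates are all constructed, and the `critical` flag is assumed to come from the vendor's advisory. It also shows the classic pitfall that version "1.9.2" sorts above "1.10.0" when compared as text.

```python
"""Patch-backlog report from a software inventory (added example; constructed data)."""
from datetime import date
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically.

    A plain string comparison ranks '1.9.2' above '1.10.0' because '9' > '1';
    tuple comparison gets it right. A pre-release suffix such as '-rc1' is
    dropped (assumption: the inventory records only released builds).
    """
    core = v.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_outdated(installed: str, latest: str) -> bool:
    return parse_version(installed) < parse_version(latest)


def patch_backlog(inventory: List[Dict], today: date) -> List[Dict]:
    """Systems running something older than the latest release.

    Sorted so critical security patches come first, then by days overdue,
    which is the order a weekly review would work through.
    """
    findings = []
    for item in inventory:
        if is_outdated(item["installed"], item["latest"]):
            findings.append({
                "host": item["host"],
                "product": item["product"],
                "installed": item["installed"],
                "latest": item["latest"],
                "critical": item["critical"],
                "days_behind": (today - item["released"]).days,
            })
    findings.sort(key=lambda f: (not f["critical"], -f["days_behind"]))
    return findings


# Constructed inventory: placeholder hosts, products and release dates.
INVENTORY = [
    {"host": "claims-app-01", "product": "ClaimsPortal", "installed": "1.9.2",
     "latest": "1.10.0", "released": date(2024, 9, 1), "critical": True},
    {"host": "billing-01", "product": "BillingService", "installed": "2.4.1",
     "latest": "2.4.1", "released": date(2024, 8, 20), "critical": False},
    {"host": "enroll-gw-02", "product": "EnrollmentGateway", "installed": "3.0.0",
     "latest": "3.0.5", "released": date(2024, 10, 10), "critical": False},
]

if __name__ == "__main__":
    for f in patch_backlog(INVENTORY, date(2024, 10, 15)):
        flag = "CRITICAL" if f["critical"] else "routine "
        print(f"{flag} {f['host']:<14} {f['product']:<18} {f['installed']} -> {f['latest']}"
              f"  ({f['days_behind']} days behind)")
```

Run against the sample inventory on 2024-10-15, the report puts the critical ClaimsPortal gap (44 days behind) ahead of the routine EnrollmentGateway update and omits the up-to-date billing host. Feeding a real inventory export into the same function gives the prioritized list the "What to Do" items above call for.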

By staying on top of software updates, healthcare organizations can significantly reduce the risk of insider incidents and potential breaches, keeping sensitive data secure.

Commitment to Cybersecurity Beyond October

National Cybersecurity Awareness Month serves as an annual reminder to evaluate and strengthen your organization’s security posture. For health plans and TPAs, securing sensitive health data is about more than compliance—it’s about trust, reputation, and operational stability. By adopting best practices like recognizing phishing, using strong passwords, enabling MFA, and keeping software updated, your organization can mitigate risk and better protect your data from cyber threats.

At HealthAxis, our commitment to cybersecurity extends beyond mere observance of this month. It’s woven into our daily operations and solutions to ensure that we provide the highest standards of security for our clients. Cybersecurity is a shared responsibility, and with the right tools and practices in place, we can all contribute to building a safer healthcare administration ecosystem.

Author:

Ralph Pugh
Information Security Analyst III

Sources:

  1. 2024 Data Breach Investigations Report, Verizon
  2. 2024 Global Threat Report, CrowdStrike
  3. One Simple Action You Can Take to Prevent 99.9 Percent of Attacks on Your Accounts, Microsoft
  4. 2023 Cost of Insider Risks Global Report, Ponemon Institute | DTEX

HealthAxis InFocus: Claims Efficiency – Lower Costs, Higher Retention

In this installment of HealthAxis InFocus, Dawn Pardee, Director of Claims Operations, shares valuable insights into how healthcare payers can improve claims processing efficiency to reduce costs and enhance member retention.

With the increasing complexity of healthcare claims, leveraging solutions like Robotic Process Automation (RPA) is becoming essential for streamlining operations. Dawn explains how automating repetitive tasks not only speeds up processing times but also reduces errors, allowing payers to focus on higher-priority claims and ultimately improve the member experience.

Ready to transform your operations? Connect with our experts to learn how HealthAxis can help you leverage cutting-edge technology for your health plan.

Open Enrollment Readiness: Expert Insights from HealthAxis – Call Center Edition

Welcome to the third edition of our blog series, Open Enrollment Readiness: Expert Insights from HealthAxis. This series is designed to provide health plans with actionable insights and expert advice to navigate the complexities of the open enrollment period successfully.

In our first two editions, we covered critical areas of compliance with insights from our Compliance Officer, Milonda Mitchell, and explored best practices for enrollment processes with Rosalie Torres, our Associate Director of Enrollment and Fulfillment Operations.

In this edition, we’re turning our focus to the heart of member engagement during open enrollment: call center operations. To guide us through this vital topic, we’re featuring Jason Master, Vice President of BPO Operations at HealthAxis. With a robust background in healthcare operations and a passion for innovation, Jason will share his expert insights on managing increased call volumes, tracking performance metrics, and leveraging technology to enhance call center efficiency during open enrollment.

How can health plans effectively manage increased call volumes during open enrollment while maintaining high levels of customer satisfaction?

Jason Master

Vice President of BPO Operations

Managing the surge in call volumes during open enrollment is a significant challenge, but it’s also an opportunity to reinforce member trust through exceptional service. To effectively handle the influx, health plans should implement a multifaceted approach focused on strategic staffing, advanced call center technology, and a strong emphasis on customer service excellence.

First, it’s crucial to have a well-prepared staffing plan in place. This means hiring additional temporary staff to manage the increased volume and investing in thorough training programs well before open enrollment begins. Agents should be fully equipped with the knowledge and tools they need to resolve member inquiries efficiently, reducing the need for call transfers and ensuring first-call resolution.

Additionally, utilizing intelligent call routing systems can significantly enhance efficiency. By directing calls to the most appropriate agents based on their expertise, health plans can minimize wait times and ensure that members receive the right answers promptly. This, coupled with self-service options such as interactive voice response (IVR) systems and online FAQs, can help deflect routine inquiries, allowing agents to focus on more complex issues.

Lastly, maintaining high levels of customer satisfaction requires a culture of empathy and active listening. Agents should be trained to handle stressful situations calmly and to communicate clearly and compassionately. Providing regular feedback and support to agents during this peak period can help maintain morale and, in turn, improve the overall member experience.

What key metrics should health plans track to measure call center performance during open enrollment, and how can these metrics be used to improve operations?

Tracking the right metrics is essential for health plans to assess call center performance and identify areas for improvement during the busy open enrollment period. The key performance indicators (KPIs) that should be monitored include:

  • Service Level:
    • The percentage of calls answered within a specific time frame (e.g., 80% of calls answered within 30 seconds).
    • Reflects the responsiveness of the call center and impacts customer satisfaction.
  • Average Hold Time (AHT):
    • This is the amount of time a caller spends on hold before speaking to a representative.
    • The goal is to balance efficiency with quality—short calls are not always better if they leave issues unresolved.
    • Monitoring AHT alongside First Call Resolution (FCR) helps ensure that efficiency does not compromise customer satisfaction.
  • Call Abandonment Rate:
    • Reflects the percentage of callers who hang up before speaking to an agent.
    • A high abandonment rate often signals long wait times or inadequate staffing levels.
    • Tracking this metric in real-time allows for necessary adjustments, such as reallocating resources or activating overflow teams, to better manage call volume and reduce wait times.
  • First Call Resolution (FCR):
    • Measures the percentage of calls resolved without the need for follow-up.
    • A high FCR indicates that agents are well-trained and empowered to handle a variety of inquiries on the spot.
    • Improving FCR can reduce overall call volume and enhance member satisfaction by addressing issues promptly.
  • Customer Satisfaction Score (CSAT):
    • Provides direct feedback from members about their experience.
    • Regular post-call surveys offer insights into service effectiveness and help identify areas for improvement.
    • Dips in CSAT can prompt immediate corrective actions to address service quality issues before they impact overall member satisfaction.

By closely monitoring these metrics, health plans can make data-driven decisions to optimize call center operations. For instance, if AHT or call abandonment rates are rising, it may indicate a need for additional training or a reevaluation of call routing strategies. Similarly, dips in CSAT can prompt immediate corrective actions to address service quality issues before they affect overall member satisfaction.

How can health plans leverage technology and automation to streamline call center operations and improve agent productivity during open enrollment?

Technology and automation are powerful tools that can transform call center operations, especially during the intense period of open enrollment. By integrating advanced solutions, health plans can streamline processes, reduce the burden on agents, and ultimately improve the quality of service provided to members.

One of the most impactful technologies is intelligent call routing, which uses algorithms to direct calls to the most suitable agent based on the caller’s needs and the agent’s expertise. This reduces the time spent transferring calls between departments and ensures that members receive accurate and timely assistance, leading to higher satisfaction rates.

Automation can also play a significant role in handling routine inquiries, such as account balance checks or basic plan information. By utilizing AI-driven chatbots and interactive voice response (IVR) systems, health plans can provide members with instant answers to common questions without requiring human intervention. This not only frees up agents to focus on more complex issues but also reduces wait times for members.

Workforce management tools are also crucial during open enrollment, as they allow health plans to forecast call volumes and adjust staffing levels accordingly. These tools can schedule shifts, monitor agent performance, and ensure that the call center operates at optimal efficiency throughout the enrollment period.

By leveraging these technologies, health plans can not only handle the increased demand during open enrollment but also deliver a superior member experience. The result is a more efficient operation that supports both the plan’s objectives and the needs of its members.

If you need immediate support or have questions about how HealthAxis can assist in your open enrollment readiness, connect with our experts today. We’re here to help ensure your success during this pivotal time.

How Regulatory Requirements Are Affecting Medicare Health Plan Administration

The healthcare landscape is constantly evolving, and Medicare health plan administrators are facing a wave of new regulatory requirements that significantly impact their operations.

These changes are designed to enhance transparency, equity, and compliance, ensuring enrollees receive high-quality care consistent with Medicare’s evolving standards. 

For Medicare Advantage Organizations (MAOs), the path forward requires careful alignment with the latest rules to avoid penalties while ensuring enrollees are well-served.

Key Health Plan Areas Most Affected By Recent Medicare Compliance Changes

Health plans are facing significant regulatory changes, particularly in the areas of configuration, product and enrollment, appeals and grievances, claims, and data analytics.

Configuration processes now require greater transparency, annual reviews, and alignment with clinical guidelines to ensure timely access to care. 

New rules impact product offerings, prior authorizations, and culturally competent enrollment, while appeals and claims processes must adhere to stricter timelines and documentation requirements. Additionally, data privacy, cybersecurity, and reporting standards have been heightened to ensure compliance across the board.

These updates are designed to improve care quality and protect enrollees while holding health plans accountable.

Let’s dive into the specific changes in requirements to be aware of.

Configuration Is The Most Impacted With Nine New Regulatory Requirements

Configuration processes are the most affected, with nine new regulatory requirements now governing how MAOs manage coverage, emphasizing transparency and alignment with Medicare standards.

  1. Adherence to Coverage Determinations: MAOs are required to align with updated local and national coverage determinations, ensuring that all coverage decisions meet Medicare standards.
  2. Transparency of Coverage Criteria: Health plans must make internal coverage criteria publicly accessible, ensuring that enrollees and providers understand how coverage decisions are made.
  3. Compliance with Post-Claim Audits: Post-claim audits are subject to updated regulations, meaning that plans must ensure all claim-related activities meet Medicare standards.
  4. Timely Access to Care: Configuration processes must guarantee timely access to care, which is critical to maintaining high-quality service for enrollees.
  5. Documentation of Clinical Criteria: Detailed documentation and justification must be maintained for any clinical criteria not covered by traditional Medicare, ensuring transparency and compliance with regulatory standards.
  6. Annual Review of Prior Authorizations: MAOs are now required to review and potentially revise prior authorizations on an annual basis to ensure they align with current guidelines and clinical needs.
  7. Transparent Configuration Processes: Health plans must ensure that configuration processes are transparent, especially concerning coverage criteria and authorizations.
  8. Alignment with Clinical Guidelines: Utilization management processes must be clearly aligned with clinical guidelines to ensure that decisions are medically appropriate.
  9. Communication with CMS: All configuration changes must be communicated to the Centers for Medicare & Medicaid Services (CMS) through a defined process to avoid non-compliance penalties.

These updates reflect the increasing emphasis on consistency, transparency, and timeliness, which is vital for ensuring that enrollees receive the care they need without unnecessary delays or confusion.

Product And Enrollment Each Have Five New Regulatory Requirements

The regulatory updates extend into product and enrollment areas, with five new requirements that health plans must address.

Product

  1. Prior Authorization Policies: New prior authorization policies have been implemented for specific products to ensure that medical necessity is met, balancing access without imposing undue restrictions.
  2. Formulary Flexibility: MAOs are now allowed greater flexibility in formularies, particularly concerning generics and biological products, making it easier to offer cost-effective alternatives.
  3. Agent/Broker Monitoring: There are enhanced monitoring requirements for agent and broker activities to ensure they comply with Medicare’s marketing rules.
  4. Supplemental Benefits: Updated protocols for offering supplemental benefits have been introduced, aligning these benefits with Medicare’s overall objectives.
  5. Consistency Across Products: Internal coverage criteria must be consistent across all products offered by MAOs, promoting fairness and reducing confusion among enrollees.

Enrollment

  1. Special Enrollment Periods (SEPs): Expanded SEP rules provide more opportunities for enrollees to switch plans under specific conditions, giving them greater flexibility.
  2. Culturally Competent Enrollment: Health plans are now required to implement culturally competent enrollment procedures, ensuring that diverse populations receive appropriate and effective guidance and support.
  3. Telephone Enrollment: Stricter guidelines govern telephone enrollments, ensuring that all enrollees fully understand the plan they are signing up for.
  4. Fraud Prevention: Enhanced scrutiny is required during the enrollment process to prevent fraud, protecting both the plan and the enrollees.
  5. Documentation Requirements: New documentation requirements ensure that all enrollment activities are properly recorded, providing an audit trail for compliance and fraud prevention.

These updates highlight the importance of maintaining robust, transparent, and culturally sensitive enrollment practices, ensuring that beneficiaries are well-informed and protected during the enrollment process.

Appeals And Grievances, Claims, And Data Analytics Each Have Four New Regulatory Requirements

The appeals and grievances process is essential to ensuring that beneficiaries’ concerns are addressed swiftly and effectively. 

Appeals & Grievances

  1. Stricter Timelines: Appeals must now be resolved within more stringent timelines, ensuring faster resolutions and improved beneficiary satisfaction.
  2. Detailed Documentation: All grievance cases must be documented in greater detail, ensuring that all issues are properly addressed and reported.
  3. Mandatory Training: Staff members handling appeals must undergo mandatory training to stay current with the latest regulatory requirements.
  4. Reporting Standards: New reporting standards for appeals outcomes have been introduced, ensuring greater transparency and accountability in the process.

Claims

  1. Processing Standards: New standards for claims processing require alignment with traditional Medicare, ensuring consistency in the way claims are handled.
  2. Post-Claim Audits: Updated guidelines govern post-claim audits, ensuring that claims are compliant with Medicare rules.
  3. Handling of Rejected Claims: Stricter compliance rules now apply to the handling of rejected claims, ensuring that beneficiaries are not unfairly denied coverage.
  4. Transparency in Claims Reviews: Enhanced transparency is required in the claims review process, allowing beneficiaries to clearly understand the rationale behind approvals or denials.

Data Analytics

  1. Enhanced Reporting Requirements: Reporting requirements have been enhanced to ensure that health plans submit more accurate and comprehensive data.
  2. Analytics for Compliance Monitoring: The use of data analytics in monitoring compliance is now mandated, ensuring that plans are staying within regulatory guidelines.
  3. Data Privacy and Security: New guidelines for data privacy and security are in place, ensuring that enrollee information is protected.
  4. Clinical Integration: Stricter standards require that data analytics be integrated with clinical processes to enhance the quality of care delivered.

These changes ensure that beneficiaries don’t face extended delays when disputing coverage decisions, contributing to a more responsive and patient-centered system.

Customer Service, Fulfillment, IT, And Utilization Management Each Have Two New Regulatory Changes

In addition to the core areas of configuration, claims, and data analytics, several other key aspects of Medicare health plan administration are undergoing regulatory updates.

Customer Service

  1. Handling Inquiries: New rules govern how customer service representatives handle inquiries, ensuring that enrollees receive clear, consistent, and accurate information about their benefits.
  2. Mandatory Training: Customer service representatives are now required to undergo mandatory training to ensure they are fully equipped to assist enrollees and remain compliant with Medicare’s standards.

Fulfillment

  1. Stricter Controls on Materials: Stricter controls have been introduced over plan-related materials distribution to ensure that enrollees receive accurate and timely information.
  2. Enhanced Monitoring: Enhanced monitoring procedures are now required to prevent errors and delays in material distribution, ensuring that all enrollee communications are prompt and error-free.

IT 

  1. Cybersecurity Requirements: New cybersecurity regulations have been introduced to safeguard enrollee data, requiring health plans to implement advanced data protection protocols.
  2. Regular IT Audits: Health plans must conduct regular audits of their IT systems to ensure compliance with the latest cybersecurity requirements and to safeguard against breaches.

Utilization Management

  1. Annual Policy Review: The Utilization Management Committee must review all policies on an annual basis to ensure that they are in line with current guidelines and consistent with traditional Medicare standards.
  2. Stricter Guidelines for Prior Authorization: New guidelines have been introduced for prior authorization processes to ensure that decisions are medically necessary and consistent across the board.

By implementing these new standards, health plans can improve customer interactions, safeguard sensitive data, and ensure that care decisions are both consistent and medically necessary.

Reporting Requirements Have Become More Stringent

Health plan reporting requirements have become significantly more stringent, with a heightened focus on accuracy, timeliness, and comprehensive documentation. Plans are now obligated to submit more detailed reports covering a wide range of metrics, ensuring that all aspects of compliance and enrollee care are thoroughly documented.

These enhanced reporting standards are designed to increase transparency, providing CMS with a clearer and more detailed picture of health plan performance. Failure to meet these new requirements could result in penalties, making it crucial for plans to prioritize timely and precise data submission.

Ensuring Compliance and Quality Care 

These regulatory changes reflect CMS’s commitment to enhancing transparency, equity, and quality across all aspects of Medicare Advantage and Part D plans. For plan administrators, this means thoroughly reviewing and implementing these changes to remain compliant while improving the overall experience for enrollees.

These regulatory changes are designed to ensure that enrollees receive the highest standard of care, fully aligned with Medicare’s continuously evolving requirements. Through greater transparency, data-driven processes, and heightened compliance measures, MAOs can successfully navigate these updates, protecting their organization and the individuals they serve.

Get expert guidance to navigate the complex and ever-changing regulatory requirements facing Medicare Advantage Organizations. 

Our expert consultants leverage our AxisConnect™ suite of services to provide extensive health plan consulting to unlock your organization’s full potential. Our seasoned team collaborates with you in areas like regulatory affairs, technology, and operational efficiency to ensure you meet all requirements. Connect with our team today.

Author:

Kelly Thao

Sr. Compliance Analyst

HealthAxis