Secretary of State Audit Summary Dennis Richardson, Secretary of State
Kip Memmott, Director, Audits Division
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review
OHA:AutomatedMedicaideligibilityisprocessedappropriately,yetmanualinputaccuracyandeligibilityoverridemonitoringneedsimprovement
KEYFINDINGS
Twocriticalautomatedcomputerprogramsappropriatelydeterminedeligibility,enrolledMedicaidclientsincoordinatedcareorganizations,andmadeappropriatepaymentstothoseorganizationsbasedoneligibilityinformationreceived.
AutomatedcomputerprocessesappropriatelyvalidatedtheSocialSecuritynumberandcitizenshipstatusofapplicantsover99.7%ofthetimeinourreviewofover425,000records.
Wereviewed30eligibilitydeterminationsandfoundseven(23%)hadmanualinputerrors.Whileonlyoneerrorresultedinaclientbeingdeterminedeligiblewhentheywerenot,eachoftheerrorsrelatedtoapplicationinformationthatcouldhaveresultedininappropriateeligibilitydeterminations.
Althoughtheirvolumehassignificantlydecreasedovertime,overridesofeligibilityarenotsufficientlymonitored,meaningunauthorizedoverridesofMedicaideligibilitycouldoccur.
Ourreviewof72overriddeneligibilitysegmentsshowedcaseworkersdidnottakeproperactiontoclear25(35%).Overriddensegmentsarenotsubjecttoautomatedprocessesthatredetermineeligibilityforcertainclients.
Our2011auditrecommendationstoOHAandDHSconcerningaccesstotheMedicaidManagementInformationSystemhavenotbeenfullyimplemented,increasingsecurityrisk.
RECOMMENDATIONSSUMMARY
OHAshouldcontinueeffortstoimprovecaseworkermanualinputaccuracythroughadditionaltraining,andimplementareviewprocessforinputwhereerrorsnegativelyaffecteligibilitydetermination.
OHAmanagersshouldmonitoreligibilityoverridestopreventunauthorizedvalidationandensurestateresourcesarespentappropriately.
OHAandDHSshouldfullyimplementour2011auditlogicalaccessrecommendations.
AUDITPURPOSE
InOregon,overonemillionindividualshaveMedicaidcoverage.Medicaidexpenditurestotaled$9.3billioninfiscalyear2016,including$1.2billioninstategeneral
funds.WeconductedthisaudittodetermineiftwocriticalautomatedcomputerprogramsmanagedbytheOregon
HealthAuthorityaccuratelyverifyMedicaidclienteligibilityandaccuratelyissuepaymentstohealthcareproviders.Iftheseprogramsdonotfunctionproperly,
clientsmayinappropriatelyreceive,orbedenied,Medicaidbenefits.
FINDINGSIMPACT
Manualinputerrorsandlackofmonitoringofoverridescancauseinappropriateeligibilitydeterminationsandpaymentstoproviders.Ifagencyleadershipimplementsmoreeffectivemonitoringofcaseworkereligibilityoverridesandimprovesmanualinputaccuracy,thestatewillbettercomplywitheligibilityrequirementsandincreaseaccuracyofpayments.Inactionwillallowoverridesandmanualinputerrorstocontinuecausinginappropriatepaymentstoproviders.
Secretary of State Audit Report Dennis Richardson, Secretary of State
Kip Memmott, Director, Audits Division
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 1
OHA:AutomatedMedicaideligibilityisprocessedappropriately,yetmanualinputaccuracyandeligibilityoverridemonitoringneedsimprovement
Introduction
Audit Purpose
ThepurposeofthisinformationtechnologyauditwastodeterminewhethertwocriticalcomputersystemsmanagedbytheOregonHealthAuthority(OHA)accuratelydetermineMedicaidclienteligibility,appropriatelyenrollclientswithCoordinatedCareOrganizations(CCO),andissueaccuratepaymentstothoseorganizations.
WechosethesesystemsbecausethemajorityofMedicaideligibilitydeterminationsandpaymentsareprocessedthroughthem.Iftheydonotfunctioncorrectly,MedicaidclientsmaybeinappropriatelyapprovedordeniedforMedicaidbenefits,andpaymentstoprovidersmaybeinerror.
OHAandtheDepartmentofHumanServicesrelyonseveralothersystemsforeligibilitydeterminationsandpayments.WeintendtoincludeothersystemsandprocessesrelatedtoMedicaideligibilityandpaymentsinfutureaudits.
Agency Response
TheOregonHealthAuthoritygenerallyagreedwithourfindingsandrecommendations.Thefullagencyresponsecanbefoundattheendofthereport.
Background
Medicaidisagovernmentprogramthatprovideshealthcarecoveragetolow‐incomeindividualsandfamilies.Itisfinancedthroughjointfederalandstatefundingandisadministeredbyeachstate.TheOregonHealthAuthority(OHA)administerstheMedicaidprogramandsetsguidelinesregardingeligibilityandservicesinOregon.DepartmentofHumanServices(DHS)staffworkinpartnershipwithOHAtoensurequalifiedindividualsreceiveMedicaidcoverage.
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 2
MostMedicaidclientsinOregonareenrolledwithoneofOregon’s16CoordinatedCareOrganizations(CCOs).CCOsdeliverhealthcareservicesundercontractswithOHAforaprescribedmonthlyfee,knownasacapitatedpayment.MedicaidclientsnotenrolledinaCCOreceivehealthcareservicesfromdoctors,pharmaciesandotherprofessionalswhosubmitindividualclaimstoOHAfortheservicestheyperform.
ThefederalPatientProtectionandAffordableCareAct,commonlycalledtheAffordableCareAct(ACA),wassignedintolawonMarch23,2010andimplementedinOregonbeginninginJanuary2014.TheACAallowedOregontoexpanditsMedicaidprogramtocoverindividualswhowerenotpreviouslyeligible.Asaresult,MedicaideligibilityinOregonhasgrownfromapproximately650,000individualsin2013toover1millionbytheendof2014.Medicaideligibilityhasremainedatabout1millionindividualssincethen.
TotalMedicaidexpenditureshavelikewiseincreased.DuringFiscalYear(FY)2013,expendituresforMedicaidatDHSandOHAtotaledabout$5.5billion;inFY2016,thisincreasedtoabout$9.3billion.Theseexpenditures,whichconsistofmedicalassistancepaymentsaswellasadministrativeexpenses,areprocessedthroughseveraldifferentcomputersystemsatDHSandOHA.
ThefederalshareofMedicaidexpendituresvariesbytypeofexpenditureandbymedicalassistanceprogram.Formedicalassistancepaymentsmadeonbehalfofclients,thefederalsharerangesfromabout64%formostclientsto100%forclientsdeemednewlyeligibleforMedicaidbecauseoftheACA.Beginningincalendaryear2017,thefederalgovernmentstartedreducingitsshareoffundingfortheseclients,whichwillresultinanincreaseinthestate’sshareoffundingfortheseexpenditures.Overall,stategeneralfundMedicaidexpendituresforfiscalyear2016totaledover$1.2billion.
OHAprimarilyusestheMedicaidManagementInformationSystem(MMIS)topayhealthcareprovidersforservicestheyrendertoindividualswhoqualifyforMedicaid.DuringFY2016,MMISprocessedover$6.7billioninpaymentstoproviders,includingabout$4.9billiontoCCOsascapitatedpaymentsbasedonMedicaidenrollments.
InDecember2015,OHAimplementedanewcomputerapplication,theOregonEligibilitysystem(ONE),specificallydesignedtodeterminewhetherindividualsqualifyforMedicaidaccordingtothenewACArequirements.ThissystemprovidestheneededcorefunctionalitytoprocessmostMedicaidapplications.DHSusesothercomputersystemstodetermineeligibilityforotherspecificgroupsofMedicaidclients.AsofMarch2017,approximately69%ofallMedicaidclientshadtheireligibilitydeterminedthroughtheONEsystem.
Oregon Medicaid provides health care coverage to approximately one million Oregonians.
OHA uses a newly implemented computer system called the Oregon Eligibility system (ONE) to determine client eligibility for certain Medicaid benefit programs.
ONE subsequently transfers eligibility information to the Medicaid Management Information System (MMIS), which enrolls clients in coordinated care organizations and pays providers for Medicaid services. MMIS processed about $6.7 billion to providers in fiscal year 2016.
If these systems do not function correctly, clients may be inappropriately approved or denied for Medicaid benefits and payments to providers may be inappropriate.
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 3
Audit Results
OurworkshowedthattheOregonEligibilitysystem(ONE)appropriatelydeterminesMedicaidclienteligibility,althoughmanualinputaccuracyandeligibilityoverridemonitoringneedimprovement.ONEalsoaccuratelytransmitseligibilityinformationtotheMedicaidManagementInformationSystem(MMIS)forfurtherprocessing.WealsofoundthatMMISappropriatelyenrollsMedicaidclientsinCoordinatedCareOrganizations(CCO)andensuresaccuratepaymentsaremadebasedoninformationreceivedfromONEandothereligibilitysystems
Generallyacceptedcomputercontrolsindicatethattransactiondatashouldbecheckedforaccuracy,completenessandvalidity.Inaddition,processesshouldbeinplacetotimelydetectandcorrectpotentialerrorsthatmayoccurduringcomputerprocessing.Anyoverridesappliedtotransactionprocessingshouldbemonitored.
TheONEsystemreceivesMedicaidapplicationsfromseveralsources.OHAstaffmanuallyinputapplicationstheyreceiveonpaperorthroughtelephoneinterviewsusingtheWorkerPortal.ApplicationsmayalsoenterONEthroughanautomaticcomputerinterfacewiththefederalhealthinsuranceexchangeorfrommanualinputsbycommunityhealthpartnersusingONE’sApplicantPortal.
Aspartofprocessing,ONEqueriesexternalsourcestovalidatetheaccuracyofspecificinformation,includingtheapplicant’sSocialSecuritynumber,dateofbirth,citizenshipstatus,andwhethertheapplicantisincarcerated.Italsocomparestheapplicant’sreportedincometoexternalsourcesincludingfederalcomputersystemsandthestate’sUnemploymentInsurancerecordstoverifythelevelofincomereported.Ifdatadoesnotpassthesetests,ONEautomaticallysendstheapplicantaRequestforInformation(RFI)toprovidetheneededsupportingdocumentationbyacertaindate.
ForapplicationssubmittedthroughthefederalexchangeortheApplicantPortalthatarecomplete,errorfree,andnotduplicatesofpriorreceivedapplications,ONEdetermineseligibilityandpassestherecordtoMMISwithoutmanualintervention.ApplicationsenteredthroughtheWorkerPortal,orsubmittedthroughtheothersourceswhereproblemsweredetected,requirecaseworkerstodirectONEtocontinueprocessingtheapplicationtodeterminetheapplicant’sMedicaideligibility.IfacaseworkeracceptstheeligibilitydeterminationmadebyONEandidentifiesnootherissueswiththecase,theyauthorizethedetermination
The ONE computer system accurately determines Medicaid eligibility, but manual procedures need improvement
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 4
andtherecordissenttoMMIS.Todate,mostapplicationshaverequiredmanualworkbycaseworkersinordertocompleteprocessing.
WetestedautomatedandmanualprocessesassociatedwithONEeligibilitydeterminations.WefoundthatONEautomatedprocessesaccuratelydeterminedMedicaideligibilitybasedontheinformationprovidedandaccuratelytransferredeligibilityinformationtoMMISforfurtherprocessing.Wereviewedmorethan425,000individualrecordsandfoundthatONEappropriatelyvalidatedtheSocialSecuritynumberandcitizenshipstatusofapplicants,orproperlysentRFIstoobtainassurancethereportedinformationwascorrect,over99.7%ofthetime.
However,Medicaideligibilitydeterminationsalsodependonaccurateinputofdatathatarenotexternallyverifiedandonmanualproceduresperformedbycaseworkers.Forexample,stateandfederalrulesdonotrequireexternalvalidationofhouseholdcomposition,soaccurateinputofhouseholdstatusandsizeiscriticalforaccuratelydeterminingwhetherhouseholdincomelevelsqualifyindividualsforMedicaid.Also,whilereportedincomeisvalidatedagainstexternaldata,itoftenrequiresmanualreviewtoensurethatitisaccurate.Accuracyfortheseelementsneedsimprovement.Inaddition,caseworkersmayoverridetheeligibilitydeterminationmadebyONE.Contrarytobestpractices,theseoverridesarenotsufficientlymonitoredtoensuretheywereperformedforapprovedreasonsandthatrequiredactionstocleartheoverridearetaken.
Input accuracy needs improvement
Bestpracticesindicatethatinformationshouldbevalidatedandeditedasclosetothepointoforiginationaspossiblewheninformationisinputintoacomputersystem.Thisallowserrorstobecaughtandresolvedquickly.
ThoughONEappropriatelyensuresinputisintheproperformatandthatcertainconditionsaremet,itcannotdeterminewhetherinputmatcheswhatisincludedontheapplication.Italsocannotdetermineactionsthatshouldbetakenwhentherearemultipleapplicationsorcasesforasingleindividual,orhowtointerpretsupplementalinformationreceivedonacase,suchaswagestubssubmittedbyapplicantstoprovetheirreportedincomeisaccurate.Theseactionsdependondecisionsandmanualproceduresbycaseworkers.
WereviewedMedicaideligibilitydeterminationsfor30randomlyselectedindividualsoutof541,577individualsinthepopulationtoevaluateaccuracyofinputandeligibilitydetermination.Althoughweidentifiederrorsinsevencases,onlyoneerrorresultedinaclientbeingdeterminedeligiblewhentheywerenot.Forthiserror,theclientwasinitiallydeemedeligibleonacasethatincludedonlytheclient.Asecondapplicationwassubmittedthataddedmemberstotheclient’shouseholdandreportedanewincomelevelthatwouldhavemadetheclientnolongereligibleforMedicaidbenefits.OHAindicatedthatthefirstcaseshouldhavebeenclosedandtheclientshouldhavebeenevaluatedonthesecondcase,butthisdidnotoccur.Basedonourevaluation,inappropriatecapitated
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 5
paymentsof$1,778havebeenmadeoverfourmonthsthroughJanuary2017.
Theothererrorshadnoimpactoncapitatedpayments.Twoerrorsresultedinclientsbeingdeterminedeligibleforthewrongbenefitprogramandwererelatedtohouseholdsizeandincomeevaluationsbycaseworkers.Inbothcases,theclientswereeligibleforMedicaidandthecapitatedpaymentswouldhavebeenthesameiftheyhadbeenplacedinthecorrectprogram.Theremainingfourerrorswereminorandhadnoeffectontheeligibilitydeterminationorsubsequentcapitatedpayments.However,foreachofthesevenerrors,thedataelementinvolvedhadthepotentialtoaffecteligibilitydeterminationorthebenefitstartdate.
Table 1: Types of Input Errors Found During Testing
Description EffectThe income level on a new application would have made the client ineligible, but the caseworker did not close the existing case first. (1 error)
Medicaid benefits from the first case continued, resulting in inappropriate capitated payments that totaled $1,778 for four months.
Caseworker made errors evaluating the household size and income level. (2 errors)
Clients appropriately determined eligible for Medicaid but placed in the wrong benefit program.
Caseworker incorrectly determined household size, incorrect application date entered, income attributed to wrong household member. (4 errors)
No effect on Medicaid eligibility. Each of these could have affected eligibility given other circumstances.
OHAhasimplementedaqualityassuranceprocessthatincludesreviewingweeklysamplesofcasestoevaluatecompletenessandaccuracyofinput,andotherproceduresfollowedtoenterandprocessMedicaidapplications.Thisprocesshasalsoidentifiederrorsininputaccuracy,thoughnotallofthedataelementsreviewedinthequalityassuranceprocessaffecteligibility.Oneoftheindividualdataelementswiththehighestleveloferrorsdetectedisforinputorvalidationofincome.Outof1,241casesreviewedthroughDecember2016,OHAdetected182errorsassociatedwithincomeorincomeprocessing,orabout15%.OHAintendstodevelopadditionaltrainingandproceduresforcaseworkerstoimprovethesemeasures,butthisworkwasstillinprocessduringouraudit.
TheseerrorsaredueinparttothecomplexnatureofprocessingMedicaidapplicationsandevaluatingsupportingdocumentation.OHAhasdevelopedmultipleprocedurestoinstructworkersonactionstotakewhenevaluatingsupportingdocumentsorclearingtasks.TheseprocedureshavebeendevelopedoverthecourseofthefirstyearofONEoperationandcontinuetoundergochanges.
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 6
Inadequate monitoring of overrides
Forapplicationsrequiringmanualwork,acaseworkermustauthorizetheeligibilitydeterminationmadebyONE,whichisthentransmittedtoMMIS.Dependingonthecharacteristicsofthecase,thisdeterminationmayconsistofoneormoreeligibilitysegmentscoveringparticulartimeperiods,includingafinalsegmentthatdefinesongoingeligibility.Thecaseworkermayoverridethedeterminationforindividualeligibilitysegments,thoughtheyareexpectedtodosoonlyundercertaincircumstances.CaseworkersmayalsopreventONEfromsendingautomatedRFIstoclients,whichisappropriateifinformationcanbeotherwisevalidated.Bestpracticesdictatethatthesetypesofoverridesshouldbemonitoredtoensuretheyareappropriateand,ifneeded,clearedtoallowthesystemtoresumeautomatedfunctions.
OHAhasdevelopedproceduresforcaseworkerstofollowwhenoverridingeligibility,includingdefiningthespecificinstanceswhenoverridesshouldoccur,andhasalsoprovidedinstructionsondocumentingandperformingtheoverride.Forexample,forsomesegmentsthatareoverridden,workersareinstructedtocreateasystemtasktoreviewtheoverrideatalaterdatetoensuresubsequentappropriateactionsaretakenonacase.
However,OHAhasnotimplementedstandardprocessestoreviewormonitoroverridesoractionsthatpreventRFIsfrombeingissued.Withoutthisstandardizedreview,unauthorizedoverridesofMedicaideligibilitycouldoccur,whichcouldleadtoMedicaidclientsbeinggrantedeligibilitywhentheywerenoteligible,orbeingdeniedbenefitswhentheywereeligible.Inaddition,whenthefinalsegmentthatdefinesongoingeligibilityforanindividualisin“override”status,certainautomatedprocessesperformedbyONEarecircumvented.Forexample,ONEhasaprocesstoidentifyclientswhoareagingoutofonetypeofassistancetoanother,andredeterminetheireligibilityinthenewcategory.Thisredeterminationcouldresultintheclientbeingdeemedineligibleforongoingbenefits.Thisprocessisnotrunforanindividualwhosefinaleligibilitysegmentisinoverridestatus.
Weevaluatedoverridesandsubsequentactionstoresolvecasesinoverridestatus.Wefoundthatthevolumeofoverridesisdecreasingsignificantly,fromapeakof10%ofalleligibilitysegmentsduringMay2016,to4%inJune,tolessthan1%ofsegmentsfromJulyonward.Thisdecreasewasduelargelytochangesinprocedures.
Wealsoreviewed72overriddeneligibilitysegmentsoutofapopulationof31,059approvedsegmentsthatwereoverridden.Wefoundthatwhiletheseoverrideswereperformedforapprovedreasons,workersdidnotsetupatasktoreviewtheoverrideatalaterdateinnineofthesegmentsreviewed.Inaddition,evenwhenacaseworkerinitiallyenteredtheoverrideusingestablishedprocedures,properactiontolatercleartheoverridewasnottakenin25ofthesegmentswereviewed.Thesesegmentsremainedinoverridestatusandwerethereforenotsubjecttofurtherprocessingprocedures.Twooftheserecordswereforindividualswho
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 7
shouldhavehadtheireligibilityredeterminedduetoagingoutofonetypeofassistancetoanother.TheoveralleffectofthelackofredeterminationwasanunderpaymenttoCCOsof$1,809overaperiodofsevenmonths,endingJanuary2017.
Testsofotherareasalsorevealedproblemsassociatedwiththelackofappropriateactiontakenonoverriddeneligibilitysegments.Forexample,wetestedRFIstoensuretheywereappropriatelyresolved.Wetested75RFIsfromanoverallpopulationof180,676.Thisincluded14RFIsfromapopulationof2,815thatweidentifiedashighrisk.Weconsideredthesetobehighriskbecausetheywerestillopenmorethanonemonthpasttheirexpirationdateandtheindividualshadbeendeterminedeligible.OftheRFIswetested,12werenotappropriatelyresolvedforeligibilitysegmentsstillinoverridestatus,including9fromthehighriskpopulation.Fortheseindividuals,benefitsshouldhaveendedaftertheexpirationoftheRFIbasedonanestablishedcutoffdateinONE.However,automatedprocessestoendbenefitsdidnotoccurduetotheoverride.Inaddition,nomanualactionhadbeentakentoeitherauthorizeorendcontinuingbenefits.PaymentsmadetoCCOsonbehalfoftheseclientsaftertheRFIexpirationcutoffdatetotaled$18,902fromJuly2016throughJanuary2017.
ONE,alongwithseveralothereligibilitysourcesystems,sendsMedicaideligibilityinformationtoMMIS,whichapplieseditstothesetransactionsandacceptsorrejectstherecord.Itcreatesorupdatestheindividual’srecordinMMISwithinformationfromthesourcesystemandassignsthebenefitplanandothercodingneededforfurtherprocessing.
IfclientsareinapopulationthatrequiresCCOenrollment,butdidnotchooseaCCOwhenapplyingforbenefits,MMISensurestheyareenrolledthroughanauto‐enrollmentprocess.MMIStransmitstheenrollmentinformationtoCCOs,whichareexpectedtocomparethisinformationtotheirownrecordsandreportbacktoOHAiftherearedifferences.OHAreviewstheseresponsesandgeneratescorrectionstoMMISrecords,orprovidesfurtherinformationtotheCCOs,asneeded.
MMISusesacombinationofeligibilityinformation,clientdemographics,andenrollmentdatatodetermineandprocessmonthlycapitatedpaymentstoCCOs.Italsorunsweeklyadjustmentjobsandcanadjustpriorpaymentsuptooneyearinthepast,basedonchangesthatwouldhaveaffectedthosepayments.
Overall,wefoundthatMMIScontrolsprovidereasonableassurancethatMedicaidclientsareappropriatelyenrolledinCCOsandthatpaymentstotheseorganizationsareappropriate,basedontheinformationreceivedfrommultipleeligibilitysourcesystems,includingONE.Ifthisinformation
MMIS Properly Enrolls Medicaid Clients and Ensures Payments are Appropriate
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 8
wereincorrect,itwouldaffecttheoverallaccuracyofMMISprocessesandpayments.
Specifically,wefound:
CapitationpaymentratesforeachCCOwereappropriatelyloadedintoMMIS. Rateswereappropriatelyusedforpayments,basedonclientdemographicsandcapitationcategory. ControlsweresufficienttoensureclientswereappropriatelyenrolledinCCOs. OHAreconcilesenrollmentdatawithCCOstoensurethatrecordsmatch,andthisreconciliationshowsafairlylownumberofreporteddiscrepancies.
Asrequiredbyauditstandards,weevaluatedthestatusofpriorauditfindingsfromanauditwecompletedin2011.Specifically,ourmanagementlettermadethreerecommendationstoaddressMMISlogicalaccessfindings.
MMIS user roles are not well defined or documented
ThepriorauditfoundthatMMISrolesgrantedtousersappropriatelyrestrictedaccesstothesystemasawhole,buttheywerenotsufficientlydefinedordesignedtoensureusersreceivedonlytheaccesstheyneededtoperformtheirduties.WerecommendedmanagementreviewallMMISuserrolesandmakeadjustmentsasneededtoensuretheyareappropriatelydesignedtoprovideaccessbasedonleastprivilegeprinciples.
Duringourcurrentaudit,MMISsecurityadministratorsindicatedthatreviewsofroleshaveoccurredsincetheprioraudit,andthattheyarecontinuingtomonitorthem.Theyalsoreportedthatseveralroleshavebeenmodifiedtoensuremoregranularaccess.However,wefoundthatMMISrolesremaingenerallydefined.Forexample,arolemayidentifythatitgrants“update”accesstoaparticularsubsystem,withoutdetailsregardingwhichpagesorpanelsallowupdateandwhichdonot.Currently,determiningwhichusershaveaccesstowhichspecificfunctionsisnotpossiblewithoutamanualreviewofsecuritysubsystemsettings.Thislackofgranularityindefiningtherolesincreasestheriskthatuserswillhaveaccesstomorefunctionsthantheyneedtoperformtheirjobs.
Logical access is not reviewed
OurpriorauditalsoidentifiedthatstaffdidnotalwaysremoveuseraccountsfromMMISinatimelymannerandmanagerswerenotperiodicallyreviewingaccessgrantedtousers.Werecommendedthat
Some prior audit findings remain unresolved
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 9
managementensuremanagersperformeffectivereviewofaccessgrantedtotheirpersonnel.
AcurrentDHS/OHApolicyindicatesaccesswillbereviewedannuallybymanagers.However,MMISsecurityadministratorsreportedtheyhavenopracticalwaytoidentifywhichusersworkforwhichmanagers.Asaresult,thereisnoformal,enforcedprocessforreviewofMMISaccess,exceptforexistinginactivityandemployeeterminationreports.Withoutaneffectivereview,currentusersmayretainaccessthatisnolongerneededtoperformtheirjobs.
Audit trails were insufficient
Duringourprioraudit,wefoundMMISlackedcompleteaudittrailstoidentifywhogranteduserswhataccess,andwhen.Werecommendedthatmanagementensureappropriateaudittrailsexisttomonitorchangestousers’accessprivileges.
Currently,avarietyoftoolsareavailabletoshowwhenauserwasgrantedaccess,andwhograntedit,butsomeofthesetoolsrelyonmanualactionstocapturetheinformation.Inaddition,MMISadministratorsindicatedthattheyconductperiodicscanstoidentifyuserswithexcessiveorcontradictoryroles.
Afterconsideringmanagement’scurrentprocedures,weconcludedthatifuseraccesswasbeingeffectivelyreviewed,theriskassociatedwiththelackofaudittrailswouldbereduced,andthereforeapotentiallyexpensivetechnicalmodificationofMMIStodevelopthislevelofaudittrailmaynotbejustified.Asaresult,weconsiderthisrecommendationresolved.
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 10
Recommendations
WerecommendthatOHAmanagement:
Continuetodevelopstrategiestoevaluateandimprovecaseworkerinputaccuracy.Inparticular,werecommendmanagementconsiderimplementingareviewprocessforportionsofinputidentifiedashavinghighererrorratesandthatnegativelyaffecteligibilitydetermination. Developprocedurestomonitoroverridestoensuretheyareperformedonlyforapprovedreasonsandthatneededsubsequentactionsonthesecasesaretimely.
TofullyresolvepriorauditfindingsforMMIS,werecommendOHAandDHSmanagement:
Ensuresystemdocumentationisavailabletofacilitateagranularreviewofpermissionsgrantedforeachrole. Ensuremanagersperformeffectiveperiodicreviewsofaccessgrantedtotheirpersonnel.
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 11
Objectives, Scope, and Methodology
Ourauditobjectiveswereto:
DeterminewhethertheOregonHealthAuthority’s(OHA)OregonEligibility(ONE)systemappropriatelydeterminesMedicaidclienteligibility. DeterminewhetherOHA’sMedicaidManagementInformationSystem(MMIS)reasonablyensuresthatMedicaidclientsareappropriatelyenrolledincoordinatedcareorganizationsandthatpaymentstotheseorganizationsareaccurate.
OurreviewoftheONEsystemfocusedonautomatedsystemprocessesdesignedtoaccuratelyprocessMedicaidapplicationsanddetermineMedicaideligibility.ThereviewalsoevaluatedtheaccuracyofdatainputbycaseworkersintoONEandconsideredactionstakentoresolveitemsthathadbeenpendinginthesystem.
OurreviewofMMISprimarilyfocusedoncapitatedpaymentsmadetocoordinatedcareorganizationsandonenrollmentofclientsintoCCOs,regardlessoftheoriginationoftheeligibilitydetermination.
WeconductedinterviewswithOHAandDHSpersonnelandobservedoperationsandprocesses.WeexaminedselectedpoliciesandproceduresassociatedwithprocessingofMedicaidapplicationsthroughtheONEsystem.WealsoexaminedtechnicaldocumentationrelatingtoONEandMMISandtheirarchitecture.
WeassessedthereliabilityofMMISandONEdatabyreviewingexistinginformationaboutthedataandthesystemthatproducedthem,evaluatingthequeriesusedtodownloadthedata,andinterviewingagencyofficialsknowledgeableaboutthedata.Inaddition,wetracedarandomsampleofdatatootherdatafiles,toavailablesourcedocuments,andtoproductionscreens.Wedeterminedthatthedataweresufficientlyreliableforthepurposesofthisreport.
ToevaluatewhetherONEappropriatelydeterminedMedicaideligibility,we:
obtaineddownloadsofONEdatathatincludedcase,eligibility,RFIandoverridedatafromDecember2015throughOctober2016; randomlyselected30individualsoutofapopulationof541,577individualswithatleastoneapprovedeligibilitysegmentandtestedwhetherselectedportionsoftheapplicationsuchashouseholdcompositionandreportedincomewereaccuratelyrecordedorverifiedintheONEsystem,andwhethertheeligibilitydeterminationmadebytheONEsystemfortheseindividualswasappropriate; randomlyselected75requestsforinformation(RFI)fromvaryingpopulations,including14fromahighriskpopulationof2,815,andevaluatedwhetherappropriateactionwastakentoresolvethem;
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 12
examinedwhetherindividualswhohadturnedage1or19wereappropriatelyredeterminedbyONEtoevaluatewhethertheindividualswerestilleligibleforMedicaidunderanewprogram; examinedwhetherSocialSecuritynumbersandcitizenshipstatushadbeenverifiedfromexternalsources,andwhetherappropriateRFI’swereissuediftheyhadnotbeenverified,outofapplicablepopulationsof445,907individualsand426,102individuals,respectively; randomlyselected72approvedoverriddeneligibilitysegmentsfromvaryingpopulations,outofatotalsummarizedpopulationof31,059individual,case,andtypeofassistancecombinationsandevaluatedwhethertheoverridewasperformedforanapprovedreasonandthatappropriateactionhadbeentakentoresolvetheoverride; conductedalimitedreviewofONEchangemanagementprocedures;and conductedotherdataintegrityteststoensurebasiclogicalconditionsandeligibilityrequirementsweremet.
Fortheitemstestedthroughasample,weperformedtheteststoevaluatetherelativestrengthorweaknessofparticularcontrols.Thesampleselectionsandtestsperformedwerenotdesignedtoprojecttheresultstothepopulation.
WealsotestedwhethereligibilitydeterminationsmadeinONEwereappropriatelyrecordedinMMIS.
WeobtainedMMIScapitatedpaymentdata,andenrollmentandeligibilityrecordsfortheperiodofDecember2015throughAugust2016.WeprimarilyevaluatedtheperiodofJanuary2016throughJune2016forthetestsdescribedbelow.Forthisperiod,therewere6,467,147individualcapitatedpaymentrecords,5,125,876recordsshowingenrollmentdata,and2,068,074recordsforeligibilitydata.
ToevaluatewhetherMMISmadeproperenrollmentsandmadeappropriatecapitationpayments,we:
evaluatedwhethertheprocesstoloadcapitationratesforCCOsintoMMISwasappropriatelycontrolled; evaluatedwhethercapitatedpaymentsweremadeusingtheapprovedrates; evaluatedwhetherduplicatepaymentstoCCOsweremadeonbehalfofindividuals; evaluatedwhetherpaymentswereonlymadeonbehalfofenrolledandeligiblerecipientsandonlytorecipients’selectedorassignedCCO; evaluatedwhetherMMISgeneratedcapitatedpaymentsforallproperlyenrolledandeligiblerecipients; evaluatedwhetherrecipientsinMMISwereassignedappropriatecodingbasedontheirage;
Report Number 2017‐09 May 2017 MMIS/ONE IT Systems Review Page 13
randomlyselected30recordsandevaluatedwhethertheclientsweretimelyenrolledwithaCCO,basedonthedatetheeligibilityrecordswererecordedinMMIS; evaluatedwhetherineligiblerecipientsinMMISwereinappropriatelyenrolledwithaCCO;and conductedlimitedreviewsofMMISchangemanagementandlogicalaccessprocedures.
WeusedtheISACApublication“ControlObjectivesforInformationandRelatedTechnology”(COBIT),andtheUnitedStatesGovernmentAccountabilityOffice’spublication“FederalInformationSystemControlsAuditManual”(FISCAM)toidentifygenerallyacceptedcontrolobjectivesandpracticesforinformationsystems.
Weconductedthisperformanceauditinaccordancewithgenerallyacceptedgovernmentauditingstandards.Thosestandardsrequirethatweplanandperformtheaudittoobtainsufficient,appropriateevidencetoprovideareasonablebasisforourfindingsandconclusionsbasedonourauditobjective.Webelievethattheevidenceobtainedandreportedprovidesareasonablebasistoachieveourauditobjective.
Auditorsfromouroffice,whowerenotinvolvedwiththeaudit,reviewedourreportforaccuracy,checkingfactsandconclusionsagainstoursupportingevidence.
About the Secretary of State Audits Division
TheOregonConstitutionprovidesthattheSecretaryofStateshallbe,byvirtueoftheoffice,AuditorofPublicAccounts.TheAuditsDivisionexiststocarryoutthisduty.ThedivisionreportstotheelectedSecretaryofStateandisindependentofotheragencieswithintheExecutive,Legislative,andJudicialbranchesofOregongovernment.Thedivisionisauthorizedtoauditallstateofficers,agencies,boards,andcommissionsandoverseesauditsandfinancialreportingforlocalgovernments.
AuditTeam
WilliamGarber,CGFM,MPA,DeputyDirector
NealE.Weatherspoon,CPA,CISA,CISSP,AuditManager
TeresaL.Furnish,CISA,AuditManager
ErikaA.Ungern,CISA,CISSP,PrincipalAuditor
AmyK.Mettler,CPA,CISA,StaffAuditor
LuisSandoval,MPA,StaffAuditor
Thisreport,apublicrecord,isintendedtopromotethebestpossiblemanagementofpublicresources.Copiesmaybeobtainedfrom:
website: sos.oregon.gov/audits
phone: 503‐986‐2255
mail: OregonAuditsDivision255CapitolStreetNE,Suite500Salem,Oregon97310
ThecourtesiesandcooperationextendedbyofficialsandemployeesoftheOregonHealthAuthorityandtheOregonDepartmentofHumanServicesduringthecourseofthisauditwerecommendableandsincerelyappreciated.