U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

-- CAUTION --
This audit report has been distributed to Federal and Non-Federal officials who are responsible for the administration of the audited contract. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

Audit Report

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT CS 1039
BLUECROSS BLUESHIELD OF ALABAMA
PLAN CODES 010/510
BIRMINGHAM, ALABAMA

Report No. 1A-10-09-09-020
Date: November 5, 2009

Michael R. Esser
Assistant Inspector General for Audits

Executive Summary

This final report discusses the results of our audit of general and application controls over the information systems at BlueCross BlueShield of Alabama (BCBSAL). Our audit focused on the claims processing applications used to adjudicate Federal Employees Health Benefits Program (FEHBP) claims for BCBSAL, as well as the various processes and information technology (IT) systems used to support these applications. We documented controls in place and opportunities for improvement in each of the areas below.
Security Management
BCBSAL has established a comprehensive series of IT policies and procedures to create an awareness of IT security at the Plan. BCBSAL has also implemented an adequate risk assessment methodology, incident response capabilities, and IT security-related human resources controls.

Access Controls
We found that BCBSAL has implemented numerous physical controls to prevent unauthorized access to its facilities, as well as logical controls to prevent unauthorized access to its information systems.

Configuration Management
BCBSAL has established policies and procedures to ensure that modifications to application software occur in a controlled environment. In addition, BCBSAL has implemented a thorough system software change control methodology that calls for the utilization of a change management tool to control and track changes.

Contingency Planning
We reviewed BCBSAL's business continuity plans and concluded that they contained many of the key elements suggested by relevant guidance and publications. We also determined that these documents are reviewed, updated, and tested on a periodic basis.

Application Controls
BCBSAL has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately. However, we recommended that BCBSAL implement several system modifications to ensure that its claims processing systems adjudicate FEHBP claims in a manner consistent with the OPM contract and other regulations.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that BCBSAL is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Contents

Executive Summary
I. Introduction
   Background
   Objectives
   Scope
   Methodology
   Compliance with Laws and Regulations
II. Audit Findings and Recommendations
   A. Security Management
   B. Access Controls
   C. Configuration Management
   D. Contingency Planning
   E. Application Controls
   F. Health Insurance Portability and Accountability Act
III. Major Contributors to This Report
Appendix: BlueCross BlueShield Association's August 11, 2009 response to the draft audit report issued June 3, 2009.

I. Introduction

This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims at BlueCross BlueShield of Alabama (BCBSAL).

The audit was conducted pursuant to Contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter I, Part 890. The audit was performed by the U.S. Office of Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

Background

The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter I, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

BCBSAL headquarters is located in Birmingham, Alabama. Employees responsible for processing FEHBP (also, Federal Employee Program or FEP) claims are located at the Plan's facility in Birmingham, Alabama. BCBSAL's local claims processing system is housed in a mainframe environment with the Z/OS operating platform and IBM's Resource Allocation Control Facility (RACF) as its security server.

This was the OIG's first audit of general and application controls at BCBSAL. BCBSAL's compliance with the Health Insurance Portability and Accountability Act (HIPAA) was also reviewed.

All BCBSAL personnel that worked with the auditors were particularly helpful and open to ideas and suggestions.
They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit was greatly appreciated.

Objectives

The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in BCBSAL's IT environment. These objectives were accomplished by reviewing the following areas:
• Security management;
• Access controls;
• Configuration management;
• Segregation of duties;
• Contingency planning;
• Application controls specific to BCBSAL's claims processing systems; and
• HIPAA compliance.

Scope

This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, the OIG obtained an understanding of BCBSAL's internal controls through interviews and observations, as well as inspection of various documents, including information technology and other related organizational policies and procedures. This understanding of BCBSAL's internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

The OIG evaluated the confidentiality, integrity, and availability of BCBSAL's computer-based information systems used to process FEHBP claims, and found that there are opportunities for improvement in the information systems' internal controls. These areas are detailed in the "Audit Findings and Recommendations" section of this report.

The scope of this audit centered on the claims processing systems that process FEHBP claims for BCBSAL, as well as the business structure and control environment in which they operate.
These systems include the local claims processing system owned and operated by BCBSAL, and the FEP Express system owned and operated by the BlueCross BlueShield Association (BCBSA). BCBSAL is an independent licensee of the BCBSA.

In conducting our audit, we relied to varying degrees on computer-generated data provided by BCBSAL. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable.

The audit was performed at BCBSAL offices in Birmingham, Alabama. These on-site activities were performed in February through April 2009. The OIG completed additional audit work before and after the on-site visits at OPM's office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at BCBSAL as of April 17, 2009.

Methodology

In conducting this review the OIG:
• Gathered documentation and conducted interviews;
• Reviewed BCBSAL's business structure and environment;
• Performed a risk assessment of BCBSAL's information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office's (GAO) Federal Information System Controls Audit Manual (FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and procedures were functioning as intended. As appropriate, the auditors used judgmental sampling in completing their compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating BCBSAL's control structure.
These criteria include, but are not limited to, the following publications:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
• Information Technology Governance Institute's CobiT: Control Objectives for Information and Related Technology;
• GAO's Federal Information System Controls Audit Manual;
• National Institute of Standards and Technology's Special Publication (NIST SP) 800-12, Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and
• HIPAA Act of 1996.

Compliance with Laws and Regulations

In conducting the audit, the OIG performed tests to determine whether BCBSAL's practices were consistent with applicable standards. While generally compliant with respect to the items tested, BCBSAL was not in complete compliance with all standards, as described in the "Audit Findings and Recommendations" section of this report.

II. Audit Findings and Recommendations

A. Security Management

The security management component of this audit involved the examination of the policies and procedures that are the foundation of BCBSAL's overall IT security controls. The OIG evaluated the adequacy of BCBSAL's ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls.
BCBSAL has implemented a conglomeration of IT security-related policies and procedures that comprise the Plan's entity-wide security program. These policies and procedures each contained a variety of elements that would be expected in a comprehensive security plan. The Plan's Information Security department, as well as the Health Insurance Portability and Accountability Act (HIPAA) Security Official, has the responsibility to develop, maintain, and provide oversight of BCBSAL's information security policies and procedures.

The OIG also evaluated BCBSAL's risk management methodology. The Information Security department at BCBSAL is responsible for conducting ongoing threat-based risk assessments. These assessments are used as a tool to identify security threats, vulnerabilities, potential impacts, and probability of occurrence. Information Security is also responsible for verifying that all of the controls associated with a risk are implemented.

The OIG also reviewed various BCBSAL security-related human resources policies and procedures. It was determined that the Plan has adequately incorporated IT security controls into the following human resources functions: hiring, termination, transfers, conflict of interest, training, and standards of conduct.

B. Access Controls

Access controls are the policies, procedures, and techniques management has put in place to prevent or detect unauthorized physical or logical access to sensitive resources.

The OIG examined the physical controls of BCBSAL's Birmingham, Alabama facility, as well as the additional controls protecting the data center within this facility. The Plan appeared to have adequate controls to ensure that only BCBSAL employees can access the facility, and that the only individuals who can access the data center are those whose job description requires access.

The OIG also examined the logical controls protecting BCBSAL's network environment and claims processing related applications.
During this review, the following controls were documented:
• Procedures for appropriately granting and disabling access to information systems;
• Procedures for reviewing existing system access for appropriateness;
• Adequate intrusion detection capabilities;
• Policies to govern the use of firewalls;
• Procedures for sanitizing media containing sensitive information;
• Procedures for appropriately authorizing system and physical access to new employees;
• Procedures for appropriately removing system and physical access for terminated employees;
• Adequate authentication controls for the local and FEP Express applications;
• Secure remote and wireless network access; and
• Procedures for monitoring and filtering network activity.

The OIG also examined the physical controls of BCBSAL's facilities. Access to both of these facilities is controlled by an electronic access card system. Card readers are located on interior and exterior doors throughout the buildings, and the system is capable of limiting an individual's access to the physical areas required by their job function. The OIG also documented additional physical controls related to the data center and network operation centers within these facilities.

C. Configuration Management

_ system is housed in a mainframe environment with _ as its security server. BCBSAL has developed formal policies and procedures providing guidance to ensure that system software is appropriately configured and updated, as well as for controlling system software configuration changes. Auditors verified that these policies are being appropriately followed and did not detect any weaknesses in BCBSAL's configuration management methodology.

The OIG also conducted a limited review of the security settings of BCBSAL's _ database and did not identify any weaknesses in the configuration settings.

D. Contingency Planning

The OIG reviewed BCBSAL's service continuity program to determine if (1) procedures were in place to protect information resources and minimize the risk of unplanned interruptions, and (2) a plan existed to recover critical operations should interruptions occur.

In an effort to assess BCBSAL's contingency planning capabilities, we evaluated documentation related to the Plan's procedures that ensure continuity of the FEHBP business unit, including:
• BCBSAL's Business Continuity Plan Supplemental Guide;
• The Incident Management Team Guide; and
• Several business units' continuity plans including the claims department and check printing plans.

The OIG found that each of these documents contains a majority of the key elements of a comprehensive service continuity program suggested by NIST SP 800-34, "Contingency Planning Guide for IT Systems." BCBSAL's service continuity documentation explicitly identifies the systems that are critical to continuing business operations, prioritizes these systems, and outlines the specific resources needed to support each system.

Each of these documents is reviewed, updated, and tested regularly. Each business unit is responsible for documenting the results of the annual disaster recovery test. The results are passed to the business recovery coordinator who is responsible for compiling the results.

E. Application Controls

Application Configuration Management

The OIG evaluated the policies and procedures governing software development and change control of the Plan's claims processing application.

BCBSAL has adopted a traditional System Development Life Cycle methodology that IT personnel follow during routine software modifications. The Plan also provided evidence indicating that an approval process is in place for change requests.
The following controls related to testing and approvals of software modifications were observed:
• BCBSAL has adopted practices that allow FEP modifications to be tracked;
• Use of parallel and unit testing is conducted in accordance with industry standards; and
• BCBSAL programmers conduct walkthroughs of the modifications as a way of testing the data.

The OIG also observed the following controls related to software libraries:
• BCBSAL utilizes a tool called Panvalet to store source code;
• BCBSAL clearly segregates application development and change control activities along organizational lines; and
• BCBSAL utilizes versioning of the source code to determine if appropriate changes are implemented as expected.

Claims Processing System

The OIG evaluated the input, processing, and output controls associated with BCBSAL's local claims processing system and the BCBSAL's FEP Express system. In terms of input controls, the OIG documented the policies and procedures adopted by BCBSAL to help ensure that: 1) there are controls over the inception of claims data into the system; 2) the data received comes from the appropriate sources; and 3) the data is entered into the claims database correctly. BCBSAL's methods for reconciling processing totals against input totals and for evaluating the accuracy of its processes were also reviewed. Auditors also examined the security of physical input and output (paper claims, checks, explanation of benefits, etc.).

Application Controls Testing

To validate the claims processing controls, a testing exercise was conducted on the BCBSAL local system and FEP Express system. This test was conducted at BCBSAL's Birmingham, Alabama facility with the assistance of BCBSAL personnel. The exercise involved developing a test plan that included real life situations to present to BCBSAL personnel in the form of institutional and professional claims.
All test scenarios were processed through the BCBSAL local claims processing system, and where appropriate, the FEP Express system. The test plan included expected results for each test case. Upon conclusion of the testing exercise, the expected results were compared with the actual results obtained during the exercise.

The sections below document the opportunities for improvement that were noted related to application controls.

1. Procedure to Diagnosis Inconsistency

A test claim was processed where benefits were paid for a procedure associated with an inappropriate diagnosis.

The OIG entered a test claim into the BCBSAL local code for a Despite the . system without encountering any edits. and was sent to FEP Express. FEP Express also processed and paid the claim without triggering any edits.

This system weakness increases the risk that benefits are being paid for procedures associated with a diagnosis that may not warrant such treatment.

Recommendation 1
We recommend that BCBSAL/BCBSA make the appropriate system modifications to ensure that claims with procedure/diagnosis inconsistencies are flagged for review.

BCBSAL Response:
"We disagree with this recommendation. BCBSAL has implemented and maintains detective system controls to ensure claims with diagnosis inconsistencies are reviewed prior to processing. In addition, BCBSAL has a comprehensive medical policy program that applies necessary controls to ensure services are medically appropriate before approved to pay. These controls were developed through extensive research which includes analysis of provider filing practices and medical records. The Plan's medical policy edits have been streamlined to ensure that only historically questionable services are pended. _ are or _ review procedures based on the diagnosis submitted. BCBSAL continuously reviews and updates its edit criteria.
Although we do not believe that it is cost effective for these types of edits to be housed in both the local Plan system and the FEP claim system, BCBSA will investigate the feasibility of implementing limited edits to identify services that are not related to the diagnosis. The development of service and diagnosis groupings will require a vast amount of work. We do not expect the analysis to be completed until 2nd quarter 2009."

OIG Reply:
We understand/acknowledge that BCBSAL may not need across-the-board medical edits. However, we intentionally did not use "normal day-to-day type of billing occurrences" to test whether the system could detect extreme cases such as the one used in the test. In addition, the response did not address the fact that not all BCBS Plans have diagnosis/procedure compatibility edits in their local systems, and some Plans enter claims directly into FEP Express. The OIG continues to believe that these vulnerabilities warrant modifications to FEP Express.

2. Provider Invalid for Procedure

Two test claims were processed where a provider was paid for services outside the scope of their license.

The OIG entered a test claim indicated that procedure. performed by an the provider/procedure inconsistency, was processed by the BCBSAL and FEP Express without encountering any edits.

_ test claim into the BCBSAL local system. This claim indicated that This procedure would generally be a surgeon. inconsistency, the claim was processed by the BCBSAL local system and FEP Express without encountering any edits.

This system weakness increases the risk that providers are being paid for services outside the scope of their license. The fact that Alabama is a "medically underserved area" does not justify this anomaly.
The BCBS benefit brochure states that in medically underserved areas, "we cover any licensed medical practitioner for any covered service performed within the scope of that license."

Recommendation 2
We recommend that BCBSAL/BCBSA make the appropriate system modifications to ensure that medical providers are not paid for services outside the scope of their license.

BCBSAL Response:
"We disagree with this recommendation, given that BCBSAL has implemented and maintains appropriate system controls to ensure that medical providers are not paid for services outside the scope of their license on a post-payment basis.

BCBSAL has been designated a Medically Underserved Area (MUA). The designation of a MUA references the lack of licensed providers available in an area for contracting purposes and the intent to contract with all that are available. Therefore, in many areas of the state, the extent of the services provided by a single physician may be very wide-ranging. Most physicians declare a specialty and often receive board certification, but with additional training and/or experience in other specialty areas, can through the life of the practice change their practice specialty to a subset or other areas of interest.

Edits exist to keep limited license practitioners such as _ from performing medical services outside their scope of practice and controls are in place which helps ensure that medical providers are paid for services within the scope of their license. The Health Care Networks Division of BCBSAL establishes the contracting relationship with providers and oversees the credentialing and verification of all providers, including their licensure and specialty information. The Health Management of Blue Cross Blue Shield of Alabama Division is responsible for medical policy creation, utilization review, detection and investigation, recovery of overpayment and potential prosecution of cases involving unlawful activity against the local Plan."
OIG Reply:
The fact that Alabama is a medically underserved area does not mean that existing benefit limitations are waived. It means additional providers may be able to be paid for providing those existing benefits as outlined on page 12 of the brochure. The brochure states:

"Medically underserved areas. In the states OPM determines are "medically underserved": Under Standard Option, we cover any licensed medical practitioner for any covered service performed within the scope of that license. Under Basic Option, we cover any licensed medical practitioner who is Preferred for any covered service performed within the scope of that license."

In addition, detective controls are not as effective and are more costly than preventative controls. We continue to recommend that system modifications be made to ensure that medical providers are not paid for services outside the scope of their license.

3. Anesthesia Benefits

A test claim was processed where a standard option member was overcharged for anesthesia services.

According to the 2009 BCBS benefit brochure, a standard option member's liability for anesthesia services at a non-participating provider is "100% of the billed amount up to a maximum of $800 per anesthetist per day."

The OIG entered a test claim into the BCBSAL local system with a standard option member receiving anesthesia services from a non-participating provider. The claim was processed by the local system and by FEP Express, and the member's liability was appropriately capped at $800. However, a similar claim was also entered where an accidental injury was indicated on the claim form, and the member liability for this claim was $1,209.

Nothing in the benefit brochure indicates that the $800 limit for anesthesia services at a non-participating provider is affected by the involvement of an accidental injury.
This system weakness increases the risk that members will be liable for charges in excess of the limits outlined in the benefit brochure.

Recommendation 3
We recommend that BCBSAL/BCBSA make the appropriate system modifications to ensure that a member's liability for anesthesia service is limited to the amounts outlined in the benefit brochure.

BCBSAL Response:
"We agree with this recommendation. The determination of a member's cost-sharing amount is a function of the FEP claims system. Effective January 1, 2009, FEP modified the payment of benefits for anesthesia services provided by non-participating providers to limit the member's out-of-pocket expense to a per day maximum of $800. However, when the updates were made in the FEP claims system to reflect this benefit change all applicable scenarios did not properly accumulate to limit the member's daily out-of-pocket expense to the $800 maximum. The FEP claims system is scheduled to have a system correction implemented on October 17, 2009.

Proactively, a preliminary listing was generated to identify those members that have exceeded the daily coinsurance limit for anesthesia services performed by non-participating providers during the period of January 1, 2009 through June 30, 2009. A minimal number of members have been underpaid as a result of this system processing error. Once this system correction has been successfully implemented, adjustments will be made to the impacted claims and additional payments will be issued to the members."

OIG Reply:
As part of the audit resolution process, we recommend that BCBSAL provide OPM's CRIS with appropriate supporting documentation indicating the steps taken to address this recommendation. We will evaluate the effectiveness of the planned October 17, 2009 system correction implementation as part of a follow-up review or during the next audit.

4. OBRA93 Assistant Surgeon

An OBRA93 test claim was priced incorrectly.
The OIG entered a test claim into the BCBSAL local system with the patient receiving services from an assistant surgeon ('AS' modifier). The patient has Medicare A only, and the claim is subject to OBRA93 pricing.

The claim was processed by the local system and FEP Express, and the assistant surgeon was paid 100 percent of the amount allowed by the Medicare fee schedule for the primary surgeon (minus the deductible and coinsurance). This resulted in an overpayment to the provider, as the Center for Medicare Services Medicare Claims Processing Manual states that assistant surgeon claims should only be paid at 13.6 percent of the Medicare fee schedule for a regular surgeon.

This system weakness was brought to the attention of BCBSA during a prior audit of the FEP Express system. BCBSA responded to the audit finding by indicating that the problem was corrected in May 2008. However, this test case indicates that the weakness still exists.

Recommendation 4
We recommend that BCBSAL/BCBSA make the appropriate system modifications to ensure that OBRA 93 claims are priced appropriately.

BCBSAL Response:
"We disagree with this recommendation. OBRA '93 pricing is handled by an outside vendor, Palmetto. The incorrect pricing of AS (Assistant Surgeon) modifier claims has been cited in several previous audits. This problem resulted from Palmetto not pricing these claims due to the complex nature of the pricing components. On May 26, 2008, Palmetto started generating pricing allowances for these claims.

The claim in question was processed on the FEP Test System, not the Production System. Claims processed in the Test System are not sent to Palmetto for pricing. In the FEP Test System, a simulator is used to identify which claims are subject to OBRA '93 pricing and the allowance and provider data may not always be updated.
Because we do not have the screen input to show the data submitted by the OPM auditors, we could not determine whether all data fields were correctly populated. However, we did randomly select a claim from our FEP Production System to demonstrate that the pricing of AS Modifier is performed correctly by Palmetto. Attached is a copy of the claim from the FEP Production System that shows that it was priced according to the Medicare Fee Schedule as illustrated Attachment 4.A."

OIG Reply:

BCBSAL/BCBSA has copies of all screen input to show the data submitted by OPM/OIG auditors. Furthermore, BCBSAL personnel took the screenshots and later provided them to OPM/OIG auditors for analysis. The simulator should represent the production environment. OPM/OIG suggests using the original data to research whether there is a problem with the simulator or with Palmetto's pricing of OBRA93 claims. We continue to recommend that BCBSAL/BCBSA make the appropriate system modifications to ensure that OBRA 93 claims are priced appropriately.

5. Chiropractor Office Visits and X-rays

The 2009 BCBS benefit brochure allows _____ and one _____ each calendar year. However, a test scenario a member receiving multiple _____ and _____s in a single calendar year.

The OIG entered two test claims into the BCBSAL local system for a standard-option member. The first claim indicated the patient received an initial _____ 2009. The second claim indicated that the same patient received a second _____ and _____ from in the same calendar year. The local system and FEP Express both claims.

This system weakness increases the risk that _____ benefits are being paid in excess of the amount outlined in the benefit brochure. Nothing from the brochure indicates that _____ benefit limitations are waived for medically underserved states such as Alabama.

Recommendation 5

We recommend that BCBSAL/BCBSA make the appropriate system modifications to ensure that chiropractic benefits are paid in accordance with the BCBS benefit brochure.
BCBSAL Response:

"We agree with 1, 2009, FEP implemented a benefit to one per year. When this change was implemented, was only to those Plans not as Medically Underserved (MUA) by OPM. In MUA service areas, allowed to perform covered professional services that are normally These professional services include visits, It has been difficult to determine the requirements to limit in MUA service areas to one visit per year in the FEP claims often have multiple diagnoses that also include manipulations. It would be incorrect not to allow these visits for MUA service areas. We continue to explore how to per year. During the period of January to a total of 97,722 visits have been processed with procedure codes for some form of office visit. To stop each claim for manual review would impact member service and increase member inquiries. The FEP Director Office's staff will continue to pursue a resolution of this issue with the Contracting Officer."

OIG Reply:

We acknowledge the steps being taken to ensure that chiropractic benefits are paid in accordance with the BCBS benefit brochure. As part of the audit resolution process, we recommend that BCBSAL/BCBSA provide OPM's CRIS with appropriate supporting documentation indicating the steps taken to address this recommendation.

6. OBRA90 with Status Code 43

An OBRA90 claim with a patient status code of 43 was incorrectly priced.

The OIG entered a test claim for services provided in 2008 into the BCBSAL local system with a patient who is enrolled in Medicare part B only; this claim is subject to OBRA90 pricing. The local system processed this claim and passed it to FEP Express. FEP Express appropriately suspended the claim for Medicare information. The claims processors entered into the system the Medicare Explanation of Benefit information provided by the auditors. The claim was then processed and priced by FEP Express.
Auditors priced this claim with the current version of the 2008 PC CMS PRICER program and found that the Medicare Diagnosis Related Group amount produced by the PRICER did not match the amount indicated in the test claim. In past audits, OIG determined that FEP Express has inappropriately priced claims with status code 43 as a "transfer." However, pricing this claim as a transfer on the PC PRICER does not yield the amount produced in the test case.

Recommendation 6

We recommend that BCBSAL/BCBSA implement the appropriate system modifications to ensure that OBRA90 claims are priced appropriately.

BCBSAL Response:

"We disagree with this recommendation. The issue of reducing the DRG Allowance for patient status codes other than "02" was identified in several previous FEP EDP Audits in the past. As a result, system changes were made to the FEP claims system to limit the application of the OBRA '90 Transfer Pricing Reduction to Patient Status 02. This system correction was implemented in the FEP claims system on April 4, 2009. We have adjudicated two claims on our claims test system with the same condition to demonstrate that the FEP Mainframe OBRA '90 Pricer was functioning according to CMS regulations. One of the claims was for Patient Status 01 (discharged to home or self care /routine discharge) and the other one was for Patient Status 43 (Discharged/transferred to federal care facility). These results are in Attachments 6.A (Patient Status 01) and 6.B (Patient Status 43). The attached results indicate that the same DRG Allowances were generated for Patient Status 01 and Patient Status 43. There was no reduction in the DRG Allowance for these claims. These test claims support our position that the system correction implemented in April 2009 and is properly pricing these claims."

OIG Reply:

Based on the information provided and the analysis of the information by OPM/OIG we were unable to determine if the appropriate system modifications to ensure that OBRA90 claims are priced appropriately have been implemented. We will evaluate modifications to the FEP claims systems as part of a follow-up review or during the next audit.

7. OBRA90 PRICER Updates

BCBSAL OBRA90 claims are being processed with an outdated version of the 2009 CMS PRICER program.

The OIG entered four test claims that are subject to OBRA90 pricing into the BCBSAL local system. The local system sent the claims to FEP Express where they were processed and priced. The auditors priced each claim with the PC CMS PRICER program and compared the Medicare DRG amount produced by the PRICER to the amount produced in the test case.

In each of the four test claims, the Medicare DRG amount produced by the current version of the 2009 PRICER did not match the amount produced in the test case. The auditors priced each claim again using the original (now outdated) version of the 2009 CMS PRICER program, and in each case the Medicare DRG amount matched that from the test case.

The OIG believes that this indicates that FEP Express is processing OBRA90 claims with an outdated version of the CMS PRICER. As a result, BCBSAL/BCBSA has incorrectly priced all OBRA90 claims processed after January 1, 2009.

Recommendation 7

We recommend that BCBSAL/BCBSA implement the appropriate system modifications to ensure that OBRA90 claims are priced with the correct version of the CMS PRICER.

BCBSAL Response:

"We agree with this recommendation. The FEP Operations Center's OPM approved OBRA '90 Mainframe Pricer is the official mechanism used to price all FEP claims meeting the OBRA '90 requirements. In the past, OPM provided FEP with any updates to the OBRA '90 Pricer. Recently, FEP began obtaining the updates directly from CMS.
When the first updates were received, it was discovered that the type of tape used by CMS was no longer supported by the FEP Data Center. In order to use the CMS tapes, the Operations Center had to find a vendor to convert them into an alternative tape format for usage in the FEP claims system Mainframe OBRA '90 Pricer. This process resulted in a delay in implementing the CMS updates. All updates received first and second quarters 2009 were updated by July 17, 2009, and re-pricing of the impacted OBRA '90 claims will occur prior to year-end 2009. Attachment 7.A is a schedule of when the updates were received from the various sources and the dates that the changes were implemented into the FEP Mainframe OBRA '90 Pricer. Since there was a delay to the April 4, 2009 update to the OBRA '90 Pricer, this could account for the different pricing generated during the claims testing process."

OIG Reply:

As part of the audit resolution process, we recommend that BCBSAL/BCBSA provide OPM's CRIS with appropriate supporting documentation indicating the steps taken to address this recommendation. We will evaluate the effectiveness of the 2009 updates as part of a follow-up review or during the next audit.

F. Health Insurance Portability and Accountability Act

The OIG reviewed BCBSAL's efforts to maintain compliance with the security, privacy, and national provider identifier standards of HIPAA.

Nothing came to our attention that caused us to believe that BCBSAL is not in compliance with the various requirements of these HIPAA regulations. BCBSAL has implemented a series of IT security policies and procedures to adequately address the requirements of the HIPAA security rule. BCBSAL has also developed a series of privacy policies and procedures that directly addresses all requirements of the HIPAA privacy rule. The documents related to the HIPAA privacy and security rules are readily available to all BCBSAL employees via the company's Intranet.
BCBSAL employees receive privacy and security related training during new hire orientation, as well as periodic subsequent training as needed.

In addition, the OIG documented that BCBSAL has adopted the national provider identifier as the standard unique health identifier for health care providers, as required by HIPAA.

III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

• Group Chief
• Auditor-In-Charge
• IT Auditor
• IT Auditor

Appendix

BlueCross BlueShield Association
An Association of Independent Blue Cross and Blue Shield Plans
Federal Employee Program
1310 G Street, N.W.
Washington, D.C. 20005
202.942.1000

August 11, 2009

Chief
Information Systems Audits Group
Insurance Service Programs
Office of Personnel Management
1900 E Street, N.W., Room 6400
Washington, D.C. 20415

Reference: OPM DRAFT EDP AUDIT REPORT
Alabama Blue Cross Blue Shield
Audit Report Number 1A-10-09-09-020

Dear _____:

This report is in response to the above-referenced U.S. Office of Personnel Management (OPM) Draft Audit Report covering the Federal Employees' Health Benefits Program (FEHBP) Audit of Information Systems General and Application Controls for Alabama Blue Cross Blue Shield Plan's interface with the FEP claims processing system, access and security controls. Our comments regarding the findings in the report are as follows:

A. APPLICATION CONTROLS

1. Procedure to Diagnosis Inconsistency

The OIG recommended that Blue Cross Blue Shield of Alabama (BCBSAL) and Blue Cross Blue Shield Association (BCBSA) make appropriate system modifications to ensure that claims with procedures/diagnosis inconsistencies are flagged for review.

We disagree with this recommendation.
BCBSAL has implemented and maintains detective system controls to ensure claims with diagnosis inconsistencies are reviewed prior to processing. In addition, BCBSAL has a comprehensive medical policy program that applies necessary controls to ensure services are medically appropriate before approved to pay. These controls were developed through extensive research which includes analysis of provider filing practices and medical records. The Plan's medical policy edits have been streamlined to ensure that only historically questionable services are pended, thus limiting payment delays and the corresponding impact to member and provider service and satisfaction.

Several years ago the Plan broadened its "procedure to diagnosis" consistency edits; however, over time found that a very high percentage of pended claims were determined to be medically necessary. Also, often providers do not flag each line of the claim with the specific diagnosis for that service, but instead use the presenting diagnosis for all services rendered. While BCBSAL no longer has across-the-board edits for diagnosis/procedure consistency, there are hundreds of edits in place that pay, reject or suspend for review procedures based on the diagnosis submitted.

BCBSAL continuously reviews and updates its edit criteria. The guidelines and criteria are reviewed in relation to (1) changes in current medical practices/medical policy (2) Blue Cross Blue Shield or FEP bulletins and recommendations from the BCBSAL Medical Director. BCBSAL also has comprehensive edits and analysis in place to identify actual provider and member fraud.

BCBSAL takes its responsibility for determining whether or not covered services, medical treatments/procedures, supplies and drugs meet the criteria for medical necessity very seriously. The BCBSAL Plan's extensive experience and proven performance in accurately processing claims is based on a thorough yet targeted approach to identifying those situations that warrant review.
The situations used by the auditors were not the normal day-to-day types of billing occurrences. No process is absolute but provides reasonable assurance that the controls are effective.

Blue Cross and Blue Shield of Alabama believes that their edits are sufficient to identify services submitted that are not related to the diagnosis. Although we do not believe that it is cost effective for these types of edits to be housed in both the local Plan system and the FEP claim system, BCBSA will investigate the feasibility of implementing limited edits to identify services that are not related to the diagnosis. The development of service and diagnosis groupings will require a vast amount of work. We do not expect the analysis to be completed until 2nd quarter 2009.

2. Provider Invalid for Procedure

The OIG recommended that BCBSAL make appropriate system modifications to ensure that medical providers are not paid for services outside the scope of their license.

We disagree with this recommendation, given that BCBSAL has implemented and maintains appropriate system controls to ensure that medical providers are not paid for services outside the scope of their license on a post payment basis.

BCBSAL has been designated a Medically Underserved Area (MUA). The designation of a MUA references the lack of licensed providers available in an area for contracting purposes and the intent to contract with all that are available. Therefore, in many areas of the state, the extent of the services provided by a single physician may be very wide-ranging. Most physicians declare a specialty and often receive board certification, but with additional training and or experience in other specialty areas, can through the life of the practice change their practice specialty to a subset or other areas of interest.
Edits exist to keep limited license practitioners such as _____ from performing medical services outside their scope of practice and controls are in place which helps ensure that medical providers are paid for services within the scope of their license.

The Health Care Networks Division of BCBSAL establishes the contracting relationship with providers and oversees the credentialing and verification of all providers, including their licensure and specialty information.

The Health Management of Blue Cross Blue Shield of Alabama Division is responsible for medical policy creation, utilization review, detection and investigation, recovery of overpayment and potential prosecution of cases involving unlawful activity against the local Plan. Also, due to the liberty allowed licensed medical professionals in its service area, the Plan does not have pre-payment edits in place to identify providers rendering services outside of the scope licensure. The Plan does have post-payment review processes conducted by its Special Investigation Unit and Utilization Review areas to identify abnormal billing practices.

3. _____ Benefits

The OIG recommended that BCBSAL/BCBSA make the appropriate system modifications to ensure that a member's liability for _____ service is limited to the amounts outlined in the benefit brochure.

We agree with this recommendation. The determination of a member's cost-sharing amount is a function of the FEP claims system. Effective January 1, 2009, FEP modified the payment of benefits for _____ services provided by non-participating providers to limit the member's out-of-pocket expense to a per day maximum of $800. However, when the updates were made in the FEP claims system to reflect this benefit change all applicable scenarios did not properly accumulate to limit the member's daily out-of-pocket expense to the $800 maximum. The FEP claims system is scheduled to have a system correction implemented on October 17, 2009.
Proactively, a preliminary listing was generated to identify those members that have exceeded the daily coinsurance limit for anesthesia services performed by non-participating providers during the period of January 1, 2009 through June 30, 2009. A minimal number of members have been underpaid as a result of this system processing error. Once this system correction has been successfully implemented, adjustments will be made to the impacted claims and additional payments will be issued to the members.

4. OBRA '93 Assistant Surgeon

The OIG recommended that BCBSAL/BCBSA make the appropriate system modifications to ensure that OBRA 93 claims are priced appropriately.

We disagree with this recommendation. OBRA '93 pricing is handled by an outside vendor, Palmetto. The incorrect pricing of AS (Assistant Surgeon) modifier claims has been cited in several previous audits. This problem resulted from Palmetto not pricing these claims due to the complex nature of the pricing components. On May 26, 2008, Palmetto started generating pricing allowances for these claims.

The claim in question was processed on the FEP Test System, not the Production System. Claims processed in the Test System are not sent to Palmetto for pricing. In the FEP Test System, a simulator is used to identify which claims are subject to OBRA '93 pricing and the allowance and provider data may not always be updated. Because we do not have the screen input to show the data submitted by the OPM auditors, we could not determine whether all data fields were correctly populated. However, we did randomly select a claim from our FEP Production System to demonstrate that the pricing of AS Modifier is performed correctly by Palmetto. Attached is a copy of the claim from the FEP Production System that shows that it was priced according to the Medicare Fee Schedule as illustrated Attachment 4.A.
5.

The OIG recommended that BCBSAL/BCBSA make the appropriate system modifications to ensure that are paid in accordance with the BCBS benefit brochure.

We agree with this finding. Effective _____ implemented a benefit change to _____ one per year. When this change was _____ was applied only to those Plans not designated as Medically Underserved (MUA) by OPM. In MUA service areas, Chiropractors are allowed to perform covered professional services that are normally provided by physicians. These professional services include been difficult to determine the requirements to _____ in MUA service areas to one visit per year in system because office visits often have multiple diagnoses that also include manipulations. It would be incorrect not to allow these visits for MUA service areas. We continue to explore how to in MUA service areas to one per year.

1, 2009 to June 30, 2009, a total of 97,722 visits have been processed with procedure codes for some form of office visit. To stop each claim for manual review would impact member service and increase member inquiries. The FEP Director Office's staff will continue to pursue a resolution of this issue with the Contracting Officer.

6. OBRA '90 with Status Code 43

The OIG recommended that BCBSAL/BCBSA implement the appropriate system modifications to ensure that OBRA90 claims are priced appropriately.

We disagree with this recommendation. The issue of reducing the DRG Allowance for patient status codes other than "02" was identified in several previous FEP EDP Audits in the past. As a result, system changes were made to the FEP claims system to limit the application of the OBRA '90 Transfer Pricing Reduction to Patient Status 02. This system correction was implemented in the FEP claims system on April 4, 2009. We have adjudicated two claims on our claims test system with the same condition to demonstrate that the FEP Mainframe OBRA '90 Pricer was functioning according to CMS regulations.
One of the claims was for Patient Status 01 (discharged to home or self care /routine discharge) and the other one was for Patient Status 43 (Discharged/transferred to federal care facility). These results are in Attachments 6.A (Patient Status 01) and 6.B (Patient Status 43). The attached results indicate that the same DRG Allowances were generated for Patient Status 01 and Patient Status 43. There was no reduction in the DRG Allowance for these claims. These test claims support our position that the system correction implemented in April 2009 and is properly pricing these claims.

7. OBRA '90 Pricer Updates

The OIG recommended that BCBSAL/BCBSA implement the appropriate system modifications to ensure that OBRA90 claims are priced with the correct version of the CMS Pricer.

We agree with this recommendation. The FEP Operations Center's OPM approved OBRA '90 Mainframe Pricer is the official mechanism used to price all FEP claims meeting the OBRA '90 requirements. In the past, OPM provided FEP with any updates to the OBRA '90 Pricer. Recently, FEP began obtaining the updates directly from CMS. When the first updates were received, it was discovered that the type of tape used by CMS was no longer supported by the FEP Data Center. In order to use the CMS tapes, the Operations Center had to find a vendor to convert them into an alternative tape format for usage in the FEP claims system Mainframe OBRA '90 Pricer. This process resulted in a delay in implementing the CMS updates. All updates received first and second quarters 2009 were updated by July 17, 2009, and re-pricing of the impacted OBRA '90 claims will occur prior to year-end 2009. Attachment 7.A is a schedule of when the updates were received from the various sources and the dates that the changes were implemented into the FEP Mainframe OBRA '90 Pricer.
Since there was a delay to the April 4, 2009 update to the OBRA '90 Pricer, this could account for the different pricing generated during the claims testing process.

We appreciate the opportunity to provide our response to this Draft Audit Report and request that our comments be included in their entirety as an amendment to the Final Audit Report.

Attachments

cc:
Audit of Information Systems General and Application Controls at Bluecross Blueshield of Alabama
Published by the Office of Personnel Management, Office of Inspector General on 2009-11-05.