/
u.s. OFFICE OF PERSONNEL MANAGEMENT
OFFicE OF TflErNSPECTOR GENERAL .
OFFICE OF AUDITS
. .
Final Aut1it Report
Date: .
••CAUTION-
nil! 1111.111 hpvrt'~'~end;Slrlb"itd ftJ Fhlual ami Non·FedeTal nffitiab who m ; rtspo~;'bI~ for l~c,dJnOBUll'1llloa Of tlu; audliid
COOl1:UI; This ~ud_i l rtp<lffmay writa,,, Ill'Oprictuydala whkt:. ilI-pt'{II(d~d by Ftdtrallll* (HI U.s.c. 1"'5). ;rht;rdo~...hi!{> thlJ alldit
rtpIlft' b ;lY3i1111Ie IIlIdertitcFretdem oflll'forlD3iiofl At( ~~d mlld t ,V:liJbbh- 11)' III;r; PIINit 'O lllht, OJGWtbplIge,ulloon 11«&:10 be
o:ncikd hdo~rtJt1Uinglhc J'tport 10 llie gt Mrat I'liblie-lt! Ilmay'«IlIIfala ~i4ry ,jllrftrn~bliiilfttLalm> ~tdadfd from Ibe publicly
didril.mttd COpY. ' "
UNITED STATES OFFlCE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the
Inspector G~l\Cral
Audit Report
FEDERAL EMPLOYEES HEALTIJ BENEFITS PROGRAM
CONTRACT CS 1039
BLUECROSS BLUESHIELD OF ALABAMA
PLAN CODES 010/510
BIRMINGHAM, ALABAMA
Report No. lA-IO-09-09-020
Dote: November 5, 2009
~/~
Micbael R. Esser
Assistant Inspector General
for Audits
--. =----------------~ -====
"' ......lI p!» .gll'" ,,".. ,.. "<\aloft$.I1""
UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
OffiC(: of Che
ln~pe>:tor Gcrt~cl
Exccuth'c Summary
FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT CS 1039
BLUECROSS BLUESHIELD OF ALABAMA
PLAN CODES 010/510
BIRMINGHAM, ALABAMA
Report No. IA-IO-09-09-020
Date: November 5, 2009
TIllS final report discusses the results ofour audit of general and application controls over the
information systems at BlueCross B1ueShield of Alabama (BCBSAL).
Our audit focused on the claims processing applications used to adjudicate Federal Employees
Health Benefits Program (FEHBP) claims. for BCBSA L. as well as the various processes and
information tochnology (IT) systems used to support these applications. We documented
controls in place and opportunities for improvement in each of the areas below.
Security Management
BCBSAL has established a comprehensive series of IT policies and procedures to create an
awareness of IT security at the Phm. BCBSAL has al~o implemented an adequate risk
assessment methodology, incident response capabilities, and IT security·reJated human resources
controls.
Access Controls
We found that BCBSAL has implemented numerous physical controls to prevent unauthorlzed
access to its facibties, as weB as logical controls to prevent unauthorized access 10 its
information systems,
www.oprn·c()¥
Configuration Management
BCBSAL has established policies and procedures to ensure that modifications to application
software occur in a controlled environment. In addition, BCBSAL has implemented a thorough
system software change control methodology that calls for the utilization of a change
management tool to control and track changes.
Contingency Planning
We reviewed BCBSAL's business continuity plans and concluded that they contained many of
the key elements suggested by relevant guidance and publications. We also determined that
these documents are reviewed, updated, and tested on a periodic basis.
Application Controls
BCBSAL has implemented many controls in its claims adjudication process to ensure that
FEHBP claims are processed accurately. However, we recommended that BCBSAL implement
several system modifications to ensure that its claims processing systems adjudicate FEHBP
claims in a manner consistent with the OPM contract and other regulations.
Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that BCBSAL is not in compliance with
the HIP AA security, privacy, and national provider identifier regulations.
ii
Contents
Page
Executive Summary ..........................................................................................................................i
I. Introduction .................................................................................................................................. I
Background.................................................................................................................................. I
Objectives .................................................................................................................................... I
Scope ........................................................................................................................................... 2
Methodology................................................................................................................................2
Compliance with Laws and Regulations ..................................................................................... 3
II. Audit Findings and Recommendations ....................................................................................... 4
A. Security Management ............................................................................................................ 4
B. Access Controls .....................................................................................................................4
C. Configuration Management ................................................................................................... 5
D. Contingency Planning ............................................................................................................ 5
E. Application Controls .............................................................................................................. 6
F. Health Insurance Portability and Accountability Act .......................................................... 15
III. Maj or Contributors to This Report .......................................................................................... 16
Appendix: B1ueCross BlueShield Association's August I I, 2009 response to the draft audit
report issued June 3, 2009.
I. Introduction
This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims at BlueCross BlueShield of
Alabama (BCBSAL).
The audit was conducted pursuant to Contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code of
Federal Regulations (CFR) Chapter I, Part 890. The audit was performed by the U.S. Office of
Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.
Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter I, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.
BCBSAL headquarters is located in Birmingham, Alabama. Employees responsible for
processing FEHBP (also, Federal Employee Program or FEP) claims are located at the Plan's
facility in Birmingham, Alabama. BCBSAL' s local claims processing system is housed in a
mainframe environment with the Z/OS operating platform and IBM's Resource Allocation
Control Facility (RACF) as its security server.
This was the OIG's first audit of general and application controls at BCBSAL. BCBSAL's
compliance with the Health Insurance Portability and Accountability Act (HIP AA) was also
reviewed.
All BCBSAL personnel that worked with the auditors were particularly helpful and open to ideas
and suggestions. They viewed the audit as an opportunity to examine practices and to make
changes or improvements as necessary. Their positive attitude and helpfulness throughout the
audit was greatly appreciated.
Objectives
The objectives ofthis audit were to evaluate controls over the confidentiality, integrity, and
availability ofFEHBP data processed and maintained in BCBSAL's IT environment.
These objectives were accomplished by reviewing the following areas:
• Security management;
• Access controls;
• Configuration management;
• Segregation of duties;
I
• Contingency planning;
• Application controls specific to BCBSAL's claims processing systems; and
• HIPAA compliance.
Scope
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, the OIG
obtained an understanding of BCBSAL' s internal controls through interviews and observations,
as well as inspection of various documents, including information technology and other related
organizational policies and procedures. This understanding of BCBSAL' s internal controls was
used in planning the audit by determining the extent of compliance testing and other auditing
procedures necessary to verify that the internal controls were properly designed, placed in
operation, and effective.
The OIG evaluated the confidentiality, integrity, and availability ofBCBSAL's computer-based
information systems used to process FEHBP claims, and found that there are opportunities for
improvement in the information systems' internal controls. These areas are detailed in the
"Audit Findings and Recommendations" section of this repolL
The scope of this audit centered on the claims processing systems that process FEHBP claims for
BCBSAL, as well as the business structure and control envirorunent in which they operate.
These systems include the local claims processing system owned and operated by BCBSAL, and
the FEP Express system owned and operated by the B1ueCross BlueShield Association
(BCBSA). BCBSAL is an independent licensee ofthe BCBSA.
In conducting our audit, we relied to varying degrees on£omputer-generated data provided by
BCBSAL. Due to time constraints, we did not verify the reliability of the data used to complete
some. of our audit steps, but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.
The audit was performed at BCBSAL offices in Birmingham, Alabama. These on-site activities
were performed in February through April 2009. The OIG completed additional audit work
hefore and after the on-site visits at OPM's office in Washington, D.C. The findings,
recommendations, and conclusions outlined in this report are based on the status of information
system general and application controls in place at BCBSAL as of Aprill7, 2009.
Methodology
In conducting this review the DIG:
• Gathered documentation and conducted interviews;
• Reviewed BCBSAL's business structure and envirorunent;
• Perfomled a risk assessment of BCBSAL's infonnation systems envirorunent and
applications, and prepared an audit program based on the assessment and the Government
2
Accountability Office's (GAO) Federal Information System Controls Audit Manual
(FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and
procedures were functioning as intended. As appropriate, the auditors used judgmental
sampling in completing their compliance testing.
Various laws, regulations, and industry standards were used as a guide to evaluating BCBSAL's
control structure. This criteria includes, but is not limited to, the following publications:
• Office of Management and Budget (OMB) Circular A-l30, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information;
• Information Technology Governance Institute's CobiT: Control Objectives for Information
and Related Technology;
• GAO's Federal Information System Controls Audit Manual;
• National Institute of Standards and Technology's Special Publication (NIST SP) 800-12,
Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Infomlation Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information
Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
Security Rule; and
• HIPAA Act of1996.
Compliance with Laws and Regulations
In conducting the audit, the OIG performed tests to determine whether BCBSAL's practices w.ere
consistent with applicable standards. While generally compliant with respect to the items tested,
BCBSAL was not in complete compliance with all standards, as described in the "Audit Findings
and Recommendations" section of this report.
3
II. Audit Findings and Recommendations
A. Security Management
The security management component of this audit involved the examination of the policies and
procedures that are the foundation of BCBSAL's overall IT security controls. The OIG
evaluated the adequacy of BCBSAL's ability to develop security policies, manage risk, assign
security-related responsibility, and monitor the effectiveness of various system-related controls.
BCBSAL has implemented a conglomeration ofIT security-related policies and procedures that
comprise the Plan's entity-wide security program. These policies and procedures each contained
a variety of elements that would be expected in a comprehensive security plan. The Plan's
Information Security department, as well as the Health Insurance Portability and Accountability
Act (HIPAA) Security Official, has the responsibility to develop, maintain, and provide
oversight ofBCBSAL's information security policies and procedures.
The OIG also evaluated BCBSAL's risk management methodology. The Information Security
department at BCBSAL is responsible for conducting ongoing threat-based risk assessments.
These assessments are used as a tool to identifY security threats, vulnerabilities, potential
impacts, and probability of occurrence. Information Security is also responsible for verifying
that all of the controls associated with a risk are implemented.
The OIG also reviewed various BCBSAL security-related human resources policies and
procedures. It was determined that the Plan has adequately incorporated IT security controls into
the following human resources functions: hiring, termination, transfers, conflict of interest,
training, and standards of conduct.
B. Access Controls
Access controls are the policies, procedures, and techniques management has put in place to
prevent or detect unauthorized physical or logical access to sensitive resources.
The OIG examined the physical controls ofBCBSAL's Birmingham, Alabama facility, as well
as the additional controls protecting the data center within this facility. The Plan appeared to
have adequate controls to ensure that only BCBSAL employees can access the facility, and that
the only individuals who can access the data center are those whose job description requires
access.
The 01G also examined the logical controls protecting BCBSAL's network environment and
claims processing related applications. During this review, the following controls were
documented:
• Procedures for appropriately granting and disabling access to infom1ation systems;
• Procedures for reviewing existing system access for appropriateness;
• Adequate intrusion detection capabilities;
• Policies to govern the use of firewalls;
• Procedures for sanitizing media containing sensitive information;
4
• Procedures for appropriately authorizing system and physical access to new employees;
• Procedures for appropriately removing system and physical access for tcnninated
empl oyees;
• Adequate authentication controls for the local and FEP Express applications;
• Secure remote and wireless nelwork access; and
• Procedures for monitoring and filtering network activity.
The OIG also examined the J)hysical controls of BCBSAL's facilities. Access to both of these
facilities is (;onlJolled by an electronic access card system. Card readers are located on tnterioT
and exterior doors throughout the buildings, and the system is capable of limiting an individual 's
access to the physjcal areas required by their job fwlCtion. The OIG also documented additional
pl1ysical cont.rol s rehlted to the data center and network operation centers within these facilities.
C. Configuration Manae:ement
~~~~ '!.y,tem is housed in a mainframe environment w i t h _
as its security server.
BCBSAL has developed fo rmal policies and procedures prov iding guidance \ 0 ensure that
system software is appropriately configured and updated. as well as fo r controll ing system
software configuration changes. Auditors verified that these policies arc being appropriately
fonowed and did not detect any weaknesses in BCBSAL's conJiguration management
methodology.
The OIG also conducted a limited review of the security settings ofBCBSAL's ~atabase
and did not identify any weaknesses in the configuration settings.
D. Contingency Planning
The Ola reviewed BCBSAL' s service continuity program to dctcmlinc if ( 1) procedures were in
place to protect infonnation resources and minimize the dsk of unpianned inlerruptions, and (2)
a pJan exi~1.ed to recover t..i tical opemtions should intemlptiQns occur.
In an cffo11 to assess BCBSAL' s contingency planning capabilities, we evaluated documentation
related to the Plan' s procedures that ensure continuity of the FEHBP business 'unit, including:
• BCBSAL' s Business Continuity Plan Supplemental Guide;
• The Incident Management Team Guide; and
• Severa) business units' continuity plans including the claims department and cbeck printing
plans.
The OIG found that each of these documents contain a majority of the key elements of a
comprehensive service continuity program suggested by NIST SP 800·34, "Contingency
Planning Guide for IT Systems." BCBSAL's service continuity documentation explicitly
identifies the systems that are critical to continuing busine....." operations, prioritizes these systems,
and outlines the specific rc~ou rc es needed to support each system.
5
Each of these documents are reviewed, updated, and tested regularly. Each business unit is
responsible for documenting the results of the annual disaster recovery test. The results are
passed to the business recovery coordinator who is responsible for compiling the results.
E. Application Controls
Application Configuration Management
The OlG evaluated the policies and procedures governing software development and change
control of the Plan's claims processing application.
BCBSAL has adopted a traditional System Development Life Cycle methodology that IT
personnel follow during routine software modifications. The Plan also provided evidence
indicating that an approval process is in place for change requests. The following controls
related to testing and approvals of software modifications were observed:
• BCBSAL has adopted practices that allow FEP modifications to be tracked;
• Use of parallel and unit testing is conducted in accordance with industry standards; and
• BCBSAL programmers conduct walkthroughs of the modifications as a way of testing the
data.
The OlG also observed the following controls reIated to software libraries:
• BCBSAL utilizes a tool called Panvalet to store source code;
• BCBSAL clearly segregates application development and change control activities along
organizational lines; and
• BCBSAL utilizes versioning of the souree code to determine if appropriate changes are
implemented as expected.
Claims Processing System
The OIG evaluated the input, processing, and output controls associated with BCBSAL's local
claims processing system and the BCBSAL's FEP Express system. In terms of input controls,
the OIG documented the policies and procedures adopted by BCBSAL to help ensure that: 1)
there are controls over the inception of claims data into the system; 2) the data received comes
from the appropriate sources; and 3) the data is entered into the claims database correctly.
BCBSAL's methods for reconciling processing totals against input totals and for evaluating the
accuracy of its processes were also reviewed. Auditors also examined the security of physical
input and output (paper claims, checks, explanation of benefits, etc.).
Application Controls Testing
To validate the claims processing controls, a testing exercise was conducted on the BCBSAL
local system and FEP Express system. This test was conducted at BCBSAL's Birmingham,
Alabama facility with the assistance of BCBSAL persolUJel. The exercise involved developing a
test plan that included real life situations to present to BCBSAL persolUJel in the form of
institutional and professional claims. All test scenarios were processed through the BCBSAL
local claims processing system, and where appropriate, the FEP Express system. The test plan
included expected results for each test case. Upon conclusion of the testing exereise, the
expected results were compared with the actual results obtained during the exercise.
6
The sections below document the opportunities for improvement thnt \vere noted related to
application controls.
1. Procedure to Diagnosis Inconsistency
A test claim was processed where benefits were paid for a procedure associated with an
inappropriate diagnosis.
The OIa entered a test claim into the BCBSAL local code for a
Despite the
. system without
encoontering any edits. and was sent to FEP Express. FEP Express also procc!)sed and paid
the claim without triggering any edits.
This system weakness increases Ihe risk that benefits are being paid for procedures
associated with a diagnosis that may not warrant such treatment.
Recommend.lion 1
We recommend that BCBSALfBCBSA make the appropriate system modifications to ensure
that claims with pJocedure/diagnosis inconsistencies are flagged for review.
BCBSAL Response:
"We disagree with this recommendation. BCBSAL has implemented and maintains
del£clive system controls to ensur~ c/aimf with diagnosis inconsistencies ore reviewed prior
to processillg. In addition, BCBSAL has u comprehel,sive mediaJl policy program that
applies necessary controls to ensure services are medically appropriate before approved to
pay. These controls were developed through extensive research which includes analysis 0/
prOl'ider filing practices and medic(1/ records. The Plan's mediaII policy edits kal'e been
streamlined to ensure that only historically questionable services are pended..•
are or ., u$J"n,f/01 rev;,,,,, p,'oe"dures b'lSed
Oil the diuguosis submitted. RCBSAL continuou.dy reviews alld updates its edit criteria.
Although we do not believe that it is cost effectil'efor these types ofedits to be housed in
both the locol Plan system and the FE? claim lYl·tem, BCBSA will ;nve:;tigate the
feasibility (If implementing limited ediJs 10 identify serll;ces that lire not related to the
diagnosis. The development 0/service and diagnosis groupings will require a J'asl amoulft
o/work. We do not expect/he Dualysis to be completed until 2nd quarter 2009.'"
7
QIG Reply:
We lIDderstand/acknowledge that BCBSAL may not need acros.<Hhe-board medicaJ edits.
However. we intentionally did not usc "normal day~to-day type of hiHing occurrences" to tcst
whether the system could detect extreme cases sllch as the one used in the test. In addition,
the response did not address the fact that nol all BeBS Plans have diagnosis/procedure
compatibility c-dits in their local systems, and some Plans entcr claims directly into FEP
Express. The OIG continues to beli(':ve that these vulnerabilities warrant modifications to
FEP Express.
2. Provider Invalid for Procedure
T\Y\) teh1 claims were processed where a provider was paid for services olltside the scope of
their license.
The 01G ("'1ltered a test
claim indicated that
procedure. performed by an
the provider/procedure inconsistency, was processed bvthe I>C.t>'''\L
and FEP Express without encountering any edits.
~~~~~~i!r test claim into the BCBSAL local system. This
claim indicated that This procedure
would generally be a surgeon. inconsistency,
the claim was processed by the BCBSAL local system and FEP Express without
encountering any edits.
This system weakness increases tJle risk that providers are being paid for services outside the
scope of their license. The fact that Alabama is a "medically underscrvcd area" docs not
justiry this anomaly. The BeBS benefit brochure states that in medically underserved are-dS,
"we cover any licensed medical pnlctitioner for any covered service performed within the
scope of/hat license."'"
Recommendation 2
We recommend that BCBSALIBCBSA make the appropriate system modifications to ensure
that medical providers are not paid for services outs,ide the scope of their license.
BCBSAL Response:
"We disagree with this recommendation, given that8CBSAL has implemented and
mointaitlS appropriate system controls (0 ensure that medical providers are not paillfor
services ouL'iide Ihe scope ojtheir license on a po.,·'paymenJ bllsis. BeBSAL lIas been
aeJ'ignaled n Medically UnderservedArea (MUA). The designation 0/ Q ftlUA references
Ihe lach ofJicellsed providers available in (In area jor contracting purposes and the intent
to contract with alltltat are available. Therefore, in many areas ofllle state, the extent of
the services providet! by a single physician may be very wide-runging. Mo:J'I physicians
declare a specialty and often receive board certificatio,l, but with additiollal training alld
8
or experirnce ill other specialty areas, can through the lift! oftire practice change tl,e;r
practice rpttialty to a subset or other areas of iI,/crest, Edits exist to kup limited license
practitioners such QS~rom perJorming mediml services ollt!;ide their scope oj
prac/i('e and controls are in piau whid, helps ellsure that medical prol,iden are paid/or
senices within the j 'COpt oJtheir license. The Health Care Networks Divisum ofBCBSAL
eSfahlides tire contracting rellllionship with providers and overst!£s the credentialing and
verification of aI/ providers, including their licensure and specialty information. The
llealth l\fanagemenl of Bille Cross Blue Shield oj Alabama D;vi,'~ion i., re.rponsibleJor
medical policy creation. U/Uizat;on re,-jew. detection and invesligatioll, reco~ery of
overpayment and potential prosecution 0/ cases illvolving unlaW/ill activity against the
local Plan.
OIG Reply:
The fact that Alabama is a medi cally ullderserved area does not mean that existing benefit
limitations are \vaived. It means, additional providers may be able to be paid for providing
those eJC isting benefits as outlined on page 12 ofibe brochure. The brochure states:
"Medically undenerved areas. In the states OPM detennines are "medically
uodcrscrved:
Under Standard Option, we cover any licensed medical practitioner for any covered
service performed within the scope of that license.
Under Basic Option, we cover any licensed medical prac titioner who is Preferred for
any covered service performed within the scope of that license:'
In addition, deteclive controls are not as effective and arc more costly than preventative
controls. We continue to recommend that system modifications be made to cnsure that
rnl.."(]ical providers afC not paid for services outside the scope of their license.
3, Anesthesia IUncfits
A tcst claim was processed ",,'here a standard option member was overcharged for anesthesia
services.
According to the 2009 Be BS benefit brochure, a standard option member' s liability for
anesthesia services at a non-participating provider is " 100% of the billed amount up to a
maximum of $800 per anestbctist per day. "
The OIG entered a test claim into the BCBSAL local system with lll;tandard option me-mber
receiving anesthesia services from a non-partiCipating provider. The claim was processed by
the local sy~1:em and by foEP Express, and the member's liability wa~ appropriateJy capped at
9
$800. However, a similar claim was also entered where an accidental injury was indicated
on the claim fonn, and the member liability for this claim was $1,209.
Nothing in the benefit brochure indicates that the $800 limit for anesthesia services at a non
participating provider is affected by the involvement of an accidental injury. This system
weakness increases the risk that members will be liable for charges in excess of the limits
outlined in the benefit brochure.
Recommendation 3
We recommend that BCBSALlBCBSA make the appropriate system modifications to ensure
that a member's liability for anesthesia service is limited to the amounts outlined in the
benefit brochure.
BCBSAL Response:
"We agree with this recommendation. The determination ofa member's cost-sharing
amount is afunction ofthe FEP claims system. Effective January 1, 2009, FEP modified
the payment ofbenefits for anesthesia services provided by non-participating providers to
limit the member's out-of-pocket expense to a per day maximum of $800. However, when
the updates were made in the FEP claims system to reflect this benefzt change all
applicable scenarios did not properly accumulate to limit the member's daily out-of-pocket
expense to the $800 maximum. The FEP claims system is scheduled to /,ave a system
correction implemented 011 October 17, 2009.
Proactively, a preliminary listing was generated to identify those members that have
exceeded the daily coinsurance limitfor anesthesia services performed by non
participating providers during the period ofJanuary 1, 20P9 through June 30,2009. A
minimal number ofmembers have been underpaid as a result ofthis system processing
error.. Once this system correction has been successfully implemented, adjustments will be
made to the impacted claims and additional payments will be issued to the members. "
OIG Reply:
As part of the audit resolution process, we recommend that BCBSAL provide OPM's CRlS
with appropriate supporting documentation indicating the steps taken to address this
rec{)mmendation. We will evaluate the effectiveness of the planned October 17,2009 system
correction implementation as part of a follow-up review or during the next audit.
4. OBRA93 Assistant Surgeon
An OBRA93 test claim was priced incorrectly.
The Ola entered a test claim into the BCBSAL local system with the patient receiving
services from an assistant surgeon ('AS' modifier). The patient has Medicare A only, and
the claim is subject to OBRA93 pricing.
10
The claim was processed by the local system and FEP Express, and the assistant surgeon was
paid 100 percent of the amount allowed by the Medicare fee schedule for the primary
surgeon (minus the deductible and coinsurance). This resulted in an overpayment to the
provider, as the Centcr for Medicare Services Medicare Claims Processing Manual states that
assistant surgeon claims should only be paid at 13.6 percent of the Medicare fee schedule for
a regular surgeon.
This system weakness was brought to the attention of BCBSA during a prior audit of the FEP
Express system. BCBSA responded to the audit finding by indicating that the problem was
corrected in May 2008. However, this test case indicates that the weakness still exists.
Recommendation 4
We recommend tbat BCBSAlJBCBSA make the appropriate system modifications to ensure
that OBRA 93 claims are priced appropriately.
BCBSAL Response:
"We disagree with this recommendation. OBRA '93 pricing is handled by an outside
vendor, Palmetto. The incorrect pricing ofAS (Assistant Surgeon) modifier claims has
been cited in several previous audits. This problem resulted from Palmetto not pricing
these claims due to the complex nature oftile pricing components. On May 26,2008,
Palmetto started generating pricing allowances for these claims.
The claim in question was processed on the FEP Test System, not the Production System.
Claims processed in the Test System are not sent to Palmetto for pricing. In the FEP Test
System, a simulator is used to identify whicll claims are subject to OBRA '93 pricing and
the allowance and provider data may not always be updated. Because we do not Ilave the
screen input to show the data submitted by the OPM auditors, we could not determine
whetller all data fields were correctly populated. However, we did randomly select a claim
from our FEP Production System to demonstrate til at tile pricing ofAS Modifier is
peiformed correctly by Palmetto, Attached is a copy ofthe claim from the FEP Production
System that shows that it was priced according to tile kIedicare Fee Schedule as illustrated
Attachment 4.A."
OIGReply:
BCBSALlBCBSA has copies of all screen input to show the data submitted by OPM/OIG
auditors. Furthermore, BCBSAL personnel took the screenshots and later provided them to
OPMlOIG auditors for analysis. The simulator should represent the production environment.
OPMlOIG suggests using the original data to research whether there is a problem with the
simulator or with Palmetto's pricing ofOBRA93 claims. We continue to recommend that
BCBSALlBCBSA make the appropriate system modifications to ensure that OBRA 93
claims are priced appropriately.
11
S. Chiropractor Office Visits aDd X-rays
The 2009 BeBS benefit brochure allows and o n e _
• each calendar year. However, a test sC"Da<io a member receiving
mUltiple _ and ~s in a single calendar year,
Tbe 01G entered two test claims into the BCBSAL local system for a standard-option
member. lbe frrst claim indicated the patient received an initial ~1l
2009. The second claim indicated that the same patient received a s e c o n d _ and •
• from in the same calendar year. The local system and FEP Express
both claims.
This system weakness increases the risk that _ benefits are being paid in excess of
the amount outlined in the benefit brochure. Nothing from the brochure indicates that
~nefit limitations are waived for medically underservcd states such as Alabama.
Recommendation 5
We recommend that BCBSAUBCBSA make the appropriate system modifications to ensure
that chiropractic benefits are paid in accordance with the BeBS benefit brochure.
BCBSAL RespOIue:
"We agree with 1.2009, FEP implemented a benefit
fo one per year. When tlris change was
implemented, waf only to those Plan..r,; nol as Afedically
Ul!dersel')1ed (ll-/UA) by OPM.ln MUA service areas, allowed to perform
covered professional ,rervic:a that are normally These professional
service,'i include visits, It has been difficult 10 determine Ihe requirements to IimiJ
in ilfUA sen';ce areas to one visit per yellr in the FEP claims
'.' often have multiple diagnoses that also include tnanipubltions.
II would he inc()rrect nol to allow Ihese visitsJOT MUA service areas.
We colllb'UI! to explore how 10
per yl!fJr. During the period ofJanuary to a total of97, 722 visits
have been processed with procedure codes jor someform ofoffice visit. To slop each claim
for manual review would impact member serYice and increase member inquirus. The FEP
Dinelor Office's staff will cOlllinlle 10 purslle a resolution of litis issue wilh the
Contracting Officer."
OIG Reply:
We acknowledge the steps being taken to enSUIe that chiropractic benefits are paid in
accordance with the BCBS benefit brochure. As part of the audit resolution process, we
recommend that BCBSAUBCBSA provide OPM's crus with appropriate supporting
documentation indicating the steps taken to address this recommendation.
12
6. OBRA90 with Status Code 43
An OBRA90 claim with a patient status code of 43 was incorrectly priced.
The OIG entered a test claim for services provided in 2008 into the BCBSAL lecal system
with a patient who is enrolled in Medicare part B only; this claim is subject to OBRA90
pricing. The local system processed this claim and passed it to FEP Express. FEP Express
appropriately suspended the claim for Medicare information. The claims processors entered
into the system the Medicare Explanation of Benefit information provided by the auditors.
The claim was then processed and priced by FEP Express.
Auditors priced this claim with the current version ofthe 2008 PC CMS PRICER program
and found that the Medicare Diagnosis Related Group amount produced by the PRICER did
not match the amount indicated in the test claim. In past audits, OIG determined that FEP
Express has inappropriately priced claims with status code 43 as a "transfer." However,
pricing this claim as a transfer on the PC PRICER does not yield the amount produced in the
test case.
Recommendation 6
We recommend that BCBSALlBCBSA implement the appropriate system modifications to
ensure that OBRA90 claims are priced appropriately.
BCBSAL Response:
"We disagree with this recommendation. The issue ofreducing the DRG Allowancefor
patient status codes other than "02" was identified in several previous FEP EDP Audits in
the past. As a result, system changes were made to the FEP claims system to limit the
application ofthe OBRA '90 Transfer Pricing Reduction to Patient Status 02. This system
correction was implemented in the FEP claims system on April 4, 2009. We have
adjudicated two claims on our claims test system with the same condition to demonstrate
that the FEP Mainframe OBRA '90 Pricier was functioning according to eMS
regulations. One ofthe claims was for Patient Status 01 (discharged to home or selfcare
Iroutine discharge) and the other one was for Patient Status 43 (Discharged/transferred to
federal care facility). These results are in Attachments 6.A (Patient Status 01) and 6.B
(Patient Status 43). The attached results indicate that the same DRG Allowances were
generatedfor Patient Status 01 and Patient Status 43. There was no reduction in the DRG
Allowancefor these claims. These test claims support our position that the system
correction implemented in April 2009 and is properly pricing these claims. "
OIG Reply:
Based on the information provided and the analysis of the information by OPMlOIG we were
unable to determine if the appropriate system modifications to ensure that OBRA90 claims
are priced appropriately have been implemented. We will evaluate modifications to the FEP
claims systems as part of a follow-up review or during the next audit.
I3
7. OBRA90 PRICER Updates
BCBSAL OBRA90 claims are being processed with an outdated version of the 2009 CMS
PRICER program.
The OIG entered four test claims that are subject to OBRA90 pricing into the BCBSAL local
system. The local system sent the claims to FEP Express where they were processed and
priced. The auditors priced each claim with the PC CMS PRICER program and compared
the Medicare DRG amount produced by the PRICER to the amount produced in the test case.
In each of the four test claims, the Medicare DRG amount produced by the current version of
the 2009 PRICER did not match the amount produced in the test case. The auditors priced
each claim again using the original (now outdated) version ofthe 2009 CMS PRICER
program, and in each case the Medicare DRG amount matched that from the test case. The
OIG believes that this indicates that FEP Express is processing OBRA90 claims with an
outdated version of the CMS PRICER. As a result, BCBSALIBCBSA has incorrectly priced
all OBRA90 claims processed after January 1,2009.
Recommendation 7
We recommend that BCBSAL/BCBSA implement the appropriate system modifications to
ensure that OBRA90 claims are priced with the correct version ofthe CMS PRICER.
BCBSAL Response:
"We agree with this recommendation. The FEP Operations Cenler's OPM approved
OBRA '90 Mainframe Pricer is the offcial mechanism used to price all FEP claims
meeting the OBRA '90 requirements. In the past, OPM p~ovided FEP with any updates to
the OBRA '90 Pricer. Recently, FEP began obtaining the updates directly from CMS.
When the first updates were received, it was discovered that the type oftape used by CMS
was no longer supported by the FEP Data Center. In order to use the CMS tapes, the
Operations Center had to find a vendor to convert them into an alternative tape format for
usage in the FEP claims system Mainframe OBRA '90 Pricer. This process resulted in a
delay in implementing the CMS updates. All updates receivedfirst and second quarters
2009 were updated by July 17, 2009, and re-pricing ofthe impacted OBRA '90 claims will
occur prior to year-end 2009.
Attachment 7.A is a schedule ofwhen the updates were receivedfrom the various sources
and the dates that the changes were implemented into the FEP Mainframe OBRA '90
Pricer. Since there was a delay to the April 4, 2009 update to the OBRA '90 Pricer, this
could account for the different pricing generated during the claims testing process. "
OIG Reply:
As part of the audit resolution process, we recommend that BeBSAL/BCBSA provide
OPM's CRI,s with appropriate supporting documentation indicating the steps taken to
address this recommendation. We will evaluate the effectiveness of the 2009 updates as part
of a follow-up review or during the next audit.
14
F. Health Insurance Portability and Accountability Act
The OIG reviewed BCBSAL's efforts to maintain compliance with the security, privacy, and
national provider identifier standards ofHIPAA. Nothing came to our attention that caused us to
believe that BCBSAL is not in compliance with the various requirements of these HIPAA
regulations.
BCBSAL has implemented a series ofIT security policies and procedures to adequately address
the requirements of the HIPAA security rule. BCBSAL has also developed a series of privacy
policies and procedures that directly addresses all requirements of the HIP AA privacy rule. The
documents related to the HIPAA privacy and security rules are readily available to all BCBSAL
employees via the company's Intranet. BCBSAL employees receive privacy and security related
training during new hire orientation, as well as periodic subsequent training as needed.
In addition, the OIG documented that BCBSAL has adopted the national provider identifier as
the standard unique health identifier for health care providers, as required by HIPAA.
15
UI. Major Contributors to This Report
'Ibis audit report was prepared by the U.S. Office of Personnel Management. DlIke of Inspector
General, Infonnation Systems Audits Group. The following individuals participated in the audit
and the preparation of thi s report:
• Group Chief
• Auditor-In-Charge
• IT Auditor
• IT Auditor
16
Appendix HlueCross BlueSbicld
AMociation
A.u ~# I!f lmR-pendent
Blue Cr(l.t., atilt Blue Shleh} PJ:&M
l'~~ral Employee Program
J~lOG Strem. N.W.
Washington, D.C. 20005
August 11, 2009 202.942. HJOO
Chief
Infcumalicm Systems Audits Group
Insurance service Programs
Office of Personnel Management
1900 E Slreet, N.W., r<oom 6400
Washington, D.C. 20415
Reference: OPM DRAFT EDP AUDIT REPORT
Alabama Blue Cross Blue Shield
Audit Report Number 1A-10-09-09-020
D e a r _:
This report is in response to the above-referenced U.S. Office of Personnel
Management (OPM) Draft Audit Report covering the Federal Employees' Health
Benelits Program (FEHBP) Audit of Information Systems General and Application
Controls for Alabama Blue Cross Blue Shield Plan's interface with the FEP claims
processing system, access and security cantmls. Our comments regarding the
findings in the report are as follows:
A. APPLICATION CONTROLS
1. Procedure to Diagnosis Inconsistency
The OIG recommended that Blue Cross Blue Shield of Alabama
(BCBSAl) and Blue Cross Blue Shietd Association (BCSSA) make
appropriate system modifications to ensure that claims with
procedures/diagnosis inconsistencies are flagged for review.
We disagree with this recommendation. BCBSAL has implemented and
maintains deteclive system controls to ensure claims with diagnosis
inconsistencies are reviewed prior to processing. In addition, BCBSAL
has a comprehensive medical policy program that apphes necessary
controls to ensure services are medically appropriate before approved to
pay. These contrrns were developed through extensive research which
includes analysts of provider filing practices and medical records. The
Plan's medical policy edits have been streamJined to ensure that only
historically questionable services are pended, thus limitiog payment
delays and the corresponding impact to member and provtder service
Page 2
and satisfaction. Several years ago the Plan broadened its "procedure
to diagnosis· consistency edits; however. over time found that a very
high peJrentage of pended claims were delennined to be medically
necessary, Also, often providers do 001 flag each line of the claim with
the specific diagnosis for that service, but instead use the presenting
diagnosis for an services rendered,
While BCBSAL no longer has across-tha-board edits for
diagnosis/procedure consistency, there are hundreds of edits in place
that pay, reject or suspend for review procedu~es based on the
diagnosis submitted, BCBSAL continuously reviews and updates its edit
criteria. The guidelines and criteria are reviewed in relation to (1)
changes in current medical practiceslmedical policy (2) Blue Cross Blue
Shield or FEP bulletins and recommendations from the BCBSAL Medical
Director. BCBSAL also has comprehensive edits and anatysis in place to
identify actual provider and member fraud.
BCBSAL takes its responsibmty for determining whether or root coVered
services, medicallreatments/procedures, supplies and drugs meet the
criteria for medical necessity very seriously, The BCBSAL Plan's
extensive experience and proven performance in accurately processing
claims is based on a thorough yet targeted approach to identifying those
situations that warrant review. The situations used by the auditors were
not the nonnal day-to-day types of billing occurrences. No process is
absolute but provides reasonable assuranoo that the controls are
effective. Blue Cross and Blue Shield of Alabam.a believes that their
edits are suffICient to identify services submitted that are not related to
the diagnosis.
Although we do not believe that it is cost effective for these types of edits
to be housed in both the toeal Plan system and the FEP claim system.
SeSSA will investigate the feasibility of implementing limited edits to
identify services that are not related to the diagnosis. The development
of service and diagnosis groupings will require a vast amount of work.
We do not expect the anatysis to be completed until 2nd quarter 2009.
2. Provider Invalid for Procedure
The OIG recommended that BCBSAL make appropriate system
modifications to ensure that medical providers are not paid for services
outside the scope of their license.
We disagree with this recommendatjon, given that BCBSAL has
Implemented and maintains appropriate system ,controls to ensure that
rnedical providers are not paid for services outside the scope of their
license on a post payment basis. BCBSAL has been designated a
Page 3
Medically Undeserved Area (MUA). The designation of a MUA
references the lack of licensed providers available in an area for
contracting purposes and the intent 10 contract with all that are available.
Therefore, in many areas of the state, the extent of the services provided
by a single physician may be very wide-ranging. Most physicians
declare a specialty and often receive board certification, but with
additional training and or experience in other specialty areas, can
through the life of the practice change their practice specialty to a subset
or other areas of interest. Edits exist 10 keep timited license practitioners
such as ~rom perfonning medical services outside their scope
of practice and controls are in place which helps ensure that medical
providers are paid for selvices within the scope of their license. The
Health Care Networks Division of BCBSAL establishes the contracting
relationship with providers and oversees the credehtlalll'lg and
verifICation of all provid€rs, including their licensure and specialty
information. The Health Management of Blue Cross Blue Shield of
Alabama Division is responsible for medical policy creation, utilization
review, detection and investigation, recovery of overpayment and
potential prosecution of cases involving unlawful activity against the Iocaf
Plan.
Also, due to the liberty allowed licensed medical professionals in its
service area, the Plan does not have pre-payment edits in place to
identify providers rendering services outside of the scope licensure. The
Plan does have post·payment rev~w processes conducted by its
Special Investigation Unit and Utilization Review areas to identify
abnormal billing practices.
3. _ Benefits
The DIG recommended that BCBSAUBCBSA make the appropriate
system modifications to ensure that a member's liability f o r _
service is limited to the amounts outlined in the benefit brochure.
We agree with this recommendation. The determination of a member's
cost-sharing amount is a function of the FEP claims system. Effective
January 1. 2009. FEP modified the payment of benefits f o r _
services provided by non-participating providers to limit the member's
out-of-pocket expense to a per day maximum of $800. However, when
the updates were made in the FEP claims system to reflect this benefit
char1ge all applicable scenarios did not property accumulate to limit the
member'S daily out-of-pocket expense to the $800 maximum. The FEP
claims system is scheduled to have a system correction implemented on
October 17. 2009.
_ _ Chief
.Ali9u$t1T.ib09
Page 4
Proactively, a preliminal)' listing was generated to idenlily those
members that have exceeded the daily coinsurance limit for anesthesia
services perfonned by non-participating providers during the period of
JanusI)' 1, ~009through June 30, 2009. A minimal number of members
have been underpaid as a result of this system processing error. Once
this system correction has been successfully implemented, adjustments
will be made to the impacted claims and additional payments will be
issued to the members.
4. OBRA '93 Assistant Surgeon
The OIG recommended that BCSSAUBCBSA make the appropriate
system modifications to ensure that OBRA 93 claims are priced
appropriately.
We disagree wrth this recommendation. OBRA '93 pricing is handled by
an outside vendor, Palmetto. The incorrect pricing of AS (Assistant
Surgeon) modifJer claims has been cited in several previous audits. This
problem resulted from Palmetto not pricing these claims due to the
complex nature of the pricing components. On May 26, 2008, Palmetto
started 'generating pricing allowances for these claims.
The claim in question was processed on the FEP Test System, not the
Production System. Claims processed in the Test System are not sent
to Palmetto for pricing. In the FEP Test System, a simulator is used to
identify which claims are subject to OBRA·'93 pricing and the allowance
and provider data may not always be updated. Because we do not have
the screen input to show the data submitted by the OPM auditors, we
couJd not determine whether an data ftetds were correctly populated.
However, we did randomly select a claim from our FEP Production
System to demonstrate that the pricing of AS Modmer is performed
correctly by Palmetto. Attached is a copy of the claim from the FEP
Production System that shows that it was priced according to the
Medicare Fee Schedule as illustrated Attachment 4.A.
6,
The OIG recommend that BCBSAUBCBSA make the ~r)ror)riaile
system modifications to ensure that are paid in
accordance with the BeSS benefrt bro'ch'Jre.
We agree with this finding . Effective ~~~
implemented a benefit change to i one
per year. When this change was j i was
applied only to Ihose Plans not designated as Medically Underserved
(MUA) by OPM. In MUA service areas, Chiropractors are allowed to
~Chlef
~09
Page 5
perform covered professional services that are no,m8,llypn:,vidled
physicians. These professional services include
been difficult 10 determine the requirements to
_ i n MUA service areas to one visit per year in
system because office visits often have multiple diagnoses that also
include manipulations, It would be incorrect not to allow these visits for
MUA service areas.
We continue to explore how to in MUA
service areas to one per year. 1,2009 to
June 30. 2009. a total of 97.722 visits have been processed with
procedure codes for some form of office visit. To stop each clam for
manual revte'N wouJd impact member service and increase member
inquiries. The FEP Director Office's staffwiJI continue to pursue a
resolution of this issue with 100 Contracting Officer,
6. OBRA '90 with Status Code 43
The 010 re<:ommended that BCBSAUBCBSA implement the
appropriate system modifICations to ensure that OBRA90 claims are
priced appropriately.
We disagree with this recommendation. The Issue of reducing the DRG
Allowance for patient status codes other than ~02" was identified in
several previous FEP EOP Audits in the past. As a result, system
changes were made to the FEP claims system to limit the application of
the OBRA '90 Transfer Pricing Reduction to Patient Status 02. This
system correction was implemented in the FEP claims system on April 4.
2009. We have adjudicated two claims on our claims test system with
the same condition to demonstrate that the FEP Mainframe OBRA '90
Pricier was functioning according to eMS regulations. One of the claims
was for Patient Status 01 (discharged to home or self care /routine
discharge) and the other one was for Patient Status 43
(Discharged/transferred to federal care facuity). These results are in
Attachments 6.A (Patient Status 01) and 6.B (Patient Status 43). The
attached results indicate that the same DRG Allowances were generated
for Patient Status 01 and Patient Status 43. There was no reduction In
the DRG Allowance for these claims. These test claims supports our
position that the system correction implemented in April 2009 and is
properly pricing these claims.
_Chief
~09
Page 6
7. OBRA '90 Pricer Updates
The OIG recommended that BCBSALlBCBSA implement the
appropriate system modifications to ensure that OBRA90 claims are
priced with the correct version of the CMS Pricer.
We agree with this recommendation. The FEP Operations Center's
OPM approved OBRA '90 Mainframe Pricer is the official mechanism
used to price all FEP claims meeting the 08RA '90 requirements. In the
past. OPM provided FEP with any updates to the OBRA '90 Pricer.
Recently, FEP began obtaining the updates directly from CMS. When
the first updates were received, it was discovered that the type of tape
used by CMS was no longer supported by the FEP Oata Center. In
order to use the eMS tapes, the Operations Center had to find a vendor
to convert them mto an attemattve tape fonnat for usage in the FEP
claims system Mainframe OBRA'90 Pricer. This process resulted in a
delay in implementing the CMS updates. All updates received first and
second quarters 2009 were updated by July 17, 2009, and re-pricing of
the impacted OBRA '90 claims will occur prior to year-end 2009.
Attachment 7.A is a schedule of when the updates were received from
the various sources and the dates that the changes were implemented
into the FEP Mainframe OBRA '90 Pricer. Since there was a delay to
the April 4, 2009 update to the OBRA'90 Pricer, this could account for
the different pricing generated during the claims testing process.
We appreciate the opportunity to provide our response to this Draft Audit Report
and request that our comments be included in their entirety as an amendment to
-thE. Final Audtt Report.
Attachments
cc:
Audit of Information Systems General and Application Controls at Bluecross Blueshield of Alabama
Published by the Office of Personnel Management, Office of Inspector General on 2009-11-05.
Below is a raw (and likely hideous) rendition of the original report. (PDF)