oversight

Audit of Information Systems General and Application Controls at Bluecross Blueshield of Alabama

Published by the Office of Personnel Management, Office of Inspector General on 2009-11-05.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

/


                                                        u.s. OFFICE OF PERSONNEL MANAGEMENT
                                                                    OFFicE OF TflErNSPECTOR GENERAL .
                                                                                     OFFICE OF AUDITS


                                                              .                              .

                                     Final Aut1it Report 





                                               Date: . 





                                                              ••CAUTION-­
 nil! 1111.111 hpvrt'~'~end;Slrlb"itd ftJ Fhlual ami Non·FedeTal nffitiab who m ; rtspo~;'bI~ for l~c,dJnOBUll'1llloa Of tlu; audliid
 COOl1:UI; This ~ud_i l rtp<lffmay writa,,, Ill'Oprictuydala whkt:. ilI-pt'{II(d~d by Ftdtrallll* (HI U.s.c. 1"'5). ;rht;rdo~...hi!{> thlJ alldit
 rtpIlft' b ;lY3i1111Ie IIlIdertitcFretdem oflll'forlD3iiofl At( ~~d mlld t ,V:liJbbh- 11)' III;r; PIINit 'O lllht, OJGWtbplIge,ulloon 11«&:10 be
 o:ncikd hdo~rtJt1Uinglhc J'tport 10 llie gt Mrat I'liblie-lt! Ilmay'«IlIIfala ~i4ry ,jllrftrn~bliiilfttLalm> ~tdadfd from Ibe publicly
 didril.mttd COpY.                                '                                                                       "
                        UNITED STATES OFFlCE OF PERSONNEL MANAGEMENT 

                                         Washington, DC 20415 



  Office of the
Inspector G~l\Cral

                                         Audit Report


                     FEDERAL EMPLOYEES HEALTIJ BENEFITS PROGRAM 

                                  CONTRACT CS 1039 

                          BLUECROSS BLUESHIELD OF ALABAMA 

                                 PLAN CODES 010/510 

                                 BIRMINGHAM, ALABAMA 





                                Report No. lA-IO-09-09-020

                                 Dote:        November 5,         2009




                                                                    ~/~

                                                                    Micbael R. Esser
                                                                    Assistant Inspector General
                                                                      for Audits



        --.                =----------------~ -====
        "' ......lI p!» .gll'"                ,,".. ,.. "<\aloft$.I1""
                          UNITED STATES OFFICE OF PERSONNEL MANAGEMENT 

                                                 Washington, DC 20415 


  OffiC(: of Che
ln~pe>:tor Gcrt~cl

                                           Exccuth'c Summary


                     FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM 

                                  CONTRACT CS 1039 

                            BLUECROSS BLUESHIELD OF ALABAMA 

                                   PLAN CODES 010/510 

                                       BIRMINGHAM, ALABAMA 





                                       Report No. IA-IO-09-09-020

                                       Date:         November 5, 2009

        TIllS final report discusses the results ofour audit of general and application controls over the
        information systems at BlueCross B1ueShield of Alabama (BCBSAL).

        Our audit focused on the claims processing applications used to adjudicate Federal Employees
        Health Benefits Program (FEHBP) claims. for BCBSA L. as well as the various processes and
        information tochnology (IT) systems used to support these applications. We documented
        controls in place and opportunities for improvement in each of the areas below.

        Security Management
        BCBSAL has established a comprehensive series of IT policies and procedures to create an
        awareness of IT security at the Phm. BCBSAL has al~o implemented an adequate risk
        assessment methodology, incident response capabilities, and IT security·reJated human resources
        controls.

        Access Controls
        We found that BCBSAL has implemented numerous physical controls to prevent unauthorlzed
        access to its facibties, as weB as logical controls to prevent unauthorized access 10 its
        information systems,




         www.oprn·c()¥
Configuration Management
BCBSAL has established policies and procedures to ensure that modifications to application
software occur in a controlled environment. In addition, BCBSAL has implemented a thorough
system software change control methodology that calls for the utilization of a change
management tool to control and track changes.

Contingency Planning
We reviewed BCBSAL's business continuity plans and concluded that they contained many of
the key elements suggested by relevant guidance and publications. We also determined that
these documents are reviewed, updated, and tested on a periodic basis.

Application Controls
BCBSAL has implemented many controls in its claims adjudication process to ensure that
FEHBP claims are processed accurately. However, we recommended that BCBSAL implement
several system modifications to ensure that its claims processing systems adjudicate FEHBP
claims in a manner consistent with the OPM contract and other regulations.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that BCBSAL is not in compliance with
the HIP AA security, privacy, and national provider identifier regulations.




                                              ii
                                                                 Contents 

                                                                                                                                               Page
Executive Summary ..........................................................................................................................i 

I. Introduction .................................................................................................................................. I 

   Background.................................................................................................................................. I 

    Objectives .................................................................................................................................... I 

    Scope ........................................................................................................................................... 2 

   Methodology................................................................................................................................2 

    Compliance with Laws and Regulations ..................................................................................... 3 

II. Audit Findings and Recommendations ....................................................................................... 4 

   A. Security Management ............................................................................................................ 4 

    B. Access Controls .....................................................................................................................4 

    C. Configuration Management ................................................................................................... 5 

    D. Contingency Planning ............................................................................................................ 5 

    E. Application Controls .............................................................................................................. 6 

    F. Health Insurance Portability and Accountability Act .......................................................... 15 

III. Maj or Contributors to This Report .......................................................................................... 16 

Appendix: B1ueCross BlueShield Association's August I I, 2009 response to the draft audit
report issued June 3, 2009.
                                      I. Introduction 

This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims at BlueCross BlueShield of
Alabama (BCBSAL).

The audit was conducted pursuant to Contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code of
Federal Regulations (CFR) Chapter I, Part 890. The audit was performed by the U.S. Office of
Personnel Management's (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter I, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

BCBSAL headquarters is located in Birmingham, Alabama. Employees responsible for
processing FEHBP (also, Federal Employee Program or FEP) claims are located at the Plan's
facility in Birmingham, Alabama. BCBSAL' s local claims processing system is housed in a
mainframe environment with the Z/OS operating platform and IBM's Resource Allocation
Control Facility (RACF) as its security server.

This was the OIG's first audit of general and application controls at BCBSAL. BCBSAL's
compliance with the Health Insurance Portability and Accountability Act (HIP AA) was also
reviewed.

All BCBSAL personnel that worked with the auditors were particularly helpful and open to ideas
and suggestions. They viewed the audit as an opportunity to examine practices and to make
changes or improvements as necessary. Their positive attitude and helpfulness throughout the
audit was greatly appreciated.

Objectives
The objectives ofthis audit were to evaluate controls over the confidentiality, integrity, and
availability ofFEHBP data processed and maintained in BCBSAL's IT environment.
These objectives were accomplished by reviewing the following areas:
•   Security management;
•   Access controls;
•   Configuration management;
•   Segregation of duties;



                                                 I

• 	 Contingency planning;
• 	 Application controls specific to BCBSAL's claims processing systems; and
• 	 HIPAA compliance.

Scope
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, the OIG
obtained an understanding of BCBSAL' s internal controls through interviews and observations,
as well as inspection of various documents, including information technology and other related
organizational policies and procedures. This understanding of BCBSAL' s internal controls was
used in planning the audit by determining the extent of compliance testing and other auditing
procedures necessary to verify that the internal controls were properly designed, placed in
operation, and effective.

The OIG evaluated the confidentiality, integrity, and availability ofBCBSAL's computer-based
information systems used to process FEHBP claims, and found that there are opportunities for
improvement in the information systems' internal controls. These areas are detailed in the
"Audit Findings and Recommendations" section of this repolL

The scope of this audit centered on the claims processing systems that process FEHBP claims for
BCBSAL, as well as the business structure and control envirorunent in which they operate.
These systems include the local claims processing system owned and operated by BCBSAL, and
the FEP Express system owned and operated by the B1ueCross BlueShield Association
(BCBSA). BCBSAL is an independent licensee ofthe BCBSA.

In conducting our audit, we relied to varying degrees on£omputer-generated data provided by
BCBSAL. Due to time constraints, we did not verify the reliability of the data used to complete
some. of our audit steps, but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.

The audit was performed at BCBSAL offices in Birmingham, Alabama. These on-site activities
were performed in February through April 2009. The OIG completed additional audit work
hefore and after the on-site visits at OPM's office in Washington, D.C. The findings,
recommendations, and conclusions outlined in this report are based on the status of information
system general and application controls in place at BCBSAL as of Aprill7, 2009.

Methodology
In conducting this review the DIG:
• 	 Gathered documentation and conducted interviews;
• 	 Reviewed BCBSAL's business structure and envirorunent;
• 	 Perfomled a risk assessment of BCBSAL's infonnation systems envirorunent and
    applications, and prepared an audit program based on the assessment and the Government




                                                2

    Accountability Office's (GAO) Federal Information System Controls Audit Manual
    (FISCAM); and
• 	 Conducted various compliance tests to determine the extent to which established controls and
    procedures were functioning as intended. As appropriate, the auditors used judgmental
    sampling in completing their compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating BCBSAL's
control structure. This criteria includes, but is not limited to, the following publications:
• 	 Office of Management and Budget (OMB) Circular A-l30, Appendix III;
• 	 OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
    Personally Identifiable Information;
• 	 Information Technology Governance Institute's CobiT: Control Objectives for Information
    and Related Technology;
• 	 GAO's Federal Information System Controls Audit Manual;
• 	 National Institute of Standards and Technology's Special Publication (NIST SP) 800-12,
    Introduction to Computer Security;
• 	 NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
    Technology Systems;
• 	 NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• 	 NIST SP 800-34, Contingency Planning Guide for Infomlation Technology Systems;
• 	 NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• 	 NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information
    Systems;
• 	 NIST SP 800-61, Computer Security Incident Handling Guide;
• 	 NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
    Security Rule; and
• 	 HIPAA Act of1996.

Compliance with Laws and Regulations
In conducting the audit, the OIG performed tests to determine whether BCBSAL's practices w.ere
consistent with applicable standards. While generally compliant with respect to the items tested,
BCBSAL was not in complete compliance with all standards, as described in the "Audit Findings
and Recommendations" section of this report.




                                               3

                   II. Audit Findings and Recommendations 


A. Security Management
The security management component of this audit involved the examination of the policies and
procedures that are the foundation of BCBSAL's overall IT security controls. The OIG
evaluated the adequacy of BCBSAL's ability to develop security policies, manage risk, assign
security-related responsibility, and monitor the effectiveness of various system-related controls.

BCBSAL has implemented a conglomeration ofIT security-related policies and procedures that
comprise the Plan's entity-wide security program. These policies and procedures each contained
a variety of elements that would be expected in a comprehensive security plan. The Plan's
Information Security department, as well as the Health Insurance Portability and Accountability
Act (HIPAA) Security Official, has the responsibility to develop, maintain, and provide
oversight ofBCBSAL's information security policies and procedures.

The OIG also evaluated BCBSAL's risk management methodology. The Information Security
department at BCBSAL is responsible for conducting ongoing threat-based risk assessments.
These assessments are used as a tool to identifY security threats, vulnerabilities, potential
impacts, and probability of occurrence. Information Security is also responsible for verifying
that all of the controls associated with a risk are implemented.

The OIG also reviewed various BCBSAL security-related human resources policies and
procedures. It was determined that the Plan has adequately incorporated IT security controls into
the following human resources functions: hiring, termination, transfers, conflict of interest,
training, and standards of conduct.

B. Access Controls
Access controls are the policies, procedures, and techniques management has put in place to
prevent or detect unauthorized physical or logical access to sensitive resources.

The OIG examined the physical controls ofBCBSAL's Birmingham, Alabama facility, as well
as the additional controls protecting the data center within this facility. The Plan appeared to
have adequate controls to ensure that only BCBSAL employees can access the facility, and that
the only individuals who can access the data center are those whose job description requires
access.

The 01G also examined the logical controls protecting BCBSAL's network environment and
claims processing related applications. During this review, the following controls were
documented:
•   Procedures for appropriately granting and disabling access to infom1ation systems;
•   Procedures for reviewing existing system access for appropriateness;
•   Adequate intrusion detection capabilities;
•   Policies to govern the use of firewalls;
•   Procedures for sanitizing media containing sensitive information;


                                                 4
• 	 Procedures for appropriately authorizing system and physical access to new employees;
• 	 Procedures for appropriately removing system and physical access for tcnninated
    empl oyees;
• 	 Adequate authentication controls for the local and FEP Express applications;
• 	 Secure remote and wireless nelwork access; and
• 	 Procedures for monitoring and filtering network activity.

The OIG also examined the J)hysical controls of BCBSAL's facilities. Access to both of these
facilities is (;onlJolled by an electronic access card system. Card readers are located on tnterioT
and exterior doors throughout the buildings, and the system is capable of limiting an individual 's
access to the physjcal areas required by their job fwlCtion. The OIG also documented additional
pl1ysical cont.rol s rehlted to the data center and network operation centers within these facilities.

C. Configuration Manae:ement
                          ~~~~ '!.y,tem is housed in a mainframe environment w i t h _
                                         as its security server.

BCBSAL has developed fo rmal policies and procedures prov iding guidance \ 0 ensure that
system software is appropriately configured and updated. as well as fo r controll ing system
software configuration changes. Auditors verified that these policies arc being appropriately
fonowed and did not detect any weaknesses in BCBSAL's conJiguration management
methodology.

The OIG also conducted a limited review of the security settings ofBCBSAL's ~atabase
and did not identify any weaknesses in the configuration settings.

D. 	Contingency Planning
The Ola reviewed BCBSAL' s service continuity program to dctcmlinc if ( 1) procedures were in
place to protect infonnation resources and minimize the dsk of unpianned inlerruptions, and (2)
a pJan exi~1.ed to recover t..i tical opemtions should intemlptiQns occur.

In an cffo11 to assess BCBSAL' s contingency planning capabilities, we evaluated documentation
related to the Plan' s procedures that ensure continuity of the FEHBP business 'unit, including:
• 	 BCBSAL' s Business Continuity Plan Supplemental Guide;
• 	 The Incident Management Team Guide; and
• 	 Severa) business units' continuity plans including the claims department and cbeck printing
    plans.

The OIG found that each of these documents contain a majority of the key elements of a
comprehensive service continuity program suggested by NIST SP 800·34, "Contingency
Planning Guide for IT Systems." BCBSAL's service continuity documentation explicitly
identifies the systems that are critical to continuing busine....." operations, prioritizes these systems,
and outlines the specific rc~ou rc es needed to support each system.



                                                    5

Each of these documents are reviewed, updated, and tested regularly. Each business unit is
responsible for documenting the results of the annual disaster recovery test. The results are
passed to the business recovery coordinator who is responsible for compiling the results.

E. Application Controls
Application Configuration Management
The OlG evaluated the policies and procedures governing software development and change
control of the Plan's claims processing application.

BCBSAL has adopted a traditional System Development Life Cycle methodology that IT
personnel follow during routine software modifications. The Plan also provided evidence
indicating that an approval process is in place for change requests. The following controls
related to testing and approvals of software modifications were observed:
• 	 BCBSAL has adopted practices that allow FEP modifications to be tracked;
• 	 Use of parallel and unit testing is conducted in accordance with industry standards; and
• 	 BCBSAL programmers conduct walkthroughs of the modifications as a way of testing the
    data.

The OlG also observed the following controls reIated to software libraries:
• 	 BCBSAL utilizes a tool called Panvalet to store source code;
• 	 BCBSAL clearly segregates application development and change control activities along
    organizational lines; and
• 	 BCBSAL utilizes versioning of the souree code to determine if appropriate changes are
    implemented as expected.

Claims Processing System
The OIG evaluated the input, processing, and output controls associated with BCBSAL's local
claims processing system and the BCBSAL's FEP Express system. In terms of input controls,
the OIG documented the policies and procedures adopted by BCBSAL to help ensure that: 1)
there are controls over the inception of claims data into the system; 2) the data received comes
from the appropriate sources; and 3) the data is entered into the claims database correctly.
BCBSAL's methods for reconciling processing totals against input totals and for evaluating the
accuracy of its processes were also reviewed. Auditors also examined the security of physical
input and output (paper claims, checks, explanation of benefits, etc.).

Application Controls Testing
To validate the claims processing controls, a testing exercise was conducted on the BCBSAL
local system and FEP Express system. This test was conducted at BCBSAL's Birmingham,
Alabama facility with the assistance of BCBSAL persolUJel. The exercise involved developing a
test plan that included real life situations to present to BCBSAL persolUJel in the form of
institutional and professional claims. All test scenarios were processed through the BCBSAL
local claims processing system, and where appropriate, the FEP Express system. The test plan
included expected results for each test case. Upon conclusion of the testing exereise, the
expected results were compared with the actual results obtained during the exercise.


                                                 6

The sections below document the opportunities for improvement thnt \vere noted related to
application controls.

1. 	 Procedure to Diagnosis Inconsistency

   A test claim was processed where benefits were paid for a procedure associated with an
   inappropriate diagnosis.

   The OIa entered a test claim into the BCBSAL local                          code for a
                                                                        Despite the
                                                                       . system without
   encoontering any edits. and was sent to FEP Express. FEP Express also procc!)sed and paid
   the claim without triggering any edits.

   This system weakness increases Ihe risk that benefits are being paid for procedures
   associated with a diagnosis that may not warrant such treatment.

   Recommend.lion 1
   We recommend that BCBSALfBCBSA make the appropriate system modifications to ensure
   that claims with pJocedure/diagnosis inconsistencies are flagged for review.

   BCBSAL Response:
   "We disagree with this recommendation. BCBSAL has implemented and maintains
   del£clive system controls to ensur~ c/aimf with diagnosis inconsistencies ore reviewed prior
   to processillg. In addition, BCBSAL has u comprehel,sive mediaJl policy program that
   applies necessary controls to ensure services are medically appropriate before approved to
   pay. These controls were developed through extensive research which includes analysis 0/
   prOl'ider filing practices and medic(1/ records. The Plan's mediaII policy edits kal'e been
   streamlined to ensure that only historically questionable services are pended..•


            are                                       or ., u$J"n,f/01 rev;,,,,, p,'oe"dures b'lSed
   Oil   the diuguosis submitted. RCBSAL continuou.dy reviews alld updates its edit criteria.

   Although we do not believe that it is cost effectil'efor these types ofedits to be housed in
   both the locol Plan system and the FE? claim lYl·tem, BCBSA will ;nve:;tigate the
   feasibility (If implementing limited ediJs 10 identify serll;ces that lire not related to the
   diagnosis. The development 0/service and diagnosis groupings will require a J'asl amoulft
   o/work. We do not expect/he Dualysis to be completed until 2nd quarter 2009.'"




                                                 7

   QIG Reply:
   We lIDderstand/acknowledge that BCBSAL may not need acros.<Hhe-board medicaJ edits.
   However. we intentionally did not usc "normal day~to-day type of hiHing occurrences" to tcst
   whether the system could detect extreme cases sllch as the one used in the test. In addition,
   the response did not address the fact that nol all BeBS Plans have diagnosis/procedure
   compatibility c-dits in their local systems, and some Plans entcr claims directly into FEP
   Express. The OIG continues to beli(':ve that these vulnerabilities warrant modifications to
   FEP Express.

2. Provider Invalid for Procedure

   T\Y\) teh1 claims were processed where a provider was paid for services olltside the scope of
   their license.

   The 01G ("'1ltered a test
   claim indicated that
   procedure.                                   performed by an
   the provider/procedure inconsistency,         was processed bvthe I>C.t>'''\L
   and FEP Express without encountering any edits.

                               ~~~~~~i!r         test claim into the BCBSAL local system. This
   claim indicated that                                                         This procedure
   would generally be              a surgeon.                             inconsistency,
   the claim was processed by the BCBSAL local system and FEP Express without
   encountering any edits.

   This system weakness increases tJle risk that providers are being paid for services outside the
   scope of their license. The fact that Alabama is a "medically underscrvcd area" docs not
   justiry this anomaly. The BeBS benefit brochure states that in medically underserved are-dS,
   "we cover any licensed medical pnlctitioner for any covered service performed within the
   scope of/hat license."'"

   Recommendation 2
   We recommend that BCBSALIBCBSA make the appropriate system modifications to ensure
   that medical providers are not paid for services outs,ide the scope of their license.

   BCBSAL Response:
   "We disagree with this recommendation, given that8CBSAL has implemented and
   mointaitlS appropriate system controls (0 ensure that medical providers are not paillfor
   services ouL'iide Ihe scope ojtheir license on a po.,·'paymenJ bllsis. BeBSAL lIas been
   aeJ'ignaled n Medically UnderservedArea (MUA). The designation 0/ Q ftlUA references
   Ihe lach ofJicellsed providers available in (In area jor contracting purposes and the intent
   to contract with alltltat are available. Therefore, in many areas ofllle state, the extent of
   the services providet! by a single physician may be very wide-runging. Mo:J'I physicians
   declare a specialty and often receive board certificatio,l, but with additiollal training alld


                                                8

   or experirnce ill other specialty areas, can through the lift! oftire practice change tl,e;r
   practice rpttialty to a subset or other areas of iI,/crest, Edits exist to kup limited license
   practitioners such QS~rom perJorming mediml services ollt!;ide their scope oj
   prac/i('e and controls are in piau whid, helps ellsure that medical prol,iden are paid/or
   senices within the j 'COpt oJtheir license. The Health Care Networks Divisum ofBCBSAL
   eSfahlides tire contracting rellllionship with providers and overst!£s the credentialing and
   verification of aI/ providers, including their licensure and specialty information. The
   llealth l\fanagemenl of Bille Cross Blue Shield oj Alabama D;vi,'~ion i., re.rponsibleJor
   medical policy creation. U/Uizat;on re,-jew. detection and invesligatioll, reco~ery of
   overpayment and potential prosecution 0/ cases illvolving unlaW/ill activity against the
   local Plan.




   OIG Reply:
   The fact that Alabama is a medi cally ullderserved area does not mean that existing benefit
   limitations are \vaived. It means, additional providers may be able to be paid for providing
   those eJC isting benefits as outlined on page 12 ofibe brochure. The brochure states:
      "Medically undenerved areas. In the states OPM detennines are "medically
      uodcrscrved:
           Under Standard Option, we cover any licensed medical practitioner for any covered
           service performed within the scope of that license.
           Under Basic Option, we cover any licensed medical prac titioner who is Preferred for
           any covered service performed within the scope of that license:'


   In addition, deteclive controls are not as effective and arc more costly than preventative
   controls. We continue to recommend that system modifications be made to cnsure that
   rnl.."(]ical providers afC not paid for services outside the scope of their license.

3, Anesthesia IUncfits

   A tcst claim was processed ",,'here a standard option member was overcharged for anesthesia
   services.

   According to the 2009 Be BS benefit brochure, a standard option member' s liability for
   anesthesia services at a non-participating provider is " 100% of the billed amount up to a
   maximum of $800 per anestbctist per day. "

   The OIG entered a test claim into the BCBSAL local system with lll;tandard option me-mber
   receiving anesthesia services from a non-partiCipating provider. The claim was processed by
   the local sy~1:em and by foEP Express, and the member's liability wa~ appropriateJy capped at



                                                9

  $800. However, a similar claim was also entered where an accidental injury was indicated
  on the claim fonn, and the member liability for this claim was $1,209.

  Nothing in the benefit brochure indicates that the $800 limit for anesthesia services at a non­
  participating provider is affected by the involvement of an accidental injury. This system
  weakness increases the risk that members will be liable for charges in excess of the limits
  outlined in the benefit brochure.

   Recommendation 3
  We recommend that BCBSALlBCBSA make the appropriate system modifications to ensure
  that a member's liability for anesthesia service is limited to the amounts outlined in the
  benefit brochure.

   BCBSAL Response:
  "We agree with this recommendation. The determination ofa member's cost-sharing
  amount is afunction ofthe FEP claims system. Effective January 1, 2009, FEP modified
  the payment ofbenefits for anesthesia services provided by non-participating providers to
  limit the member's out-of-pocket expense to a per day maximum of $800. However, when
  the updates were made in the FEP claims system to reflect this benefzt change all
  applicable scenarios did not properly accumulate to limit the member's daily out-of-pocket
  expense to the $800 maximum. The FEP claims system is scheduled to /,ave a system
  correction implemented 011 October 17, 2009.

  Proactively, a preliminary listing was generated to identify those members that have
  exceeded the daily coinsurance limitfor anesthesia services performed by non­
  participating providers during the period ofJanuary 1, 20P9 through June 30,2009. A
  minimal number ofmembers have been underpaid as a result ofthis system processing
  error.. Once this system correction has been successfully implemented, adjustments will be
  made to the impacted claims and additional payments will be issued to the members. "

   OIG Reply:
  As part of the audit resolution process, we recommend that BCBSAL provide OPM's CRlS
  with appropriate supporting documentation indicating the steps taken to address this
  rec{)mmendation. We will evaluate the effectiveness of the planned October 17,2009 system
  correction implementation as part of a follow-up review or during the next audit.

4. OBRA93 Assistant Surgeon

  An OBRA93 test claim was priced incorrectly.

  The Ola entered a test claim into the BCBSAL local system with the patient receiving
  services from an assistant surgeon ('AS' modifier). The patient has Medicare A only, and
  the claim is subject to OBRA93 pricing.




                                               10 

The claim was processed by the local system and FEP Express, and the assistant surgeon was
paid 100 percent of the amount allowed by the Medicare fee schedule for the primary
surgeon (minus the deductible and coinsurance). This resulted in an overpayment to the
provider, as the Centcr for Medicare Services Medicare Claims Processing Manual states that
assistant surgeon claims should only be paid at 13.6 percent of the Medicare fee schedule for
a regular surgeon.

This system weakness was brought to the attention of BCBSA during a prior audit of the FEP
Express system. BCBSA responded to the audit finding by indicating that the problem was
corrected in May 2008. However, this test case indicates that the weakness still exists.

Recommendation 4
We recommend tbat BCBSAlJBCBSA make the appropriate system modifications to ensure
that OBRA 93 claims are priced appropriately.

BCBSAL Response:
"We disagree with this recommendation. OBRA '93 pricing is handled by an outside
vendor, Palmetto. The incorrect pricing ofAS (Assistant Surgeon) modifier claims has
been cited in several previous audits. This problem resulted from Palmetto not pricing
these claims due to the complex nature oftile pricing components. On May 26,2008,
Palmetto started generating pricing allowances for these claims.

 The claim in question was processed on the FEP Test System, not the Production System.
Claims processed in the Test System are not sent to Palmetto for pricing. In the FEP Test
System, a simulator is used to identify whicll claims are subject to OBRA '93 pricing and
the allowance and provider data may not always be updated. Because we do not Ilave the
screen input to show the data submitted by the OPM auditors, we could not determine
whetller all data fields were correctly populated. However, we did randomly select a claim
from our FEP Production System to demonstrate til at tile pricing ofAS Modifier is
peiformed correctly by Palmetto, Attached is a copy ofthe claim from the FEP Production
System that shows that it was priced according to tile kIedicare Fee Schedule as illustrated
Attachment 4.A."

OIGReply:
BCBSALlBCBSA has copies of all screen input to show the data submitted by OPM/OIG
auditors. Furthermore, BCBSAL personnel took the screenshots and later provided them to
OPMlOIG auditors for analysis. The simulator should represent the production environment.
OPMlOIG suggests using the original data to research whether there is a problem with the
simulator or with Palmetto's pricing ofOBRA93 claims. We continue to recommend that
BCBSALlBCBSA make the appropriate system modifications to ensure that OBRA 93
claims are priced appropriately.




                                           11 

S. Chiropractor Office Visits aDd X-rays

   The 2009 BeBS benefit brochure allows 	                                   and o n e _
   •   each calendar year. However, a test sC"Da<io                      a member receiving
   mUltiple _          and ~s in a single calendar year,

   Tbe 01G entered two test claims into the BCBSAL local system for a standard-option
   member. lbe frrst claim indicated the patient received an initial ~1l
   2009. The second claim indicated that the same patient received a s e c o n d _ and •
   • 	 from                     in the same calendar year. The local system and FEP Express
                                   both claims.

   This system weakness increases the risk that _           benefits are being paid in excess of
   the amount outlined in the benefit brochure. Nothing from the brochure indicates that
   ~nefit limitations are waived for medically underservcd states such as Alabama.

   Recommendation 5
   We recommend that BCBSAUBCBSA make the appropriate system modifications to ensure
   that chiropractic benefits are paid in accordance with the BeBS benefit brochure.

   BCBSAL RespOIue: 

   "We agree with                                        1.2009, FEP implemented a benefit 

                                                   fo one per year. When tlris change was
   implemented,                     waf          only to those Plan..r,; nol          as Afedically
   Ul!dersel')1ed (ll-/UA) by OPM.ln MUA service areas,                            allowed to perform
   covered professional ,rervic:a that are normally                                These professional
   service,'i include        visits, It has been difficult 10 determine Ihe requirements to IimiJ
                                   in ilfUA sen';ce areas to one visit per yellr in the FEP claims
                              '.' often have multiple diagnoses that also include tnanipubltions.
   II would he inc()rrect nol to allow Ihese visitsJOT MUA service areas.

    We colllb'UI! to explore how 10
   per yl!fJr. During the period ofJanuary            to 	                a total of97, 722 visits
   have been processed with procedure codes jor someform ofoffice visit. To slop each claim
   for manual review would impact member serYice and increase member inquirus. The FEP
   Dinelor Office's staff will cOlllinlle 10 purslle a resolution of litis issue wilh the
   Contracting Officer."

   OIG Reply:
   We acknowledge the steps being taken to enSUIe that chiropractic benefits are paid in
   accordance with the BCBS benefit brochure. As part of the audit resolution process, we
   recommend that BCBSAUBCBSA provide OPM's crus with appropriate supporting
   documentation indicating the steps taken to address this recommendation.




                                                12 

6. OBRA90 with Status Code 43

   An OBRA90 claim with a patient status code of 43 was incorrectly priced.

   The OIG entered a test claim for services provided in 2008 into the BCBSAL lecal system
   with a patient who is enrolled in Medicare part B only; this claim is subject to OBRA90
   pricing. The local system processed this claim and passed it to FEP Express. FEP Express
   appropriately suspended the claim for Medicare information. The claims processors entered
   into the system the Medicare Explanation of Benefit information provided by the auditors.
   The claim was then processed and priced by FEP Express.

   Auditors priced this claim with the current version ofthe 2008 PC CMS PRICER program
   and found that the Medicare Diagnosis Related Group amount produced by the PRICER did
   not match the amount indicated in the test claim. In past audits, OIG determined that FEP
   Express has inappropriately priced claims with status code 43 as a "transfer." However,
   pricing this claim as a transfer on the PC PRICER does not yield the amount produced in the
   test case.

   Recommendation 6
   We recommend that BCBSALlBCBSA implement the appropriate system modifications to
   ensure that OBRA90 claims are priced appropriately.

   BCBSAL Response:
   "We disagree with this recommendation. The issue ofreducing the DRG Allowancefor
  patient status codes other than "02" was identified in several previous FEP EDP Audits in
  the past. As a result, system changes were made to the FEP claims system to limit the
  application ofthe OBRA '90 Transfer Pricing Reduction to Patient Status 02. This system
  correction was implemented in the FEP claims system on April 4, 2009. We have
  adjudicated two claims on our claims test system with the same condition to demonstrate
  that the FEP Mainframe OBRA '90 Pricier was functioning according to eMS
  regulations. One ofthe claims was for Patient Status 01 (discharged to home or selfcare
  Iroutine discharge) and the other one was for Patient Status 43 (Discharged/transferred to
  federal care facility). These results are in Attachments 6.A (Patient Status 01) and 6.B
   (Patient Status 43). The attached results indicate that the same DRG Allowances were
  generatedfor Patient Status 01 and Patient Status 43. There was no reduction in the DRG
  Allowancefor these claims. These test claims support our position that the system 

  correction implemented in April 2009 and is properly pricing these claims. " 


   OIG Reply:
   Based on the information provided and the analysis of the information by OPMlOIG we were
   unable to determine if the appropriate system modifications to ensure that OBRA90 claims
   are priced appropriately have been implemented. We will evaluate modifications to the FEP
   claims systems as part of a follow-up review or during the next audit.




                                              I3
7. OBRA90 PRICER Updates

  BCBSAL OBRA90 claims are being processed with an outdated version of the 2009 CMS
  PRICER program.

  The OIG entered four test claims that are subject to OBRA90 pricing into the BCBSAL local
  system. The local system sent the claims to FEP Express where they were processed and
  priced. The auditors priced each claim with the PC CMS PRICER program and compared
  the Medicare DRG amount produced by the PRICER to the amount produced in the test case.

  In each of the four test claims, the Medicare DRG amount produced by the current version of
  the 2009 PRICER did not match the amount produced in the test case. The auditors priced
  each claim again using the original (now outdated) version ofthe 2009 CMS PRICER
  program, and in each case the Medicare DRG amount matched that from the test case. The
  OIG believes that this indicates that FEP Express is processing OBRA90 claims with an
  outdated version of the CMS PRICER. As a result, BCBSALIBCBSA has incorrectly priced
  all OBRA90 claims processed after January 1,2009.

  Recommendation 7
  We recommend that BCBSAL/BCBSA implement the appropriate system modifications to
  ensure that OBRA90 claims are priced with the correct version ofthe CMS PRICER.

  BCBSAL Response:
  "We agree with this recommendation. The FEP Operations Cenler's OPM approved
  OBRA '90 Mainframe Pricer is the offcial mechanism used to price all FEP claims
  meeting the OBRA '90 requirements. In the past, OPM p~ovided FEP with any updates to
  the OBRA '90 Pricer. Recently, FEP began obtaining the updates directly from CMS.
  When the first updates were received, it was discovered that the type oftape used by CMS
  was no longer supported by the FEP Data Center. In order to use the CMS tapes, the
  Operations Center had to find a vendor to convert them into an alternative tape format for
  usage in the FEP claims system Mainframe OBRA '90 Pricer. This process resulted in a
  delay in implementing the CMS updates. All updates receivedfirst and second quarters
  2009 were updated by July 17, 2009, and re-pricing ofthe impacted OBRA '90 claims will
  occur prior to year-end 2009.

  Attachment 7.A is a schedule ofwhen the updates were receivedfrom the various sources
  and the dates that the changes were implemented into the FEP Mainframe OBRA '90
  Pricer. Since there was a delay to the April 4, 2009 update to the OBRA '90 Pricer, this
  could account for the different pricing generated during the claims testing process. "

  OIG Reply:
  As part of the audit resolution process, we recommend that BeBSAL/BCBSA provide
  OPM's CRI,s with appropriate supporting documentation indicating the steps taken to
  address this recommendation. We will evaluate the effectiveness of the 2009 updates as part
  of a follow-up review or during the next audit.


                                             14
F. Health Insurance Portability and Accountability Act
The OIG reviewed BCBSAL's efforts to maintain compliance with the security, privacy, and
national provider identifier standards ofHIPAA. Nothing came to our attention that caused us to
believe that BCBSAL is not in compliance with the various requirements of these HIPAA
regulations.

BCBSAL has implemented a series ofIT security policies and procedures to adequately address
the requirements of the HIPAA security rule. BCBSAL has also developed a series of privacy
policies and procedures that directly addresses all requirements of the HIP AA privacy rule. The
documents related to the HIPAA privacy and security rules are readily available to all BCBSAL
employees via the company's Intranet. BCBSAL employees receive privacy and security related
training during new hire orientation, as well as periodic subsequent training as needed.

In addition, the OIG documented that BCBSAL has adopted the national provider identifier as
the standard unique health identifier for health care providers, as required by HIPAA.




                                              15 

                    UI. Major Contributors to This Report 

'Ibis audit report was prepared by the U.S. Office of Personnel Management. DlIke of Inspector
General, Infonnation Systems Audits Group. The following individuals participated in the audit
and the preparation of thi s report:

•                   Group Chief
•                    Auditor-In-Charge
•                       IT Auditor
•                   IT Auditor




                                              16 

                                Appendix 	                           HlueCross BlueSbicld
                                                                     AMociation
                                                                     A.u ~# I!f lmR-pendent
                                                                     Blue Cr(l.t., atilt Blue Shleh} PJ:&M




                                                                     l'~~ral   Employee Program
                                                                     J~lOG Strem. N.W.
                                                                     Washington, D.C. 20005
August 11, 2009                                                      202.942. HJOO

              Chief
       Infcumalicm Systems Audits Group
Insurance service Programs
Office of Personnel Management
1900 E Slreet, N.W., r<oom 6400
Washington, D.C. 20415

Reference: 	 OPM DRAFT EDP AUDIT REPORT
             Alabama Blue Cross Blue Shield
             Audit Report Number 1A-10-09-09-020

D e a r _:

This report is in response to the above-referenced U.S. Office of Personnel
Management (OPM) Draft Audit Report covering the Federal Employees' Health
Benelits Program (FEHBP) Audit of Information Systems General and Application
Controls for Alabama Blue Cross Blue Shield Plan's interface with the FEP claims
processing system, access and security cantmls. Our comments regarding the
findings in the report are as follows:

A.   APPLICATION CONTROLS
     1.   Procedure to Diagnosis Inconsistency
          The OIG recommended that Blue Cross Blue Shield of Alabama
          (BCBSAl) and Blue Cross Blue Shietd Association (BCSSA) make
          appropriate system modifications to ensure that claims with
          procedures/diagnosis inconsistencies are flagged for review.

          We disagree with this recommendation. BCBSAL has implemented and
          maintains deteclive system controls to ensure claims with diagnosis
          inconsistencies are reviewed prior to processing. In addition, BCBSAL
          has a comprehensive medical policy program that apphes necessary
          controls to ensure services are medically appropriate before approved to
          pay. These contrrns were developed through extensive research which
          includes analysts of provider filing practices and medical records. The
          Plan's medical policy edits have been streamJined to ensure that only
          historically questionable services are pended, thus limitiog payment
          delays and the corresponding impact to member and provtder service
Page 2


         and satisfaction. Several years ago the Plan broadened its "procedure
         to diagnosis· consistency edits; however. over time found that a very
         high peJrentage of pended claims were delennined to be medically
         necessary, Also, often providers do 001 flag each line of the claim with
         the specific diagnosis for that service, but instead use the presenting
         diagnosis for an services rendered,

         While BCBSAL no longer has across-tha-board edits for
         diagnosis/procedure consistency, there are hundreds of edits in place
         that pay, reject or suspend for review procedu~es based on the
         diagnosis submitted, BCBSAL continuously reviews and updates its edit
         criteria. The guidelines and criteria are reviewed in relation to (1)
         changes in current medical practiceslmedical policy (2) Blue Cross Blue
         Shield or FEP bulletins and recommendations from the BCBSAL Medical
         Director. BCBSAL also has comprehensive edits and anatysis in place to
         identify actual provider and member fraud.

         BCBSAL takes its responsibmty for determining whether or root coVered
         services, medicallreatments/procedures, supplies and drugs meet the
         criteria for medical necessity very seriously, The BCBSAL Plan's
         extensive experience and proven performance in accurately processing
         claims is based on a thorough yet targeted approach to identifying those
         situations that warrant review. The situations used by the auditors were
         not the nonnal day-to-day types of billing occurrences. No process is
         absolute but provides reasonable assuranoo that the controls are
         effective. Blue Cross and Blue Shield of Alabam.a believes that their
         edits are suffICient to identify services submitted that are not related to
         the diagnosis.

         Although we do not believe that it is cost effective for these types of edits
         to be housed in both the toeal Plan system and the FEP claim system.
         SeSSA will investigate the feasibility of implementing limited edits to
         identify services that are not related to the diagnosis. The development
         of service and diagnosis groupings will require a vast amount of work.
         We do not expect the anatysis to be completed until 2nd quarter 2009.

    2.   Provider Invalid for Procedure
         The OIG recommended that BCBSAL make appropriate system
         modifications to ensure that medical providers are not paid for services
         outside the scope of their license.

         We disagree with this recommendatjon, given that BCBSAL has
         Implemented and maintains appropriate system ,controls to ensure that
         rnedical providers are not paid for services outside the scope of their
         license on a post payment basis. BCBSAL has been designated a
Page 3


         Medically Undeserved Area (MUA). The designation of a MUA
         references the lack of licensed providers available in an area for
         contracting purposes and the intent 10 contract with all that are available.
         Therefore, in many areas of the state, the extent of the services provided
         by a single physician may be very wide-ranging. Most physicians
         declare a specialty and often receive board certification, but with
         additional training and or experience in other specialty areas, can
         through the life of the practice change their practice specialty to a subset
         or other areas of interest. Edits exist 10 keep timited license practitioners
         such as ~rom perfonning medical services outside their scope
         of practice and controls are in place which helps ensure that medical
         providers are paid for selvices within the scope of their license. The
         Health Care Networks Division of BCBSAL establishes the contracting
         relationship with providers and oversees the credehtlalll'lg and
         verifICation of all provid€rs, including their licensure and specialty
         information. The Health Management of Blue Cross Blue Shield of
         Alabama Division is responsible for medical policy creation, utilization
         review, detection and investigation, recovery of overpayment and
         potential prosecution of cases involving unlawful activity against the Iocaf
         Plan.

         Also, due to the liberty allowed licensed medical professionals in its
         service area, the Plan does not have pre-payment edits in place to
         identify providers rendering services outside of the scope licensure. The
         Plan does have post·payment rev~w processes conducted by its
         Special Investigation Unit and Utilization Review areas to identify
         abnormal billing practices.

    3.   _            Benefits
         The DIG recommended that BCBSAUBCBSA make the appropriate
         system modifications to ensure that a member's liability f o r _
         service is limited to the amounts outlined in the benefit brochure.

         We agree with this recommendation. The determination of a member's
         cost-sharing amount is a function of the FEP claims system. Effective
         January 1. 2009. FEP modified the payment of benefits f o r _
         services provided by non-participating providers to limit the member's
         out-of-pocket expense to a per day maximum of $800. However, when
         the updates were made in the FEP claims system to reflect this benefit
         char1ge all applicable scenarios did not property accumulate to limit the
         member'S daily out-of-pocket expense to the $800 maximum. The FEP
         claims system is scheduled to have a system correction implemented on
         October 17. 2009.
_ _ Chief
.Ali9u$t1T.ib09
 Page 4


          Proactively, a preliminal)' listing was generated to idenlily those
          members that have exceeded the daily coinsurance limit for anesthesia
          services perfonned by non-participating providers during the period of
          JanusI)' 1, ~009through June 30, 2009. A minimal number of members
          have been underpaid as a result of this system processing error. Once
          this system correction has been successfully implemented, adjustments
          will be made to the impacted claims and additional payments will be
          issued to the members.

     4.   OBRA '93 Assistant Surgeon
          The OIG recommended that BCSSAUBCBSA make the appropriate
          system modifications to ensure that OBRA 93 claims are priced
          appropriately.

          We disagree wrth this recommendation. OBRA '93 pricing is handled by
          an outside vendor, Palmetto. The incorrect pricing of AS (Assistant
          Surgeon) modifJer claims has been cited in several previous audits. This
          problem resulted from Palmetto not pricing these claims due to the
          complex nature of the pricing components. On May 26, 2008, Palmetto
          started 'generating pricing allowances for these claims.

          The claim in question was processed on the FEP Test System, not the
          Production System. Claims processed in the Test System are not sent
          to Palmetto for pricing. In the FEP Test System, a simulator is used to
          identify which claims are subject to OBRA·'93 pricing and the allowance
          and provider data may not always be updated. Because we do not have
          the screen input to show the data submitted by the OPM auditors, we
          couJd not determine whether an data ftetds were correctly populated.
          However, we did randomly select a claim from our FEP Production
          System to demonstrate that the pricing of AS Modmer is performed
          correctly by Palmetto. Attached is a copy of the claim from the FEP
          Production System that shows that it was priced according to the
          Medicare Fee Schedule as illustrated Attachment 4.A.

     6,
          The OIG recommend that BCBSAUBCBSA make the ~r)ror)riaile
          system modifications to ensure that            are paid in
          accordance with the BeSS benefrt bro'ch'Jre.

          We agree with this finding . Effective ~~~
          implemented a benefit change to i                                one
          per year. When this change was j                   i       was
          applied only to Ihose Plans not designated as Medically Underserved
          (MUA) by OPM. In MUA service areas, Chiropractors are allowed to
~Chlef
~09
Page 5


         perform covered professional services that are no,m8,llypn:,vidled
         physicians. These professional services include
         been difficult 10 determine the requirements to
         _ i n MUA service areas to one visit per year in
         system because office visits often have multiple diagnoses that also
         include manipulations, It would be incorrect not to allow these visits for
         MUA service areas.

         We continue to explore how to                               in MUA
         service areas to one per year.                               1,2009 to
         June 30. 2009. a total of 97.722 visits have been processed with
         procedure codes for some form of office visit. To stop each clam for
         manual revte'N wouJd impact member service and increase member
         inquiries. The FEP Director Office's staffwiJI continue to pursue a
         resolution of this issue with 100 Contracting Officer,


    6.   OBRA '90 with Status Code 43
         The 010 re<:ommended that BCBSAUBCBSA implement the
         appropriate system modifICations to ensure that OBRA90 claims are
         priced appropriately.

         We disagree with this recommendation. The Issue of reducing the DRG
         Allowance for patient status codes other than ~02" was identified in
         several previous FEP EOP Audits in the past. As a result, system
         changes were made to the FEP claims system to limit the application of
         the OBRA '90 Transfer Pricing Reduction to Patient Status 02. This
         system correction was implemented in the FEP claims system on April 4.
         2009. We have adjudicated two claims on our claims test system with
         the same condition to demonstrate that the FEP Mainframe OBRA '90
         Pricier was functioning according to eMS regulations. One of the claims
         was for Patient Status 01 (discharged to home or self care /routine
         discharge) and the other one was for Patient Status 43
         (Discharged/transferred to federal care facuity). These results are in
         Attachments 6.A (Patient Status 01) and 6.B (Patient Status 43). The
         attached results indicate that the same DRG Allowances were generated
         for Patient Status 01 and Patient Status 43. There was no reduction In
         the DRG Allowance for these claims. These test claims supports our
         position that the system correction implemented in April 2009 and is
         properly pricing these claims.
_Chief
~09
Page 6


      7.      OBRA '90 Pricer Updates
           The OIG recommended that BCBSALlBCBSA implement the
           appropriate system modifications to ensure that OBRA90 claims are
           priced with the correct version of the CMS Pricer.

           We agree with this recommendation. The FEP Operations Center's
           OPM approved OBRA '90 Mainframe Pricer is the official mechanism
           used to price all FEP claims meeting the 08RA '90 requirements. In the
           past. OPM provided FEP with any updates to the OBRA '90 Pricer.
           Recently, FEP began obtaining the updates directly from CMS. When
           the first updates were received, it was discovered that the type of tape
           used by CMS was no longer supported by the FEP Oata Center. In
           order to use the eMS tapes, the Operations Center had to find a vendor
           to convert them mto an attemattve tape fonnat for usage in the FEP
           claims system Mainframe OBRA'90 Pricer. This process resulted in a
           delay in implementing the CMS updates. All updates received first and
           second quarters 2009 were updated by July 17, 2009, and re-pricing of
           the impacted OBRA '90 claims will occur prior to year-end 2009.

           Attachment 7.A is a schedule of when the updates were received from
           the various sources and the dates that the changes were implemented
           into the FEP Mainframe OBRA '90 Pricer. Since there was a delay to
           the April 4, 2009 update to the OBRA'90 Pricer, this could account for
           the different pricing generated during the claims testing process.
 We appreciate the opportunity to provide our response to this Draft Audit Report 

 and request that our comments be included in their entirety as an amendment to 

-thE. Final Audtt Report.




Attachments

cc: