Follow-up Review of Information Systems General and Application Controls at CareFirst BlueShield and the Federal Employee Program Operation Center

Published by the Office of Personnel Management, Office of Inspector General on 2011-06-23.

JOHN BERRY                                                                                     2


Executive Summary

The original audit report detailed 13 weaknesses in the information systems general and
application controls at CareFirst/FEPOC. The objective of this follow-up review was to evaluate
the current status of each recommendation and determine which, if any, of the recommendations
should be re-opened. We concluded that 9 of the 13 recommendations were adequately
addressed, but that 4 recommendations had not been fully implemented. This report also
contains two new recommendations that address the following outstanding weaknesses:

   •   CareFirst Business Impact Assessment (BIA): As part of the overall risk management
       process, CareFirst conducted a BIA to evaluate the impact that disruptions to various
       business processes would have on the organization as a whole. However, we found that
       the CareFirst BIA had not been updated since March 2005 – three years prior to the
       original audit. As of April 2011, the CareFirst BIA still has not been updated.

   •   Comprehensive Medical Edits: The original test of FEPOC’s FEP Express claims
       processing application revealed that this system did not have adequate
                                                     in insurance claims. It is common practice
       for health claims processing systems to include such controls to prevent payments for
       abusive or fraudulent billing. As of April 2011, FEP Express has still not been modified
       to address these weaknesses, which affect claims processed by all BlueCross BlueShield
       plans ($25.6 billion in 2010).

Background

Audit report 1A-10-92-08-021 was issued on November 28, 2008 with 13 audit
recommendations. On May 17, 2010, HIO sent a closure letter to the BlueCross BlueShield
Association (BCBSA) indicating that all 13 recommendations were being closed. However, at
this time it was clear that several recommendations should have remained open, as the BCBSA
had not provided evidence to HIO indicating that all corrective action had been implemented.

The issuance of the HIO closure letter created the possibility that CareFirst/FEPOC would halt
its ongoing efforts to remediate the weaknesses identified during the audit. As a result of this
concern, we initiated this follow-up review to determine the current status of the original audit
recommendations and reopen any that had still not been completed.

Scope and Methodology

The scope of this review was limited to the business processes where weaknesses were identified
during the original audit, including:
   •   BIAs;
   •   Firewall management;
   •             management; and
   •   Claims adjudication controls.

In conducting this review we gathered documentation and conducted interviews related to
remediation activity CareFirst/FEPOC has completed to address our original audit
recommendations. Various laws, regulations, and industry standards were used as a guide to
evaluate the CareFirst/FEPOC control structure. These criteria include, but are not limited to:
   •   NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
   •   NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
   •   Health Insurance Portability and Accountability Act of 1996;
   •   Omnibus Budget Reconciliation Act of 1990 (OBRA 90);
   •   Omnibus Budget Reconciliation Act of 1993 (OBRA 93); and
   •   Federal Information System Controls Audit Manual.

Our review was not conducted in accordance with Generally Accepted Government Auditing
Standards (GAGAS). The nature and scope of the work performed was consistent with that
expected of a GAGAS audit; however, because we consider this to be a review, the
documentation, reporting, and quality control standards are not as rigorous.

Review Follow Up

In accordance with Office of Management and Budget (OMB) Circular A-50 and/or Public Law
103-355, all findings must be resolved within six months of the date of this report. In order to
ensure findings are resolved within the required six-month period, we ask that the Healthcare and
Insurance Office (HIO) respond directly to the Office of the Inspector General (OIG) within 90
days of the date of the report advising us whether they agree or disagree with the findings and
recommendations. As stated in OMB Circular A-50, where agreement is indicated, the HIO
should describe planned corrective action. If the HIO disagrees with any of the findings and
recommendations, we need them to explain the reason for the disagreement and provide any
additional documentation that would support their opinion.

Since this office exercises oversight regarding the progress of corrective actions, we also request
that the HIO provide the OIG a report within six months describing corrective action taken. If
the corrective action has not been completed, we also ask that the HIO continue to provide us
with a report on the status of corrective action every March and September thereafter until action
has been completed.

Results

The following sections outline the results of our follow-up review of information systems general
and application controls at CareFirst/FEPOC.

1.   Business Impact Assessments (BIA)

     As part of their overall risk management process, CareFirst and the FEPOC conducted BIAs
     to evaluate the impact that disruptions to various business processes would have on the
     organizations as a whole. However, both the CareFirst and the FEPOC BIAs were outdated.

     a) 2008 Recommendation 1 – FEPOC BIA
       We recommend that the FEPOC BIA be updated on an annual basis.

       2008 BCBSA Response:
       “The FEPOC reviews the BIA on an annual basis, and updates them every two to three
       years. Changes to the critical and non-critical systems do not occur in that interval
       where it would require updating the BIA annually. The FEPOC reviews and makes
       updates to the systems or processes related to our business at least twice a year in
       conjunction with the DR (Disaster Recovery) exercises. If there are substantial changes to
       the systems, DR and business continuity documentation changes are accommodated at
       other times to ensure recoverability of all systems in the event of a disaster and during
       the next scheduled Disaster Recovery (DR) exercise.”

       2011 Status:
       We confirmed that the FEPOC BIA was updated in September 2009. FEPOC plans to
       incorporate the results of the BIA into an update of its disaster recovery plan during
       2011; this recommendation is closed.

     b) 2008 Recommendation 2 – CareFirst BIA
       We recommend that the CareFirst BIA be updated to include the results of the most
       recent BIA surveys, and be updated on a periodic basis thereafter.

       2008 BCBSA Response:
       “The data compiled in 2007 and shared with the OIG auditors was an official BIA. At
       that time, a new survey was completed and data was compiled. The business continuity
       and disaster recovery requirements were updated to reflect the information collected in
       this survey. All business continuity scenarios included in our plans were modified to
       reflect this data and these requirements. In addition, business continuity plans are
       reviewed/updated by the business owners on a semi-annual basis and audited on a test
       basis by corporate business continuity. CareFirst is currently undergoing a corporate
       reorganization that is anticipated to be completed in 2009. At that time, new BIA surveys
       will be completed and the data compiled will be incorporated in the business continuity
       and disaster recovery plans.”

       2011 Status:
       As of April 2011 the CareFirst BIA has not been updated. CareFirst is in the planning
       stages for completing a BIA by December 31, 2011. CareFirst stated that the delay was
       the result of significant organizational and platform changes during the last 3 years, and
       that it would not have been a good use of resources to perform a BIA during this
       transformation.

       2011 Recommendation 1
       We recommend that CareFirst update its BIA and incorporate the results into the
       CareFirst disaster recovery plan. The BIA and disaster recovery plan should be reviewed
       on an annual basis and updated when necessary.

2.   Firewall Management

     CareFirst has established an IT security team at its data center that is responsible for
     configuring and maintaining the organization’s firewalls. However, CareFirst has not
     established a corporate policy detailing firewall configuration requirements.

     a) 2008 Recommendation 3 – Firewall Configuration Policy
       We recommend that CareFirst implement a firewall configuration policy, and begin using
       this policy as a baseline during periodic firewall reviews and audits. The policy should
       contain the elements suggested by NIST SP 800-41 or other appropriate guidance.

       2008 BCBSA Response:
       “CareFirst agrees with this recommendation and has completed the implementation of
       the recommended firewall configuration policy as of May 15, 2008. The firewall
       configuration review/testing was completed during the period of May 22 through June 9,
       2008.”

       2011 Status:
       We confirmed that CareFirst has implemented a firewall configuration policy; this
       recommendation is closed.

3.              Management

     CareFirst uses                                             security software to govern access
     to mainframe applications. The                          requirements for                 are
     defined by the “                      ” outlined in the                          . The OIG
     reviewed CareFirst's             and concluded that the
     requirements are configured in a manner that is not consistent with CareFirst policy or
     industry acceptable best-practice.

     a) 2008 Recommendation 4 –

         We recommend that CareFirst improve controls related to           requirements in a
         manner that prevents users from setting a               that does not meet CareFirst
         policy and industry standards.

         2008 BCBSA Response:
         “The        system changes recommended would require significant effort in time and
         resources. As a mitigating control, CareFirst utilizes a third party program,
                                   . to allow users to reset and update                . As
         acknowledged by the Office of the Inspector General (OIG) auditors, this program
         enforces                       in accordance with CareFirst and industry standards.
         Therefore, CareFirst security controls are in compliance with standard industry practice
         and HIPAA security guidelines.”

         2011 Status:
         CareFirst has not implemented the recommended system change and has formally
         accepted all associated risk. CareFirst stated that the system change was not feasible
         because of the impact the change would have on legacy claims processing applications.
         This recommendation is closed based on CareFirst’s risk acceptance, but we advise
         CareFirst to continue to evaluate the feasibility of implementing the recommendation as
         legacy systems are decommissioned.

4.   Claims Adjudication Controls

     To validate the claims adjudication controls, a testing exercise was conducted on
     CareFirst/FEPOC’s claims processing applications. The exercise involved developing a test
     plan that included real-life situations to present to CareFirst/FEPOC personnel in the form of
     institutional and professional claims. The test plan included expected results for each test
     case. Upon conclusion of the testing exercise, the expected results were compared with the
     actual results obtained during the exercise. The following system weaknesses were
     identified during this testing:

     •   incorrect pricing of claims involving special rules for certain categories of federal
         members (OBRA 90 and OBRA 93);
     •   incorrect application of             benefits, including a scenario where
              was provided for an                          ;
     •   lack of medical edits to prevent payment for common scenarios such as:
         -                                 provided to a patient by

         -                                                             ;
         -
     •   no control to prevent                                                                   .

     a) 2008 Recommendation 5 – OBRA 93 Pricing

      We recommend that CareFirst/FEPOC implement the appropriate system modifications
      to ensure that OBRA 93 claims are priced appropriately.

      2008 BCBSA Response:
      “OBRA ’93 claims pricing is an FEP responsibility that is handled by Palmetto, an
      outside vendor. Due to the complex nature of the pricing of claims with procedure code
      modifier ‘AS,’ these claims were excluded from the pricing requirements in the Vendor’s
      contract. The necessary changes to the Vendor’s contract have been made to allow for
      the pricing of these claims. Effective May 26, 2008, FEP claims with the procedure
      code modifier of ‘AS’ began to be priced in accordance to the Medicare Fee Schedule
      by Palmetto. Because the FEP Director’s office was aware of the processing deficiency,
      periodic listings identifying these overpayments were sent to Plans to initiate refunds.
      Once this change was made, the final listings of overpayments caused by the lack of the
      ‘AS’ modifier reduction were sent to Plans to initiate recoveries.”

      2011 Status:
      The OIG has confirmed that the recommended system modifications have been
      implemented; this recommendation is closed.

   b) 2008 Recommendation 6 –
      We recommend that CareFirst/FEPOC implement the appropriate system modifications
      to ensure that                                   are applied correctly.

      2008 BCBSA Response:
      “First, we would like to clarify that the                                              is
      a FEPExpress function. We conducted the same type of testing performed by the OIG
      auditors in an effort to determine whether there are any issues with the manner in which
      FEPExpress                                                         We did not receive the
      same results as the ones obtained by the OIG auditors. Attachment A contains copies of
      our test results using the FEP reporting requirements for this service.”

      2011 Status:
      The OIG has confirmed that the recommended system modifications have been
      implemented; this recommendation is closed.



   c) 2008 Recommendation 7 – Chiropractic Office Visits and X-rays
      We recommend that CareFirst/FEPOC implement the appropriate system modifications
      to ensure that subscribers receive benefits for only one chiropractic office visit and one
      set of x-rays each calendar year.

      2008 BCBSA Response:

      “The 2008 Blue Cross Blue Shield Service Benefit Brochure states on page 46, ‘initial
      office visit’ for a Chiropractor. During late 2007, we became aware of the difficulty in
      the administration of this benefit due to the language used. Initially, an edit was put in
      the FEP system to limit the benefit to one visit. However, because the brochure reads
      initial visit, we had to remove the edit as there was no definition provided to the
      members to define whether initial office visit meant per Chiropractor or per episode or
      per benefit period. As a result, we have made a request for a Contract modification to
      change the word ‘initial’ to ‘one’ visit. This request was submitted with the 2009 Benefit
      Changes/Clarifications. The results of the 2009 Benefit negotiations have not yet been
      published. Once this information is made available, we will provide an update to our
      response.”

      2011 Status:
      We confirmed that the recommended system modifications have been implemented; this
      recommendation is closed.

   d) 2008 Recommendation 8 –
      We recommend that CareFirst/FEPOC implement the appropriate system modifications
      to ensure that a                 is evaluated for appropriateness before
                        are paid.

      2008 BCBSA Response:
      “Medical Edits are the responsibility of the local Plans. Please reference the
      Attachment B for a copy of FEP Administrative Manual Volume I, Chapter 15 – 107 for
      a description of this requirement. It would be a duplication of efforts and costly to the
      Program for FEPExpress to contain the various medical policies for each specific Plan
      as well as requiring numerous Plan specific edits.

      CareFirst will work with the FEP Director’s Office to re-evaluate its medical edits in an
      effort to determine what local system edits may require enhancements in order to ensure
      that these types of situations are pended for review of the medical appropriateness of the
      services prior to payment. We estimate that this evaluation will be completed by the end
      of first quarter 2009.”

      2011 Status:
      This recommendation resulted from a test claim that was processed where benefits were
      paid for                                    associated with an                        .
      This scenario illustrates a medical inconsistency that would typically be detected by
      comprehensive medical edit software.

      We have audited multiple BCBS Plans and have documented an extreme inconsistency
      in the effectiveness of the medical edits implemented on each Plan’s local claims
      processing system. Some Plans have very thorough medical edits from in-house
      developed systems or the use of third-party medical edit software.

      We believe that the most effective way to ensure that all BCBS FEP claims are subject
      to the same level of quality control is to install comprehensive medical edit software on
      FEP Express.

      2011 Recommendation 2
      We recommend that CareFirst/FEPOC implement comprehensive medical edit
      capabilities on FEP Express.

   e) 2008 Recommendation 9 –
      We recommend that CareFirst/FEPOC incorporate the appropriate edits into FEP
      Express that will allow the system to identify and suspend claims that are
                                                                      .

      We acknowledge the fact that, for certain procedures, it may be possible to have the
                                                                                The system could
      be programmed to selectively apply the new edit based on the procedure in question. In
      order to avoid hindering the efficiency of the edit process, the edit could be designed to
      bypass entire classes of procedures where


      2008 BCBSA Response:
      “There are                                                        ; however, we
      have encountered a number of exceptions with these procedures. Sometimes,




      The example used by the OIG auditors was a
                             Because the example included                             the claim
      did not defer on FEPExpress as a                 .                         are not part of
      the FEP System                   . However, the question with the

                             Since this is not accepted medical practice (Local Medical Policy)
      for the CareFirst service area,                   correctly deferred on the FLEXX
      System. This is the correct process as Medical Edits are housed at the local Plans.
      However, the claim paid on FEPExpress as there are no Medical Edits on FEPExpress.

      If the OIG auditors can provide FEP with a listing of the procedures that should be
      included in a new edit that is designed to
               we will evaluate the feasibility                       . At this time, we
      cannot determine the types of
                   Therefore, no changes will be made to the FEPExpress at this time.”

      2011 Status:
      This recommendation resulted from two test claims that were processed and paid for a
      subscriber
                 This scenario illustrates a medical inconsistency that would typically be
      detected by comprehensive medical edit software.

      As mentioned in section 4(e), we believe that the most effective way to ensure that all
      BCBS FEP claims are subject to the same level of quality control is to install
      comprehensive medical edit software on FEP Express; see recommendation 2, above.

   f) 2008 Recommendation 10 –
      We recommend that CareFirst/FEPOC implement the appropriate modifications to FEP
      Express to ensure that the system can appropriately process claims where
                          .

      2008 BCBSA Response:
      “                                      is based upon local medical policies and is
      considered a Medical Edit that is handled at the Plan level. The test claims processed
      through FLEXX were                           by ClaimCheck which performs various
      medical edits/bundling for the Plan. The auditors also submitted the
      directly to FEPExpress, which appropriately                  these services as the
                        is not maintained on FEPExpress. As a result, no changes are
      required to the FEPExpress.”

      2011 Status:
      We believe that the most effective way to ensure that all BCBS FEP claims are subject
      to the same level of quality control is to install comprehensive medical edit software on
      FEP Express. However, we acknowledge that implementing                        on FEP
      Express would require each BCBS Plan to modify their system to
              after they have processed through FEP Express. We agree that implementing this
      control would not be cost effective; this recommendation is closed.



   g) 2008 Recommendation 11 –
      We recommend that CareFirst/FEPOC implement the appropriate system modifications
      to ensure that a                                                 before benefits
      are paid.

      2008 BCBSA Response:
      “The determining of whether the                                       requires Medical
      Edits to defer the claim for review. Medical Edits are maintained at the Plan level. The
      test claim in question processed correctly in the local Plan system. However, the
      auditors also processed the test claim directly in FEPExpress, which appropriately did
      not edit the claim for                                 y since such edits reside in the
      local system. Therefore, no changes are required to FEPExpress.”

      2011 Status:
      This recommendation resulted from a test claim where benefits were paid for
                                                        . This scenario illustrates a
                  that would typically be detected by comprehensive medical edit software.

      As mentioned in section 4(e), we believe that the most effective way to ensure that all
      BCBS FEP claims are subject to the same level of quality control is to install
      comprehensive medical edit software on FEP Express; see recommendation 2, above.

   h) 2008 Recommendation 12 – Non-participating Provider Pricing
      We recommend that CareFirst/FEPOC implement the appropriate system modifications
      to ensure that non-par provider claims are suspended for review when

                 CareFirst/FEPOC will need to determine an acceptable variance above which
      the claims should be suspended.

      2008 BCBSA Response:
      “Non-Par professional claims are priced by FEPExpress. We are currently conducting
      a study to determine the specifications required to implement an edit that would d
                                                                                  The results
      of the study are expected during the fourth quarter 2008 with implementation of the
      recommendation in 2009.”

      2011 Status:
      The OIG has confirmed that the recommended system modifications have been
      implemented; this recommendation is closed.

    i) 2008 Recommendation 13 – OBRA 90 Transfer
        We recommend that CareFirst/FEPOC implement the necessary system modifications to
        ensure compliance with the requirements of OPM Carrier letter 2007-6.

        2008 BCBSA Response:
        “OBRA ’90 Pricing is a function of FEPExpress. When the system changes to comply
        with OPM Carrier letter 2007-6 were implemented, patient status ‘43’ was incorrectly
        included in the transfer application in the OBRA ’90 Pricer. As a result, these claims
        may have been underpaid. We were aware of this issue from previous audits of other
        Plans. The system correction to limit the OBRA’90 Transfer pricing to patient status
        ‘02’ will be implemented on October 18, 2008.”

        2011 Status:
        The OIG has confirmed that the recommended system modifications have been
        implemented; this recommendation is closed.
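The adjudication edits recommended in 4(c), 4(h) and 4(i) above (one chiropractic office visit and one set of x-rays per calendar year, OBRA 90 transfer pricing limited to patient status '02', and suspension of non-par claims above a variance threshold), as an added Python illustration that is not FEP Express or CareFirst/FEPOC code. The claim fields, procedure codes, the billed-versus-allowed definition of variance and the 50% threshold are assumptions, since the report does not specify them.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Claim:
    claim_id: str
    member_id: str
    service_date: date
    procedure: str                          # constructed codes, e.g. "CHIRO_VISIT"
    billed: float
    allowed: float
    non_par: bool = False                   # non-participating provider
    patient_status: Optional[str] = None    # inpatient discharge status code
    obra90_transfer: bool = False           # pricer applied OBRA 90 transfer pricing


def edit_chiro_limits(claim: Claim, history: List[Claim]) -> Optional[str]:
    """2008 Rec. 7: one chiropractic office visit and one set of x-rays per calendar year."""
    if claim.procedure not in ("CHIRO_VISIT", "CHIRO_XRAY"):
        return None
    for prior in history:
        if (prior.member_id == claim.member_id
                and prior.procedure == claim.procedure
                and prior.service_date.year == claim.service_date.year):
            return f"{claim.procedure} already paid in {claim.service_date.year} ({prior.claim_id})"
    return None


def edit_obra90_transfer(claim: Claim) -> Optional[str]:
    """2008 Rec. 13: OBRA 90 transfer pricing is limited to patient status '02'."""
    if claim.obra90_transfer and claim.patient_status != "02":
        return f"OBRA 90 transfer pricing applied to patient status {claim.patient_status!r}"
    return None


def edit_nonpar_variance(claim: Claim, max_variance: float = 0.50) -> Optional[str]:
    """2008 Rec. 12: suspend non-par claims whose billed-vs-allowed variance exceeds a
    threshold. The variance definition and 50% threshold are assumptions, not report values."""
    if not claim.non_par or claim.allowed <= 0:
        return None
    variance = (claim.billed - claim.allowed) / claim.allowed
    if variance > max_variance:
        return f"non-par variance {variance:.0%} exceeds {max_variance:.0%}"
    return None


def adjudicate(claim: Claim, history: List[Claim]) -> Tuple[str, List[str]]:
    """Run every edit; any hit pends the claim for review instead of paying it."""
    reasons = [r for r in (edit_chiro_limits(claim, history),
                           edit_obra90_transfer(claim),
                           edit_nonpar_variance(claim)) if r]
    return ("SUSPEND", reasons) if reasons else ("PAY", [])


# Constructed sample claims (not real data): a second chiropractic visit in the same
# year, a visit in the following year, OBRA 90 transfer pricing on status '43', and
# an inflated non-par bill.
HISTORY = [Claim("C1", "M100", date(2011, 1, 10), "CHIRO_VISIT", 80.0, 60.0)]
SAMPLE = [
    Claim("C2", "M100", date(2011, 3, 2), "CHIRO_VISIT", 80.0, 60.0),
    Claim("C3", "M100", date(2012, 1, 5), "CHIRO_VISIT", 80.0, 60.0),
    Claim("C4", "M200", date(2011, 6, 1), "INPATIENT", 9000.0, 4000.0,
          patient_status="43", obra90_transfer=True),
    Claim("C5", "M300", date(2011, 7, 1), "OFFICE_VISIT", 500.0, 100.0, non_par=True),
]


def run_edits() -> dict:
    """Adjudicate each sample claim against the history; returns {claim_id: decision}."""
    return {c.claim_id: adjudicate(c, HISTORY)[0] for c in SAMPLE}


if __name__ == "__main__":
    for c in SAMPLE:
        print(c.claim_id, *adjudicate(c, HISTORY))
```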


cc: John O’Brien
    Director, Healthcare and Insurance

    Shirley Patterson
    Assistant Director for Federal Employee Insurance Operations