JOHN BERRY 2
Executive Summary
The original audit report detailed 13 weaknesses in the information systems general and
application controls at CareFirst/FEPOC. The objective of this follow-up review was to evaluate
the current status of each recommendation and determine which, if any, of the recommendations
should be re-opened. We concluded that 9 of the 13 recommendations were adequately
addressed, but that 4 recommendations had not been fully implemented. This report also
contains two new recommendations that address the following outstanding weaknesses:
• CareFirst Business Impact Assessment (BIA): As part of the overall risk management
process, CareFirst conducted a BIA to evaluate the degree to which disruptions to various
business processes would have on the organization as a whole. However, we found that
the CareFirst BIA had not been updated since March 2005 – three years prior to the
original audit. As of April 2011, the CareFirst BIA still has not been updated.
• Comprehensive Medical Edits: The original test of FEPOC’s FEP Express claims
processing application revealed that this system did not have adequate
in insurance claims. It is common practice
for health claims processing systems to include such controls to prevent payments for
abusive or fraudulent billing. As of April 2011, FEP Express has still not been modified
to address these weaknesses, which affect claims processed by all BlueCross BlueShield
plans ($25.6 billion in 2010).
Background
Audit report 1A-10-92-08-021 was issued on November 28, 2008 with 13 audit
recommendations. On May 17, 2010, HIO sent a closure letter to the BlueCross BlueShield
Association (BCBSA) indicating that all 13 recommendations were being closed. However, at
this time it was clear that several recommendations should have remained open, as the BCBSA
had not provided evidence to HIO indicating that all corrective action had been implemented.
The issuance of the HIO closure letter created the possibility that CareFirst/FEPOC would halt
its ongoing efforts to remediate the weaknesses identified during the audit. As a result of this
concern, we initiated this follow-up review to determine the current status of the original audit
recommendations and reopen any that had still not been completed.
Scope and Methodology
The scope of this review was limited to the business processes where weaknesses were identified
during the original audit, including:
• BIAs;
• Firewall management;
• management; and
• Claims adjudication controls.
JOHN BERRY 3
In conducting this review we gathered documentation and conducted interviews related to
remediation activity CareFirst/FEPOC has completed to address our original audit
recommendations. Various laws, regulations, and industry standards were used as a guide to
evaluate the CareFirst/FEPOC control structure. These criteria include, but are not limited to:
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• Health Insurance Portability and Accountability Act of 1996;
• Omnibus Budget Reconciliation Act of 1990 (OBRA 90);
• Omnibus Budget Reconciliation Act of 1993 (OBRA 93); and
• Federal Information System Controls Audit Manual.
Our review was not conducted in accordance with Generally Accepted Government Auditing
Standards (GAGAS). The nature and scope of the work performed was consistent with that
expected of a GAGAS audit; however, because we consider this to be a review, the
documentation, reporting, and quality control standards are not as rigorous.
Review Follow Up
In accordance with Office of Management and Budget (OMB) Circular A-50 and/or Public Law
103-355, all findings must be resolved within six months of the date of this report. In order to
ensure findings are resolved within the required six-month period, we ask that the Healthcare and
Insurance Office (HIO) respond directly to the Office of the Inspector General (OIG) within 90
days of the date of the report advising us whether they agree or disagree with the findings and
recommendations. As stated in OMB Circular A-50, where agreement is indicated, the HIO
should describe planned corrective action. If the HIO disagrees with any of the findings and
recommendations, we need them to explain the reason for the disagreement and provide any
additional documentation that would support their opinion.
Since this office exercises oversight regarding the progress of corrective actions, we also request
that the HIO provide the OIG a report within six months describing corrective action taken. If
the corrective action has not been completed, we also ask that the HIO continue to provide us
with a report on the status of corrective action every March and September thereafter until action
has been completed.
JOHN BERRY 4
Results
The following sections outline the results of our follow up review of information systems general
and application controls at CareFirst/FEPOC.
1. Business Impact Assessments (BIA)
As part of their overall risk management process, CareFirst and the FEPOC conducted BIAs
to evaluate the degree that disruptions to various business processes would have on the
organizations as a whole. However, both the CareFirst and the FEPOC BIAs were outdated.
a) 2008 Recommendation 1 – FEPOC BIA
We recommend that the FEPOC BIA be updated on an annual basis.
2008 BCBSA Response:
“The FEPOC reviews the BIA on an annual basis, and updates them every two to three
years. Changes to the critical and non-critical systems do not occur in that interval
where it would require updating the BIA annually. The FEPOC reviews and makes
updates to the systems or processes related to our business at least twice a year in
conjunction with the DR (Disaster Recover) exercises. If there are substantial changes to
the systems, DR and business continuity documentation changes are accommodated at
other times to ensure recoverability of all systems in the event of a disaster and during
the next scheduled Disaster Recovery (DR) exercise.”
2011 Status:
We confirmed that the FEPOC BIA was updated in September 2009. FEPOC plans to
incorporate the results of the BIA into an update of its disaster recovery plan during
2011; this recommendation is closed.
b) 2008 Recommendation 2 – CareFirst BIA
We recommend that the CareFirst BIA be updated to include the results of the most
recent BIA surveys, and be updated on a periodic basis thereafter.
2008 BCBSA Response:
“The data compiled in 2007 and shared with the OIG auditors was an official BIA. At
that time, a new survey was completed and data was compiled. The business continuity
and disaster recovery requirements were updated to reflect the information collected in
this survey. All business continuity scenarios included in our plans were modified to
reflect this data and these requirements. In addition, business continuity plans are
reviewed/updated by the business owners on a semi-annual basis and audited on a test
basis by corporate business continuity. CareFirst is currently undergoing a corporate
reorganization that is anticipated to be completed in 2009. At that time, new BIA surveys
will be completed and the data compiled will be incorporated in the business continuity
and disaster recovery plans.”
JOHN BERRY 5
2011 Status:
As of April 2011 the CareFirst BIA has not been updated. CareFirst is in the planning
stages for completing a BIA by December 31, 2011. CareFirst stated that the delay was
the result of significant organizational and platform changes during the last 3 years, and
that it would not have been a good use of resources to perform a BIA during this
transformation.
2011 Recommendation 1
We recommend that CareFirst update its BIA and incorporate the results into the
CareFirst disaster recovery plan. The BIA and disaster recovery plan should be reviewed
on an annual basis and updated when necessary.
2. Firewall Management
CareFirst has established an IT security team at its data center that is responsible for
configuring and maintaining the organization’s firewalls. However, CareFirst has not
established a corporate policy detailing firewall configuration requirements.
a) 2008 Recommendation 3 – Firewall Configuration Policy
We recommend that CareFirst implement a firewall configuration policy, and begin using
this policy as a baseline during periodic firewall reviews and audits. The policy should
contain the elements suggested by NIST SP 800-41 or other appropriate guidance.
2008 BCBSA Response:
“CareFirst agrees with this recommendation and has completed the implementation of
the recommended firewall configuration policy as of May 15, 2008. The firewall
configuration review/testing was completed during the period of May 22 through June 9,
2008.”
2011 Status:
We confirmed that CareFirst has implemented a firewall configuration policy; this
recommendation is closed.
3. Management
CareFirst uses security software to govern access
to mainframe applications. The requirements for are
defined by the “ ” outlined in the . The OIG
reviewed CareFirst's and concluded that the
requirements are configured in a manner that is not consistent with CareFirst policy or
industry acceptable best-practice.
a) 2008 Recommendation 4 –
JOHN BERRY 6
We recommend that CareFirst improve controls related to requirements in a
manner that prevents users from setting a that does not meet CareFirst
policy and industry standards.
2008 BCBSA Response:
“The system changes recommended would require significant effort in time and
resources. As a mitigating control, CareFirst utilizes a third party program,
. to allow users to reset and update . As
acknowledged by the Office of the Inspector General (OIG) auditors, this program
enforces in accordance with CareFirst and industry standards.
Therefore, CareFirst security controls are in compliance with standard industry practice
and HIPAA security guidelines.”
2011 Status:
CareFirst has not implemented the recommended system change and has formally
accepted all associated risk. CareFirst stated that the system change was not feasible
because of the impact the change would have on legacy claims processing applications.
This recommendation is closed based on CareFirst’s risk acceptance, but we advise
CareFirst to continue to evaluate the feasibility of implementing the recommendation as
legacy systems are decommissioned.
4. Claims adjudication controls
To validate the claims adjudication controls, a testing exercise was conducted on
CareFirst/FEPOC’s claims processing applications. The exercise involved developing a test
plan that included real life situations to present to CareFirst/FEPOC personnel in the form of
institutional and professional claims. The test plan included expected results for each test
case. Upon conclusion of the testing exercise, the expected results were compared with the
actual results obtained during the exercise. The following system weaknesses were
identified during this testing:
• incorrect pricing of claims involving special rules for certain categories of federal
members (OBRA 90 and OBRA 93);
• incorrect application of benefits, including a scenario where
was provided for an ;
• lack of medical edits to prevent payment for common scenarios such as:
- provided to a patient by
- ;
-
• no control to prevent .
a) 2008 Recommendation 5 – OBRA 93 Pricing
JOHN BERRY 7
We recommend that CareFirst/FEPOC implement the appropriate system modifications
to ensure that OBRA 93 claims are priced appropriately.
2008 BCBSA Response:
“OBRA ’93 claims pricing is an FEP responsibility that is handled by Palmetto, an
outside vendor. Due to the complex nature of the pricing of claims with procedure code
modifier ‘AS,’ these claims were excluded from the pricing requirements in the Vendor’s
contract. The necessary changes to the Vendor’s contract have been made to allow for
the pricing of these claims. Effective May 26, 2008, FEP claims with the procedure
code modifier of ‘AS’ began to be priced in accordance to the Medicare Fee Schedule
by Palmetto. Because the FEP Director’s office was aware of the processing deficiency,
periodic listings identifying these overpayments were sent to Plans to initiate refunds.
Once this change was made, the final listings of overpayments caused by the lack of the
‘AS’ modifier reduction were sent to Plans to initiate recoveries.”
2011 Status:
The OIG has confirmed that the recommended system modifications have been
implemented; this recommendation is closed.
b) 2008 Recommendation 6 –
We recommend that CareFirst/FEPOC implement the appropriate system modifications
to ensure that are applied correctly.
2008 BCBSA Response:
“First, we would like to clarify that the is
a FEPExpress function. We conducted the same type of testing performed by the OIG
auditors in an effort to determine whether there are any issues with the manner in which
FEPExpress We did not receive the
same results as the ones obtained by the OIG auditors. Attachment A contains copies of
our test results using the FEP reporting requirements for this service.”
2011 Status:
The OIG has confirmed that the recommended system modifications have been
implemented; this recommendation is closed.
c) 2008 Recommendation 7- Chiropractic Office Visits and X-rays
We recommend that CareFirst/FEPOC implement the appropriate system modifications
to ensure that subscribers receive benefits for only one chiropractic office visit and one
set of x-rays each calendar year.
2008 BCBSA Response:
JOHN BERRY 8
“The 2008 Blue Cross Blue Shield Service Benefit Brochure states on page 46, ‘initial
office visit’ for a Chiropractor. During late 2007, we became aware of the difficulty in
the administration of this benefit due to the language used. Initially, an edit was put in
the FEP system to limit the benefit to one visit. However, because the brochure reads
initial visit, we had to remove the edit as there was no definition provided to the
members to define whether initial office visit meant per Chiropractor or per episode or
per benefit period. As a result, we have made a request for a Contract modification to
change the word ‘initial’ to ‘one’ visit. This request was submitted with the 2009 Benefit
Changes/Clarifications. The results of the 2009 Benefit negotiations have not yet been
published. Once this information is made available, we will provide an update to our
response.”
2011 Status:
We confirmed that the recommended system modifications have been implemented; this
recommendation is closed.
d) 2008 Recommendation 8 –
We recommend that CareFirst/FEPOC implement the appropriate system modifications
to ensure that a is evaluated for appropriateness before
are paid.
2008 BCBSA Response:
“Medical Edits are the responsibility of the local Plans. Please reference the
Attachment B for a copy of FEP Administrative Manual Volume I, Chapter 15 – 107 for
a description of this requirement. It would be a duplication of efforts and costly to the
Program for FEPExpress to contain the various medical policies for each specific Plan
as well as requiring numerous Plan specific edits.
CareFirst will work with the FEP Director’s Office to re-evaluate its medical edits in an
effort to determine what local system edits may require enhancements in order to ensure
that these types of situations are pended for review of the medical appropriateness of the
services prior to payment. We estimate that this evaluation will be completed by the end
of first quarter 2009.”
2011 Status:
This recommendation resulted from a test claim that was processed where benefits were
paid for associated with an .
This scenario illustrates a medical inconsistency that would typically be detected by
comprehensive medical edit software.
We have audited multiple BCBS Plans and have documented an extreme inconsistency
in the effectiveness of the medical edits implemented on each Plan’s local claims
processing system. Some Plans have very thorough medical edits from in-house
developed systems or the use of third-party medical edit software.
JOHN BERRY 9
We believe that the most effective way to ensure that all BCBS FEP claims are subject
to the same level of quality control is to install comprehensive medical edit software on
FEP Express.
2011 Recommendation 2
We recommend that CareFirst/FEPOC implement comprehensive medical edit
capabilities on FEP Express.
e) 2008 Recommendation 9 –
We recommend that CareFirst/FEPOC incorporate the appropriate edits into FEP
Express that will allow the system to identify and suspend claims that are
.
We acknowledge the fact that, for certain procedures, it may be possible to have the
The system could
be programmed to selectively apply the new edit based on the procedure in question. In
order to avoid hindering the efficiency of the edit process, the edit could be designed to
bypass entire classes of procedures where
2008 BCBSA Response:
“There are ; however, we
have encountered a number of exceptions with these procedures. Sometimes,
The example used by the OIG auditors was a
Because the example included the claim
did not defer on FEPExpress as a . are not part of
the FEP System . However, the question with the
Since this is not accepted medical practice (Local Medical Policy)
for the CareFirst service area, correctly deferred on the FLEXX
System. This is the correct process as Medical Edits are housed at the local Plans.
However, the claim paid on FEPExpress as there are no Medical Edits on FEPExpress.
If the OIG auditors can provide FEP with a listing of the procedures that should be
included in a new edit that is designed to
we will evaluate the feasibility . At this time, we
cannot determine the types of
Therefore, no changes will be made to the FEPExpress at this time.”
JOHN BERRY 10
2011 Status:
This recommendation resulted from two test claims that were processed and paid for a
subscriber
This scenario illustrates a medical inconsistency that would typically be
detected by comprehensive medical edit software.
As mentioned in section 4(e), we believe that the most effective way to ensure that all
BCBS FEP claims are subject to the same level of quality control is to install
comprehensive medical edit software on FEP Express; see recommendation 2, above.
f) 2008 Recommendation 10 –
We recommend that CareFirst/FEPOC implement the appropriate modifications to FEP
Express to ensure that the system can appropriately process claims where
.
2008 BCBSA Response:
“ is based upon local medical policies and is
considered a Medical Edit that is handled at the Plan level. The test claims processed
through FLEXX were by ClaimCheck which performs various
medical edits/bundling for the Plan. The auditors also submitted the
directly to FEPExpress, which appropriately these services as the
is not maintained on FEPExpress. As a result, no changes are
required to the FEPExpress.”
2011 Status:
We believe that the most effective way to ensure that all BCBS FEP claims are subject
to the same level of quality control is to install comprehensive medical edit software on
FEP Express. However, we acknowledge that implementing on FEP
Express would require each BCBS Plan to modify their system to
after they have processed through FEP Express. We agree that implementing this
control would not be cost effective; this recommendation is closed.
g) 2008 Recommendation 11 –
We recommend that CareFirst/FEPOC implement the appropriate system modifications
to ensure that a before benefits
are paid.
2008 BCBSA Response:
“The determining of whether the requires Medical
Edits to defer the claim for review. Medical Edits are maintained at the Plan level. The
test claim in question processed correctly in the local Plan system. However, the
JOHN BERRY 11
auditors also processed the test claim directly in FEPExpress, which appropriately did
not edit the claim for y since such edits reside in the
local system. Therefore, no changes are required to FEPExpress.”
2011 Status:
This recommendation resulted from a test claim where benefits were paid for
. This scenario illustrates a
that would typically be detected by comprehensive medical edit software.
As mentioned in section 4(e), we believe that the most effective way to ensure that all
BCBS FEP claims are subject to the same level of quality control is to install
comprehensive medical edit software on FEP Express; see recommendation 2, above.
h) 2008 Recommendation 12 – Non-participating Provider Pricing
We recommend that CareFirst/FEPOC implement the appropriate system modifications
to ensure that non-par provider claims are suspended for review when
CareFirst/FEPOC will need to determine an acceptable variance above which
the claims should be suspended.
2008 BCBSA Response:
“Non-Par professional claims are priced by FEPExpress. We are currently conducting
a study to determine the specifications required to implement an edit that would d
The results
of the study are expected during the fourth quarter 2008 with implementation of the
recommendation in 2009.”
2011 Status:
The OIG has confirmed that the recommended system modifications have been
implemented; this recommendation is closed.
JOHN BERRY 12
i) 2008 Recommendation 13 – OBRA 90 Transfer
We recommend that CareFirst/FEPOC implement the necessary system modifications to
ensure compliance with the requirements of OPM Carrier letter 2007-6.
2008 BCBSA Response:
“OBRA ’90 Pricing is a function of FEPExpress. When the system changes to comply
with OPM Carrier letter 2007-6 was implemented, patient status ‘43’ was incorrectly
included in the transfer application in the OBRA ’90 Pricer. As a result, these claims
may have been underpaid. We were aware of this issue from previous audits of other
Plans. The system correction to limit the OBRA’90 Transfer pricing to patient status
‘02’ will be implemented on October 18, 2008.”
2011 Status:
The OIG has confirmed that the recommended system modifications have been
implemented; this recommendation is closed.
cc: John O’Brien
Director, Healthcare and Insurance
Shirley Patterson
Assistant Director for Federal Employee Insurance Operations
Follow-up Review of Information Systems General and Application Controls at CareFirst BlueShield and the Federal Employee Program Operation Center
Published by the Office of Personnel Management, Office of Inspector General on 2011-06-23.
Below is a raw (and likely hideous) rendition of the original report. (PDF)