oversight

Audit of BlueCross BlueShield Association's Fraud Information Management System Washington, D.C. and Chicago, Illinois

Published by the Office of Personnel Management, Office of Inspector General on 2015-07-14.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

               U.S. OFFICE OF PERSONNEL MANAGEMENT 

                  OFFICE OF THE INSPECTOR GENERAL 

                           OFFICE OF AUDITS 





                                    AUDIT OF 

                       BLUECROSS BLUESHIELD ASSOCIATION'S 

                     FRAUD INFORMATION MANAGEMENT SYSTEM 

                      WASHINGTON, D.C. AND CHICAGO, ILLINOIS 


                                             Report Number 1A-99-00-14-069 

                                                     July 14, 2015 





                                                              -- CAUTION -­
This audit r epot·t has been distributed to Feder al officials who are n sponsible for the administration of the audited program . This audit report may
contain proprietary data th at is protected by Federal law (18 U.S.C. 1905). Thenfore, while t his audit t·eport is available un der the Ft·eedom of
Information Act and m ade available to the public on t he OIG webpage (http:lhmmv.opm.govl our-iuspector-geuernl), caution needs to be exercised
before releasing the t·epot·t to the general public as it may contain proprietary inform ation t hat was r edacted from the publicly distributed copy.
              EXECUTIVE SUMMARY 

        Audit ofthe B lueCross BlueShield Association's Fraud Information Management System

Repot·t ~o. 1A-99-00-14-069                                                                            July 	14, 2015



Why did we conduct the audit?              What did we find?

We conducted this audit to obtain          We identified a procedural finding regarding the Association 's
reasonable assurance that the              rep011ing of fraud and abuse cases entered into FIMS . The
BlueCross BlueShield Association           Association generally disagreed with this procedural finding.
(Association) is complying with the
provisions of the Federal Employees        Our audit results ru·e surnmru·ized as follows:
Health Benefits Act and regulations
that ar e included, by reference, in the   • 	 FIMS System Review - The Association has implemented
Federal Employees Health Benefits              adequate security controls for FIMS. We also concluded that
Program (FEHBP) contract and                   giving the Office of Personnel Management's (OPM) Office of
applicable Cauier Letters.                     the Inspector General (OIG) access to FIMS in a secure and
Specifically, the obj ectives of our           controlled manner is technically feasible. On December 8,
audit were to review the fraud and             2014, the Association gave the OIG's Office of Investigations
abuse case rep011ing process at the            full access (remote and read only) to FIMS.
Association, with a focus on the
Fraud Inf01mation Management               • 	 Fraud. Waste. and Abuse Rep011ing- The Association is not in
System (FIMS), and dete1mine if the            complian ce with the communication and rep011ing
Association is complying with the              requirements for fraud and abuse cases that are set f011h in
FEHBP contract and applicable                  FEHBP Cauier Letter 2011 -1 3. Specifically, the Association
CatTier Letters regru·ding Fraud and           did not rep011 or timely rep011 to the OIG all cases entered into
Abuse Program activities.                      FIMS. The Association also potentially overstated the number
                                               of cases and the dollru· amounts of savings and recoveries that
What did we audit?
                                               were rep011ed in the 2013 BCBS Annual Fraud and Abuse
Our audit covered the Association's            Rep011 submitted to OPM.
FIMS and the potential fraud and
abuse cases entered into FIMS by the
local BlueCross and BlueShield
(BCBS) plans from 2013 through
Jlme 30, 2014.




 Michael R. Esser
Assistant Inspector General
for Audits
                     ABBREVIATIONS

Association   BlueCross BlueShield Association
BCBS          BlueCross BlueShield or BlueCross and/or BlueShield
BCBSA         BlueCross BlueShield Association
CFR           Code of Federal Regulations
CL            Carrier Letter
F&A           Fraud and Abuse
FEHB          Federal Employees Health Benefits
FEHBP         Federal Employees Health Benefits Program
FEP           Federal Employee Program
FEPDO         Federal Employee Program Director’s Office
FIMS          Fraud Information Management System
FWA           Fraud, Waste, or Abuse
Publication   National Institute of Standards and Technology Special Publication
OIG           Office of the Inspector General
OPM           U.S. Office of Personnel Management
SIU           Special Investigations Unit




                                    ii
                             TABLE OF CONTENTS 


                                                                                                                        Page
       EXECUTIVE SUMMARY .................................................................................... ....... i 


       ABBREVIATIONS ...................................................................................................... ii 


I.     BACKGROUND ........................................................................................................... ! 


II.    OBJECTIVES, SCOPE, AND METHODOLOGY.......................................................3 


III.   AUDIT FINDINGS AND RECOMMENDATIONS .................................................... 6 


       A. FIMS SYSTEM REVIEW .......................................................................................6 


       B. FRAUD. WASTE. AND ABUSE REPORTING .................................................... 7 


IV.    MAJOR CONTRIBUTORS TO THIS REPORT ........................................................ 14 


       APPENDIX (BlueCross BlueShield Association ' s Draft Rep01t Response , dated 

       May 11 , 2015) 


       REPORT FRAUD, WASTE, AND MISMANAGEMENT 

                                    I. BACKGROUND 


This final audit rep01t details the findings, conclusions, and recommendations resulting from om
audit of the fraud and abuse case reporting process at the BlueCross BlueShield Association
(Association), with a focus on the Fraud lnf01mation Management System (FIMS). FIMS is a
multi-user, web-based Federal Employee Program (FEP 1) case-tracking database that the FEP
Director's Office (FEPDO) Special Investigations Unit (SIU) developed in-house. FIMS is used
by the local BlueCross and/or BlueShield (BCBS) plans' SIUs and the FEPDO 's SIU to track
and rep01t potential fraud and abuse activities. The Association is located in Washington, D .C.
and Chicago, Illinois.

The audit was perfonned by the U.S. Office of Personnel Management's (OPM) Office of the
Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

The Federal Employees Health Benefits Program (FEHBP) was established by the Federal
Employees Health Benefits (FEHB) Act (Public Law 86-382), enacted on September 28, 1959.
The FEHBP was created to provide health insmance benefits for federal employees, annuitants,
and dependents. OPM ' s Healthcare and Insm ance Office has overall responsibility for
administration of the FEHBP. The provisions of the FEHB Act are implemented by OPM
through regulations, which ar e codified in Title 5, Chapter 1, Patt 890 of the Code of Federal
Regulations (CFR). Health insmance coverage is made available through contracts with vru·ious
health insmance catTiers.

The Association, on behalf of patticipating BCBS plans , has entered into a Govemment-wide
Service Benefit Plan contract (CS 1039) with OPM to provide a health benefit plan authorized by
the FEHB Act. The Association delegates authority to patticipating local BCBS plans
throughout the United States to process the health benefit claims of its federal subscribers . There
ru·e 64local BCBS plans patticipating in the FEHBP.

The Association has established the FEPDO in Washington, D.C. to provide centralized
management for the Service Benefit Plan. The FEPDO coordinates the administration of the
contract with the Association, member BCBS plans, and OPM. Regarding FIMS, the FEPDO is
responsible for the maintenance and oversight of this system as well as rep01ting to the OIG all
fraud and abuse cases that ru·e entered into FIMS by the local BCBS plans.

Compliance with laws and regulations applicable to the FEHBP is the responsibility of the
Association 's management. Also, the Association 's management is responsible for establishing
and maintaining a system of intemal controls.
1
  1broughout this report, when w e refer to "FEP", we are refen'ing to the Service Benefit Plan lines of business at
the Association and the local BlueCross and/or BlueShield plans. When we refer to the "FEHBP", we are refell'ing
to the program that provides health benefits to federal employees.


                                                          1                                Rep01t No. 1A-99-00-14-069
This is our first audit of FIMS and the fraud and abuse case reporting process at the Association.
The results of this audit were provided to the Association in a written audit inquiry; were
discussed with Association officials throughout the audit and at an exit conference on March 12,
2015; and were presented in detail in a draft report, dated March 31, 2015. The Association’s
comments offered in response to the draft report were considered in preparing our final report
and are included as an Appendix to this report.




                                                2                           Report No. 1A-99-00-14-069
 II. OBJECTIVES, SCOPE, AND METHODOLOGY 


OBJECTIVES

The objectives of om audit were to review the fraud and abuse case rep01iing process at the
Association, with a focus on FIMS, and detennine if the Association is complying with the
FEHBP contract and applicable CmTier Letters. Specifically, om objectives were as follows:

       FIMS System Review

       • 	 To evaluate the infonnation technology secm1ty conu·ols ofFIMS.

       • 	 To detennine the technical feasibility of giving the OIG's Office of Investigations
           direct access to FIMS.

       Fraud, Waste. and Abuse Rep01iing

       • 	 To review the screen prints, status, and/or fmal disposition of each case entered into
           FIMS for a sample of BCBS plans.

       • 	 To review the Association's explanation, rationale, and/or supp01iing documentation
           for each case entered into FIMS but not reported to the OIG for a sample of BCBS
           plans .

       • 	 To detennine whether the BCBS plans use FIMS for non-FEP lines of business (or
           only for FEP).

SCOPE

We conducted om perf01mance audit in accordance with generally accepted govemment auditing
standards. Those standards require that we plan and perfonn the audit to obtain sufficient and
appropriate evidence to provide a reasonable basis for om findings and conclusions based on om
audit objectives. We believe that the evidence obtained provides a reasonable basis for om
findings and conclusions based on om audit objectives.

We reviewed the Association's FIMS and the potential fraud and abuse cases entered into FIMS
by the local BCBS plans from 2013 through June 30, 2014.

In planning and conducting om audit, we obtained an understanding of the Association 's intemal
conu·ol structure to help detennine the natm e, timing, and extent of om auditing procedmes.



                                                3	                          Rep01i No. 1A-99-00-14-069
This was determined to be the most effective approach to select areas of audit. For those areas
selected, we primarily relied on substantive tests of transactions and not tests of controls.
Based on our testing, we did not identify any significant matters involving the Association’s
internal control structure and its operations. However, since our audit would not necessarily
disclose all significant matters in the internal control structure, we do not express an opinion on
the Association’s system of internal controls taken as a whole.

We also conducted tests to determine whether the Association had complied with the FEHBP
contract and applicable Carrier Letters regarding the communication and reporting requirements
for fraud and abuse cases. The results of our tests indicate that, with respect to the items tested,
the Association’s did not comply with all provisions of the FEHBP contract and applicable
Carrier Letters. Exceptions noted in the areas reviewed are set forth in detail in the "Audit
Findings and Recommendations" section of this audit report. With respect to the items not
tested, nothing came to our attention that caused us to believe that the Association had not
complied, in all material respects, with those provisions.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
the Association. Due to time constraints, we did not verify the reliability of the data generated
by the various information systems involved. However, while utilizing the computer-generated
data during our audit testing, nothing came to our attention to cause us to doubt its reliability.
We believe that the data was sufficient to achieve our audit objectives.

We performed the audit survey and fieldwork from our offices in Washington, D.C. and
Cranberry Township, Pennsylvania on various dates from August 2014 through March 2015.
Additionally, we made a site visit to the Association’s office in Washington, D.C. from
December 2, 2014 through December 4, 2014.

METHODOLOGY

We obtained an understanding of the internal controls over the Association’s FIMS by inquiry of
Association officials.

We interviewed Association personnel and reviewed policies, procedures, and security controls
during our audit of FIMS. Specifically, we evaluated the information technology security
controls for FIMS and performed tests of control activities. We also evaluated the technical
feasibility of allowing the OIG’s investigators direct access to FIMS.

We also interviewed the FEPDO’s SIU and reviewed policies and procedures regarding the
Association’s communication and reporting of fraud and abuse cases to the OIG.




                                                  4                           Report No. 1A-99-00-14-069
For the period January 1, 2013 through June 30, 2014, the local BCBS plans entered 3,504
potential fraud and abuse cases into FIMS. Of these, the Association only reported 696 cases (or
20 percent of the cases) to the OIG and did not report 2,808 cases (or 80 percent of the cases) to
the OIG. From the universe of potential fraud and abuse cases not reported to the OIG, we
judgmentally selected 169 cases from a sample of five BCBS plans (BCBS of Tennessee,
Regence BCBS of Oregon, Horizon BCBS of New Jersey, and CareFirst BCBS plans of
Washington, D.C. and Maryland) to determine why the Association did not report these cases to
the OIG. We selected these BCBS plans for review because we recently audited, or were
currently auditing, these plans’ Fraud and Abuse Programs as part of individual plan audits. We
also reviewed all fraud and abuse cases that were reported to the OIG for the purpose of
determining compliance with Contract CS 1039 and applicable FEHBP Carrier Letters.




                                                5                           Report No. 1A-99-00-14-069
III. AUDIT FINDINGS AND RECOMMENDATIONS 


A. FIMS SYSTEM REVIEW

  The audit disclosed no findings pertaining to our system review of FIMS. Overall, we
  concluded that the Association has implemented adequate security conu·ols for FIMS.
  Additionally, we concluded that giving the OIG access to FIMS in a secure and conu·olled
  manner is technically feas ible.

  The National Institute of Stan dards and Technology Special Publication (Publication) 800-53
  Revision 4, Security and Privacy Conu·ols for Federal Inf01mation Systems and
  Organizations, provides guidance for implementing a variety of information technology
  secmity conu·ols for inf01mation systems supporting the federal government. As part of this
  audit, we independently evaluated whether a subset of these conu·ols had been implemented
  for FIMS. We tested approximately 20 secmity conu·ols, including one or more conu·ols
  from each of the following conu·ol categories:


     •   Access Conu·ol                               •   Media Protection
     •   Audit and Accountability                     •   Physical and Environmental Protection
     •   Configuration Man agement                    •   Risk Assessment
     •   Contingency Planning                         •   System and Services Acquisition
     •   Identification and Authentication            •   System and Communications Protection
     •   Incident Response                            •   System and Infonnation Integrity

                                These security conu·ols were evaluated by interviewing
                                individuals with FIMS 's security responsibilities, reviewing
     The OIG concluded
                                applicable documentation an d system screen-shots, obse1v ing
    that the Association's
                                demonsu·ations of system capabilities, and conducting tests on
     security controls for
                                the system. We dete1mined that all of the tested secmity
     FIMS are adequate.
                                conu·ols appear to be in compliance with the Publication 800-53
                                Revision 4 requirements.

  FIMS is a web-based application that is on the Association 's inu·anet site, Blues Web . As
  pali of this audit, we met with Association personnel to dete1mine the feas ibility of giving the
  OIG 's investigators remote access to FIMS in a secure and conu·olled manner. As a result of
  our inte1v iews, we dete1mined that there are several technical solutions for giving the OIG's
  investigators access to FIMS in a secure and conu·olled manner. On December 8, 2014, the
  Association gave the OIG 's Office of Investigations full access (remote and read only) to
  FIMS.




                                               6                            Rep01i N o. 1A-99-00-14-069
B. FRAUD, WASTE, AND ABUSE REPORTING 	                                                  Procedural

  The Association is not in compliance with the communication and reporting requirements for
  fraud and abuse cases that are contained in FEHBP CatTier Letter (CL) 2011-13.
  Specifically, the Association did not rep01t or timely rep01t to the OIG all cases entered into
  FIMS. The Association ' s non-complian ce with the communication and rep01ting
  requirements in CL 2011 -13 is due to the Association ' s FEPDO making decisions on what
  cases entered into FIMS should actually be rep01ted to the OIG. Without awm·eness of these
  existing potential fraud and abuse issues, the OIG cannot investigate the broader impact of
  these potential issues on the FEHBP as a whole.

  CL 2011 -1 3 (Mandat01y lnf01mation Sharing via Written Case
  Notifications to OPM's Office of the Inspector General), dated         The Association is not
  Jlme 17, 2011 , states that all CmTiers "m·e required to submit a     in compliance with the
  written notification to the OPM OIG ... within 30 working days          communication and
  of becoming awm·e of a fraud, waste or abuse issue where there        reporting requirements
  is a reasonable suspicion that a fraud has occmTed or is occmTing       for fraud and abuse
  against the Federal Employees Health Benefits (FEHB)                           cases.
  Program." There is no dollm· threshold for this requirement.

  During the period Januaty 1, 2013 through Jlme 30, 2014, the local BCBS plans entered
  3,504 cases into FIMS. Of these 3,504 FIMS cases, the OIG did not receive notifications for
  2,808 cases (or 80 percent) . For the 696 cases (or 20 percent of the cases) where the OIG
  received notifications, 222 of these cases were sent to the OIG more than 30 days after the
  BCBS plans entered the cases into FIMS, which is not in complian ce with the criteria set
  f01th in CL 2011 -13. Also, based on the audit steps perf01med, we did not identify instances
  where the BCBS plans used FIMS for non-FEP lines of business.


                        Status of Cases Entered into FIMS 



                                                            •	 Notifications NOT Sent to the
                                                               OIG

                                                            •	 Notifications Sent to the OIG
                                                               within 30 Days after FIMS Entry

                                                              Notifications Sent to the OIG
                                                              Untimely




                                               7	                           Rep01t No. 1A-99-00-14-069
    From this universe of FIMS cases, we selected a sample of five BCBS plans (BCBS of
    Tennessee, Regence BCBS of Oregon, Horizon BCBS of New Jersey, and CareFirst BCBS
    plans of Washington, D.C. and Maryland) to determine why the Association is not reporting
    all of the cases to the OIG. We selected these BCBS plans for review because we recently
    audited, or were currently auditing, these plans’ Fraud and Abuse Programs as part of
    individual plan audits. For these five BCBS plans selected for review, we found 169 cases
    entered into FIMS that were not reported to the OIG.

    Based on our review of these 169 FIMS cases, the following is a summary of the top reasons
    why the Association did not report the cases to the OIG.

                           Association’s Response                        Number of Cases
                    Provider Audit or Payment Review                          45
                    Case Being Developed                                      45
                    Billing Issue or Error                                    28
                    Administrative Issue / Not Fraud                          10
                    No FEP Exposure                                            7
                    Issue Resolved via Refund Request                          6
                    Linked to a Previous Case                                  6
                    Allegation Not Substantiated                               3
                    Case Settled before FIMS Entry                             3
                    Other Reasons2                                            16

    We believe that all of these cases should have been reported to the OIG, especially since the
    Association reported these cases to OPM in the Annual Fraud and Abuse (F&A) Report.
    Contract CS 1039 requires the local BCBS plans’ SIU departments to determine whether
    FEP claims and/or members are present in investigations being conducted. When a local
    BCBS plan’s SIU initiates an investigation (i.e., takes an affirmative step to pursue a
    provider or member for potential fraud, waste, or abuse) and the investigation involves FEP
    claims, a case report must be entered into FIMS. In other words, the FEPDO’s SIU relies on
    each BCBS plan’s SIU to review an initial allegation or complaint internally before an entry
    is made into FIMS. Therefore, if a FIMS entry is made by a BCBS plan, the case represents
    an affirmative action to pursue a provider or member. This also triggers the requirement to
    notify the OIG of the case (as required by CL 2011-13). Consequently, the FEPDO SIU’s
    method of filtering what cases are actually reported to the OIG, as well as the SIU’s untimely
    reporting of cases to the OIG, are the primary reasons for the Association’s non-compliance
    with the communication and reporting requirements contained in CL 2011-13.


2
 Examples of other reasons why these FIMS cases were not reported to the OIG include administrative errors, data
mining initiatives, enrollment issues, and cases entered in error.


                                                        8                               Report No. 1A-99-00-14-069
If all fraud, waste and/or abuse investigations are not reported to the OIG, the broader impact
of these potential issues cannot be investigated by the OIG, which has oversight
responsibility for the FEHBP. Furthermore, if the Association is allowing the local BCBS
plans to enter non-fraud, waste, and/or abuse cases into FIMS (such as provider audit
activities and/or recoveries), considered by the FEPDO’s SIU to be not reportable to the OIG,
then the potential exists for the Association to overstate cases, savings and recoveries from
fraud, waste and/or abuse activities that are reported in the F&A Report submitted to OPM.
As an additional concern, OPM’s contracting officer potentially considers this F&A Report
when determining the BCBS service charge amount.

The Association’s 2013 F&A Report included 2,351 cases opened, $18,678,327 in actual
recoveries, $80,102,232 in actual savings, and $139,735,556 in projected savings. We
reconciled the total number of “cases opened” reported in this F&A Report to the number of
cases entered into FIMS during 2013. Since these totals reconciled, we believe that the
Association’s 2013 F&A Report is potentially overstated by as much as 80 percent,
representing the cases not reported to the OIG (based on our audit universe) and considered
to be non-fraud, waste and/or abuse activities by the FEPDO’s SIU.

Association’s Response

The Association states, “FIMS is an internal tool designed to allow BCBSA to assess the
applicability of reported FWA items. Many of these FIMS entries involve hotline tips,
audits, data mining initiatives, or other placeholder activities until more definitive
information is available. Consequently, BCBSA continues to respectfully disagree that every
entry into FIMS represents an active or even potential FWA investigation. Due to the history
of audits involving BCBS Plans during the period under review, many local BCBS Plans
chose to err on the side of caution by entering every tip, audit, or data mining project that
involved a dollar of FEP funds. In these instances, there has been insufficient preliminary
gathering of facts to justify a notification to the OIG. It is the role of the BCBSA, as the
carrier and signatory of CS 1039, to provide the OIG with quality notifications and tips that
meet the requirements of the applicable carrier letters, which set out the minimum
requirements for a referral to the OIG. Many of the initial entries in the FIMS do not contain
these minimum required elements. The BCBSA investigative consultants review all of the
FIMS entries and determine what data or evidentiary elements are missing or need further
development in order for the OIG to view the notification in the proper context and with
sufficient facts. This is a function of the value that BCBSA brings to the CS1039 contract.

Regarding the chart . . . depicting cases not reported to the OIG . . . These items were not
reported to the OIG as there was no evidence to support the accuracy of the allegation
(‘allegation not substantiated,’ ‘administrative issues,’ ‘billing errors’). In addition,



                                             9                            Report No. 1A-99-00-14-069
monitoring and analysis activities conducted by SIU staff or SIU support staff do not
automatically lead to a finding or evidence of FWA (i.e., provider audits/payment reviews).
The purpose of these audits is to locate supporting evidence in the form of false or
misleading claims or misleading medical records. Without this supporting evidence the OIG
has nothing to investigate. The existence of an audit does not necessarily lead to the
assumption that FWA has occurred. Lastly, reporting cases that have previously been the
subject of an OIG notification would create confusion and would be unnecessary. It is more
appropriate to send the OIG a ‘case update’ on the previous case adding the additional
defendant to that case.

In summary, the FIMS entries are often place holders for potential future actions, and as
such, all FIMS entries should not be viewed or treated as fraud waste or abuse cases.
However, there may have been instances in the past where BCBSA inadvertently counted
‘entries’ as ‘case referrals’ in the Annual Fraud and Abuse Report. BCBSA will ensure that
only ‘case referrals’ are included in the 2015 Annual Fraud and Abuse Report.”

OIG Comments

The Association disagrees that every entry into FIMS represents an active or potential
investigation and states that “BCBS plans chose to err on the side of caution by entering
every tip, audit, or data mining project that involved a dollar of FEP funds” and that these
types of entries do not justify notification to the OIG. Although we agree that the
Association may have been justified in not reporting some of these cases, we continue to
believe that a majority of these cases should have been reported to the OIG, especially since
the Association included these cases in the F&A Report submitted to OPM. Additionally, the
Association and the OIG’s Office of Investigations should mutually agree on the types of
case entries that do not require notifications to the OIG. What value to the FEHBP is the
Association’s FEP F&A Program efforts if 80 percent of the cases entered into FIMS by the
local BCBS plans are being deemed non-reportable to the OIG? Conversely, only reporting
20 percent of the cases entered into FIMS to the OIG appears too low for the Association’s
FIMS and F&A Program to be considered efficient and cost effective.

We appreciate that the Association wants to provide the OIG with quality notifications;
however, we are unclear as to what additional value the Association adds to the FIMS case
entries. Providing quality notifications is impossible without performing some type of
review activity, such as obtaining data from the Association’s history file of all FEP claims
(paid for by the FEHBP) to confirm the local BCBS plan’s reported exposure, whether
significant or not, performing independent data analysis of the claims, and/or performing
desk or field investigations. There should be more focus on why the plans are entering so
many cases into FIMS (approximately 80 percent) that the Association considers not



                                            10                           Report No. 1A-99-00-14-069
    reportable to the OIG. Unless there is another FEP case tracking system that the Association
    uses, FIMS is the primary system and should be reliable and useful, especially since FEHBP
    funds are used to reimburse the Association for all of the system and maintenance costs.

    Additionally, CL 2011-13 states that FEHBP carriers are required to submit a written
    notification to the OIG when there is potential fraud, waste, or abuse (FWA) that has
    occurred against the FEHBP. Therefore, place holders in FIMS for potential future actions
    should be reported to the OIG since the BCBS plans have already performed preliminary
    reviews of these cases.

    Recommendation 1

    We recommend that the contracting officer require the Association to provide evidence or
    supporting documentation ensuring that the FEPDO’s SIU has implemented the necessary
    procedural changes to meet the communication and reporting requirements of fraud and
    abuse cases that are contained in CL 2011-13 and CL 2014-29 (Federal Employees Health
    Benefits Fraud, Waste, and Abuse).3

    Association Response

    The Association states, “CL 2011-13 no longer applies to CS 1039, as it has been superseded
    by CL 2014-29 as of December 2014. The BCBSA FEPDO SIU is in the process of
    developing a training program for all local Plans regarding the requirements of CL 2014-29.
    There are a number of points requiring further clarification that BCBSA has solicited from
    OPM and is anticipating feedback. In the interim, the BCBSA FEPDO SIU has emailed all
    Plans a copy of the new CL 2014-29 placing them on notice of the procedural changes and
    the communication and reporting requirements contained therein. A number of the new
    requirements will require substantial operational and system enhancements that will need to
    be phased in during 2015. The FEPDO SIU will be providing Plan training by webinar as
    well as face to face training to all Plans and is in process of revising the FEP Fraud Waste
    and Abuse Program Standards Manual to reflect the new requirements. A copy of the revised
    Manual will be provided to OPM by May 31, 2015.”




3
  CL 2014-29 (dated December 19, 2014) consolidates and updates the information from Carrier Letters 2003-23,
2003-25, 2007-12, and 2011-13, which are superseded by this guidance. CL 2014-29 also supplements guidance
from the FEHBP contract (Section 1.9 – Plan Performance).


                                                      11                               Report No. 1A-99-00-14-069
Recommendation 2

We recommend that the contracting officer ensure that the Association is properly instructing
the local BCBS Plans on what cases to enter into FIMS, with the expectation that all cases
entered into FIMS will be timely reported to the OIG (unless instructed otherwise by the
OIG’s Office of Investigations).

Association Response

The Association states, “The FIMS system was originally conceptualized and developed by
internal BCBSA investigations staff and IT resources. FIMS is an electronic information
gathering tool only, not a definitive record of ‘cases’ initiated by local BCBS Plans. The
entries into FIMS were designed to inform the BCBSA FEP-SIU of the FWA activity being
conducted at the local level. Sometimes there are issues with the completeness of Plan
entries that must be corrected prior to the entry being provided as a notification to the OPM-
OIG. FWA activity includes more than just identifying ‘cases’. It may involve auditing,
hotline complaints, data mining initiatives and certain claims processing edits. Because of
the wide variety of activities that constitute FWA elements, it has been deemed appropriate
for the local Plans to enter any perceived information in FIMS that allows BCBSA the ability
to assess and track investigations, recoveries, savings, and provider/member behavioral
changes that positively or negatively affect the FEP Program.

Because FIMS is an outdated application, it will be replaced during 2015 by an external
vendor product. It is anticipated that when the new system is fully operational in 2016 that it
will allow for further delineation and detail capture to further satisfy the new requirements.

Working with the OPM-OIG senior management, BCBSA provided read only access to the
current FIMS in December 2014. In addition to providing read only access to FIMS, in
September 2014, BCBSA SIU staff and resources were made available on a weekly basis to
review the FIMS entries and case referrals with the OIG. We expect this relationship to
continue as the new system is developed and deployed.”

OIG Comments

We disagree that FIMS is an information gathering tool only. FIMS is also a tracking tool of
cases initiated by the local BCBS plans. CL 2011-13 requires that the Association share this
information with the OIG, if there is reasonable suspicion (i.e., the potential exists) that fraud
has or is occurring against the FEHBP. We continue to consider any type of FIMS case entry
by a local BCBS plan as an affirmative action to pursue an FEP provider and/or member for
potential fraud, waste and/or abuse. CL 2011-13 also states that case notifications are for



                                             12                            Report No. 1A-99-00-14-069
information sharing purposes. Therefore, the entering of information into FIMS by a local
BCBS plan should also be shared with the OIG.

We agree that FIMS is an “outdated” application and believe that FIMS is not efficient and
cost effective. If the Association replaces FIMS with an external vendor product, our
expectation is for OIG’s Office of Investigations to also have full access to this new system.

Recommendation 3

We recommend that the contracting officer direct the Association not to place limitations on
what FIMS cases are to be reported to the OIG, unless both parties (Association and OIG)
have mutually agreed on these exclusions. We also recommend that the contracting officer
instruct the Association to remove all cases deemed not reportable to the OIG from the F&A
Report, or report on these items separately. Only information entered into FIMS by the local
BCBS plans for potential FWA activities or investigations; the FEPDO’s SIU for potential
FWA activities or investigations; and related vendors (e.g., Pharmacy Benefit Manager) for
potential FWA activities or investigations should be included in the F&A Report.
Additionally, activities outside of a local SIU’s primary functions and FWA responsibilities
(such as hospital, provider, and pharmacy audits) should be excluded or reported separately
in the F&A Report.

Association Response

The Association states, “Beginning with the 2015 Annual Fraud and Abuse Report, BCBSA
will ensure that only cases reportable to the OIG are reported. Audits conducted by or
ordered by the SIU will continue to be reported in FIMS and the recoveries and savings for
these activities will be tracked and reported. If possible, BCBSA will report other FWA
activity conducted independent of the SIU in other appropriate sections of the annual report.
The number of ‘cases’ reported will be reduced, however we do not anticipate that the dollars
reported as recovered or saved will be significantly impacted.”




                                            13                           Report No. 1A-99-00-14-069
    IV. MAJOR CONTRIBUTORS TO THIS REPORT

Experience-Rated Audits Group

                 , Auditor-In-Charge

               , Auditor


                  , Chief                


            , Senior Team Leader 


Information Systems Audits Group

             , Chief                 


                  , Lead Information Technology Auditor 

 




                                             14             Report No. 1A-99-00-14-069
                                                                                                              APPENDIX 





                                                                       &  fn1      BlueCross
                                                                       Y. V.       BlueShield
                                                                                   Association
                                                                                  Feden~ l   Employ ee   Progn~m
                                                                                  1310 G Stre-et. N.W,
                                                                                  Wash ington. D.C. 20005
May 11 , 2015                                                                     202.626.4900


                          Group Chief
Experience-Rated Audits G roup
Office of the Inspector General
U.S . Office of Personnel Management
1900 E Street, Room 6400
Washington, DC 20415-1 1000

Reference: 	         OPM DRAFT AUDIT REPORT
                     Blue Cross and Blue Shield Association (BCBSA)
                     Fraud Information Management System (FIMS)
                     Audit Report No. 1A-99-00-14-069
                     (Dated and Received March 31, 2015)

Dear-                  :

This is Blue Cross and Blue Shield Association (BCBSA) response to the above
referenced U .S. Office of Personnel Management (OPM) Draft Audit Report covering
the Federal Employees' Health Benefits Program (FEHBP) FIMS system. Our
comments concerning the findings in the report are as follows :

A. FRAUD WASTE AND ABUSE REPORTING

   FIMS is an interna l tool designed to allow BCBSA to assess the applicability of
   reported FWA items. Many of these FMIS entries involve hotline tips, audits, data
   mining initiatives , or other placeho lder activities until more definitive information is
   available. Consequently, BCBSA continues to respectfully disagree that every entry
   into FIMS represents an active or even potential FWA investigation. Due to the
   history of audits involving BCBS Plans during the period under review, many local
   BCBS Plans chose to err on t he side of caution by entering every tip, audit, or data
   mining project that involved a dollar of FEP funds. In these instances, there has
   been insufficient preliminary gathering of facts to just ify a notification to the OIG. It is
   the role of the BCBSA, as the carrier and signatory of CS 1039, to provide the OIG
   w ith quality notifications and t ips that meet the requirements ofthe applicable carrier
   letters, which set out the minimum requirements for a referral to the OIG. Many of
   the in itial entries in the FIMS do not contain these minim um required e lements. The
   BCBSA investigative consultants review all of the FIMS entries and determine what




                                                                              Rep01i No. lA-99-00-14-069
BCBSA FIMS
Draft Report Response
Page 2 of 4

   data or evidentiary elements are missing or need further development in order for
   the OIG to view the notification in the proper context and with sufficient facts. This is
   a function of the value that BCBSA brings to the CS1 039 contract .

   Regarding the chart shown in the Draft Report depicting cases not reported to the
   OIG during the audit period, we respectfully disagree that "all of these cases (except
   one) should have been reported to the OIG ." These items were not reported to the
   OIG as there was no evidence to support the accuracy of the allegation ("allegation
   not substantiated," "administrative issues," "billing errors"). In addition , monitoring
   and analysis activities conducted by SIU staff or SIU support staff do not
   automatically lead to a finding or evidence of FWA (i.e., provider audits/payment
   reviews) . The purpose of these audits is to locate supporting evidence in the form of
   false or misleading claims or misleading medical records. Without this supporting
   evidence the OIG has nothing to investigate. The existence of an audit does not
   necessarily lead to the assumption that FWA has occurred. Lastly, reporting cases
   that have previously been the subject of an OIG notification would create confusion
   and would be unnecessary. It is more appropriate to send the OIG a "case update"
   on the previous case adding the additional defendant to that case .

   In summary, the FIMS entries are often place holders for potential future actions,
   and as such , all FIMS entries should not be viewed or treated as fraud waste or
   abuse cases. However, there may have been instances in the past where BCBSA
   inadvertently counted "entries" as "case referrals" in the Annual Fraud and Abuse
   Report. BCBSA will ensure that only "case referrals" are included in the 2015
   Annual Fraud and Abuse Report.

   Recommendation 1

   We recommend that the contracting officer require the Association to provide
   evidence or supporting documentation ensuring that the FEPDO's SIU has
   implemented the necessary procedural changes to meet the communication and
   reporting requirements oi fraud and abuse cases that are contained in CL 2011 -13
   and CL 2014-29 (Federal Employees Health Benefits Fraud, Waste and Abuse).

   BCBSA Response

   CL 2011 -13 no longer applies to CS 1039, as it has been superseded by
   CL 2014-29 as of December 2014. The BCBSA FEPDO SIU is in the process of
   developing a training program for all local Plans regarding the requirements of
   CL 2014-29. There are a number of points requiring further clarification that BCBSA
   has solicited from OPM and is anticipating feedback. In the interim , the BCBSA
   FEPDO SIU has emailed all Plans a copy of the new CL 2014-29 placing them on




                                                                           Report No. 1A-99-00-14-069
BCBSA FIMS
Draft Report Response
Page 3 of 4

   notice of the procedural changes and the communication and reporting requirements
   contained therein. A number of the new requirements will require substantial
   operational and system enhancements that will need to be phased in during 2015.
   The FEPDO SIU will be providing Plan training by webinar as well as face to face
   training to all Plans and is in process of revising the FEP Fraud Waste and Abuse
   Program Standards Manual to reflect the new requirements. A copy of the revised
   Manual will be provided to OPM by May 31 , 2015.

   Recommendation 2

   We recommend that the contracting officer ensure that the Association is properly
   instructing the local BCBS Plans on what cases to enter into FIMS , with the
   expectation that all cases entered into FIMS will be timely reported to the OIG
   (unless instructed otherwise by the OIG's Office of Investigations).

   BCBSA Response

   The FIMS system was originally conceptualized and developed by internal BCBSA
   investigations staff and IT resources. FIMS is an electronic information gathering
   tool only, not a definitive record of "cases" initiated by local BCBS Plans. The
   entries into FIMS were designed to inform the BCBSA FEP-SIU of the FWA activity
   being conducted at the local level. Sometimes there are issues with the
   completeness of Plan entries that must be corrected prior to the entry being provided
   as a notification to the OPM-OIG. FWA activity includes more than just identifying
   "cases." It may involve auditing , hotline complaints, data mining initiatives and
   certain claims processing edits. Because of the wide variety of activities that
   constitute FWA elements, it has been deemed appropriate for the local Plans to
   enter any perceived information in FIMS that allows BCBSA the ability to assess and
   track investigations, recoveries, savings, and provider/member behavioral changes
   that positively or negatively affect the FEP Program .

   Because FIMS is an outdated application , it will be replaced during 2015 by an
   external vendor product. It is anticipated that when the new system is fully
   operational in 2016 that it will allow for further delineation and detail capture to
   further satisfy the new requirements.

   Working with the OPM-OIG senior management, BCBSA provided read only access
   to the current FIMS in December 2014. In addition to providing read only access to
   FIMS , in September 2014, BCBSA SIU staff and resources were made available on
   a weekly basis to review the FIMS entries and case referrals with the OIG. We
   expect this relationship to continue as the new system is developed and deployed .




                                                                            Report No. 1A-99-00-14-069
BCBSA FIMS
Draft Report Response
Page 4 of 4

   Recommendation 3

   We recommend that the contracting officer direct the Association not to place
   limitations on what FIMS cases are to be reported to tha OIG, unless both parties
   (Association and OIG) have mutually agreed on these exclusions. We also
   recommend that the contracting officer instruct the Association to remove .2![ cases
   deemed not reportable to the OIG from the BCBS Annual Fraud and Abuse Report
   or report on these items separately. Only information entered into FIMS by the local
   BCBS Plans for potential fraud, waste and abuse (FWA) activities or investigations;
   the FEPDO's SIU for potential FWA activities or investigations; and related vendors
   (e.g ., Pharmacy Benefit Manager) for potential FWA activities or investigations
   should be included in the Annual Report . Additionally, activ~ies outside of an SIU's
   primary functions and FWA responsibilities (such as hospital. provider and pharmacy
   audits) should be excluded or reported separately in the Annual Report.

   BCBSA Response

   Beginning with the 2015 Annual Fraud and Abuse Report, BCBSA will ensure that
   only cases reportable to the OIG are reported. Audits conducted by or ordered by
   the SIU will continue to be reported in FIMS and the recoveries and savings for
   these activities will be tracked and reported . If possible, BCBSA will report other
   FWA activity conducted independent of the SIU in other appropriate sections ofthe
   annual report. The number of "cases" reported will be reduced, however we do not
   anticipate that the dollars reported as recovered or saved will be significantly
   impacted .

Thank you for this opportunity to provide a response to recommendations included in
this report. We request that our response be included in the Final Report. If you have
any questions, please contact me a t - ­

Sincerely,




Managing Director, Program Assurance

cc:­
 Jena Estes




                                                                        Rep01i No. lA-99-00-14-069
                                                                                                                         



                                       Report Fraud, Waste, and 

                                           Mismanagement 

                                                  Fraud, waste, and mismanagement in
                                               Government concerns everyone: Office of
                                                   the Inspector General staff, agency
                                                employees, and the general public. We
                                              actively solicit allegations of any inefficient
                                                    and wasteful practices, fraud, and
                                               mismanagement related to OPM programs
                                              and operations. You can report allegations
                                                          to us in several ways:


                        By Internet:               http://www.opm.gov/our-inspector-general/hotline-to-
                                                   report-fraud-waste-or-abuse


                         By Phone:                 Toll Free Number:                              (877) 499-7295
                                                   Washington Metro Area:                         (202) 606-2423


                           By Mail:                Office of the Inspector General
                                                   U.S. Office of Personnel Management
                                                   1900 E Street, NW
                                                   Room 6400
                                                   Washington, DC 20415-1100
                     
                                                                                                                         
                                                                                                                         




                                                             -- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised
before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

                                                                                                                   Report No. 1A-99-00-14-069