oversight

Audit of the Information Systems General and Application Controls at Hawaii Medical Service Association

Published by the Office of Personnel Management, Office of Inspector General on 2012-10-17.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                     U.S. OFFICE OF PERSONNEL MANAGEMENT
                                                           OFFICE OF THE INSPECTOR GENERAL
                                                                            OFFICE OF AUDITS



                                   Final Audit Report

Subject:




               AUDIT OF INFORMATION SYSTEMS
            GENERAL AND APPLICATION CONTROLS AT
             HAWAII MEDICAL SERVICE ASSOCIATION


                                            Report No. 1D-97-00-12-012

                                            Date:                October 17, 2012




                                                          --CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available
under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
                                                       Audit Report


              FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
                         CONTRACTS 1058 & 1039
                         HAWAII MEDICAL SERVICE ASSOCIATION
                            PLAN CODES 871 / 872 / 104 / 105 / 111 / 112
                                               HONOLULU, HAWAII



                                            Report No. 1D-97-00-12-012

                                           Date:                10/17/12




                                                                                             ________________________
                                                                                             Michael R. Esser
                                                                                             Assistant Inspector General
                                                                                               for Audits



                                                          --CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit
report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available
under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
                                  Executive Summary


          FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
                     CONTRACTS 1058 & 1039
                  HAWAII MEDICAL SERVICE ASSOCIATION
                    PLAN CODES 871 / 872 / 104 / 105 / 111 / 112
                                 HONOLULU, HAWAII




                              Report No. 1D-97-00-12-012

                              Date:          10/17/12



This final report discusses the results of our audit of general and application controls over the
information systems at Hawaii Medical Service Association (HMSA). HMSA has two separate
plans that service federal employees, an experience rated Health Maintenance Organization plan
referred to as FED87 and a nationwide fee-for-service plan sponsored by the BlueCross and
BlueShield Federal Employee Program (FEP).

Our audit focused on the claims processing applications used to adjudicate Federal Employees
Health Benefits Program (FEHBP) claims for HMSA, as well as the various processes and
information technology (IT) systems used to support these applications. We documented
controls in place and opportunities for improvement in each of the areas below.

Security Management
HMSA has established a series of IT policies and procedures to create an awareness of IT
security at the Plan. We also verified that HMSA has adequate human resources policies related
to the security aspects of hiring, training, transferring, and terminating employees.

Access Controls
HMSA has implemented numerous controls to add and remove physical access to its data center,
as well as logical controls to encrypt sensitive information. However, we did note several
opportunities for improvement related to HMSA’s physical and logical access controls such as


                                                i
authentication controls over physical access to the data centers and the process for removing
logical access for terminated employees. HMSA has since remediated these weaknesses.

Configuration Management
HMSA has developed formal policies and procedures providing guidance to ensure that system
software is appropriately configured and updated, as well as for controlling system software
configuration changes. However, we noted several weaknesses in HMSA’s configuration
management program related to application patching. HMSA has since remediated the identified
weaknesses.

Contingency Planning
We reviewed HMSA’s business continuity plans and concluded that they contained most of the
key elements suggested by relevant guidance and publications. We also determined that these
documents are reviewed and updated on a periodic basis. However, HMSA’s generator
supporting the main facility does not have the capacity to support the data center in the event of a
disaster.

Claims Adjudication
HMSA has implemented many controls in its claims adjudication process to ensure that FEHBP
claims are processed accurately. However, we recommended that HMSA implement several
system modifications to ensure that its claims processing systems adjudicate FEHBP claims in a
manner consistent with the OPM contract and other regulations.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that HMSA is not in compliance with the
HIPAA security, privacy, and national provider identifier regulations.




                                                 ii
                                                                  Contents
                                                                                                                                                Page
Executive Summary ............................................................................................................................ i
      I. Introduction ............................................................................................................................. 1
         Background ............................................................................................................................. 1
         Objectives ............................................................................................................................... 1
         Scope ....................................................................................................................................... 2
         Methodology ........................................................................................................................... 2
         Compliance with Laws and Regulations................................................................................. 3
      II. Audit Findings and Recommendations .................................................................................. 4
         A. Security Management ........................................................................................................ 4
         B. Access Controls .................................................................................................................. 4
         C. Configuration Management................................................................................................ 7
         D. Contingency Planning ........................................................................................................ 9
         E. Claims Adjudication ......................................................................................................... 10
         F. Health Insurance Portability and Accountability Act ....................................................... 17
      III. Major Contributors to This Report ..................................................................................... 19

  Appendix: Hawaii Medical Service Association’s June 29, 2012 response to the draft audit
  report issued May 2, 2012.
                                      I. Introduction
This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims at Hawaii Medical Service
Association (HMSA).

The audit was conducted pursuant to FEHBP contracts CS 1039 and CS 1058; 5 U.S.C. Chapter
89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by
the U.S. Office of Personnel Management’s (OPM) Office of the Inspector General (OIG), as
established by the Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

This was our first audit of HMSA’s general and application controls. We also reviewed
HMSA’s compliance with the Health Insurance Portability and Accountability Act (HIPAA).

The business processes related to the scope of this audit are primarily located at HMSA’s
Honolulu, Hawaii facility. HMSA has two data centers supporting FEHBP processes on the
island of Oahu. Employees responsible for processing FEHBP claims are predominantly located
in Honolulu, Hawaii.

All HMSA personnel that worked with the auditors were particularly helpful and open to ideas
and suggestions. They viewed the audit as an opportunity to examine practices and to make
changes or improvements as necessary. Their positive attitude and helpfulness throughout the
audit was greatly appreciated.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in HMSA’s information technology (IT)
environment.




                                                1
These objectives were accomplished by reviewing the following areas:
• Security management;
• Access controls;
• Segregation of duties;
• Configuration management;
• Contingency planning;
• Application controls specific to HMSA’s claims processing systems; and,
• HIPAA compliance.

Scope
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, we
obtained an understanding of HMSA’s internal controls through interviews and observations, as
well as inspection of various documents, including information technology and other related
organizational policies and procedures. This understanding of HMSA’s internal controls was
used in planning the audit by determining the extent of compliance testing and other auditing
procedures necessary to verify that the internal controls were properly designed, placed in
operation, and effective.

HMSA has two separate plans that service federal employees, an experience rated Health
Maintenance Organization plan referred to as FED87 and a nationwide fee-for-service plan
sponsored by the BlueCross and BlueShield Federal Employee Program (FEP).

The scope of this audit centered on the information systems used by HMSA to process medical
insurance claims for FEHBP members, with a primary focus on the QCSI New Extensible
Technology (QNXT) and FEP Express claims adjudication applications. The QNXT system
processes claims for both the FED87 and FEP Plans, and FEP Express performs additional
adjudication on FEP claims. The business processes reviewed are primarily located in HMSA’s
Honolulu, Hawaii facility.

The on-site portion of this audit was performed in January and February of 2012. We completed
additional audit work before and after the on-site visit at our office in Washington, D.C. The
findings, recommendations, and conclusions outlined in this report are based on the status of
information system general and application controls in place at HMSA as of March 20, 2012.

In conducting our audit, we relied to varying degrees on computer-generated data provided by
HMSA. Due to time constraints, we did not verify the reliability of the data used to complete
some of our audit steps but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.

Methodology
In conducting this review we:
•   Gathered documentation and conducted interviews;

                                               2
•   Reviewed HMSA’s business structure and environment;
•   Performed a risk assessment of HMSA’s information systems environment and applications,
    and prepared an audit program based on the assessment and the Government Accountability
    Office's (GAO) Federal Information System Controls Audit Manual (FISCAM); and
•   Conducted various compliance tests to determine the extent to which established controls and
    procedures are functioning as intended. As appropriate, we used judgmental sampling in
    completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating HMSA’s
control structure. This criteria includes, but is not limited to, the following publications:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
   Personally Identifiable Information;
• Information Technology Governance Institute’s CobiT: Control Objectives for Information
   and Related Technology;
• GAO’s Federal Information System Controls Audit Manual;
• National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
   Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
   Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information
   Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
   Security Rule; and
• HIPAA Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether HMSA’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
HMSA was not in complete compliance with all standards as described in the “Audit Findings
and Recommendations” section of this report.




                                                3
                      II. Audit Findings and Recommendations

A. Security Management
   The security management component of this audit involved the examination of the policies and
   procedures that are the foundation of HMSA’s overall IT security controls. We evaluated
   HMSA’s ability to develop security policies, manage risk, assign security-related responsibility,
   and monitor the effectiveness of various system-related controls.

   HMSA has implemented a series of formal policies and procedures that comprise its security
   management program. HMSA’s Information Protection Unit is responsible for creating,
   reviewing, editing, and disseminating IT security policies. HMSA has also developed a thorough
   risk management methodology, and has procedures to document, track, and mitigate or accept
   identified risks. We also reviewed HMSA’s human resources policies and procedures related to
   hiring, training, transferring, and terminating employees.

   Nothing came to our attention to indicate that HMSA does not have an adequate security
   management program.

B. Access Controls
   Access controls are the policies, procedures, and techniques used to prevent or detect
   unauthorized physical or logical access to sensitive resources.

   We examined the physical access controls at HMSA’s Honolulu headquarters building and its
   data centers in Honolulu and Kapolei, Hawaii. We also examined the logical controls protecting
   sensitive data on HMSA’s network environment and claims processing applications.
   Furthermore, we conducted an automated network topology scan to verify that all known assets
   were included within HMSA’s system inventory list.

   The access controls observed during this audit include, but are not limited to:
   •   procedures for appropriately granting physical access to facilities and data centers;
   •   procedures for revoking access to data centers for terminated employees;
   •   procedures for removing Windows/network access for terminated employees; and,
   •   controls to monitor and filter email and Internet activity.

   However, the following sections document several opportunities for improvement related to
   HMSA’s physical and logical access controls.

   1. Access to Data Center
       HMSA’s primary and back-up data centers use electronic card readers and stand-alone cipher
       locks to control physical access. However, we expect all FEHBP contractors to also have
       multi-factor authentication (e.g., cipher lock or biometric device in addition to an access
       card) at data center entrances. In addition to implementing these minimum controls, HMSA
       should analyze the benefit of implementing the common physical access controls listed
       below that we typically see at other FEHBP carrier facilities.


                                                    4
   •   video monitoring capabilities (limited video monitoring is in place, but there are several
       blind spots within the computer room);
   •   piggybacking alarms to enter the computer room (alarm that sounds if more than one
       person walks past a sensor for each access card that is swiped);
   •   “man-trap” entrances (small space with two locking doors where the first door must close
       before the second opens); and,
   •   automated data center access logs (device that monitors and records access attempts).

   Failure to implement adequate physical access controls increases the risk that unauthorized
   individuals can gain access to HMSA data centers and the sensitive IT resources and
   confidential data they contain. NIST SP 800-53 Revision 3, “Recommended Security
   Controls for Federal Information Systems and Organizations,” provides guidance for
   adequately controlling physical access to information systems containing sensitive data.

   Recommendation 1
   We recommend that HMSA reassess its data centers’ physical access management and
   implement controls that will ensure proper physical security. At a minimum, HMSA should
   implement multi-factor authentication (e.g., cipher lock or biometric device in addition to an
   access card) at data center entrances.

   HMSA Response:
   “HMSA agrees with the recommendation. Effective June 22, 2012, HMSA installed a
   cypher lock to be used with the existing electronic badge reader, at the Keeaumoku (main)
   data center. Individuals must now enter their unique code into the cypher lock and have
   the electronic badge reader authenticate their unique badge before entering the data
   center. Also effective June 22, 2012, HMSA installed an electronic badge reader to be
   used with the existing cypher lock at the Kapolei (second) data center. Individuals must
   now have the electronic badge reader authenticate their unique badge and enter their
   unique code into the cypher lock before entering the data center.”

   OIG Reply:
   The evidence provided by HMSA in response to the draft audit report indicates that the Plan
   has implemented multi-factor authentication at data center entrances; no further action is
   required.

2. Auditing/Monitoring of the HHIN Web Application
   HMSA’s Hawaii Healthcare Information Network (HHIN) web application allows medical
   providers to access and review HMSA member information. HMSA’s access controls over
   its HHIN application include:
   •   requiring providers to sign an Electronic Trading Partner Agreement, which establishes
       confidentiality and security requirements;
   •   requiring providers to sign the HMSA Access Request and Contract to Preserve
       Confidential Information; and,
   •   providing application training upon request.


                                                5
   Although the process for granting access to the HHIN application has adequate controls in
   place, there is no auditing or monitoring process in place to ensure that user access to the
   application remains appropriate. HMSA is in the process of implementing an auditing and
   monitoring process for HHIN, but it has not been fully implemented at this time.

   Failure to routinely audit or monitor the application increases the risk an unauthorized user
   can gain access to confidential and personal member information. NIST SP 800-53 states
   that an organization should disable or remove accounts that no longer require access to the
   information system.

   Recommendation 2
   We recommend HMSA implement an audit/monitoring process for the HHIN application.

   HMSA Response:
   “HMSA agrees with the recommendation. HMSA implemented a formal audit/monitoring
   process for the HHIN application to ensure that user access to the application remains
   appropriate. This process has been documented and was implemented as of June 20,
   2012. In addition, an initial review and deletion of terminated provider IDs was completed
   as of June 15, 2012.”

   OIG Reply:
   The evidence provided by HMSA in response to the draft audit report indicates that the Plan
   has implemented an auditing process for the HHIN application; no further action is required.

3. Logical Access Management
   We conducted a series of logical access control tests for five separate HMSA applications.
   For one test we compared a list of terminated employees to active user lists for each
   application, and discovered that several systems still had active user accounts for terminated
   employees. HMSA indicated that human error was the reason for the failure to remove access
   of those terminated employees.

   Although HMSA corrected all identified errors, our findings indicate that HMSA’s process to
   routinely audit application user accounts is not effective. HMSA is currently evaluating the
   access removal process to identify ways to reduce the potential for human error.

   FISCAM states that “Inactive accounts and accounts for terminated individuals should be
   disabled or removed in a timely manner.” Failure to promptly remove system and
   application access after termination increases the risk a terminated employee could access
   and corrupt sensitive and proprietary information.

   Recommendation 3
   We recommend HMSA improve the existing audit process by routinely comparing the
   termination list to the active user lists for claims processing systems and applications.


                                                6
      HMSA Response:
      “HMSA agrees with the recommendation. Effective February 1, 2012, the existing audit
      process was remediated. The process now requires the Information Privacy & Protection
      department and Human Resources to enter upcoming terminations into a collaboration
      site on the intranet (Sharepoint site) to track terminations. The site will send automated
      alerts to the Access Management unit and will escalate to management if action has not
      been taken on a timely basis.”

      OIG Reply:
      The evidence provided by HMSA in response to the draft audit report indicates that the Plan
      has improved the existing terminated user audit process. While the new process does not
      involve comparing the termination list to the active user list, the evidence indicates that the
      new process is an effective control; no further action is required.

C. Configuration Management
  HMSA uses a third party application called QCSI New Extensible Technology (QNXT) to
  adjudicate claims. This system is housed on a Microsoft Windows server with Microsoft SQL
  Server databases. We evaluated HMSA’s management of the configuration of its server
  environment and determined that the following controls were in place:
  •   policies for ensuring that operating platforms are securely configured;
  •   controls for securely managing changes to the operating platform and claims processing
      application;
  •   controls for monitoring privileged user activity on the operating platform; and,
  •   documented patch management procedures.

  The sections below document areas for improvement related to HMSA’s configuration
  management controls.

  1. Application Level Patching
      We conducted a vulnerability scan on 19 HMSA production servers and 2 databases using
      automated tools. We discovered several weaknesses related to missing or outdated critical
      patches on applications residing on production servers (e.g., IBM Tivoli Storage Manager,
      Microsoft Office, and Wireshark). HMSA has documented patch management procedures,
      and although it appears to adequately patch the servers’ operating systems, it does not
      prioritize application level patching. HMSA is currently in the process of developing and
      implementing an Application Patch Cycle process that will address patching for both in-
      house developed applications and third party vendor applications by October 31, 2012.

      FISCAM states that “Software should be scanned and updated frequently to guard against
      known vulnerabilities.” NIST SP 800-53 states “The organization (including any contractor
      to the organization) promptly installs security-relevant software updates (e.g., patches,
      service packs, and hot fixes). Flaws discovered during security assessments, continuous
      monitoring, incident response activities, or information system error handling, are also
      addressed expeditiously.”


                                                   7
   Failure to promptly install patches increases the risk that vulnerabilities will not be
   remediated and sensitive information could be stolen.

   Recommendation 4
   We recommend HMSA develop and implement an Application Patch Cycle process.

   HMSA Response:
   “HMSA agrees with the recommendation. As of June 15, 2012, the Tivoli Storage
   Manager, Wireshark, and Microsoft Office servers identified in the finding have been
   either upgraded or removed. As of June 20, 2012, HMSA formalized and implemented its
   Windows Server Compliance and Remediation process that encompasses all Microsoft
   installed products. This process includes the application of all security related patches at
   both the operating system and application levels.”

   OIG Reply:
   The evidence provided by HMSA in response to the draft audit report indicates that the Plan
   has developed and implemented an application patch cycle process; no further action is
   required.

2. Unsupported System Software
   HMSA is currently using system software (Windows 2000 and Microsoft IIS 5.0) that is no
   longer supported by its vendor. HMSA is in the process of decommissioning and retiring the
   servers that house the unsupported software.

   FISCAM states that “All vendor supplied system software should be supported by the
   vendor.” Additionally, “Outdated versions of system software should be removed from the
   production environment to preclude their use.”

   Failure to remove unsupported system software increases the risk of an attack that exploits
   the known vulnerabilities within the outdated versions of the software.

   Recommendation 5
   We recommend HMSA complete the decommissioning of servers that house outdated and
   unsupported system software.

   HMSA Response:
   “HMSA agrees with the recommendation. As of March 31, 2012, the Windows 2000 and
   Microsoft IIS 5.0 servers have been decommissioned or upgraded.”




                                                 8
      OIG Reply:
      The evidence provided by HMSA in response to the draft audit report indicates that the Plan
      has completed decommissioning of servers that house outdated and unsupported system
      software; no further action is required.

D. Contingency Planning
  We reviewed the following elements of HMSA’s contingency planning program to determine
  whether controls were in place to prevent or minimize damage and interruptions to business
  operations when disastrous events occur:
  •   business continuity for several business units and data center operations;
  •   disaster recovery plan for the claims processing system;
  •   disaster recovery plan tests conducted in conjunction with the recovery site; and,
  •   emergency response procedures and training.

  We determined that the service continuity documentation contained the critical elements
  suggested by NIST SP 800-34, “Contingency Planning Guide for IT Systems.” HMSA has
  identified and prioritized the systems and resources that are critical to business operations, and
  has developed detailed procedures to recover those systems and resources.

  However, one area for improvement was noted during our review of HMSA’s data center. The
  generator supporting the main facility does not have the capacity to support the data center in the
  event of a power outage. HMSA is aware of this weakness and is currently working to address
  this by installing a larger generator that could support data center operations.

  Recommendation 6
  We recommend that HMSA install a power generator that can maintain data center operations in
  the event of power loss.

  HMSA Response:
  “HMSA agrees with the recommendation. On March 29, 2012, a formal contract to expand
  the capacity of HMSA's existing generator and UPS was signed with IBM and funds were
  committed. Installation of the generator requires a zoning variance because changes to the
  square footage of the building slightly exceeds Code (by 0.26%). The approved application is
  being submitted as evidence that the project is moving forward. A decision by the planning
  department is not expected for 90 - 120 days. Because structural changes are required to the
  building, this effort is expected to complete in the first quarter of calendar year 2013.”

  OIG Reply:
  As part of the audit resolution process, we recommend that HMSA continue to update OPM’s
  Healthcare and Insurance Office (HIO) on its progress in installing the new generator. HMSA
  should also provide HIO with evidence that the new generator can fully maintain data center
  operations in the event of a power loss.




                                                   9
E. Claims Adjudication
  The following sections detail our review of the applications and business processes supporting
  claims adjudication at HMSA.

  Application Configuration Management
  We evaluated the policies and procedures governing software development and change control of
  HMSA’s claims processing applications.

  HMSA has policies and procedures related to application configuration management. HMSA
  has adopted a System Development Life Cycle methodology that IT personnel follow during
  routine software modifications. We observed the following controls related to testing and
  approvals of software modifications:
  •   HMSA has adopted practices that allow modifications to be tracked throughout the change
      process;
  •   code, unit, system, and quality testing are all conducted in accordance with industry
      standards; and,
  •   HMSA uses a separate business unit to move the code between development and production
      to ensure adequate segregation of duties.

  Claims Processing System
  We evaluated the input, processing, and output controls associated with HMSA’s claims
  adjudication systems. We determined that HMSA has implemented policies and procedures to
  help ensure that:
  • claims scheduled for payment are actually paid;
  • claims are monitored as they are processed through the systems with real time tracking of the
    system’s performance; and,
  • paper claims that are received in the mail room are tracked to ensure timely processing (aging
    reports).

  Enrollment
  We evaluated HMSA’s procedures for managing its database of member enrollment data. For
  FEP members, enrollment is handled centrally by the BlueCross BlueShield Association Federal
  Employee Program Director’s Office (BSBSA), not by HMSA. For the FED87 plan, changes to
  member enrollment information are received via an encrypted electronic transmission. A report
  of enrollment changes is generated, and these updates are manually entered into the enrollment
  database. HMSA has an audit function for each step of the enrollment process that requires
  manual data manipulation.

  We do not have any concerns regarding HMSA’s enrollment policies and procedures.




                                                 10
Debarment
HMSA has adequate procedures for updating its claim system with debarred provider
information, and the Plan routinely audits its debarment database for accuracy.

HMSA downloads the OPM OIG debarment list every month and compares it to its provider
maintenance file. Any debarred providers that appear in HMSA’s provider master database are
flagged to prevent claims submitted by that provider from processing successfully during the
claims adjudication process.

We do not have any concerns regarding HMSA’s debarment policies and procedures.

Special Investigations and Fraud
HMSA has a sufficient program in place to detect and review potentially fraudulent claims.

We did determine one area for improvement regarding the reporting of fraudulent cases. HMSA
currently has a process in place to report these cases to the BCBSA on a quarterly and annual
basis. While we have no concerns regarding HMSA’s communication with the BCBSA, HMSA
is not currently reporting cases directly to the OPM OIG Office of Investigations in accordance
with OPM FEHBP Program Carrier Letter No. 2007-12. The Carrier Letter provides guidance
on reporting thresholds and timelines that all FEHBP carriers must follow.

Recommendation 7
We recommend that HMSA review its policies and procedures regarding the reporting of
potentially fraudulent cases to OPM OIG to ensure compliance with OPM Carrier Letter 2007-12
and all subsequent Carrier Letters.

HMSA Response:
“HMSA agrees with the recommendation. On September 13, 2011, HMSA implemented
policies and procedures to ensure proper reporting of potentially fraudulent cases to OPM
OIG and compliance with OPM Carrier Letter 2007-12 and all subsequent Carrier
Letters. HMSA has submitted cases to OPM OIG that met the OPM Carrier Letter 2007-12
criteria.”

OIG Reply:
Our audit work indicated that the policies and procedures created on September 13, 2011 were
not adequately implemented as of March 20, 2012. Subsequent evidence provided by HMSA
indicates that the procedures are now appropriately implemented and cases are reported to OPM
OIG in a manner consistent with OPM Carrier Letter 2007-12; no further action is required.

Application Controls Testing
We conducted a test on HMSA’s claims adjudication applications to validate the systems’ claims
processing controls. The exercise involved processing test claims designed with inherent flaws
and evaluating the manner in which HMSA’s systems adjudicated the claims.



                                              11
The sections below document opportunities for improvement related to HMSA’s claims
application controls.

1. Overlapping Hospital Stays
   The QNXT system paid duplicate room and board charges on test claims for a member with
   two overlapping hospital stays.

   The system does not have edits in place to prevent duplicate room and board (R&B) charges
   for the same time period. We submitted claims for the same member for two instances of
   R&B at the same facility on the same day. We also submitted claims for the same member
   for R&B at different facilities on the same day. QNXT inappropriately processed and paid
   the duplicate services for both sets of claims.

   This system weakness increases the risk that hospitals are being paid for duplicate room and
   board expenses.

   At the conclusion of the fieldwork phase of our audit, HMSA provided evidence that pre-
   payment reports are generated that identify possible duplicate inpatient claims billed for both
   scenarios: overlapping stays at a single facility and different facilities. The implementation
   of pre-payment reports is an acceptable compensating control, but we were unable to test its
   effectiveness due to the timing in which this information was provided to us.

   Recommendation 8
   We recommend that HMSA provide evidence that it is appropriately utilizing pre-payment
   reports related to overlapping hospital stays over a six month time period.

   HMSA Response:
   “HMSA agrees with the recommendation. HMSA applies systematic duplicate editing to
   overlapping hospital stays billed by the same provider or facility. To supplement the
   systematic editing, a prepayment report was created to identify overlapping hospital stays
   billed by different facilities.

   The process includes a review of the prepayment report to ensure that claims with
   overlapping service dates are not duplicate claims. If the claim contains overlapping
   service dates, the examiner will determine whether a transfer or re-admission to a second
   facility occurred and once validated, will allow the claim to pay. If the examiner is unable
   to validate that a transfer or re-admission to a second facility occurred, the claim will be
   denied as a duplicate claim.

   The remediation was implemented on February 27, 2012 and OPM has received and
   acknowledged receipt of the evidence showing implementation of the review. OPM’s
   request for further documentation spanning the 6 month period February 27, 2012 to
   August 27, 2012 is not possible due to the OPM imposed deadline for our response of
   June 30, 2012. As such, HMSA will be submitting the prepayment reports from date of
   implementation through June 22, 2012.”


                                               12
customary settings such as the ambulatory surgical center, inpatient & outpatient
hospital, emergency room and military treatment facilities. Below is a description of
the two programs:

a) Place of Treatment Program (POTP)
   This program requires certain medical services identified in the POTP be
   performed in a physician’s office or outpatient setting. If a more acute setting is
   required, the physician must request precertification prior to rendering
   services. The lack of precertification will result in the claim being routed for
   review by HMSA’s in-house medical consultants for determination or returned to
   the physician with a request for additional information.
   The following attachment is being provided in relation to this response: . . .

b) Place of Service (POS) Claims Editing
   HMSA currently uses a vendor package called iCES KnowledgeBase by OPTUM to
   systematically apply place of service editing on a procedure code level. This vendor
   package is interfaced with our claims adjudication system, QNXT. The iCES
   KnowledgeBase edits approximately 86% of CPT and HCPCS procedure codes
   identified through Medicare Local Coverage Determinations (LCD), Medical
   National Coverage Determinations (NCD), provider specialty societies and code
   descriptors.”

OIG Reply:
We continue to recommend that HMSA conduct a thorough review of place of service
codes and update the system to ensure claims are processed appropriately. As HMSA
stated in its reply to the recommendation, the iCES vendor package only edits 86% of
CTP and HCPCS procedure codes. We subjectively submitted two claims with invalid
place of service codes without reviewing any iCES edit documentation. Both of these
claims processed without encountering any edits. We are therefore not confident that the
current vendor packages can adequately detect place of service inconsistencies.

Recommendation 10
We recommend that HMSA ensure the appropriate system modifications are made to
prevent medically inconsistent claims from processing. Furthermore, we request that
HMSA provide evidence that it is appropriately utilizing these post-payment reports
related to invalid place of service over a six month time period.

HMSA Response:
“HMSA partially agrees with the recommendation.

1) HMSA disagrees with the recommendation to implement additional system
modifications due to the robustness of HMSA’s existing programs and system edits
outlined above in our response to Recommendation 9. We believe that the combination
of the PTOP program, the POS edits and the review of prepayment and post payment
reports provides adequate coverage to mitigate the risk of overpayment for services


                                       15
      being performed at possible inappropriate service locations. Please refer to the
      response provided in Recommendation 9.

      2) HMSA agrees with the request to provide OPM with additional evidence of
      prepayment and post-payment reports related to Recommendation 9. The remediation
      was implemented on February 27, 2012 and OPM has received and acknowledged
      receipt of the evidence showing implementation of the review. OPM’s request for
      further documentation spanning the 6 month period February 27, 2012 to August 27,
      2012 is not possible due to the OPM imposed deadline for our response of June 30,
      2012. As such, HMSA will be submitting samples of the prepayment and post-
      payment reports from date of implementation through June 22, 2012.”

      OIG Reply:
      We have reviewed the provided evidence and agree that pre-payment and post-payment
      reports have been implemented to detect gender inconsistencies, diagnosis to procedure
      inconsistencies, and provider to procedure inconsistencies. However, as stated in our
      reply to recommendation 9, we have not received adequate evidence that the claims
      adjudication system can adequately detect place of service inconsistencies. Therefore,
      we continue to recommend that HMSA conduct a full review of place of service codes.

3. Prior Authorization
   The QNXT system paid a professional claim for                          without receiving the
   appropriate prior authorization required by the benefit brochure.

   HMSA informed us that they do not require all providers to obtain prior authorization for
   services. HMSA has a tiered variable intensity precertification review system for their
   providers and each tier represents a different requirement level for prior authorization.

   This system structure increases the risk that benefits are not being paid in accordance with
   the benefit brochure for procedures requiring prior authorization.

   Recommendation 11
   We recommend that HMSA make the appropriate system modifications to ensure that claims
   without the appropriate prior authorizations are suspended and flagged for review.

   HMSA Response:
   “HMSA disagrees with the recommendation. . . .

   HMSA disagrees with the recommendation to make further system modifications to the
   claims adjudication system since HMSA currently has two approaches to adequately
   administer the prior authorization (precertification) program as follows:

   1) Most services are handled traditionally, where a claim will be denied without prior
   authorization. In these cases, the claim will stop processing and pend if an authorization
   is not present and an adjudicator will validate whether or not a review has been completed.


                                               16
     If it has, and authorization was denied, the claim will be denied. If no review was
     requested, a post-service review will be undertaken and the claim processed or denied
     based on the outcome of the medical necessity review.

     2) Other services are eligible for our variable intensity precertification review program
     (VIR). For eligible categories of services requiring precertification, the VIR program
     allows us to pre-certify services efficiently and encourages provider self-monitoring,
     incenting better quality. Following an intensive data review of a provider’s practice by our
     medical physicians and consultants, HMSA makes a determination whether the provider
     qualifies for an annual waiver for a particular service. If they qualify, our claims system
     allows the claim for the approved service to proceed to payment. Waivers are reviewed at
     least annually and may be rescinded.

     Specific to claims related to                                        services, HMSA operates
     a VIR program that has three tiers. Analysis of the number of visits for conditions treated
     and the intensity of services furnished within each visit are used to stratify the providers
     into one of three tiers based on their efficiency of utilization and understanding of the
     member’s benefits. Authorization points vary depending on the tier to which the
     is assigned. For the claim that was noted as an exception during this audit, the
                            provider was categorized into an approved tier which allowed
     automatic precertification of 8 visits per benefit period. Due to the precertification
     provided by the VIR process, the claim was paid correctly. Thus, we believe no further
     modification is necessary to our claims adjudication system.

     To provide further clarity within the benefit brochure, HMSA received instructions from
     the OPM contract office to modify the 2013 benefit brochure to explicitly state that prior
     authorization is required but is subject to HMSA’s criteria. As of the date of this response,
     HMSA has acknowledged their instructions and has submitted the modifications to the
     OPM contract office and is awaiting confirmation.”

     OIG Reply:
     As part of the audit resolution process, we recommend that HMSA continue to work with
     OPM’s Contract Office to ensure that the language in the 2013 benefit brochure
     appropriately describes prior authorizations related to VIR program.

F. Health Insurance Portability and Accountability Act
  We reviewed HMSA’s efforts to maintain compliance with the security and privacy standards of
  HIPAA.

  HMSA has implemented a series of IT security policies and procedures to adequately address the
  requirements of the HIPAA security rule. HMSA has also developed a series of privacy policies
  and procedures that address all requirements of the HIPAA privacy rule. HMSA uses HIPAA
  regulations as the baseline for the creation of its policies. The plan has a designated Privacy
  Official who is responsible for ensuring HMSA’s compliance with HIPAA Privacy and Security




                                                17
regulations. HMSA employees receive annual compliance training that encompasses HIPAA
regulations.

We do not have any concerns regarding HMSA’s compliance with the various requirements of
HIPAA regulations.




                                            18
                    III. Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:
•                  , Group Chief
•                      , Senior Team Leader
•                         , Auditor-In-Charge
•               , IT Auditor
•                    , IT Auditor




                                                19