Audit: Health Benefit Exchange could be compromised by significant internal control problems

By Charlie Hayward

For MarylandReporter.com

A legislative audit of the Maryland Health Benefit Exchange that enrolls uninsured people in Medicaid and qualified health insurance plans found “significant deficiencies” in the program. This is a term in auditing standards meant to bring serious problems to the attention of the governing board and not just the executives in charge.

Auditors found:

  • “significant deficiencies in the design or operation of internal control that could adversely affect MHBE’s ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules, and regulations”
  • and “significant instances of noncompliance with applicable laws, rules, or regulations.”

MHBE implements the health insurance marketing and sales provisions of the Affordable Care Act. It is a fairly large and complex independent entity whose fiscal year 2017 spending totaled about $117 million; paid for with state funds totaling $33 million; Federal funds totaling $45 million; and a transfer of $39 million from the Maryland Health Insurance Plan (MHIP), the public insurance program for people with pre-existing conditions that is being phased out.

Spending was primarily for salaries and benefits of exchange personnel; information technology (IT) development, outreach and consumer assistance, reinsurance payments administered by the Exchange, and operating the multipurpose website known as the Maryland Health Connection (MHC).

Aside from the Exchange’s spending to wind down the operation of MHIP, most of MHBE spending was for work done by outside contractors and grantees.

Auditors found multiple shortcomings with verifying eligibility of Medicaid beneficiaries; noncompliance with state procurement policy; weakness involving payment to significant vendors; and information system weaknesses.

MHBE generally agreed with all findings and recommendations, with some exceptions.

***SUPPORT NONPROFIT NEWS: Any tax-deductible donation to MarylandReporter.com up to $1,000 will be doubled by four national foundations if we get it by Dec. 31. $50 becomes $100, $250 is worth $500, $1,000 doubles to $2,000. We’re now 23% toward the maximum grant of $25,000.***  

Eligibility unverified

Eligibility of the state’s 1.3 million Medicaid beneficiaries hinges on their earnings or income because the program only covers low-income persons,

OLA’s audit found that MHBE declared beneficiaries eligible to receive $10.7 billion of healthcare paid by the state’s Department of Health during fiscal year 2017 without having comprehensively verified that applicants’ income met Medicaid’s eligibility criteria.

Auditors said the Exchange relied on state wage data that captured most income but should utilize additional wage and income databases for a more comprehensive picture. In its response, the Exchange said it would enhance verification controls while it also made an important argument that greater wage and income assessments would drive up the cost and time for their determinations.

Overriding eligibility determinations

Medicaid eligibility is predominantly determined by the MHC computer but, in many instances, caseworkers were assigned “super user” authority to change eligibility decisions for complex circumstances on a case-by-case basis.

Auditors found the Exchange granted 119 individuals the ability to perform eligibility “overrides.”

Auditors found 119 super users was excessive, due to the risk of unauthorized changes to vital data because super-user privileges allow changes to critical data which exceed the scope of caseworker responsibilities.

According to the auditors, to compound the excessive access, MHBE didn’t monitor the system overrides to ensure they were proper. Auditors identified 12,700 instances in which the eligibility status was changed without independent review during a one-year period.

MHBE disagreed with the auditor’s characterization that 119 super uses were excessive because the design of the health exchange website cannot accommodate the myriad circumstances of applicants’ eligibility factors. This requires large numbers of caseworkers to confirm Medicaid eligibility within tight deadlines for complex cases.

Procurement issues

Following controversy over excessive sole-source and emergency contracting during 2014/2015, MHBE did a major reprocurement of IT contractors, culminating in 45 contract awards in July 2015.

Auditors found the Exchange:

  • didn’t obtain the required approval by its Board of Trustees for contract awards and task orders;
  • didn’t adequately document it’s evaluation of the vendor task order proposals;
  • and didn’t ensure that all vendors and their related employees were properly qualified.

MHBE disagreed, saying the board approved IT contractor spending on the whole because policy didn’t require the board to approve individual task orders. This disagreement appeared to be inconsistent with the plain language of MHBE’s policy, as auditors pointed out on page 13.

Inadequate evaluation of contract billings

MHBE should have obtained and evaluated detailed records supporting billings for high-dollar contracts and grants for customer support, outreach, and enrollment-support services. This is a repeat finding from a previous legislative audit.

Auditors found the Exchange paid based on high-level review of vendors’ billings rather than assessing the quality of the underlying supporting documents.

MHBE disagreed, saying approvals of billings from its customer support services contractor were based on thorough monitoring of various performance metrics and solid understandings of the contractor’s activities. MHBE’s disagreement, however, appeared to be undercut by the auditor’s findings on pages 17-18 of the report.

IT security deficient

Auditors found MHBE’s information system security to be a significant deficiency.

Auditors reported controls over program changes didn’t assure that management approved changes to computer applications before they were placed into production.

Furthermore, MHBE didn’t deploy a robust intrusion detection/prevention system for encrypted traffic entering its computer network, and didn’t obtain certain security assurances over critical data on servers hosted by contractors. These were repeat findings.

Lawyers block auditor access

OLA’s audit team was precluded by Maryland and federal law from performing a portion of the audit it felt was important because of the risks to data integrity associated with findings on eligibility.

Specifically, OLA was unable to examine data under MHBE’s control which was owned by the Internal Revenue Service, causing OLA to be unable to “…assess whether proper [eligibility] determinations were being made [by MHBE.]” The auditors opted to issue the current report short of resolving the scope limitation, in favor of trying to resolve the access problem in the next audit.

OLA’s audit team also found MHBE satisfactorily addressed seven of its previous audit’s 10 findings. The remaining three previous findings (relating to lack of adequate verifications of vendor billings) were classified as repeat findings, although the Exchange believes the repeat findings should instead be classified as new due to differing interpretations of the original findings.

Overall, the MHBE’s resolution of previous findings indicates it has made significant improvements since a 2015 audit.

Charlie Hayward spent more than 30 years performing Government Accountability Office audits and served as a partner in two accounting firms. He retired in 2007 from Cotton & Company LLP, where he was a partner and principal financial auditor of the firm’s audit practice group. Since retiring, he has been a contributing writer for MarylandReporter.com and Bloomberg News. He has written several articles over the past years about the Maryland Health Benefit Exchange.