Audit: Mental Health Administration failed to check patients’ eligibility and patient information is not secure

By Charlie Hayward

State auditors found that the State Mental Health Administration found that the MHA failed to:

  • Keep documentation showing patients who received over $16 million in mental health services were eligible
  • Assure timely reviews/audits of provider claims and perform regular bank reconciliations
  • Maintain adequate security over computers and sensitive patient data
  • Keep adequate internal control over cash receipts

The Mental Health Administration delivers comprehensive care, treatment, and rehabilitation of individuals with mental illnesses, either through a network of hospital facilities operated by MHA or through community service agencies. MHA spent $788 million during fiscal year 2013.

MHA receives funding from multiple federal and state sources and each funding source can have different eligibility rules. Because of this, MHA must keep detailed records about patients so the funding source is correctly matched to each patient service.

Eligibility documentation missing; important statistics not kept

MHA utilizes an Administrative Services Organization (ASO) to review its mental health  services. During fiscal 2013, the ASO paid approximately $16.4 million of State funds for “uninsured” patient care, without keeping documentation showing patients were eligible for the mental health services they received.

The documentation is important because it is the basis for determining who ultimately pays for care: the state, federal government or the individual. This finding was repeated from the previous audit.

In addition, the ASO is required to periodically examine selected providers and supporting documents supporting claims to see if the process is adequate. However, the ASO didn’t target its examinations to a particular kind of claims (uninsured coverage.) Therefore, critical statistics to measure performance related to those claims were not kept.

Untimely audits and bank reconciliations

MHA hired an accounting firm to conduct quarterly independent reviews of provider claims and reconcile a bank account owned by the state and then issue reports of its findings. The Office of Legislative Audits found the quarterly reports were chronically late; from one year to 21 months. These reporting delays adversely affected MHA’s monitoring of the ASO’s payment and reconciliation duties.

Inadequate security over sensitive information

The ASO’s computer system contains typical demographic information for MHA’s beneficiaries, including name, social security number, address, and date of birth. The system also keeps sensitive personal health information, including medical diagnosis codes, prescribed medications, and physician assessments of patient risks, impairments, and substance abuse. OLA found:

  • Several unnecessary and insecure connections were allowed into portions of the ASO’s internal network, thereby placing various network devices at risk.
  • Ineffective intrusion detection associated with encrypted data transmitted over 61 ASO internal network addresses.
  • Third-party networks had unnecessary access to almost all destinations on the ASO internal network via all ports.
  • Personally Identifiable Information (PII) was not protected against unauthorized use and fraud.
  • Access to PII wasn’t limited based on a need-to-know principle. Thus, users had unnecessary read and modification access to certain critical ASO files containing sensitive PII for Maryland Medicaid enrollees.

Control over cash receipts needs improvement

MHA did not verify that collections received through the mail, which totaled approximately $741,000 during fiscal year 2013, were forwarded to and received by DHMH’s general accounting unit for deposit. Also, collections received at MHA’s Crownsville Hospital Center were not adequately controlled and verified. These collections totaled approximately $251,000 during fiscal year 2013. This finding was repeated from the previous audit.