Recurring Findings

Health Care: Recurring Material Internal Control Deficiencies
Federal Program Issue First Year Reported
Department's Assertion Page Number
Medicaid Cluster During our fiscal year 2012-13 audit, we reported that certain information security controls over the California Medicaid Management System (CA-MMIS) were not operating effectively. Health Care Services utilizes a third-party fiscal intermediary to adjudicate fee-for-service (FFS) claims. In the 2013-14 audit, we found that certain information security and change management controls over CA-MMIS were also not operating effectively. The failure of these controls was due to the lack of adequate implementation of CA-MMIS policies and procedures. Ineffective IT general controls over the information technology environment, including access and change management, could result in inappropriate claims being processed. Specifically, we identified the following: • CA-MMIS policy requires users to log onto the mainframe every 29 days. We identified 174 accounts that have been idle for more than 29 days. This includes 16 accounts that appear to have never been accessed and 42 accounts that have not been accessed in over 98 days. Of the 174 accounts identified two are test accounts, 14 are Help Desk accounts and the remainder are user accounts. • We identified 84 User ID (UID) strings that are not defined on the Xerox role sheet. As a result, we were unable to identify the associated roles and privileges associated with these accounts to validate the appropriateness of the user privileges. These UID strings belong to 500 Access Control Facility (ACF2) accounts. • Health Care Services was unable to produce a complete listing of employees. We found 1,303 CA-MMIS user accounts that could not be found on the HR listings provided. Given the large volume of user accounts, maintaining a complete listing of employees and comparing that listing to user accounts would provide a reliable way to identify terminated employees and validate user access and privilege levels. • We selected five standard changes promoted into the production environment for testing and identified one change with an invalid test result for one test script performed and one change with invalid test results for all test scripts performed. Both changes identified were marked “Passed” and promoted into the production environment despite not passing the required test scripts. 2011-12
Health Care Services agrees with the Audit Finding. The fiscal year 2013-14 CA-MMIS audit material weakness findings are known to Health Care Services. The Contract requires annual reviews and/or updates for all CA-MMIS documentation listed in the Contract, Exhibit A, Attachment II, Sections HH-QQ including but not limited to Manuals, Deliverables, Plans, Policies, and Procedures. Several CA-MMIS Policies, Procedures, Plans, and other documentation are missing, inadequate, or have not been updated since fiscal year 2010-11. Timely and accurate documentation is essential to maintain security and confidentiality of the CA-MMIS systems. Evidence that documentation creation, reviews and updates are not taking place, or lack of adequate procedures to ensure required documentation is created, reviewed and updated, at least annually, are of the greatest concern to Health Care Services. CA-MMIS issued two Corrective Action Plan (CAP) requests to Xerox within the last 12 months to address these findings and concerns. CAP 022 addressed user access and other system security deficiencies. Xerox responded with a request for closure, referencing existing plans that addressed Health Care Services concerns. On March 2nd, 2015, DHCS formally denied Xerox’s request to close CAP 022, Ref. A4672. The denial basis highlighted non-existent process or procedure level documentation necessary to address gaps where Xerox does not follow security policies. The current audit findings further support previous CA-MMIS analyses and decision to ultimately deny Xerox’s CAP closure request. CA-MMIS sent another CAP Request on February 24th, 2015, to address deficient documentation, Ref. A-4604. This CAP intended to update documentation failing to meet contract compliance standards. The CAP must define methods by which improvements will be attained, the specific timeline and milestones, and assigned resources for achieving satisfactory and sustained performance including a specific and measurable criterion to be utilized in determining satisfactory and sustained performance. CA-MMIS requires this documentation to be formally submitted to Health Care Services. However, Xerox failed to prepare and submit a CAP response to this issue by 2:00p.m.on March 5, 2015. CA-MMIS will follow up with a delinquency letter by March 13th, 2015. Currently, no sanctions are actively exercised against Xerox. CA-MMIS will reaffirm the need for a formal extension of time when Xerox cannot meet Health Care Services’ deadlines. From an accountability perspective, if Xerox was egregiously non-responsive, the Department could in its discretion withhold the General Adjudicated Claim Line invoice as a consequence for non-compliance of the Corrective Action Plan. CA-MMIS is confident that these two CAPs address the 2013-14 audit findings as well as other deficiencies. However, each CAP scope is highly complex and addresses both mainframe and other CA-MMIS enterprise systems, 90+ subsystems in all. While it is possible to prioritize correction of the 2013-14 audit findings early in the resolution plan, the scale and effort to address the entire CAP is considerably large. For this reason, CA-MMIS chooses to initiate a separate third CAP request to specifically address the current findings. With a minimized scope, the third CAP achieves a more timely resolution of these specific findings: • Enforcement of the mainframe account policy to deactivate user IDs that have been idle for 29 days. • Complete documentation of the 84 User ID (UID) strings not currently defined on Xerox’s role based security sheet. • Develop process and procedures to regularly compare current employee listings, from all CA-MMIS business partners, to the mainframe account user database. • Update change control documentation to include checklist approval criteria associated with test script review and validation. CA-MMIS plans to immediately initiate this third CAP request to Xerox and will issue the CAP no later than March 13, 2015. 70
Medical Assistance Program During our fiscal year 2012-13 audit, we reported that certain information security controls over the California Medicaid Management System (CA-MMIS) were not operating effectively. Health Care Services utilizes a third-party fiscal intermediary to adjudicate fee-for-service (FFS) claims. In the 2013-14 audit, we found that certain information security and change management controls over CA-MMIS were also not operating effectively. The failure of these controls was due to the lack of adequate implementation of CA-MMIS policies and procedures. Ineffective IT general controls over the information technology environment, including access and change management, could result in inappropriate claims being processed. Specifically, we identified the following: • CA-MMIS policy requires users to log onto the mainframe every 29 days. We identified 174 accounts that have been idle for more than 29 days. This includes 16 accounts that appear to have never been accessed and 42 accounts that have not been accessed in over 98 days. Of the 174 accounts identified two are test accounts, 14 are Help Desk accounts and the remainder are user accounts. • We identified 84 User ID (UID) strings that are not defined on the Xerox role sheet. As a result, we were unable to identify the associated roles and privileges associated with these accounts to validate the appropriateness of the user privileges. These UID strings belong to 500 Access Control Facility (ACF2) accounts. • Health Care Services was unable to produce a complete listing of employees. We found 1,303 CA-MMIS user accounts that could not be found on the HR listings provided. Given the large volume of user accounts, maintaining a complete listing of employees and comparing that listing to user accounts would provide a reliable way to identify terminated employees and validate user access and privilege levels. • We selected five standard changes promoted into the production environment for testing and identified one change with an invalid test result for one test script performed and one change with invalid test results for all test scripts performed. Both changes identified were marked “Passed” and promoted into the production environment despite not passing the required test scripts. 2011-12
Health Care Services agrees with the Audit Finding. The fiscal year 2013-14 CA-MMIS audit material weakness findings are known to Health Care Services. The Contract requires annual reviews and/or updates for all CA-MMIS documentation listed in the Contract, Exhibit A, Attachment II, Sections HH-QQ including but not limited to Manuals, Deliverables, Plans, Policies, and Procedures. Several CA-MMIS Policies, Procedures, Plans, and other documentation are missing, inadequate, or have not been updated since fiscal year 2010-11. Timely and accurate documentation is essential to maintain security and confidentiality of the CA-MMIS systems. Evidence that documentation creation, reviews and updates are not taking place, or lack of adequate procedures to ensure required documentation is created, reviewed and updated, at least annually, are of the greatest concern to Health Care Services. CA-MMIS issued two Corrective Action Plan (CAP) requests to Xerox within the last 12 months to address these findings and concerns. CAP 022 addressed user access and other system security deficiencies. Xerox responded with a request for closure, referencing existing plans that addressed Health Care Services concerns. On March 2nd, 2015, DHCS formally denied Xerox’s request to close CAP 022, Ref. A4672. The denial basis highlighted non-existent process or procedure level documentation necessary to address gaps where Xerox does not follow security policies. The current audit findings further support previous CA-MMIS analyses and decision to ultimately deny Xerox’s CAP closure request. CA-MMIS sent another CAP Request on February 24th, 2015, to address deficient documentation, Ref. A-4604. This CAP intended to update documentation failing to meet contract compliance standards. The CAP must define methods by which improvements will be attained, the specific timeline and milestones, and assigned resources for achieving satisfactory and sustained performance including a specific and measurable criterion to be utilized in determining satisfactory and sustained performance. CA-MMIS requires this documentation to be formally submitted to Health Care Services. However, Xerox failed to prepare and submit a CAP response to this issue by 2:00p.m.on March 5, 2015. CA-MMIS will follow up with a delinquency letter by March 13th, 2015. Currently, no sanctions are actively exercised against Xerox. CA-MMIS will reaffirm the need for a formal extension of time when Xerox cannot meet Health Care Services’ deadlines. From an accountability perspective, if Xerox was egregiously non-responsive, the Department could in its discretion withhold the General Adjudicated Claim Line invoice as a consequence for non-compliance of the Corrective Action Plan. CA-MMIS is confident that these two CAPs address the 2013-14 audit findings as well as other deficiencies. However, each CAP scope is highly complex and addresses both mainframe and other CA-MMIS enterprise systems, 90+ subsystems in all. While it is possible to prioritize correction of the 2013-14 audit findings early in the resolution plan, the scale and effort to address the entire CAP is considerably large. For this reason, CA-MMIS chooses to initiate a separate third CAP request to specifically address the current findings. With a minimized scope, the third CAP achieves a more timely resolution of these specific findings: • Enforcement of the mainframe account policy to deactivate user IDs that have been idle for 29 days. • Complete documentation of the 84 User ID (UID) strings not currently defined on Xerox’s role based security sheet. • Develop process and procedures to regularly compare current employee listings, from all CA-MMIS business partners, to the mainframe account user database. • Update change control documentation to include checklist approval criteria associated with test script review and validation. CA-MMIS plans to immediately initiate this third CAP request to Xerox and will issue the CAP no later than March 13, 2015. 70
SCHIP (State Children's Insurance Program) During our fiscal year 2012-13 audit, we reported that certain information security controls over the California Medicaid Management System (CA-MMIS) were not operating effectively. Health Care Services utilizes a third-party fiscal intermediary to adjudicate fee-for-service (FFS) claims. In the 2013-14 audit, we found that certain information security and change management controls over CA-MMIS were also not operating effectively. The failure of these controls was due to the lack of adequate implementation of CA-MMIS policies and procedures. Ineffective IT general controls over the information technology environment, including access and change management, could result in inappropriate claims being processed. Specifically, we identified the following: • CA-MMIS policy requires users to log onto the mainframe every 29 days. We identified 174 accounts that have been idle for more than 29 days. This includes 16 accounts that appear to have never been accessed and 42 accounts that have not been accessed in over 98 days. Of the 174 accounts identified two are test accounts, 14 are Help Desk accounts and the remainder are user accounts. • We identified 84 User ID (UID) strings that are not defined on the Xerox role sheet. As a result, we were unable to identify the associated roles and privileges associated with these accounts to validate the appropriateness of the user privileges. These UID strings belong to 500 Access Control Facility (ACF2) accounts. • Health Care Services was unable to produce a complete listing of employees. We found 1,303 CA-MMIS user accounts that could not be found on the HR listings provided. Given the large volume of user accounts, maintaining a complete listing of employees and comparing that listing to user accounts would provide a reliable way to identify terminated employees and validate user access and privilege levels. • We selected five standard changes promoted into the production environment for testing and identified one change with an invalid test result for one test script performed and one change with invalid test results for all test scripts performed. Both changes identified were marked “Passed” and promoted into the production environment despite not passing the required test scripts. 2011-12
Health Care Services agrees with the Audit Finding. The fiscal year 2013-14 CA-MMIS audit material weakness findings are known to Health Care Services. The Contract requires annual reviews and/or updates for all CA-MMIS documentation listed in the Contract, Exhibit A, Attachment II, Sections HH-QQ including but not limited to Manuals, Deliverables, Plans, Policies, and Procedures. Several CA-MMIS Policies, Procedures, Plans, and other documentation are missing, inadequate, or have not been updated since fiscal year 2010-11. Timely and accurate documentation is essential to maintain security and confidentiality of the CA-MMIS systems. Evidence that documentation creation, reviews and updates are not taking place, or lack of adequate procedures to ensure required documentation is created, reviewed and updated, at least annually, are of the greatest concern to Health Care Services. CA-MMIS issued two Corrective Action Plan (CAP) requests to Xerox within the last 12 months to address these findings and concerns. CAP 022 addressed user access and other system security deficiencies. Xerox responded with a request for closure, referencing existing plans that addressed Health Care Services concerns. On March 2nd, 2015, DHCS formally denied Xerox’s request to close CAP 022, Ref. A4672. The denial basis highlighted non-existent process or procedure level documentation necessary to address gaps where Xerox does not follow security policies. The current audit findings further support previous CA-MMIS analyses and decision to ultimately deny Xerox’s CAP closure request. CA-MMIS sent another CAP Request on February 24th, 2015, to address deficient documentation, Ref. A-4604. This CAP intended to update documentation failing to meet contract compliance standards. The CAP must define methods by which improvements will be attained, the specific timeline and milestones, and assigned resources for achieving satisfactory and sustained performance including a specific and measurable criterion to be utilized in determining satisfactory and sustained performance. CA-MMIS requires this documentation to be formally submitted to Health Care Services. However, Xerox failed to prepare and submit a CAP response to this issue by 2:00p.m.on March 5, 2015. CA-MMIS will follow up with a delinquency letter by March 13th, 2015. Currently, no sanctions are actively exercised against Xerox. CA-MMIS will reaffirm the need for a formal extension of time when Xerox cannot meet Health Care Services’ deadlines. From an accountability perspective, if Xerox was egregiously non-responsive, the Department could in its discretion withhold the General Adjudicated Claim Line invoice as a consequence for non-compliance of the Corrective Action Plan. CA-MMIS is confident that these two CAPs address the 2013-14 audit findings as well as other deficiencies. However, each CAP scope is highly complex and addresses both mainframe and other CA-MMIS enterprise systems, 90+ subsystems in all. While it is possible to prioritize correction of the 2013-14 audit findings early in the resolution plan, the scale and effort to address the entire CAP is considerably large. For this reason, CA-MMIS chooses to initiate a separate third CAP request to specifically address the current findings. With a minimized scope, the third CAP achieves a more timely resolution of these specific findings: • Enforcement of the mainframe account policy to deactivate user IDs that have been idle for 29 days. • Complete documentation of the 84 User ID (UID) strings not currently defined on Xerox’s role based security sheet. • Develop process and procedures to regularly compare current employee listings, from all CA-MMIS business partners, to the mainframe account user database. • Update change control documentation to include checklist approval criteria associated with test script review and validation. CA-MMIS plans to immediately initiate this third CAP request to Xerox and will issue the CAP no later than March 13, 2015. 70
State Survey and Certification of Health Care Providers and Suppliers During our fiscal year 2012-13 audit, we reported that certain information security controls over the California Medicaid Management System (CA-MMIS) were not operating effectively. Health Care Services utilizes a third-party fiscal intermediary to adjudicate fee-for-service (FFS) claims. In the 2013-14 audit, we found that certain information security and change management controls over CA-MMIS were also not operating effectively. The failure of these controls was due to the lack of adequate implementation of CA-MMIS policies and procedures. Ineffective IT general controls over the information technology environment, including access and change management, could result in inappropriate claims being processed. Specifically, we identified the following: • CA-MMIS policy requires users to log onto the mainframe every 29 days. We identified 174 accounts that have been idle for more than 29 days. This includes 16 accounts that appear to have never been accessed and 42 accounts that have not been accessed in over 98 days. Of the 174 accounts identified two are test accounts, 14 are Help Desk accounts and the remainder are user accounts. • We identified 84 User ID (UID) strings that are not defined on the Xerox role sheet. As a result, we were unable to identify the associated roles and privileges associated with these accounts to validate the appropriateness of the user privileges. These UID strings belong to 500 Access Control Facility (ACF2) accounts. • Health Care Services was unable to produce a complete listing of employees. We found 1,303 CA-MMIS user accounts that could not be found on the HR listings provided. Given the large volume of user accounts, maintaining a complete listing of employees and comparing that listing to user accounts would provide a reliable way to identify terminated employees and validate user access and privilege levels. • We selected five standard changes promoted into the production environment for testing and identified one change with an invalid test result for one test script performed and one change with invalid test results for all test scripts performed. Both changes identified were marked “Passed” and promoted into the production environment despite not passing the required test scripts. 2011-12
Health Care Services agrees with the Audit Finding. The fiscal year 2013-14 CA-MMIS audit material weakness findings are known to Health Care Services. The Contract requires annual reviews and/or updates for all CA-MMIS documentation listed in the Contract, Exhibit A, Attachment II, Sections HH-QQ including but not limited to Manuals, Deliverables, Plans, Policies, and Procedures. Several CA-MMIS Policies, Procedures, Plans, and other documentation are missing, inadequate, or have not been updated since fiscal year 2010-11. Timely and accurate documentation is essential to maintain security and confidentiality of the CA-MMIS systems. Evidence that documentation creation, reviews and updates are not taking place, or lack of adequate procedures to ensure required documentation is created, reviewed and updated, at least annually, are of the greatest concern to Health Care Services. CA-MMIS issued two Corrective Action Plan (CAP) requests to Xerox within the last 12 months to address these findings and concerns. CAP 022 addressed user access and other system security deficiencies. Xerox responded with a request for closure, referencing existing plans that addressed Health Care Services concerns. On March 2nd, 2015, DHCS formally denied Xerox’s request to close CAP 022, Ref. A4672. The denial basis highlighted non-existent process or procedure level documentation necessary to address gaps where Xerox does not follow security policies. The current audit findings further support previous CA-MMIS analyses and decision to ultimately deny Xerox’s CAP closure request. CA-MMIS sent another CAP Request on February 24th, 2015, to address deficient documentation, Ref. A-4604. This CAP intended to update documentation failing to meet contract compliance standards. The CAP must define methods by which improvements will be attained, the specific timeline and milestones, and assigned resources for achieving satisfactory and sustained performance including a specific and measurable criterion to be utilized in determining satisfactory and sustained performance. CA-MMIS requires this documentation to be formally submitted to Health Care Services. However, Xerox failed to prepare and submit a CAP response to this issue by 2:00p.m.on March 5, 2015. CA-MMIS will follow up with a delinquency letter by March 13th, 2015. Currently, no sanctions are actively exercised against Xerox. CA-MMIS will reaffirm the need for a formal extension of time when Xerox cannot meet Health Care Services’ deadlines. From an accountability perspective, if Xerox was egregiously non-responsive, the Department could in its discretion withhold the General Adjudicated Claim Line invoice as a consequence for non-compliance of the Corrective Action Plan. CA-MMIS is confident that these two CAPs address the 2013-14 audit findings as well as other deficiencies. However, each CAP scope is highly complex and addresses both mainframe and other CA-MMIS enterprise systems, 90+ subsystems in all. While it is possible to prioritize correction of the 2013-14 audit findings early in the resolution plan, the scale and effort to address the entire CAP is considerably large. For this reason, CA-MMIS chooses to initiate a separate third CAP request to specifically address the current findings. With a minimized scope, the third CAP achieves a more timely resolution of these specific findings: • Enforcement of the mainframe account policy to deactivate user IDs that have been idle for 29 days. • Complete documentation of the 84 User ID (UID) strings not currently defined on Xerox’s role based security sheet. • Develop process and procedures to regularly compare current employee listings, from all CA-MMIS business partners, to the mainframe account user database. • Update change control documentation to include checklist approval criteria associated with test script review and validation. CA-MMIS plans to immediately initiate this third CAP request to Xerox and will issue the CAP no later than March 13, 2015. 70
Medicaid Cluster State automated welfare systems (SAWS) were implemented to manage various county welfare processes, including Medicaid, Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). In California, the state does not maintain the computer systems supporting the eligibility determination process, but the state does pay benefits on behalf of participants for Medicaid. All 58 counties aligned themselves into one of three consortia. Each county consortium is responsible for the design, development, implementation, maintenance, and operation of its SAWS. As a result of setting up these consortia, counties are thereby responsible for monitoring these systems to ensure they meet the federal requirements necessary to ensure compliance, including federal compliance related to eligibility determination and redetermination. Health Care Services communicates to counties information required by federal regulations through the State Plan, alert letters, and other agreements. However, as identified during our fiscal year 2011–12 audit, Health Care Services did not evaluate that the use of county-owned systems for eligibility determination rather than a state-owned system created the need for additional communication to counties as to how federal compliance requirements related to eligibility were to be addressed in county OMB Circular A-133 audits. Health Care Services also did not report subrecipient expenditures for fee-for-service amounts and managed care premiums to counties. In other words, the OMB A-133 Compliance Supplement guidance on split eligibility does not apply in California. Instead, the county auditor is responsible for meeting internal control and compliance objectives for eligibility. During fiscal year 2012–13, Health Care Services began to evaluate how to communicate to counties and auditors their responsibilities under OMB Circular A-133; however, no changes were made. As part of its evaluation, Health Care Services began to consider implication of the federal Patient Protection and Affordable Care Act (PPACA), which expanded Medicaid coverage and simplified eligibility requirements to be based on financial and nonfinancial criteria including income and citizenship/immigration status for a majority of beneficiaries. Health Care Services partnered with the California Health Benefit Exchange (Covered California) to implement the state’s health benefit exchange or marketplace, as required by the PPACA. Covered California is a related organization to the State of California and not considered a department or component unit. Through Covered California, the California Healthcare Eligibility, Enrollment and Retention System (CalHEERS) was deployed on October 1, 2013 to meet the requirements of the PPACA. CalHEERS was designed to determine eligibility based on modified adjusted gross income (MAGI) and citizenship, immigration status, incarceration status and other healthcare coverage among others. The county is also responsible for determining eligibility in certain circumstances, including those not determined based on modified adjusted gross income. In addition, counties continue to be responsible for redeterminations and case management for all beneficiaries. During fiscal year 2013–14, Health Care Services reassessed the need to ensure relevant eligibility control and compliance objectives were subject to audit at the county. Health Care Services estimates there are approximately 1 million Medi-Cal beneficiaries whose determinations were made by the counties using the SAWS. Health Care Services also concluded that given anticipated changes in federally mandated Medi-Cal eligibility quality control reviews to include non-MAGI determinations, ensuring eligibility was audited at the county was not necessary. Given that non-MAGI beneficiaries make up approximately 9 percent of the 10.9 million Medi-Cal beneficiaries and counties perform all parts of non-MAGI eligibility determinations, the county auditor is responsible for meeting internal control and compliance objectives for non-MAGI eligibility. N/A
Health Care Services agrees that the SAWS are owned, operated and maintained by the respective 58 counties throughout the state. However, Health Care Services contends that existing federally mandated Medi-Cal eligibility quality control reviews performed by Health Care Services, along with additional reviews that Health Care Services is planning to implement in fiscal year 2015-16, is more than sufficient to meet county internal control and compliance objectives for eligibility. The fact that Health Care Services is performing the reviews instead of county auditors should not preclude the objectives from being met. Health Care Services is currently working closely with the CMS to obtain approval to implement a series of four new Medicaid eligibility quality control pilots over the next three years that are designed to replace pre-ACA quality control requirements (Medi-Cal Eligibility Quality Control and Payment Error Rate Measurement programs). The new pilot programs will consist of Health Care Services staff re-performing eligibility determinations from a random sample that will identify potential errors made by SAWS and/or county eligibility workers, including non-MAGI determinations starting in Round 3 (10/1/14 – 3/31/15) of the quality control pilots. In addition, pursuant to Senate Bill 28 (Hernandez, Chapter 4, Statutes of 2013), Health Care Services is required to implement a new budgeting methodology for county administrative costs that Health Care Services plans to implement no sooner than FY 2015/16. The new budgeting methodology is intended to address the changes in eligibility determination rules and processes resulting from implementation of ACA. A core element of the new budgeting methodology is to utilize a private contractor, to perform county reviews, including, time studies to assess how long it takes county eligibility workers to perform various tasks under new ACA rules. The data obtained by the contractor will be used as part of the new budgeting methodology. Health Care Services suggests the auditor of the State continue to audit Medi- Cal eligibility performed by the SAWS/counties for fiscal year 2014-15 and close out this audit finding based on implementation of the Health Care Services review processes described above. 64
Medical Assistance Program State automated welfare systems (SAWS) were implemented to manage various county welfare processes, including Medicaid, Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). In California, the state does not maintain the computer systems supporting the eligibility determination process, but the state does pay benefits on behalf of participants for Medicaid. All 58 counties aligned themselves into one of three consortia. Each county consortium is responsible for the design, development, implementation, maintenance, and operation of its SAWS. As a result of setting up these consortia, counties are thereby responsible for monitoring these systems to ensure they meet the federal requirements necessary to ensure compliance, including federal compliance related to eligibility determination and redetermination. Health Care Services communicates to counties information required by federal regulations through the State Plan, alert letters, and other agreements. However, as identified during our fiscal year 2011–12 audit, Health Care Services did not evaluate that the use of county-owned systems for eligibility determination rather than a state-owned system created the need for additional communication to counties as to how federal compliance requirements related to eligibility were to be addressed in county OMB Circular A-133 audits. Health Care Services also did not report subrecipient expenditures for fee-for-service amounts and managed care premiums to counties. In other words, the OMB A-133 Compliance Supplement guidance on split eligibility does not apply in California. Instead, the county auditor is responsible for meeting internal control and compliance objectives for eligibility. During fiscal year 2012–13, Health Care Services began to evaluate how to communicate to counties and auditors their responsibilities under OMB Circular A-133; however, no changes were made. As part of its evaluation, Health Care Services began to consider implication of the federal Patient Protection and Affordable Care Act (PPACA), which expanded Medicaid coverage and simplified eligibility requirements to be based on financial and nonfinancial criteria including income and citizenship/immigration status for a majority of beneficiaries. Health Care Services partnered with the California Health Benefit Exchange (Covered California) to implement the state’s health benefit exchange or marketplace, as required by the PPACA. Covered California is a related organization to the State of California and not considered a department or component unit. Through Covered California, the California Healthcare Eligibility, Enrollment and Retention System (CalHEERS) was deployed on October 1, 2013 to meet the requirements of the PPACA. CalHEERS was designed to determine eligibility based on modified adjusted gross income (MAGI) and citizenship, immigration status, incarceration status and other healthcare coverage among others. The county is also responsible for determining eligibility in certain circumstances, including those not determined based on modified adjusted gross income. In addition, counties continue to be responsible for redeterminations and case management for all beneficiaries. During fiscal year 2013–14, Health Care Services reassessed the need to ensure relevant eligibility control and compliance objectives were subject to audit at the county. Health Care Services estimates there are approximately 1 million Medi-Cal beneficiaries whose determinations were made by the counties using the SAWS. Health Care Services also concluded that given anticipated changes in federally mandated Medi-Cal eligibility quality control reviews to include non-MAGI determinations, ensuring eligibility was audited at the county was not necessary. Given that non-MAGI beneficiaries make up approximately 9 percent of the 10.9 million Medi-Cal beneficiaries and counties perform all parts of non-MAGI eligibility determinations, the county auditor is responsible for meeting internal control and compliance objectives for non-MAGI eligibility. N/A
Health Care Services agrees that the SAWS are owned, operated and maintained by the respective 58 counties throughout the state. However, Health Care Services contends that existing federally mandated Medi-Cal eligibility quality control reviews performed by Health Care Services, along with additional reviews that Health Care Services is planning to implement in fiscal year 2015-16, is more than sufficient to meet county internal control and compliance objectives for eligibility. The fact that Health Care Services is performing the reviews instead of county auditors should not preclude the objectives from being met. Health Care Services is currently working closely with the CMS to obtain approval to implement a series of four new Medicaid eligibility quality control pilots over the next three years that are designed to replace pre-ACA quality control requirements (Medi-Cal Eligibility Quality Control and Payment Error Rate Measurement programs). The new pilot programs will consist of Health Care Services staff re-performing eligibility determinations from a random sample that will identify potential errors made by SAWS and/or county eligibility workers, including non-MAGI determinations starting in Round 3 (10/1/14 – 3/31/15) of the quality control pilots. In addition, pursuant to Senate Bill 28 (Hernandez, Chapter 4, Statutes of 2013), Health Care Services is required to implement a new budgeting methodology for county administrative costs that Health Care Services plans to implement no sooner than FY 2015/16. The new budgeting methodology is intended to address the changes in eligibility determination rules and processes resulting from implementation of ACA. A core element of the new budgeting methodology is to utilize a private contractor, to perform county reviews, including, time studies to assess how long it takes county eligibility workers to perform various tasks under new ACA rules. The data obtained by the contractor will be used as part of the new budgeting methodology. Health Care Services suggests the auditor of the State continue to audit Medi- Cal eligibility performed by the SAWS/counties for fiscal year 2014-15 and close out this audit finding based on implementation of the Health Care Services review processes described above. 64
SCHIP (State Children's Insurance Program) State automated welfare systems (SAWS) were implemented to manage various county welfare processes, including Medicaid, Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). In California, the state does not maintain the computer systems supporting the eligibility determination process, but the state does pay benefits on behalf of participants for Medicaid. All 58 counties aligned themselves into one of three consortia. Each county consortium is responsible for the design, development, implementation, maintenance, and operation of its SAWS. As a result of setting up these consortia, counties are thereby responsible for monitoring these systems to ensure they meet the federal requirements necessary to ensure compliance, including federal compliance related to eligibility determination and redetermination. Health Care Services communicates to counties information required by federal regulations through the State Plan, alert letters, and other agreements. However, as identified during our fiscal year 2011–12 audit, Health Care Services did not evaluate that the use of county-owned systems for eligibility determination rather than a state-owned system created the need for additional communication to counties as to how federal compliance requirements related to eligibility were to be addressed in county OMB Circular A-133 audits. Health Care Services also did not report subrecipient expenditures for fee-for-service amounts and managed care premiums to counties. In other words, the OMB A-133 Compliance Supplement guidance on split eligibility does not apply in California. Instead, the county auditor is responsible for meeting internal control and compliance objectives for eligibility. During fiscal year 2012–13, Health Care Services began to evaluate how to communicate to counties and auditors their responsibilities under OMB Circular A-133; however, no changes were made. As part of its evaluation, Health Care Services began to consider implication of the federal Patient Protection and Affordable Care Act (PPACA), which expanded Medicaid coverage and simplified eligibility requirements to be based on financial and nonfinancial criteria including income and citizenship/immigration status for a majority of beneficiaries. Health Care Services partnered with the California Health Benefit Exchange (Covered California) to implement the state’s health benefit exchange or marketplace, as required by the PPACA. Covered California is a related organization to the State of California and not considered a department or component unit. Through Covered California, the California Healthcare Eligibility, Enrollment and Retention System (CalHEERS) was deployed on October 1, 2013 to meet the requirements of the PPACA. CalHEERS was designed to determine eligibility based on modified adjusted gross income (MAGI) and citizenship, immigration status, incarceration status and other healthcare coverage among others. The county is also responsible for determining eligibility in certain circumstances, including those not determined based on modified adjusted gross income. In addition, counties continue to be responsible for redeterminations and case management for all beneficiaries. During fiscal year 2013–14, Health Care Services reassessed the need to ensure relevant eligibility control and compliance objectives were subject to audit at the county. Health Care Services estimates there are approximately 1 million Medi-Cal beneficiaries whose determinations were made by the counties using the SAWS. Health Care Services also concluded that given anticipated changes in federally mandated Medi-Cal eligibility quality control reviews to include non-MAGI determinations, ensuring eligibility was audited at the county was not necessary. Given that non-MAGI beneficiaries make up approximately 9 percent of the 10.9 million Medi-Cal beneficiaries and counties perform all parts of non-MAGI eligibility determinations, the county auditor is responsible for meeting internal control and compliance objectives for non-MAGI eligibility. N/A
Health Care Services agrees that the SAWS are owned, operated and maintained by the respective 58 counties throughout the state. However, Health Care Services contends that existing federally mandated Medi-Cal eligibility quality control reviews performed by Health Care Services, along with additional reviews that Health Care Services is planning to implement in fiscal year 2015-16, is more than sufficient to meet county internal control and compliance objectives for eligibility. The fact that Health Care Services is performing the reviews instead of county auditors should not preclude the objectives from being met. Health Care Services is currently working closely with the CMS to obtain approval to implement a series of four new Medicaid eligibility quality control pilots over the next three years that are designed to replace pre-ACA quality control requirements (Medi-Cal Eligibility Quality Control and Payment Error Rate Measurement programs). The new pilot programs will consist of Health Care Services staff re-performing eligibility determinations from a random sample that will identify potential errors made by SAWS and/or county eligibility workers, including non-MAGI determinations starting in Round 3 (10/1/14 – 3/31/15) of the quality control pilots. In addition, pursuant to Senate Bill 28 (Hernandez, Chapter 4, Statutes of 2013), Health Care Services is required to implement a new budgeting methodology for county administrative costs that Health Care Services plans to implement no sooner than FY 2015/16. The new budgeting methodology is intended to address the changes in eligibility determination rules and processes resulting from implementation of ACA. A core element of the new budgeting methodology is to utilize a private contractor, to perform county reviews, including, time studies to assess how long it takes county eligibility workers to perform various tasks under new ACA rules. The data obtained by the contractor will be used as part of the new budgeting methodology. Health Care Services suggests the auditor of the State continue to audit Medi- Cal eligibility performed by the SAWS/counties for fiscal year 2014-15 and close out this audit finding based on implementation of the Health Care Services review processes described above. 64
State Survey and Certification of Health Care Providers and Suppliers State automated welfare systems (SAWS) were implemented to manage various county welfare processes, including Medicaid, Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). In California, the state does not maintain the computer systems supporting the eligibility determination process, but the state does pay benefits on behalf of participants for Medicaid. All 58 counties aligned themselves into one of three consortia. Each county consortium is responsible for the design, development, implementation, maintenance, and operation of its SAWS. As a result of setting up these consortia, counties are thereby responsible for monitoring these systems to ensure they meet the federal requirements necessary to ensure compliance, including federal compliance related to eligibility determination and redetermination. Health Care Services communicates to counties information required by federal regulations through the State Plan, alert letters, and other agreements. However, as identified during our fiscal year 2011–12 audit, Health Care Services did not evaluate that the use of county-owned systems for eligibility determination rather than a state-owned system created the need for additional communication to counties as to how federal compliance requirements related to eligibility were to be addressed in county OMB Circular A-133 audits. Health Care Services also did not report subrecipient expenditures for fee-for-service amounts and managed care premiums to counties. In other words, the OMB A-133 Compliance Supplement guidance on split eligibility does not apply in California. Instead, the county auditor is responsible for meeting internal control and compliance objectives for eligibility. During fiscal year 2012–13, Health Care Services began to evaluate how to communicate to counties and auditors their responsibilities under OMB Circular A-133; however, no changes were made. As part of its evaluation, Health Care Services began to consider implication of the federal Patient Protection and Affordable Care Act (PPACA), which expanded Medicaid coverage and simplified eligibility requirements to be based on financial and nonfinancial criteria including income and citizenship/immigration status for a majority of beneficiaries. Health Care Services partnered with the California Health Benefit Exchange (Covered California) to implement the state’s health benefit exchange or marketplace, as required by the PPACA. Covered California is a related organization to the State of California and not considered a department or component unit. Through Covered California, the California Healthcare Eligibility, Enrollment and Retention System (CalHEERS) was deployed on October 1, 2013 to meet the requirements of the PPACA. CalHEERS was designed to determine eligibility based on modified adjusted gross income (MAGI) and citizenship, immigration status, incarceration status and other healthcare coverage among others. The county is also responsible for determining eligibility in certain circumstances, including those not determined based on modified adjusted gross income. In addition, counties continue to be responsible for redeterminations and case management for all beneficiaries. During fiscal year 2013–14, Health Care Services reassessed the need to ensure relevant eligibility control and compliance objectives were subject to audit at the county. Health Care Services estimates there are approximately 1 million Medi-Cal beneficiaries whose determinations were made by the counties using the SAWS. Health Care Services also concluded that given anticipated changes in federally mandated Medi-Cal eligibility quality control reviews to include non-MAGI determinations, ensuring eligibility was audited at the county was not necessary. Given that non-MAGI beneficiaries make up approximately 9 percent of the 10.9 million Medi-Cal beneficiaries and counties perform all parts of non-MAGI eligibility determinations, the county auditor is responsible for meeting internal control and compliance objectives for non-MAGI eligibility. N/A
Health Care Services agrees that the SAWS are owned, operated and maintained by the respective 58 counties throughout the state. However, Health Care Services contends that existing federally mandated Medi-Cal eligibility quality control reviews performed by Health Care Services, along with additional reviews that Health Care Services is planning to implement in fiscal year 2015-16, is more than sufficient to meet county internal control and compliance objectives for eligibility. The fact that Health Care Services is performing the reviews instead of county auditors should not preclude the objectives from being met. Health Care Services is currently working closely with the CMS to obtain approval to implement a series of four new Medicaid eligibility quality control pilots over the next three years that are designed to replace pre-ACA quality control requirements (Medi-Cal Eligibility Quality Control and Payment Error Rate Measurement programs). The new pilot programs will consist of Health Care Services staff re-performing eligibility determinations from a random sample that will identify potential errors made by SAWS and/or county eligibility workers, including non-MAGI determinations starting in Round 3 (10/1/14 – 3/31/15) of the quality control pilots. In addition, pursuant to Senate Bill 28 (Hernandez, Chapter 4, Statutes of 2013), Health Care Services is required to implement a new budgeting methodology for county administrative costs that Health Care Services plans to implement no sooner than FY 2015/16. The new budgeting methodology is intended to address the changes in eligibility determination rules and processes resulting from implementation of ACA. A core element of the new budgeting methodology is to utilize a private contractor, to perform county reviews, including, time studies to assess how long it takes county eligibility workers to perform various tasks under new ACA rules. The data obtained by the contractor will be used as part of the new budgeting methodology. Health Care Services suggests the auditor of the State continue to audit Medi- Cal eligibility performed by the SAWS/counties for fiscal year 2014-15 and close out this audit finding based on implementation of the Health Care Services review processes described above. 64
© 2013, California State Auditor | Privacy Policy | Conditions of Use | Download Adobe PDF Reader