Semiannual Report Office of the Inspector General TO CONGRESS April 1, 2002 — September 30, 2002 United States Office of Personnel Management For additional information or copies of this publication, please contact: Telephone: (202) 606-1200 Fax: (202) 606-2153 Web site: www.opm.gov/oig Office of the Inspector General U.S. Office of Personnel Management 1900 E Street, NW. Room 6400 Washington, DC 20415-1100 UNITED STATES OFFICE OF PERSONNEL MANAGEMENT WASHINGTON, D.C. 20415-0001 OFFICE OF THE INSPECTOR GENERAL October 31, 2002 Honorable Kay Coles James Director U.S. Office of Personnel Management Washington, D.C. 20415 Dear Mrs. James: I respectfully submit the Office of the Inspector General’s Semiannual Report to Congress for the period April 1, 2002 to September 30, 2002. This report describes our office’s activities during the past six-month reporting period. Should you have any questions about the report or any other matter of concern, please do not hesitate to call upon me for assistance. Sincerely, Patrick E. McFarland Inspector General OIG Semiannual Report April 1, 2002 to September 30, 2002 OIG Semiannual Report Foreword This is the 27th semiannual report that our office has issued under the reporting provisions of the Inspector General Act. The accomplishments it describes reflect the continuing success of our efforts to combat fraud, waste and abuse, and to ensure the integrity of our agency's programs. On April 12, 2002, the Office of Personnel Management (OPM) and the Department of Justice (DOJ) settled the largest false claims case in the history of the Federal Employees Health Benefits Program (FEHBP) against PacifiCare Health Systems, Inc. A detailed article appears in the Audit Activities section of this report describing how our OIG audit and investigative staffs. Diligence and hard work contributed to the successful outcome of this case. The FEHBP will receive approximately $63.9 million from the settlement proceeds. Our audits of OPM programs outside the health insurance area emphasize issues related to major legislation affecting federal performance management. For example, this report contains an article on an audit conducted by our information systems audit unit that addresses OPM's compliance with the most recent government-wide information security requirements issued by Congress and the U.S. Office of Management and Budget. Another significant audit initiative relates to the Government Performance and Results Act of 1993, which promotes improved planning and reporting of agency program results government-wide. We are conducting a compliance audit of OPM's strategic planning process for fiscal years 2002-2007, and expect to report on it in a future semiannual report. Our investigations activities continue to focus on matters involving the payment or receipt of OPM funds, which carry a significant potential for fraud or related violations. This report contains several articles describing egregious cases of fraud by health care providers, employees of FEHBP health insurance carriers, and family members of deceased Civil Service Retirement System annuitants. Our investigative work secured guilty pleas, criminal sentences and orders for full restitution in these cases. Finally, we began during this reporting period to systematically consider administrative sanctions action against health care providers who pose a risk to the integrity of the FEHBP or to the safety of persons who obtain their health coverage through the FEHBP. In one instance, a former employee of an FEHBP carrier was debarred from participating in the FEHBP for a period of 20 years, one of the longest debarments ever issued under the government-wide regulatory authority that was used. April 1, 2002 to September 30, 2002 OIG Semiannual Report Productivity Indicators Financial Impact: Audit Recommendations for Recovery of Funds is $118,483,757* Recoveries Through Investigative Actions is $823,124 Management Commitments to Recover Funds $66,998,279 *Note: Of this amount, $63.9 million was the result of joint activities of our Office of Audits and Office of Investigations *Note: OPM management commitments for recovery of funds during this reporting period reflect amounts covering current and past reporting period audit recommendations. Accomplishments: Audit Reports Issued total 48 Investigative Cases Closed total 20 Indictments total 3 Convictions total 5 Hotline Contacts and Complaint Activity total 291 Health Care Provider Debarments and Suspensions total 1,716 Statutory and Regulatory Review As is required under section 4 (a)(2) of the Inspector General Act of 1978, as amended, (IG Act) our office monitors and reviews legislative and regulatory proposals for their impact on the Office of the Inspector General (OIG) and the Office of Personnel Management (OPM) programs and operations. Specifically, we perform this activity to evaluate the potential of such proposals for encouraging economy and efficiency and preventing fraud, waste and mismanagement. We also monitor legal issues that have a broad effect on the Inspector General community and present testimony and other communications to Congress as appropriate. Oversight of legislative issues affecting Our office and the Inspector General (IG) community remained a high priority during this reporting period. Of particular interest has been S. 2530, a bill amending the Inspector General Act of 1978 to establish permanent law enforcement authority for Inspectors General and provide an oversight mechanism for the exercise of this authority. We have also been following the progress of the House and Senate versions of homeland security legislation. After the reporting period closed, S. 2530, introduced by Senator Leiberman, was approved by the Senate on October 17, and referred to the House Government Reform and Judiciary committees on October 21, where it is awaiting consideration. This bill would provide law enforcement authorities to 23 designated agencies, including ours, to carry firearms and execute arrest and search warrants. S2530 also provides for all other Offices of Inspector General to seek such law enforcement powers. The bill states that the Attorney General of the United States will determine the eligibility of these other OIGs according to prescribed criteria referenced in the legislation. Due to the uncertainty of this legislation coming before either the House of Representatives or the Senate prior to adjournment, Senator Lieberman has OIG Semiannual Report proposed an amendment providing for this permanent OIG law enforcement authority to H.R. 5005, the Homeland Security Department legislation approved by the House of Representatives this past summer and now before the Senate. The Senate recessed for the general elections before voting on any amendments to H.R. 5005. Regarding our regulatory review activities, the following articles describe the progress we have made in developing two sets of regulations to implement the administrative sanctions authorities of Public Law 105-266, the Federal Employees Health Care Protection Act of 1998. We have also included summaries of recent Federal Employees Health Benefits Program (FEHBP) health provider sanctions actions taken by the OIG debarring official in response to cases referred to him by our office's investigators. Our OIG issues these administrative sanctions under a 1991 delegation of authority from the OPM Director. Administrative Sanctions Activities During the reporting period, final regulations implementing the suspension and debarment provisions of P.L. 105-266 continued through OPM's regulatory IG Law Enforcement Authority Under Senate Consideration STATUTORY and REGULATORY REVIEW October clearance process prior to submission to the Office of Management and Budget (OMB) and subsequent publication in the Federal Register. The latter action constitutes the final step in making these regulations official. Specifically, these regulations will authorize the debarment or suspension of health care providers who commit any of 18 categories of violations identified by the statute. In addition, our office has completed its work on another set of proposed regulations relating to P.L. 105-266 to implement the financial sanctions authorities contained in that law. These regulations will permit OPM to impose civil monetary penalties and financial assessments on providers who engage in fraudulent, improper or misleading claims practices against the FEHBP. We anticipate that the civil monetary penalty regulations, once they complete the OPM and OMB regulatory clearance process, will be published in the Federal Register as a proposed rule for public review and comment and finalized in due course. Implementing the statutory suspension and debarment authorities addressed in the first set of regulations in advance of the financial sanctions regulations will not impair our future ability to impose financial sanctions in any current or prior case where the latter regulations may be appropriate. Suspensions and Debarments Under the Government-Wide Common Rule While we have been developing the regulations to implement our statutory sanctions authorities, we have been using a separate regulatory authority, the government-wide Nonprocurement Suspension and Debarment Common Rule (common rule), to exclude health care providers that have previously been debarred from other federal programs. A significant distinction exists between a debarment and suspension action. A debarment excludes a provider from participating in the Federal Employees Health Benefits Program for a specific period of time. It can be imposed only after appropriate prior notice, including the right to an administrative appeal by the provider. A suspension has the effect of a debarment, but it takes effect immediately after issuance by the debarring official and occurs without prior notice or appeal. A suspension is an interim remedy appropriate only in cases where there is reliable information suggesting that a provider poses a tangible risk to the FEHBP or its enrollees. In this reporting period, using the common-rule sanctions authority, our office debarred 1,710 health care providers and suspended six providers and entities owned, operated or otherwise affiliated with debarred or suspended persons. We should note that, generally, the common rule is not as suitable an enforcement tool against improper conduct by health care providers as are the authorities contained in P.L. 105-266. The reason is that the common rule was designed as a generalized exclusion authority that could be applied to virtually any federal grant, loan, scholarship or insurance program. It not only does not specifically address enrollee health and safety issues associated with health care fraud, it does not contain financial sanctions authority. As used by most agencies, debarment periods under the common rule have typically been much shorter than those provided for by the P.L 105-266 sanctions authorities. But, as these debarments might be applied to cases of health care fraud and other abuses, these shorter debarment time frames may result in insufficient protection against providers who commit particularly serious violations. Despite these shortcomings, we have found that the common rule can be used appropriately in selected cases to exclude providers whose misconduct demonstrates that they are not responsible to participate in the FEHBP. Three such cases in which we issued administrative sanctions during the reporting period are described below. BCBS Plan Case Manager Submits False Claims A registered nurse employed as a case manager in northern Virginia by CareFirst BlueCross BlueShield (CareFirst) used her position to approve over $80,000 in false claims submitted by a fictitious company she created as part of a fraudulent scheme. During an interview conducted jointly by our office and carrier investigative personnel, the now former plan employee confessed and agreed to plead guilty to felony charges. After her guilty plea was entered, OIG investigators referred this case internally to the OIG debarring official for consideration of possible administrative sanctions. Our OIG administrative sanctions staff noted that, over the 10-year period preceding her employment by CareFirst, this person had pleaded guilty to three felony offenses involving controlled substances. Also, during that period, Virginia authorities had twice revoked her professional nursing license. In order to obtain employment with CareFirst, she had knowingly and wrongfully concealed these violations. Because of the exceptionally aggravated and repeated nature of her offenses, the debarring official determined that this nurse should be excluded from further participation in the FEHBP for an extended period of time. Accordingly, we imposed a 20-year term of debarment, effective in September 2002. To our knowledge, this represents one of the longest debarment periods ever proposed under the common rule. More detail concerning our investigation of this case and its legal consequences appear in the Investigative Activities section of this report. PPO Physician Involved in Billing Scheme In June 2002, a southern California doctor pleaded guilty to felony charges arising from a prolonged and elaborate scheme to evade federal income tax. In his plea agreement, the doctor stated that, over a period of several years, he had submitted false and improper claims to TRICARE, the health insurance program for military personnel, retirees and their families. OIG investigators determined that the doctor had used the same wrongful claims practices with regard to the FEHBP, and that a substantial volume of claims had been paid by FEHBP carriers. As a result of these findings, the investigators referred the case internally to the OIG debarring official for consideration of appropriate administrative sanctions action to protect the integrity of the FEHBP. Doctor Suspended from FEHBP for Submitting False Claims Our administrative sanctions staff determined that the doctor was a member of the various preferred provider networks of several FEHBP carriers. Because of the seriousness of the doctor's misconduct and the FEHBP's exposure to possible future claims, our office suspended him in September 2002, pending entry of judgment against him and his sentencing on criminal charges relating to the tax fraud. The suspension included not only the provider himself, but also two alternate identities he had used as part of his tax evasion scheme, along with the two clinics he owned and operated. Owner of Medical Equipment Supply Firm Defrauds FEHBP In our semiannual report issued last spring, we described the investigation of the owner of a Midland, Texas durable medical equipment supply firm. This person agreed to plead guilty to felony charges involving fraudulent claims submitted to federal health insurance programs, including Medicare and the FEHBP, and to make restitution of $2.6 million to the U.S. government. After the plea agreement was reached, OIG investigators referred this case internally to the debarring official within our office for possible administrative sanctions action. OIG's administrative sanctions staff identified serious aggravating factors in the case, including: - Existence of tangible financial loss to the FEHBP. - Owner's attempts to conceal improprieties by twice directing employees to alter claims records. - Owner's interaction with other health care providers in the Midland area who also were engaged in schemes to defraud federal health care programs. Based on these factors, the OIG debarring official suspended both the individual and his wholly-owned company, which actually furnished and billed for the medical equipment. The suspension took effect in September 2002, and will continue pending entry of judgment and sentencing. Audit Activities Our audit universe contains approximately 300 audit sites, consisting of health insurance carriers, sponsors and underwriting organizations, as well as two life insurance carriers. The number of audit sites are subject to yearly fluctuations due to contracts not being renewed or because of plan mergers and acquisitions. Annual premium payments are in excess of $23.9 billion for this contract year. The health insurance plans that our office is responsible for auditing are divided into two categories: community-rated and experience-rated. Within the first category are comprehensive medical plans, commonly referred to as health maintenance organizations (HMOs). The second category consists of mostly feefor- service plans, with the most popular among these being the various Blue Cross and Blue Shield health plans. The critical difference between the categories stems from how premium rates are calculated. A community-rated carrier generally sets its subscription rates based on the average revenue needed to provide health benefits to each member of a group, whether that group is from the private or public sector. Rates established by an experience-rated plan reflect a given group's projected paid claims, administrative expenses and service charges for administering a specific group's contract. With respect to the FEHBP, each experience-rated carrier must maintain a separate account for its federal contract, adjusting future premiums to reflect the FEHBP group enrollees. During the current reporting period, we issued 42 final reports on organizations participating in the FEHBP, 26 of which contain recommendations for monetary adjustments in the aggregate amount of $118.5 million due the FEHBP. Our OIG issued 207 reports and questioned $500.7 million in inappropriate charges to the FEHBP during the previous six semiannual reporting periods. We believe it is important to note the dollar significance resulting from our audits of FEHBP carriers and the monetary implications for the FEHBP trust fund. These audit results are reflected in the graph on the following page. The sections that immediately follow provide additional details concerning the two categories of health plans described on this page, along with audit summaries of significant final reports we issued within each category during the past six months. Health and Life Insurance Carrier Audits The Office of Personnel Management (OPM) contracts with private-sector firms to underwrite and provide health and life insurance benefits to civilian federal employees, annuitants, and their dependents and survivors through the Federal Employees Health Benefits Program (FEHBP) and the Federal Employees. Group Life Insurance program (FEGLI). Our office is responsible for auditing these benefits program activities to ensure that these various insurance entities meet their contractual obligations with our agency. Community-Rated Plans Our community-rated HMO audit universe covers approximately 200 rating areas. Community-rated audits are designed to ensure that the plans charge the appropriate premium rates in accordance with their respective FEHBP contracts and applicable federal regulations. We perform two types of community-rated audits. The first type is our traditional audit, where we audit the plans prior year's rates to ensure that the FEHBP did receive a fair market premium rate. In contrast, the second type of audit we perform is called a rate reconciliation audit (RRA), and is discussed in more detail on the next three pages of this section. The rates health plans charge the FEHBP are derived predominantly from two rating methodologies. The key rating factors for the first methodology (community rating by class) are the age and sex distribution of a group's enrollees. In contrast, the second methodology (adjusted community rating) is based on the projected use of benefits by a group using actual claims experience from a prior period of time adjusted for increases in medical cost. However, once a rate is set, it may not be adjusted to actual costs incurred. The inability to adjust to actual costs, including administrative expenses, distinguishes community-rated plans from experience-rated plans. The latter category includes fee-for-service plans as well as experience-rated HMOs. The regulations governing the Federal Employees Health Benefits Program require each carrier to certify that the FEHBP is being offered rates equivalent to the rates given to the two groups closest in enrollment size to the FEHBP. It does this by submitting to OPM a certificate of accurate pricing. The rates charged are determined by the FEHBP-participating carrier, which is responsible for selecting the two appropriate groups. Should our auditors later determine that equivalent rates were not applied to the FEHBP, they will report a condition of defective pricing. The FEHBP is entitled to a downward rate adjustment to compensate for any overcharges resulting from this practice. 2002 AUDIT ACTIVITIES We issued 32 audit reports on communityrated plans during this reporting period, with recommendations for the return of over $113.4 million to the FEHBP. The majority of these monetary findings related to the 14 traditional audits we performed. Seven of the 18 RRA reports contained monetary findings, six of which indicated the plans owed the FEHBP. Those RRA findings totaled $4.9 million in the aggregate. In the seventh report, we noted that the plan actually undercharged the FEHBP $1.2 million, leading us to recommend to OPM's contracting officer that this amount be returned to the plan. We have provided on the following pages a summary of one traditional HMO audit, along with an article containing a more detailed discussion of RRAs, including their benefits to our agency and the HMO plans that participate in the FEHBP. A brief summary of our findings relating to one of these RRA reports issued during the reporting period is also included. Our final article on community-rated plans discusses in more depth the Department of Justice settlement with PacifiCare Health Systems, Inc., referenced in our semiannual report issued this past spring. The settlement was for $87.3 million, of which $63.9 million will directly benefit the FEHBP. Aetna U.S. Healthcare Georgia in Blue Bell, Pennsylvania Report No. 1C-2U-00-01-044 April 2, 2002 Aetna U.S. Healthcare - Georgia (Aetna) began participating in the FEHBP in 1983. The plan provides comprehensive medical services to its members living in the Atlanta, Athens, and Augusta areas of Georgia. The audit was conducted at Aetna U.S. Healthcare's offices in Blue Bell, Pennsylvania, and covered the plan's FEHBP activities during contract years 1996 through 2000. During this period, the FEHBP paid the plan over $123,867,206 in premiums. We found that the FEHBP was charged appropriately in contract years 1996, 1997, 1998 and 2000, but was overcharged $3,565,072 in 1999. In addition, the FEHBP is due $570,412 for lost investment income resulting from this overcharge, for a total of $4.1 million. The plan disagrees with our findings. Premium Rates The primary objectives of this audit were to determine if: - The plan offered the FEHBP market price rates. - The loadings to the FEHBP were reasonable and equitable. - The plan developed the premium rates in accordance with the laws and regulations governing the FEHBP. Pricing discounts. The audit showed that Aetna did not give the FEHBP the largest discount afforded to one of the groups closest in enrollment size to the FEHBP in 1999. Aetna selected the state of Georgia and Columbia/HCA as the two groups closest in enrollment size to the FEHBP. However, we disagreed with the selection of Columbia/ HCA and replaced it with Mercer Coalition, because it was closer in subscriber size to the FEHBP. The Mercer Coalition is a purchasing alliance of large and small companies that join together in order to buy health insurance at a lower rate due to the group's increased size. Inappropriate Charges to FEHBP Total Over $4.1 Million Improper Premium Rates Result in $3,565,072 Loss to FEHBP AUDIT ACTIVITIES October Our review of Mercer's rate development showed that it received a 10.92 percent discount. Neither the state of Georgia nor the FEHBP received a discount equal to that of the Mercer Coalition. Since the FEHBP is entitled to the largest discount granted to either of the groups closest to it in subscriber size, we redeveloped the FEHBP rates using the discount given to the Mercer group. By applying this discount to the FEHBP's rates, we determined that the FEHBP was overcharged $3,565,072. Lost Investment Income In accordance with the FEHBP contract with community-rated carriers and FEHBP regulations, the FEHBP is entitled to recover lost investment income on the defective pricing findings determined by our auditors for contract year 1999. We calculated an additional $570,412 was due the FEHBP for investment income it could have earned through December 31, 2001, had it not been for the overcharges. Additional lost investment income is due for the period beginning January 1, 2002, until all questioned costs have been returned to the FEHBP. HMO Rate Reconciliation Audits Each community-rated plan must submit by May 31 of each year the rates it proposes to charge beginning in January of the following year, seven months before the rates for the new contract year take effect. Because the rates have to be submitted so early, some of the data the plans used to develop their rates is based on estimated or preliminary information. Because of this, OPM subsequently allows plans to submit revised rates during the year that the contract is in effect through what is known as a rate reconciliation. Under no circumstances, however, does this process affect the rates charged subscribers during the year. These revised rates, however, may have an impact on the rates charged the following year. Our office performs rate reconciliation audits (RRAs) to ensure that any adjustments to the revised contract rates are not flawed. During this contract year, we were able to perform 18 RRAs. As an example of how this process works, this past May, community-rated plans submitted their proposed rates for the 2003 contract year to OPM. And, following negotiations between the plans and OPM, the new contract rates were approved. Subscribers will begin paying premiums in January 2003 based on these negotiated rates. Changes made to the 2002 rates as a result of the reconciliation process may have been factored into these new 2003 rates. As mentioned, this reconciliation process allows plans to adjust their original rate submissions based on more upto-date information developed by the plans months later. As a result, if OPM determined that the 2002 contract rates charged to subscribers were too high, it may have lowered the 2003 rates to compensate for the 2002 overcharge. It also could have had a particular plan repay the amount of the overcharge directly to the FEHBP. If, however, the reconciliations showed that the 2002 rates were too low, OPM is obligated to compensate those plans, usually, from FEHBP funds maintained in a contingency reserve fund. In every case, the course of action taken will depend on the circumstances relating to an individual plan. In addition to assisting the agency attain the best premium rates on behalf of all federal civilian employees, retirees and their families by having our auditors perform these RRA audits, significant benefits derive to OPM. RAs Assist OPM in FEHBP Premium Rate Negotiations participating community-rated carriers as follows: - Rating data is reviewed shortly after it is produced when both carrier records and staff who prepare the reconciliation are usually readily available to assist in the audit and the subsequent resolution of any audit issues that may arise. - Representatives from OPM's Office of Actuaries and plan officials receive almost immediate feedback relating to our audit results. - The audit resolution process begins immediately, thus benefiting both the plans and OPM through timely resolution of audit issues. - The RRAs reduce carrier uncertainty regarding any future liabilities that could result from a post-award audit, including any potential interest accruals. A complete listing of RRA reports we issued during the reporting period appears in Appendix III-B, pages 46-47. Our audit of Unicare Health Plan of the Midwest provides an example of an RRA audit containing significant findings. This community-rated plan is based in Chicago, Illinois. In conducting this audit, we determined that the plan had overstated the FEHBP's premium rates, because it included a state premium tax in the reconciled rates. Under FEHBP regulations, a state premium tax is not an appropriate charge to be factored into the rates. In addition to the state premium tax, a discount was given to one of the groups similar in enrollment size to the FEHBP. The discount was not passed on to the FEHBP in the reconciliation. The rating instructions issued by OPM's Office of Actuaries provide specific guidance to plans on providing the FEHBP the largest discount given to one of the two subscriber groups closest in size to the FEHBP. After eliminating the state premium tax and applying the discount to the FEHBP, we determined that the FEHBP's premium rates were overstated by approximately $886,755. PacifiCare Health Systems, Inc. Settlement As we referenced in our last semiannual report, OPM and the Department of Justice (DOJ) reached a global settlement with PacifiCare Health Systems, Inc., in a case concerning premium rates charged to the FEHBP between 1990 and 1997. During this period, PacifiCare overcharged the FEHBP through rates developed contrary to OPM regulations and rating instructions. The settlement, in the amount of $87.3 million, was announced on April 12, 2002. This was the largest false claims case in the history of the FEHBP. Of this amount, approximately $63.9 million will go to the FEHBP. These overcharges were originally identified through several audits our office conducted of health plans owned by PacifiCare and its predecessors, primarily FHP International Corporation. PacifiCare agreed to return this money to the federal government to settle the findings contained in our audit reports. The FEHBP and its subscribers will directly benefit from the settlement, because the funds will be used to keep future premiums PacifiCare charges the FEHBP lower than they would otherwise be due to inflation and other monetary adjustments allowed under its FEHBP contract. The nucleus of the case centered around five FHP audits conducted in 1997. At that time, the five plans listed below had recently been or were being acquired by PacifiCare. We performed the audits during this time frame for the following reasons: (1) the FHP staff that had developed the rates were more likely to still be available to our auditors; (2) we could reduce the likelihood of records being lost, which often occurs with such acquisitions; and (3) other audits of these plans had resulted in a Department of Justice investigation. Our auditors identified numerous and significant problems with the premium rates these plans charged the FEHBP. Because of our concern over the plans' rating practices, we forwarded the audit reports to DOJ for review. In late 1998, a former FHP employee filed a false claims complaint with the Department of Justice against PacifiCare under the qui tam provisions of the False Claims Act. In accordance with the qui tam provisions, a private party can file an action on behalf of the United States and receive a portion of the settlement if the government takes over the case and reaches a monetary agreement with the defendants. The case, which was subsequently accepted by DOJ, alleged that PacifiCare and FHP, in violation of federal regulations, had knowingly overcharged the FEHBP by not giving it discounts received by similarly sized commercial groups served by PacifiCare and FHP. Five other audits of PacifiCare and FHP health plans, conducted before and after the audits discussed above, were subsequently folded into the case. Starting in early 1999, our auditors. and investigators. involvement in this case intensified. In particular, they spent a considerable amount of time working with DOJ attorneys in analyzing and responding to PacifiCare's defense of the audit findings and allegations contained in the qui tam complaint. This process required a relentless focus on detail, involving analysis of highly complex information provided by PacifiCare and its attorneys over an extended period of time. As previously noted, the case concluded on April 12, 2002, when PacifiCare, the Department of Justice, and OPM reached agreement on the settlement of the audit findings and the qui tam complaint filed by the former FHP employee. Below is a summary of one of the FHP audit reports we referred to the Department of Justice. The report illustrates the nature of the allegations contained in the qui tam complaint and the egregious rating irregularities our auditors noted when performing this and the other audits that formed the basis of the PacifiCare case and which eventually led to this historic settlement. FHP of Utah in Fountain Valley, California Report No. KU-00-97-050 May 30, 2002 FHP of Utah began participation in the FEHBP in 1991 as a federally qualified, community-rated comprehensive medical plan. In 1997, FHP merged with PacifiCare Health Systems. The plan provides primary health care services to its members throughout Utah. The audit of the plan's FEHBP activities covered contract years 1992 through 1997. During this period, the plan received approximately $99 million in premium payments from the FEHBP. In conducting the audit, we identified net overcharges to the FEHBP amounting to $20,392,390, including $14,311,097 for inappropriate health benefit charges in 1992 through 1996; $1,222,564 due the plan for Medicare undercharges; and $7,303,857 for investment income lost by the FEHBP as a result of the overcharges. The plan charged the FEHBP appropriate rates in 1997. Premium Rates A primary objective of the audit was to determine if FHP of Utah met its contractual obligation by offering the FEHBP the same premium rate discounts it offered to two other subscriber groups comparable in size to the FEHBP. Another was to determine if specific health benefit premium charges that were not part of the plan's basic benefits package were fair and reasonable to the FEHBP. Defective pricing. From 1992 through 1996, the plan included federal annuitants over age 65 in its calculation of the FEHBP's age/sex adjustment factors used in establishing the rates. The plan maintained that, in determining the factors, it had considered the savings resulting from the coordination of Medicare benefits. Additionally, FHP of Utah's treatment of FEHBP members over age 65 was not consistent with how it treated its other subscriber groups, including those of similar size. For these other groups, the plan excluded annuitants over 65 in its rate development. To address this inequity, we redeveloped the FEHBP's age/sex factors for 1992 through 1996 by removing members over age 65. Using these redeveloped factors had the effect of significantly lowering the FEHBP's rates. However, as discussed later in this article, in conjunction with the age/sex adjustment, we also calculated a Medicare loading to ensure that the plan was appropriately compensated for any additional costs for its members over age 65. Along with the problem concerning the age/sex factor discussed in the previous paragraphs, we found that, from 1992 through 1996, the FEHBP did not receive a market price adjustment equivalent to the largest discount given to one of the two groups closest in enrollment size to the FEHBP, contrary to its contract. For example, in 1992, while the plan did not give the FEHBP a rate discount, we noted that it did give one of the similarly sized groups a discount amount of 19.15 percent. In 1993, the FEHBP did receive a 6.28 percent discount, but a similarly sized group received a 21.57 percent rate reduction. Overall, we determined that because of FHP of Utah's use of incorrect age/sex factors and its failure to give appropriate discounts, the FEHBP was overcharged a total of $14,311,097 from 1992 through 1996. HP-Utah Overcharges FEHBP $20.4 Million Medicare Loadings As mentioned earlier, in order to be fair to the plan, we developed a Medicare loading that we added to the plan's audited rates in conjunction with our removing the overage 65 members from the FEHBP's age/sex calculation. A loading is designed to cover additional costs a plan incurs for its members. Based on information provided by OPM's Office of Actuaries, we determined that the plan was due a total of $1,222,564 for contract years 1992 through 1996 from the FEHBP. Lost Investment Income In accordance with the FEHBP contract with community-rated carriers and FEHBP regulations, the FEHBP is entitled to recover lost investment income on the defective pricing findings in 1992 through 1996. We determined that the FEHBP was due $7,303,857 from the plan for lost investment income through December 31, 2001, on the overcharges we identified. Experience-Rated Plans The Federal Employees Health Benefits Program offers a variety of experience-rated plans, including fee-for-service plans, the latter constituting the majority of federal contracts in this category. Also included are employee organization plans that sponsor or operate health benefit plans. Certain comprehensive medical plans qualify as experience-rated HMOs rather than community-rated plans. For an overview of these rating categories and how they differ, refer to the beginning of the Audits Activities section. The universe of experience-rated plans currently consists of approximately 100 audit sites. When auditing these plans, our auditors generally focus on three key areas: - Appropriateness of contract charges and the recovery of applicable credits, including refunds on behalf of the FEBHP. - Effectiveness of carriers. claims processing, financial and cost accounting systems. - Adequacy of internal controls to ensure proper contract charges and benefit payments. During this reporting period, we issued nine audit reports on experience-rated plans. These audits consisted of six Blue Cross and Blue Shield plans, two employee organization plans, and one experience-rated comprehensive medical plan. In these reports, our auditors recommended that OPM's contracting officer require the plans to return $5.1 million, representing inappropriate charges and lost investment income to the FEHBP associated with these charges. Refer to Appendix III-A, pages 44-45, for a complete listing of the traditional experience-rated plan audit reports we issued this reporting period. A brief description of these three experience-rated plan types can be found on the following pages, along with an audit summary from each plan category illustrating typical findings associated with each. BlueCross Blue Shield Service Benefit Plan This plan is a fee-for-service plan administered by the BlueCross BlueShield Association (BCBS Association), which contracts with our agency on behalf of its numerous BCBS member plans. Participating Blue Cross and Blue Shield plans throughout the United States independently underwrite and process the health benefits claims of their respective federal subscribers under the BCBS Service Benefit Plan, and report their activities to the national BCBS operations center in the Washington, D.C. area. Approximately 51 percent of all FEHBP subscribers are enrolled in Blue Cross and Blue Shield plans nationwide. While the BCBS Association's headquarters are in Chicago, Illinois, its Federal Employee Program (FEP) Director's Office is in Washington, D.C., and provides centralized management for the Service Benefit Plan. The BCBS Association, through its Washington office, oversees a national FEP operations center, whose activities include: n Verifying subscriber eligibility. n Approving or disapproving reimbursement of local plan FEHBP claims payments (using computerized system edits). n Maintaining an FEHBP claims history file and an accounting of all FEHBP funds. As previously referenced, we issued six Blue Cross and Blue Shield experience-rated reports during this reporting period. In these reports, our auditors cited $3,431,246 in questionable contract costs charged to the FEHBP and an additional $68,403 in lost investment income on these questioned costs, for an aggregate total of $3,352,843 owed to the FEHBP. Lost investment income represents those monies the FEHBP would have earned on the questioned costs. The BCBS Association agreed with substantially all the questioned costs in these reports. The following audit narrative describes the major findings from one of these BCBS reports and the questioned costs associated with those findings. BlueCross BlueShield of Georgia in Atlanta, Georgia Report No. 1A-10-05-01-050 April 2, 2002 Our audit of the FEHBP operations at BlueCross BlueShield of Georgia (BCBS of Georgia) took place at the plan's offices in Atlanta, Georgia. The purpose of this audit was to determine whether the plan charged costs to the FEHBP and provided services to FEHBP members in accordance with the terms of the FEHBP contract. Our auditors reviewed health benefit payments made by the plan from contract years 1998 through 2000, along with miscellaneous payments and credits, administrative expenses and cash management activities covering these same contract years. As a result of this audit, our auditors determined that inappropriate charges to the FEHBP totaled: n $2,129,309 in health benefit charges. n $152,686 in administrative expense charges. We also determined that BCBS of Georgia had handled FEHBP funds in accordance with the FEHBP contract and applicable laws and regulations. The BCBS Association agreed with the questioned costs with few exceptions. Lost investment income on the questioned costs totaled $56,950. As discussed elsewhere in this report, lost investment income represents those monies the FEHBP would have earned on the questioned costs. Final calculations by our auditors regarding amounts owed 14 OIG Semiannual Report ................................................................................................................................................................................................................................................................................................................................... AUDIT ACTIVITIES October to the FEHBP totaled $2,338,945. Below is a brief discussion of how our auditors arrived at these totals. Health Benefits From 1998 through 2000, BCBS of Georgia paid $702 million in actual FEHBP claim payments. In conducting our audit, we selected claims to examine at random and in specific health benefit categories. Principally, these claim selections concerned coordination of benefits (COB) with Medicare and potential duplicate payments. We also reviewed specific financial and accounting areas, such as refunds, uncashed checks and other miscellaneous credits relating to FEHBP claim payments. Some of our significant findings included: Coordination of benefits. For the period 1998-2000, our auditors identified 145 hospital claim payments, totaling $1,188,604, and 4,323 physician claim payments, totaling $642,604, wherein the FEHBP paid as primary insurer when Medicare Part A or B was actually the primary insurer. Refer to the box in the next column summarizing Medicare A and B coverage. This inappropriate COB charge, a common but costly administrative error, occurs when a plan fails to coordinate benefits properly with Medicare as primary insurer. As a result, we estimated that the plan overcharged the FEHBP $1,634,003 for these hospital and physician coordination of benefits payment errors. As we referenced earlier, to assist its BCBS member plans with this and other claim reviews, the BlueCross and BlueShield Association maintains a national claims system at its Federal Employee Program (FEP) operations center in the Washington, D.C. area. For 3,695 of the 4,468 claims in question, we noted that there was no information in the FEP national claims system to make the plan aware that Medicare benefits coordination was necessary at the time these claims were paid. However, when this Medicare information was later added to the FEP national claims system, BCBS of Georgia did not review and/or adjust the patients. prior claims back to the Medicare effective dates. Therefore, these claim benefit costs remained charged to the FEHBP in their entirety, resulting in COB overcharges to the FEHBP. We recommended that the contracting officer disallow the uncoordinated claim payments we found and instruct BCBS of Georgia to make a diligent effort to recover the overpayments, crediting all amounts recovered to the FEHBP. The Medicare program is administered by the Centers for Medicare and Medicaid Services (CMS), an agency within the Department of Health and Human Services. Medicare Part A helps pay for care in hospitals, skilled nursing facilities, hospices, and some home health care. Medicare Part B helps pay for doctors, outpatient hospital care, and some other medical services that Part A does not cover, such as services of physical and occupational therapists and some home health services. Part B also helps pay for covered doctor services that are medically necessary. Duplicate payments. BCBS of Georgia inappropriately charged the FEHBP for duplicate claim payments during contract years 1998 through 2000. Of the approximately $702 million in claims paid during this period, we identified 211 duplicate claim payments, totaling $128,752. The relatively small number of duplicate claim payments indicated to our auditors that the plan had effective controls in place to minimize such payments. Nevertheless, we recommended that the contracting officer disallow these duplicate payments and instruct BCBS of Georgia to be conscientious in attempting to collect these payments and credit all amounts recovered to the FEHBP. Payment errors from sampling. During the period January 1, 1998 through December 31, 2000, we selected multiple samples of claims for the purpose of determining if BCBS of Georgia had paid claims properly. As a result of these claim sample reviews, our auditors identified six claim payment errors, resulting in overcharges of $102,567 to the FEHBP. We recommended that the contracting officer disallow these six claim overcharges and direct the plan to make a concerted effort to collect these overcharges and credit all overpaid amounts recovered to the FEHBP. The findings referenced above on coordination of benefits, duplicate payments, and other payment error issues relate to claim overpayments that negatively affect the FEHBP. Once these overpayments appear in one of our audit reports, the FEHBP contract allows a plan to show that it made these overpayments in good faith and has since made a reasonable effort to collect these funds. In turn, OPM's contracting officer may consider these uncollected amounts (questioned costs by our auditors) as allowable charges to the FEHBP. This applies to all FEHBP experience-rated plan contracts. Refunds. BCBS of Georgia did not credit the FEHBP for refunds totaling $107,029 that it received in October 1998. Federal regulations require the carrier to credit refunds relating to health benefit payments to the FEHBP. After our auditors identified these refunds, the plan promptly credited the funds to the FEHBP. Therefore, we only recommended that the contracting officer instruct the plan to implement procedures to ensure that future refunds are credited to the FEHBP without delay. Also, BCBS of Georgia did not make a timely effort to recover 73 claim overpayments, totaling $87,541, identified during its own internal audits during 1998 through 2000. The issue of promptness is based on the fact that the FEHBP contract only allows a plan 30 working days to initiate recovery efforts after identifying an overpayment. Our auditors concluded that the plan did not initiate recovery efforts until one to three years after these overpayments were identified. Consequently, we recommended that the contracting officer direct BCBS of Georgia to collect these overpayments and credit all amounts recovered to the FEHBP. Administrative Expenses During our review of administrative expenses for contract years 1998-2000, we noted that BCBS of Georgia overcharged the FEHBP for costs totaling $152,686, the majority relating to BCBS Association dues. BCBS of Georgia did not allocate Association dues to the FEHBP in accordance with an agreement reached between the Association and OPM regarding the chargeability of dues. The plan also should have excluded lobbying expenses from the Association dues it charged to the FEHBP. Our auditors calculated that the plan overcharged the FEHBP $83,718 for BCBS Association dues from 1998 through 2000. We recommended that the contracting officer disallow these overcharges and instruct the plan to credit the FEHBP the entire amount of the overcharge. Lost Investment Income Federal regulations require a carrier to invest and reinvest all excess FEHBP funds on hand and to credit all investment income earned on those funds. Therefore, we computed lost investment income resulting from our audit findings in the amount of $56,950 through December 31, 2001. We have recommended to the contracting officer that the above amount be returned to the FEHBP. We have also recommended that additional lost investment income due after that date be returned until BCBS of Georgia has returned all questioned costs owed to the FEHBP. Employee Organization Plans Employee organization plans also fall into the category of experience-rated, and operate or sponsor participating health benefits programs. These fee-for-service plans allow members to obtain treatment through facilities or providers of their choice. The largest types of employee organizations are federal employee unions and associations. Some examples are: the American Postal Workers Union (APWU), the National Association of Letter Carriers, the Government Employees Hospital Association and the Special Agents Mutual Benefit Association. During the reporting period, we issued audit reports on two employee organization plans: the Mail Handlers Benefit Plan and the APWU Health Plan, respectively. A summary of the report for the APWU Health Plan, including our audit findings, follows. American Postal Workers Union Health Plan in Silver Spring, Maryland Report No. 1B-47-00-01-080 August 20, 2002 The APWU Health Plan (APWU) is a managed fee-for-service employee organization plan located in Silver Spring, Maryland. The plan enrollment is open to all postal service employees who are members of the American Postal Workers Union, as well as any other federal employees and annuitants that elect to become associate members of the union. The union is the sponsor and underwriter of the health plan. Plan membership totaled approximately 83,000 enrollees as of December 31, 2000. Our audit covered contract years 1998- 2000, and was conducted to determine whether APWU charged costs to the FEHBP and provided services to FEHBP members in accordance with the terms of its FEHBP contract. Our auditors reviewed health benefit payments, miscellaneous payments and credits, administrative expenses and cash management. As a result of this audit, our auditors questioned $723,344 in health benefit costs and $180,399 in administrative expenses charged against the FEHBP contract. APWU agreed with our auditors that these amounts were not allowable under its contract. Since the FEHBP is entitled to receive lost investment income on these unallowable charges, we calculated an additional $11,049 associated with these disallowed amounts. Final calculations by our auditors regarding amounts owed to the FEHBP totaled $914,792. Health Benefits For the contract period 1998 through 2000, APWU paid $1.2 billion in actual FEHBP claim payments. For purposes of this audit, and as we routinely do when conducting these experience-rated audits, we randomly selected health claims for examination in specific health benefit categories. We also reviewed FEHBP claim payment activities relating to refunds, uncashed health benefit checks, and miscellaneous payments and credits. Our findings relating exclusively to health benefit charges in all the above areas totaled $723,344 out of the total questioned costs of $914,792. During this audit, the primary health benefit categories we examined were coordination of benefits with Medicare and potential duplicate payments. Details on these findings are discussed below. Coordination of benefits. As part of our random selection process, our auditors identified 103 hospital claim payments and 640 physician claim payments wherein the FEHBP improperly paid when Medicare was the primary insurer. As discussed in the preceding audit narrative on the BCBS of Georgia plan, this type of improper charge occurs when a plan fails to coordinate benefits properly when Medicare is the primary insurer. We estimated that this failure to coordinate benefits with Medicare for these 743 claims resulted in overcharges to the FEHBP trust fund of $689,287. We recommended that the contracting officer disallow these uncoordinated claim payments and instruct APWU to make a reasonable effort to collect these payments and credit all overpaid amounts to the FEHBP. Duplicate payments. The other major focus of our auditors concerned potential duplicate health benefit payments that may have occurred during the three contract years covered by the audit. We identified 29 duplicate claim payments, resulting in overcharges of $34,057 to the FEHBP. Since these duplicate claim payments were a very small number, we concluded that the plan had effective controls in place to minimize such payments. However, we did recommend that the OPM contracting officer direct the plan to recover these overpayments. Administrative Expenses For contract years 1998 through 2000, APWU charged the FEHBP $69 million in administrative expenses. Our auditors determined that all administrative expenses incurred and charged to the FEHBP were appropriate with one exception. That exception occurred during contract year 2000, when APWU charged the FEHBP $180,399 for legal expenses in connection with a federal investigation of the plan. Federal regulations consider such costs unallowable if the plan is a defendant in a lawsuit filed by the U.S. government against it. Consequently, we recommended that the contracting officer disallow these legal expenses charged to the FEHBP. Experience-Rated Comprehensive Medical Plans Comprehensive medical plans (HMOs) fall into one of two categories: community-rated or experience-rated. As we previously explained in more detail on page 5 of this section, the key difference between the two categories stems from how premium rates are calculated for each. Like other health insurance plans participating in the FEHBP, experience-rated HMOs offer what is termed a point of service product. Under this option, members have the choice of using a designated network of providers or using non-network providers. A member's choice in selecting one health provider over another has obvious monetary and medical implications. For example, if a member chooses a non-network provider, the member will pay a substantial portion of the charges and the benefits available may be less comprehensive. During this reporting period, we issued one experience-rated comprehensive medical plan audit report. Our findings for that audit are summarized below. Health Maintenance Plan in Cincinnati, Ohio Report No. 1D-R5-00-01-043 June 12, 2002 The Health Maintenance Plan (HMP) is a comprehensive medical plan (HMO), based in Cincinnati, Ohio, which provides health benefits to federal enrollees and their families in the following Ohio areas: Cincinnati, Cleveland, Dayton, Akron-Canton, Warren-Youngstown, Columbus and Toledo-Defiance. Our auditors performed a limited-scope audit of the FEHBP operations at HMP covering contract years 1998 through 2000. For this type of audit, auditors only focus on certain costs charged to the FEHBP by the plan. In this instance, we reviewed health benefit payments made by the plan from 1998 through 2000, along with refunds, uncashed checks, and miscellaneous payments and credits. The primary objectives of this audit were to determine if: n The plan complied with FEHBP contract provisions pertaining to coordination of benefits with Medicare, duplicate claim payments and benefit payments. n The plan properly calculated and charged miscellaneous payments to the FEHBP. n The plan promptly returned refunds, uncashed checks and miscellaneous credits relating to health benefit payments to the FEHBP. At the conclusion of our audit, we questioned $659,430 in uncoordinated claim payments with Medicare (see page 14 for more detail on this COB health benefits issue); $95,834 in duplicate claim payments; and $5,620 in uncashed health benefit checks. Out of the total of $760,884 that our auditors determined as unallowable charges to the FEHBP, HMP agreed with $362,184, disagreed with $114,959, and is researching the balance ($283,741). Information Systems Audits In accordance with the Inspector General Act of 1978, as amended, we conduct and supervise independent and objective audits of agency programs and operations to prevent and detect fraud, waste and abuse. To assist in fulfilling this mission, we perform information systems audits of health and life insurance carriers that participate in the Federal Employees Health Benefits Program (FEHBP) and the Federal Employees. Group Life Insurance program (FEGLI). We also audit the agency's computer security environment and systems development activities. he information systems audits function provides a valuable service to our customers by auditing the computer security and information systems of our agency and health insurance carriers participating in the Federal Employees Health Benefits Program (FEHBP). The inherent need for this type of oversight lies in the federal government's heavy reliance on information systems to administer federal programs, manage federal resources, and accurately report costs and benefits. Any breakdown in federal computer systems, including systems of federal contractors, can compromise the government's efficiency and effectiveness, increase the costs of federal projects and programs, and threaten the safety of United States citizens. Ever increasing malicious attacks on public and private computer systems underscore the importance of this issue. These threats include outbreaks of destructive computer viruses, Web site defacements, sabotage, and theft of valuable or sensitive information in computer databases. To minimize information system security risks at our agency, our office audits various security-related activities and agency computer systems development. Our office also audits general and applications controls associated with the computer systems at health carriers under contract with OPM to provide health benefits under the FEHBP. General controls refer to the policies and procedures that apply to an entity's overall computing environment. Application controls are those directly related to individual computer applications, such as a carrier's payroll system or benefits payment system. General controls provide a secure setting in which computer systems can operate, while application controls ensure that the systems completely and accurately process transactions. During this reporting period, we completed an evaluation of OPM's security programs and practices in accordance with Section 1061, Subtitle G: Government Information Security Reform, which appears in P.L. 106-398, the National Defense Authorization Act for FY 2001. We also completed an audit of an FEHBP carrier's information systems general and application controls. A summary of our audit findings and recommendations are described on the following pages. Review of OPM's Compliance with the Government Information Security Reform Act Report No. 4A-CI-00-02-095 September 6, 2002 On October 30, 2000, former President Clinton signed into law the National Defense Authorization Act for FY 2001 (P.L. 106-398) that included new guidance on advancing information security practices within the federal government. Subtitle G of the Act, entitled .Government Information Security Reform,. added a new subchapter to Title 44 of the U.S. Code, codified at 44 U.S.C. §§ 3531-3536, which places new emphasis on federal information policy coordination within all agencies and departments of the government. This subchapter specifically focuses on program management, implementation and evaluation of security for all federal computer systems, including national security computer systems. Its purpose is to ensure that all information resources that support federal operations and information assets are not compromised. In addition, Subtitle G, section 1062(e) of the Act requires OPM to review and update computer security training regulations for federal civilian employees, to assist the Department of Commerce with updating and maintaining certain security awareness and computer security best practices, and to work with other agencies on training initiatives. General Overview While not officially titled as such, this new guidance under Subtitle G has become widely known as the .Government Information Security Reform Act. (GISRA). All future references in this audit summary to the .Security Act. will apply to the requirements stated in Subtitle G, P.L.106-398. In regard to those requirements, we performed an independent evaluation of OPM's computer security program and practices. We evaluated OPM's general compliance efforts for specific areas defined in the Office of Management and Budget's Security Act reporting instructions. These instructions, included in OMB Memorandum M-02-09, dated July 2, 2002, provide a consistent form and format for agencies to report back to OMB. We also evaluated several of OPM's computer systems for compliance. While we concluded that OPM has made significant progress since our FY 2001 evaluation of the agency's computer security program [Report No 4A-CI- 00-01-08], we identified several areas still in need of improvement. However, nothing came to our attention that would cause us to believe that any material weaknesses exist in OPM's information security controls. Agency Head Responsibilities Delegation responsibilities. As stipulated in Section 1061, Subtitle G, of P.L. 106- 398, the Director has now delegated information security responsibility within the agency through the issuance of OPM's information technology (IT) security policy. This policy clearly sets forth the corresponding responsibilities and authorities for the agency's chief information officer and other program officials. However, because the IT security policy was only recently released, the Office of the Chief Information Officer (OCIO) is still in the process of implementing the policy. During our review, we noted that OCIO needs to assume a more proactive leadership role in working with program office heads and their staffs to understand their respective system security responsibilities and to implement effective information security programs accordingly. Security life cycle. OPM has developed a system-development life cycle methodology to be used by all program offices. This approach controls the design and development of computerized information systems and specifically includes security-related controls. However, the methodology will not be fully functional until sometime early in FY 2003. IT security program integration. OPM has not integrated its information technology security program with its critical infrastructure responsibilities. However, the agency is in the process of implementing a security program that will address this issue. For example, the agency is incorporating the following critical computer-related infrastructure protection elements into its overall security program by: n Identifying critical information assets (human resources, computer hardware and software, computer applications, electronic and hard copy data, and physical facilities). n Conducting vulnerability assessments. n Establishing an emergency management program. n Establishing procedures to ensure that security planning is incorporated into system-development life cycle standards. n Identifying resources and organizational requirements. n Establishing clear designations for authorizing access to OPM's computer systems. Critical operations and assets. OPM has controls in place to identify, prioritize and protect critical operations and assets within its computer architecture. The strategies used by OPM include developing and testing a draft disaster recovery plan for its mainframe operation and implementing an agency-wide continuity of operations plan. These controls will be strengthened as OPM fully implements its IT security program. We did note one ongoing control weakness: the lack of a disaster recovery plan for the agency's local area network operations. Security-incident handling. In May 2002, OCIO released incident response and reporting procedures. The procedures include: n Guidance in understanding personnel responsibilities. n Identifying, containing and eliminating security incidents. n Recovering from security incidents. n Reporting and follow-up procedures in response to a security incident. However, until the procedures can be fully implemented, there is a higher risk that security incidents may not be properly handled and reported. Responsibilities of Agency Program Officials Program office reviews. We reviewed OPM's two general computer support systems and five major computer applications. The Washington Technology Center (WTC) maintains and administers the mainframe computer operations that support most of OPM's essential systems. The Network Management Center is responsible for OPM's local area network/wide-area network. The Office of the Chief Information Officer is responsible for the two general computer support systems. Securing these two critical infrastructure components is key to OPM's initial security strategy. The five applications that we reviewed represented a variety of computerized information systems from four of OPM's key program offices. These are: - Central personnel data file (Office of Merit Systems Oversight and Effectiveness). - Government financial information system (Office of the Chief Financial Officer). - Financial management system (Retirement and Insurance Service). - Annuity roll (Retirement and Insurance Service). - USAJobs (Employment Service).* *This application is available to the general public through OPM's Web site. While resource restrictions limited our ability to complete additional evaluations, we believe that the results fairly represent OPM's overall Security Act compliance status. OCIO has clearly made progress in implementing its IT security policy and helping the program offices fulfill their security responsibilities. However, much work remains to be done. For example, during this reporting period, with the exception of the general computer support systems, OPM's program offices had not yet assessed the risk to operations and assets under their respective control. The program offices, likewise, had not developed information system security plans for systems under their individual control nor certified and accredited any of the systems to operate as secure systems. This latter effort is currently underway for the general computer support systems. Once completed, these security plans will be used to facilitate the completion of the security plans for the program offices. Contractor-provided services. With two exceptions, OPM has adequate controls to help ensure that contractor-provided services are performed according to requirements of the Security Act and OPM policy. In that regard, we noted that OPM does not have adequate general controls for deleting system access for contractors when they leave the agency. The Washington Technology Center, however, is considering several options to improve the controls in this area. We have also recommended that program offices address contractor-specific security issues and requirements as part of their respective formal risk assessment processes. Responsibilities of OPM's Chief Information Officer Agency-wide security program. OPM has not fully implemented an agency-wide security program. However, OCIO has developed an IT security policy, an IT security program guide, and an IT security program definition. These documents address the control elements required by federal guidance, including: Risk management. Information system security plans. Certification and accreditation. Security-related personnel controls. Training. Performance measures. Continuity of operations and business recovery plan. Security incident handling. - Operational and technical controls. Contractor security. OPM's security controls for contractors are consistent with the controls governing all of OPM's employees. OPM's IT security policy also requires all contractors to have a background check. However, during our review, we did identify a weakness in OPM's ability to identify its contractors. Weak controls related to contractor identification increase the risk of unauthorized access to sensitive systems and data. Capital planning and investment control. OPM has integrated security requirements and cost estimates into its capital planning and investment control process. However, there is still a need to improve documentation supporting cost estimates. OPM Specific Security Act Responsibilities In 2002, OPM took significant steps to meet its government-wide computer security training responsibilities identified in the Security Act. Specifically, OPM is in the process of reviewing and updating regulations concerning computer security training for federal civilian employees. OPM is also assisting the Department of Commerce in updating and maintaining guidelines for training in computer security awareness and computer security best practices. Finally, OPM has worked with the National Science Foundation to develop and implement a Scholarship for Service program to promote developing information technology skills within the federal government. This scholarship program enrolled its first group of students this past fall. Audit of Information System General and Application Controls at Mail Handlers Benefit Plan in Chicago, Illinois; Rockville, Maryland; and Jacksonville, Florida Report No. 1B-45-00-01-009 June 19, 2002 Mail Handlers is a fee-for-service plan, which received approximately $2.2 billion in FEHBP program income during contract year 2001. At the time of our audit, the Mail Handlers Benefit Plan (Mail Handlers) was administered by the Claims Administration Corporation (CAC), a subsidiary of CNA. Our audit covered CAC/Mail Handlers. general information system controls environment and application controls over its claims processing and enrollment systems. The goal of the audit was to obtain reasonable assurance that CAC/Mail Handlers had implemented proper controls over the confidentiality, integrity and availability of computerized data associated with the FEHBP. We evaluated CAC/Mail Handlers. information system general controls with guidance from the U.S. General Accounting Office's Federal Information System Controls Audit Manual, industry best practices, and pertinent federal law and regulations. We also audited the application controls in place to ensure that the computerized claims system was processing all transactions accurately and completely. In reviewing the company's general controls, we examined how well the company was managing security policy and access controls, along with software changes related to its general information systems. Our auditors also assessed whether there was an appropriate segregation of duties among CAC/Mail Handlers. employees who were involved in the plan's general information systems. Additionally, we looked at controls over the mainframe operating system and security software implementation, and examined the company's plan for maintaining or quickly restoring its critical computer systems functions in the event of a disaster. The second portion of our audit was a limited examination of CAC/Mail Handlers. claims processing system to determine if CAC/Mail Handlers had controls in place to ensure that transactions were valid, properly authorized, and accurately processed in all respects. The objective of the review was to assess the reliability of the data supporting health benefit payments charged to the FEHBP and reported to OPM. We found that CAC/Mail Handlers had a number of controls in place that helped promote a secure computer environment. These included: A comprehensive security policy based on the performance of independent risk evaluations. A computer-incident response team. Controls to prevent unauthorized access to the CNA network. Adequate policies and procedures to control access to Mail Handlers. adjudication system. Controls to ensure that FEHBP's annual benefit changes are updated correctly and in a timely manner. On the other hand, we noted several areas where we believe CAC/Mail Handlers. management should strengthen its controls. In the area of security-related personnel controls, we had several recommendations. We noted in our report that CAC/ Mail Handlers needed to update its personnel-termination procedures and require background checks for all temporary employees and contractors whose positions may require access to sensitive materials. We also recommended that it implement a formal program to complete security awareness training on an annual basis. In addition, we recommended that CAC/ Mail Handlers implement procedures for producing and reviewing violation and activity reports of users with special privileges on a routine basis. Another recommendation was for Mail Handlers to address duty segregation concerns by restricting system programmers and operators access to production program libraries. And, finally, we addressed the need for CAC/Mail Handlers to enhance their disaster recovery/service continuity plan by: Reviewing and updating the plan on a regular basis. Finalizing and implementing their imaging center contingency plan. Developing and implementing a formal contingency plan for claims processing and customer service functions. We believe this review, along with our specific recommendations, will enhance the information system controls at CAC/ Mail Handlers, thereby safeguarding the confidential medical records of its FEHBP enrollees. CAC/Mail Handlers. efforts will also ensure the reliability and continued availability of the company's critical automated information. Other External Audits We conduct audits of the local organizations of the Combined Federal Campaign (CFC), the only authorized fundraising drive conducted in federal installations throughout the world. Also, at the request of Office of Personnel Management (OPM) procurement officials, our office performs pre- and post-award contract audits relating to the acquisition of goods and services by agency program offices. Combined Federal Campaign Under Executive Order 10927, issued August 18, 1961, the U.S. Civil Service Commission (OPM's predecessor) was given the responsibility for arranging national voluntary health and welfare agencies to solicit funds from federal employees and members of the armed services at their places of employment. Since then, OPM's role has been further defined through additional executive orders, one public law (P.L. 100-202), and new federal regulations (5 CFR 950). Key responsibilities include: Providing eligibility guidelines for national and local organizations and charities participating in the Combined Federal Campaign (CFC). Specifying the role of local CFCs. Identifying OPM's specific oversight responsibilities pertaining to the CFC. An estimated 360 campaigns operating nationwide and overseas participated in the 2001 Combined Federal Campaign, the most recent year for which statistical data is available. Federal employee contributions reached $242 million for the 2001 CFC, while campaign expenses totaled $20.5 million. Each of our audits cover two consecutive campaign years. Campaigns are identified by geographical areas, such as a single city, several cities or counties. Our auditors look closely at the eligibility of participating charities associated with a given campaign, whether these charities have complied with federal regulations and OPM guidelines, and if any irregularities appear in their financial records. In addition, all CFC organizations are required by regulation to have an independent public accounting firm conduct an audit of their respective financial activities. We also audit national charitable federations that participate in the CFC. A national charitable federation provides common fundraising, administrative and management services to its members, those being other charitable organizations with similar interests. For example, the Children's Charities of America is a national federation providing services to other charities concerned with the welfare of children. During federation audits, we focus on the eligibility of federation member charities and how funds are distributed and expenses allocated to them. Combined Federal Campaign audits will not ordinarily identify savings to the government, because the funds involved are charitable donations made by federal employees, not federal entities. While infrequent, our audit efforts can result in an internal referral to our OIG investigators for potential fraudulent activity. During this reporting period, we conducted 15 CFC audits. We selected 14 local campaigns and one federation, using a risk assessment that included such factors as the dollar amount of pledges, amount of expenses incurred, and amount of time since our last audit. These 15 CFC audits covered the 1999 and 2000 campaigns. We issued three final local campaign audit reports during the current reporting period. These were: Tri-Community Area (Georgia), Twin Cities Area (Minnesota), Central Savannah River Area (Georgia). See listing on page 47 in Appendix IV. Summarized below are key results from these local CFC audits, which are typical of CFC findings: One campaign included interest that was not incurred and other costs that they could not support towards its campaign expenses. One campaign violated CFC guidelines requiring timely distribution of donations to charities. Two campaigns could not provide all of the audit documentation requested. Agency Contract Audits Our office conducts two types of agency contract audits. We perform pre-award contract audits to: Ensure that a bidding contractor is capable of meeting contractual requirements. Assess whether estimated costs are realistic and reasonable. Determine if the contract complies with all applicable federal regulations. We also conduct post-award contract audits to ensure that costs claimed to have been incurred under the terms of an existing contract are accurate and in accordance with provisions of federal contract regulations. These audits provide OPM procurement officials with the best information available for use in contract negotiations and oversight. In the case of post-award contract audits, for example, the verification of actual costs and performance charges may be useful in negotiating future contract modifications pertaining to cost-savings and efficiency. During this reporting period, we did not issue any audit reports on agency contracts. OPM Internal Audits We conduct and supervise independent and objective audits of the Office of Personnel Management's (OPM) programs and administrative operations. We also perform evaluations and inspections of agency programs and operations. Two critical areas of ongoing audit activity include OPM's consolidated financial statements required under the Chief Financial Officers Act (CFO Act of 1990), as well as the agency's work required under the Government Performance and Results Act of 1993 (GPRA). he success of OPM's mission and achieving its program goals provide the basis for our internal auditing activities. This success is founded, in part, on a key management principle related to operational controls. These internal controls are in place to provide reasonable assurance that program operations will: Be effective and efficient. Be characterized by reliable financial reporting. Maintain compliance with applicable laws and regulations. Our auditors and program evaluators provide recommendations for improving the efficiency and effectiveness of our agency operations and their corresponding internal controls. We use a risk-based methodology to assess OPM's activities and establish annual work agendas. Our risk-based methodology includes such factors as dollars, number of staff, the date of our last audit, computerized or manual information systems, laws and regulations, organizational culture of the work place, and governmental concerns. We have found by identifying and concentrating on agency programs and operations with a high risk, our office can provide the most benefit to the agency. We carefully plan and conduct our activities involving audits or evaluations and inspections in accordance with government auditing standards. We include OPM program managers in every step of the audit process to ensure that we have met their needs, addressed concerns, and received feedback on how we can improve the value of our services. We believe this cooperative spirit ensures that all parties involved with our activities will obtain the maximum benefit and that we will continually improve our level of services. Our internal audits activities cover the following: Agency performance audits. Agency consolidated financial statements audits. Agency compliance reviews. The pages that immediately follow contain descriptions of our agency performance audit efforts. We did not issue any final reports relating to the agency's consolidated financial statements audits and agency compliance reviews during this reporting period. Results of our annual consolidated financial statements audit will appear in our next semiannual report. The financial statements include separate accounts regarding operational costs to conduct OPM business, such as salaries and expenses and the major federal programs under OPM's control. Key among these programs are those affecting federal civilian employees before and after retirement: health, life insurance and annuity benefits. Agency Performance Audits As an independent OIG, our performance auditing plays an important role in OPM program accountability, because it provides an external and objective assessment of the performance of OPM's programs and activities. In turn, the information and recommendations we provide through these audits can aid in decision-making by managers and other OPM officials responsible for overseeing and initiating corrective action. We issued two performance audit reports during this reporting period. One audit relates to our agency's purchase card program and the other to the travel card program. The following narratives describe the major findings contained in our reports. OPM's Travel Card Transactions Report No. 4A-CF-00-01-103 April 8, 2002 The Government Travel Charge Card Program was created by the General Services Administration (GSA) as a government-wide travel payment and expense control system. Under the Travel and Transportation Reform Act of 1998, federal employees are required to use a government contractor-issued travel charge card for official travel expenses unless an exemption has been granted. Bank of America is currently under contract to provide these travel charge card services to OPM and OPM employees. Responsibility for OPM's travel card program resides with the Office of the Chief Financial Officer (OCFO). As such, OCFO is responsible for administering and managing the travel card program for the agency and serves as the intermediary between the cardholder, the bank and OPM program management. Program managers, in turn, must monitor employee travel card use within their respective program areas. Last year, we completed an audit designed to review the internal controls associated with OPM's travel card program. As a follow-up audit, we audited OPM's travel card transactions. The objectives of this most recent audit were to determine the extent of misuse and abuse occurring with travel cards and whether these transactions related to actual authorized travel expenses. This audit covered the time frame between June 2000 and June 2001. The travel card program included 1,467 individual OPM employee cardholders as of July 2001. We reviewed the travel transaction file maintained by the Office of the Chief Financial Officer and noted that, during this period, charge card activity reflected over 23,600 transactions, totaling approximately $3.7 million. We reported that: Transactions, including ATM withdrawals, were made without official travel orders or travel authorization. One employee received an erroneous payment. Duplicate travel reimbursements were made to OPM staff on travel. More detailed comments concerning these three internal control issues appear on the next page. Unauthorized transactions. During our audit, we noted that federal employees made $55,451 in ATM withdrawals and $21,557 in purchase card charges for what appeared to be unauthorized or nongovernmental use. We determined that inadequate oversight and monitoring of the travel card program contributed to such withdrawals and for transactions made without official travel orders or travel authorization. We recommended to program managers that they improve oversight of cardholder use to reduce or eliminate unauthorized withdrawals and transactions in the future. Unauthorized use of the travel card also increases the risk of delinquent debt and the need to write off receivable amounts by Bank of America. Our review determined, for example, six out of the 12 employees we reviewed on the ATM reports also had delinquent balances due. Erroneous reimbursement. An employee claimed and received reimbursement for charges that were paid on an agency corporate account rather than the employee 's OPM-authorized travel card. In this instance, inadequate review of the employee's travel voucher by the employee's supervisor and/or other approving official within the program office was directly linked to the employee's receiving this erroneous reimbursement. The employee has since reimbursed OPM for these funds. Duplicate travel payments. During our review, we determined OPM overpaid 22 employees a total of $2,535 in duplicate travel payments. We further determined that OPM's internal controls over travel reimbursement did not prevent or detect duplicate processing of travel vouchers. Program managers in OCFO are now conducting a review of these vouchers and will take the necessary steps to see that OPM is reimbursed. In addition, we recommended that OCFO design and implement controls to reduce the likelihood of any future duplicate payments. Regarding these 22 duplicate payments, we also determined that the travel payment system edits were inadequate and formal procedures lacking in those instances requiring a travel voucher to be reprocessed. As a result, the safety net that this computerized form of checks and balances was to provide failed. OPM has now installed a new travel payment system, developed by the General Services Administration, to improve its travel information processing operations. Internal Controls over OPM's Purchase Card Program Report No. 4A-CA-00-02-018 June 20, 2002 The General Services Administration administers the government-wide purchase card program, with agencies establishing their own program policies and procedures. Bank of America is currently under contract to provide VISA purchase card services to OPM. Responsibility for OPM's purchase card program is within the agency's Office of Contracting and Administrative Services (OCAS). An OCAS employee serves as OPM's agency program coordinator and is responsible for administering and managing the program. This audit was limited to a review of the internal controls over OPM's purchase card program. We focused our attention on understanding and analyzing those specific controls designed to prevent and detect potential misuse of the program. We also performed tests of controls and transaction details on a sample of fiscal year 2001 purchase card and convenience check transactions. We found no evidence that cardholders were abusing their government purchase card privileges for personal or inappropriate use. However, we made the following recommendations to program management: Improve procedures for purchase cardholder account cancellations. Improve management controls to prevent post-employment purchases. Establish periodic review and reauthorization procedures for cardholders who do not use their purchase cards within a given time frame. Improve purchase card transaction controls by: . Retaining transaction and training documentation. . Establishing approving official training requirements. . Establishing approving official transaction oversight monitoring responsibilities. . Blocking vendor-specific merchant category codes. . Using transaction logs. . Preventing split transactions (splitting amounts into two or more transactions to keep amounts below the cardholder's spending limits). . Excluding sales tax from transactions. Improve convenience-check transaction controls as they relate to: . Unidentified convenience check payee names. . Legibility and consistency issues concerning payee names. . Reporting data to the Internal Revenue Service under its dollar transaction criteria. Improve convenience-check transaction controls to prevent reimbursement to individual government employees. Note: These reimbursements to federal employees should be processed through the agency's financial payment system rather than through the credit card process. Based on our recommendations, OCAS is revising OPM's purchase card program policies and procedures. In addition, OPM has implemented a purchase card module within OPM's new computerized financial system. This new module permits an approving official's signature to be electronically generated on every transaction to provide validation. Government Performance and Results Act Audits During this reporting period, we continued to allocate resources for auditing the agency's performance relating to the Government Performance and Results Act of 1993 (P.L. 103-92). This legislation was enacted to improve government performance and accountability through better planning and reporting of agency results government-wide. GPRA, as it is more commonly called, specifically includes directives for federal agencies and departments to follow regarding strategic planning and performance management processes that emphasize goal-setting, customer satisfaction and results measurements. In an October 1998 congressional request, the Inspector General community was asked to include in future semiannual reports to Congress a summary of reportable actions under GPRA resulting from OIG audit activities. In that regard, during this reporting period, OPM revised its strategic plan for FY 2002-2007. The Director of OPM approved the revised strategic plan in September 2002. We are concluding a compliance audit on the strategic plan as it proceeded through its various stages of development and refinement. The objective of our audit was to determine OPM's compliance with Office of Management and Budget (OMB) Circular A-11, Part 6, in preparing its plan. OMB Circular A-11 is concerned with preparing, submitting and executing the respective budgets of all federal agencies and departments. Part 6 addrsses an agency's preparation of its strategic plan submission, as well as its annual performance plans and annual program performance reports. We will include the results of this audit in our next semiannual report. Within the next few months, we will be auditing OPM's efforts in preparing its annual performance plan and internal controls over FY 2002 performance results. We will be reporting on these in a future semiannual report. Investigative Activities The Office of Personnel Management (OPM) administers benefits from its trust funds for all federal civilian employees and annuitants participating in the federal government's retirement, health and life insurance programs. These trust fund programs cover approximately nine million current and retired civilian employees, including eligible family members, and disburse about $69 billion annually. While we investigate employee misconduct and other wrongdoing brought to our attention, the majority of our OIG investigative efforts is spent examining potential fraud involving these trust funds. As a result of this office's investigative activities, we realized a significant number of judicial and administrative successes during this reporting period, including monetary recoveries totaling $823,124. We also wish to note that an FEHBP-participating HMO, PacifiCare, agreed to a major settlement early in the reporting period that will result in a return of $63.9 million to the FEHBP. Our investigators and auditors made significant contributions to this complicated case, its favorable outcome, and thus share in reporting this amount. See our Audit Activities section, pages 9-10, for a more in-depth discussion of this case and the settlement. Overall, we opened 24 investigations and closed 20 during the reporting period, with 64 still in progress at the end of the period. Our investigations led to two arrests and five convictions during the period. For a more complete statistical summary of our office's investigative activity in this reporting period, refer to Table 1 on page 37 of this section, along with the OIG's productivity indicators listed at the beginning of this report. As mentioned in the shadow box above, most of our casework relates to the federal health, life and retirement trust fund programs our agency administers on behalf of millions of federal employees, retirees, their spouses and dependents. Our office aggressively pursues individuals and corporate entities seeking to defraud these trust funds upon which our federal employees, retirees, their spouses and dependents rely. Over the years, our OIG has worked a number of annuity fraud cases involving the Civil Service Retirement and Disability trust fund. This trust fund program covers all civilian federal employees who contributed to the Civil Service Retirement System (CSRS) and/or the newer Federal Employees Retirement System (FERS). FERS was established by Congress in 1983. At that time, federal employees were given the opportunity to remain in CSRS or switch to the new program. All new federal government employees hired on or after January 1, 1984, were automatically placed in the FERS retirement program. With CSRS being the older of the two systems, more people have retired under this system, creating a greater chance for annuity fraud under it than FERS. Our office long ago assumed a proactive stance in identifying individual cases upon which to base investigations of this nature. We identify fraud in this area by routinely reviewing CSRS annuity records for any type of irregularity, including excessive age. We receive additional information from our agency's Retirement and Insurance Service (RIS) through the computer matches it performs using OPM's annuity rolls and the Social Security Administration's death records. These computer matches have proven very helpful to OPM, since many CSRS annuitants or those receiving CSRS survivor benefits are also eligible for Social Security benefits. RIS also provides our office other annuity records data in support of our investigative activities. Other useful tools to help our office in its efforts to uncover and expose fraud and abuse are the OIG's health-care fraud hotline and retirement and special investigations hotline, along with mailed-in complaints. Formal complaints and calls we receive on these hotlines totaled 422 during this reporting period. Additional information, including specific activity breakdowns for each hotline, can be found on page 38 in this section. In keeping with the emphasis that Congress and various departments and agencies in the executive branch have placed on combating health care fraud, we coordinate our investigations with the Department of Justice (DOJ) and other federal, state and local law enforcement agencies. At the national level, we are participating members of DOJ's health-care fraud working group. We actively work with the various U's. Attorney's offices in their efforts to further consolidate and increase the focus of investigative resources in those regions that have been particularly vulnerable to fraudulent schemes and practices engaged in by unscrupulous health care providers. In addition to our responsibility to detect and investigate fraud perpetrated against OPM's trust funds, this office conducts investigations of serious criminal violations and misconduct by OPM employees. These cases may involve the theft or misuse of government funds and property. On the following pages, we have provided narratives relating to health-care and retirement-fund fraud investigations we conducted or concluded during the reporting period. These illustrate not only the various types of fraud we encounter in our investigations, but what penalties and sanctions face those involved in wrongdoing affecting OPM programs. Health Care-Related Fraud and Abuse Our OIG special agents are in regular contact with the numerous health insurance carriers participating in the Federal Employees Health Benefits Program to provide an effective means for reporting instances of possible fraud by health care providers and FEHBP subscribers. Our office also maintains liaison with federal law enforcement agencies involved in health care fraud investigations and participates in several health-care fraud working groups on both national and local levels. Additionally, we work closely with our own Office of Audits when fraud issues arise during the course of health carrier audits, as well as with the OIG debarring official when investigations of health care providers reveal evidence of violations that warrant consideration of possible administrative sanctions. The following narratives describe three of the cases we concluded in the area of health care fraud during this reporting period. Case Manager Creates Sham Company to Receive FEHBP Funds In August of 2001, we received a referral from CareFirst BlueCross BlueShield (CareFirst), an FEHBP-participating plan based in the Washington, D.C. area, about a former employee. CareFirst informed us that one of its case managers, who was a registered nurse, may have embezzled FEHBP funds during her employment with the plan. Among the case manager's responsibilities was approving the payment of home health services for FEHBP members. Working in conjunction with CareFirst's special investigations unit, we determined that the case manager created a fictitious home health care company, and proceeded to submit at least 30 claims from the sham company to CareFirst. In her position as a case manager, she was able to personally approve payment for each claim. These fraudulent activities took place over a period of several years. Our investigation revealed that payments by CareFirst for these false claims totaled $81,305, and were sent to an address listed for the sham home health company that was actually the home of the case manager's daughter. Investigators from CareFirst and our office subsequently interviewed this individual, who admitted to the fraud. On April 17, 2002, she pleaded guilty to one count of mail fraud in filing these claims through the U.S. mail. She was sentenced in U.S. District Court, in Alexandria, Virginia, on July 19, 2002, to serve 24 months in prison and three years. probation. She was also ordered to make restitution to CareFirst for the entire amount of the fraudulent claims ($81,305). Our investigators also referred this case internally to the OIG debarring official for the FEHBP administrative sanctions program. For this and other egregious professional behavior we uncovered, this registered nurse was debarred for a period of 20 years from participating in the FEHBP. This action makes her ineligible to receive any kind of payment from the FEHBP trust fund for services she may perform in any professional capacity during this 20-year period. For additional details about this debarring action, refer to page 3 in our Administrative Sanctions Activities section of the report. Hospital Chain Involved in Fraudulent Billing Activities In May 1999, at the request of the Department of Justice (DOJ), our office initiated an investigation of Tenet Healthcare Corporation, a nationwide chain of health care providers headquartered in Santa Barbara, California. The investigation concerned overbilling for services and other fraudulent billing activity in violation of the False Claims Act. The investigation, supervised by the DOJ, also addressed allegations of fraud against other federal health care programs, and subsequently involved investigative work by the Offices of Inspector General at the Department of Health and Human Services and the Department of Defense. Our efforts included the collection and analysis of thousands of claims submitted by Tenet to various health plans participating in the Federal Employees Health Benefits Program. In addition to the overbilling, the corporation routinely engaged in an illegal billing practice that involved unbundling claims to augment reimbursements. Simply stated, Tenet took a group of tests customarily performed at the same time under one billing code and identified each test with a different billing code. This, of course, resulted in increasing the corporation's profits on these tests. On May 2, 2002, the corporation agreed to a settlement with the Department of Justice in the amount of $1.7 million, $156,000 of which is to be returned to the FEHBP for being financially harmed by these illegal billing practices. Former Health Plan Employee Alleges Claims Processing Irregularities In June 2000, our OIG initiated an investigation that involved possible claims processing irregularities at BlueCross BlueShield of North Carolina (BCBS of North Carolina) in Durham, North Carolina. The investigation was based on information provided by a former employee of the plan. This individual specifically alleged that a supervisor at BCBS of North Carolina had either personally misdated claims received or ordered others to do so who worked under him so that the plan's claims processing unit would appear more timely in its operations. This supervisor also was said to have routinely errorcoded claims so that they would have to be returned to the health care providers or FEHBP members who had submitted them. This practice was used to eliminate the claims processing unit's backlog, since entering an error code on these claims resulted in deleting them from the plan's computer database. Together, these questionable activities allowed the plan to qualify for a service charge fee on each claim timely processed in accordance with the BCBS Association 's FEHBP contract. In turn, these fees could be used for performance bonuses at the plan, which could directly benefit the supervisor and other plan employees. Soon after we began this investigation, we contacted the BlueCross BlueShield Association's office here in Washington, which is responsible for overseeing the processing of all claims handled by its member Blue Cross and Blue Shield plans. The Association's FEP Director's Office in Washington, D.C, engaged a thirdparty law firm and hired independent auditors to travel to BCBS of North Carolina to look into these allegations. On June 2, 2002, we were advised by BlueCross BlueShield Association that it had issued a Notification of Resolution to BCBS of North Carolina in late March, wherein the Association awarded $419,000 to the plan for service charges earned for its claims performance during the contract year 2000. The Association also ordered the plan to return $88,000 of that amount to the FEHBP as compensation for service charges for which the plan was not entitled based on these claims processing irregularities. The claims processing supervisor responsible for this egregious activity was ordered removed from his position by the Association. Retirement Fraud and Special Investigations As previously stated, in accordance with our mission to prevent and detect fraud, OIG special agents routinely review CSRS annuity records for indications of unusual circumstances. For example, using excessive annuitant age as an indication of potential fraud, our investigators attempt to contact the annuitants and determine if they are alive and still receiving their benefits. In addition, we receive inquiries from OPM program offices, other federal agencies and private citizens that prompt us to investigate cases of potential retirement fraud or alleged misconduct by OPM employees and contractors. Below are the summaries of two cases we completed during this reporting period that illustrate the type of vigilance necessary to combat federal annuity fraud. CSRS Annuitant's Daughter Involved in Annuity Fraud On April 3, 2001, the Office of Inspector General at the Social Security Administration (SSA) notified us of an investigation it was conducting against the daughter of a Social Security beneficiary, residing in Allegheny County, Pennsylvania. That SSA investigation revealed that the daughter had failed to notify the SSA of her mother's death in 1992, and continued to receive her mother's benefits until the fraud was confirmed by the SSA OIG investigation. Those illegally obtained SSA benefits totaled $24,723. Our own investigation disclosed that, in addition to receiving SSA benefits, the mother was also a Civil Service Retirement System (CSRS) annuitant. CSRS benefits after the mother's death totaled $114,479 through April 2001 when OPM ceased making payments electronically to her bank in Pittsburgh, Pennsylvania. The daughter shared this account with her mother and was able to access these funds without notice. On October 17, 2001, the daughter was indicted by a federal grand jury in Pittsburgh, Pennsylvania, on one count of stealing government funds and two counts of making false statements. On March 27, 2002, she was sentenced to 12 months and 1 day in prison, with three year's supervised probation. She was also ordered to make full restitution to the Civil Service Retirement Fund and to the Social Security Administration. Annuitant's Son Convicted of Defrauding CSRS Our office concluded a case during the reporting period involving the son of a deceased survivor annuitant who for many years had received funds intended for his deceased mother. Table 1: Investigative Highlights Judicial Actions: Arrests total 2 Indictments total 3 Convictions total 5 Administrative Actions total 0 Judicial Recoveries: Fines, Penalties, Restitutions and Settlements total $511,460 Administrative Recoveries: Settlements and Restitutions total $311,664 Total Funds Recovered $823,124 INVESTIGATIVE ACTIVITIES Table 2: Hotline Calls and Complaint Activity Retirement and Special Investigations Hotline and Complaint Activity: Retained for Investigation total 20 Referred to: OIG Office of Audits total 1 OPM Groups and Offices . total 65 Other Federal Agencies total 45 Grand Total 131 Health Care Fraud Hotline and Complaint Activity: Retained for Investigation 113 Referred to: OPM Groups and Offices 63 Other Federal/State Agencies 53 Health Insurance Carriers or Providers 62 Total 291 Total Contacts 422 This investigation began in January 1999, based on a referral from OPM's Retirement and Insurance Service. Our investigation disclosed that the mother, who was a survivor annuitant living in Baton Rouge, Louisiana, had died on December 17, 1983, but her death had gone unreported by the family. In addition to her own survivor benefits, the mother was also receiving survivor disability benefits from OPM on behalf of another son, who resided with her. This son, mentally retarded from birth, died on December 19, 1994, at the age of 42. His death also went unreported to OPM. The remaining son, a resident of Woodstock, Georgia, had a joint bank account with his mother at the First Bank and Trust in New Orleans, Louisiana. The monthly survivor annuity checks and the disability checks were deposited into that account. As a result, he was able to access the account and defraud the CSRS trust fund of $141,117. On February 15, 2002, a federal grand jury in Baton Rouge, Louisiana, indicted the son for theft of government funds. He pleaded guilty to this charge on April 25, 2002, and was sentenced in July in U.S. District Court, in Baton Rouge, to five years. The information we receive on our OIG hotlines is generally concerned with FEHBP health care fraud, retirement fraud and other complaints that may warrant special investigations. Our office receives inquiries from the general public, OPM employees, contractors and others interested in reporting waste, fraud and abuse within the agency. In addition to hotline callers, we receive information from individuals through the mail or who appear in our office. Those who report information can do so openly, anonymously and confidentially without fear of reprisal. Retirement Fraud and Special Investigations The Retirement and Special Investigations hotline provides the same assistance as traditional OIG hotlines in that it is used for reporting waste, fraud and abuse within the agency and its programs. The Retirement and Special Investigations hotline and complaint activity for this reporting period included 25 telephone calls, 74 letters, 9 agency referrals, 3 walk-ins, and 20 complaints initiated by the OIG, for a total of 131. Our administrative monetary recoveries resulting from retirement and special investigation complaints totaled $1,236,742. Health Care Fraud The primary reason for establishing an OIG hotline was to handle complaints from subscribers in the Federal Employees Health Benefits Program administered by our agency. The hotline number is listed in the brochures for all the health insurance plans associated with the FEHBP. While the hotline was designed to provide an avenue to report fraud committed by subscribers, health care providers or FEHBP carriers, frequently callers have requested assistance with disputed claims and services disallowed by the carriers. Each caller receives a follow-up call or letter from either the OIG hotline coordinator, the insurance carrier or another OPM office as appropriate. The Health Care Fraud hotline and complaint activity for this reporting period involved 155 telephone calls and 136 letters, for a total of 291. During this period, the administrative monetary recoveries pertaining to health care fraud complaints totaled $311,664. OIG-Initiated Complaints As illustrated earlier in this section, we respond to complaints reported to our office by individuals, government entities at the federal, state and local levels, as well as FEHBP health care insurance carriers and their subscribers. We also initiate our own inquiries as a means to respond effectively to allegations involving fraud, abuse, integrity issues and, occasionally, malfeasance. Our office will initiate an investigation if complaints and inquiries can be substantiated. An example of a specific type of complaint that our office will initiate involves retirement fraud. This might occur when our agency has already received information indicating an overpayment to an annuitant has been made. At that point, our review would determine whether there were sufficient grounds to justify our involvement due to the potential for fraud. There were 43 such complaints associated with agency inquiries during this reporting period. Another example of an OIG-initiated complaint occurs when we review the agency's automated annuity records system for certain items that may indicate a potential for fraud. If we uncover some of these indicators, we initiate personal contact with the annuitant to determine if further investigation is warranted. We believe that these OIG initiatives complement our hotline and outside complaint sources to ensure that our office can continue to be effective in its role to guard against and identify instances of fraud, waste and abuse. Appendices I through VI are available upon request.