NOT FOR REPRODUCTION OR RELEASE PRIOR TO OFFICIAL TRANSMITTAL TO CONGRESS

Office of the Inspector General
SEMIANNUAL REPORT TO CONGRESS
April 1, 2003 - September 30, 2003
U.S. Office of Personnel Management
OIG-SAR-29
October 2003

October 31, 2003

Honorable Kay Coles James
Director
U.S. Office of Personnel Management
Washington, D.C. 20415

Dear Mrs. James:

I respectfully submit the Office of the Inspector General's Semiannual Report to Congress for the period April 1, 2003 to September 30, 2003. This report describes our office's activities during the past six-month reporting period.

Should you have any questions about the report or any other matter of concern, please do not hesitate to call upon me for assistance.

Sincerely,
Patrick E. McFarland
Inspector General

Table of Contents

Foreword ... I
Productivity Indicators ... iii
Statutory and Regulatory Review ... 1
Audit Activities ... 7
    Health and Life Insurance Carrier Audits ... 7
    Information Systems Audits ... 24
    Other External Audits ... 32
    OPM Internal Audits ... 34
Investigative Activities ... 43
    Health Care-Related Fraud and Abuse ... 44
    Retirement Fraud and Special Investigations ... 47
    OIG Hotlines and Complaint Activity ... 49
Index of Reporting Requirements ... 53
Appendix I: Final Reports Issued With Questioned Costs ... 55
Appendix II: Final Reports Issued With Recommendations for Better Use of Funds ... 56
Appendix III-A: Insurance Audit Reports Issued (Standard Audits) ... 57
Appendix III-B: Insurance Audit Reports Issued (Rate Reconciliation Audits) ... 60
Appendix IV: Internal Audit Reports Issued ... 62
Appendix V: Information Systems Audit Reports Issued ... 63
Investigations Tables
    Table 1: Investigative Highlights ... 52
    Table 2: Hotline Calls and Complaint Activity ... 52

Foreword

The year 2003 marks the 25th anniversary of the passage of the Inspector General Act of 1978. During this time, the inspector general concept, which was disfavored and even actively opposed by virtually every federal agency in 1978, has become an accepted and valued means of protecting the integrity and improving the effectiveness of federal programs. From its controversial and rather modest beginnings, the Inspector General community has established an exceptional government-wide record of accomplishments and has demonstrated emphatically the importance of an independent voice in addressing problems that detract from the performance of federal programs.

The principal shortcomings that the Inspector General Act was designed to address included:

- Fragmented audit units controlled by the entities being audited.
- Lack of an investigative or law enforcement presence in regard to most programs.
- Absence of controls in substantial program areas involving payment of large amounts of funds.

Our OPM Inspector General office came into being as a statutory body as part of the Inspector General Amendments Act of 1988. Our own experiences at the beginning of our operations largely mirrored those of our colleagues. For example, when the 1988 IG legislation was passed, we found that there was no independent or unified audit capability in OPM, and that the audit units that did exist had been understaffed and underfunded for many years. Further, there was literally no capability within the agency to investigate wrongdoing that affected OPM's programs, whether the violations came from within OPM itself, employees of other agencies, contractors or payees of OPM programs.
In particular, the agency considered the activities of health care providers, the ultimate recipients of most funds paid out by the Federal Employees Health Benefits Program, to be utterly outside of its jurisdiction.

Today, due to the talent and commitment displayed by OIG staff throughout our existence, we are implementing the IG Act's objectives in our everyday work. For example:

- Our auditors provide or oversee audit services meeting all professional standards for independence and quality encompassing all OPM programs and activities.
- Over $1 billion of inappropriate, wrongful or fraudulent payments have been recovered by OPM as the result of our OIG activities.
- OIG special agents, now possessing full authority as federal law enforcement officials, protect the integrity of all OPM programs.

In partnership with federal law enforcement task forces, OIG has identified wrongdoing by health care providers as an especially serious problem affecting the integrity of the FEHBP. We are focusing our attention in this area through criminal investigations as well as administrative sanctions against violators.

As noted in this semiannual report, our office, as well as the IG community as a whole, is continuing to improve the quality, effectiveness, efficiency and integrity of our work. Our progress in several such areas is noted in this report, including:

- Increasingly sophisticated information systems audits.
- Indictments and convictions of health care providers who have committed serious violations against the FEHBP, putting the health care of enrollees at risk as well.
- Implementation of new, more effective administrative sanctions authorities against untrustworthy health care providers.

In the 25-year history of the IG Act, many Inspectors General and their agency heads have come into conflict on various issues.
In this regard, I am especially pleased to note our office's accomplishments have always been achieved in the context of a constructive relationship with our agency's top management, yet with a strict adherence to the concept of independence upon which the IG Act was based. While committed to carrying out our responsibilities as defined in this historic legislation, we will do so in a manner that furthers the goals and mission of OPM.

Productivity Indicators

FINANCIAL IMPACT:

Audit Recommendations for Recovery of Funds ... $28,179,715
Recoveries Through Investigative Actions ... $433,053
Management Commitments to Recover Funds ... $28,352,282

Note: OPM management commitments for recovery of funds during this reporting period reflect amounts covering current and past reporting period audit recommendations.

ACCOMPLISHMENTS:

Audit Reports Issued ... 39
Investigative Cases Closed ... 13
Indictments ... 4
Convictions ... 7
Hotline Contacts and Complaint Activity ... 548
Health Care Provider Debarments and Suspensions ... 1,605
Health Care Provider Debarment and Suspension Inquiries ... 1,222

Statutory and Regulatory Review

While we had no significant legislation relating to the Inspector General community to consider in this reporting period, we did make significant gains in initiating original cases under our administrative sanctions authority. As reported in our last semiannual report, earlier this year we issued final regulations implementing our agency's administrative sanctions authority under P.L. 105-266, the Federal Employees Health Care Protection Act of 1998.
Another set of sanctions regulations addressing the civil monetary provisions of this law was prepared in final form during the reporting period, and advanced through the OPM clearance process preparatory to final clearance by OPM Director James. Our work on these regulations is described in an article on page 6.

The next few pages are devoted to our ongoing efforts and successes in using this important enforcement tool to combat health care fraud and abuse on behalf of the approximately nine million current and former federal civilian employees and their families who receive their health care under the Federal Employees Health Benefits Program (FEHBP) administered by this agency.

Administrative Sanctions Activities

As commented on in our most recent semiannual report, OPM issued regulations implementing the debarment and suspension provisions of Public Law 105-266, the Federal Employees Health Care Protection Act of 1998, in final form in the Federal Register on February 3, 2003. During the current reporting period, our office used this authority exclusively in issuing debarments and suspensions in lieu of the government-wide Nonprocurement Suspension and Debarment Common Rule (common rule), which we had been using since 1993. We issued 1,605 debarments and suspensions during the period.

FEHBP Administrative Sanctions Operating Under New Regulations

In line with our expectations, we found that these new sanctions regulations afforded, in most cases, a more efficient and focused approach to suspension and debarment of health care providers than the common rule.

A debarment is an administrative sanction action against a health care provider that precludes a provider from participating in the FEHBP--receiving a direct or indirect payment of FEHBP funds--for a specific period of time, based on a violation of one of the 18 grounds for debarment established by the FEHBP provider sanctions statute.
Providers include licensed doctors, nurses, health care facilities, and health care supply companies. Debarments are imposed only after appropriate administrative due process, including notice and an opportunity for a hearing.

A suspension excludes a provider to the same extent as a debarment, but becomes effective immediately upon issuance of notice by the suspending official. In our office, that person is the debarring official. Suspensions are for limited periods of time, pending the outcome of an investigation or judicial action. Suspensions are appropriate only when a provider poses a risk to the FEHBP or its enrollees.

Although we are no longer issuing new suspensions or debarments under the common rule, we still use it to administer the approximately 23,000 active debarments we issued between May 1993 and February 2003.

Two cases in which we used the new regulations to issue administrative sanctions--a suspension in one and a debarment in the other--are described in the following articles.

OIG Debarring Official Issues 1,605 Debarments and Suspensions Using New Sanctions Regulations

Neurologist and Spouse Suspended After Indictment on Fraud and Conspiracy Counts

As reported on pages 46-47, our Office of Investigations participated in a criminal investigation that led to the indictment of a Northern Virginia neurologist and his wife on charges of conspiracy and multiple counts of health care fraud. The doctor was the owner of two health care clinics, specializing in neurological services, and the wife was the office manager at both.

The indictment was handed down on September 11, 2003, and the next day this case was referred to our administrative sanctions staff for consideration of appropriate administrative action. We initially determined that debarment would not be feasible because no final judicial, administrative or law enforcement action had taken place.
However, under our new sanctions regulations, evidence of the following circumstances permits us to review cases to see if a suspension might be warranted:

- Substantial and reliable evidence that the provider committed a violation for which he could be debarred.
- Provider has been a participant or may be expected to participate in the FEHBP.
- Suspending official concludes that immediate action to exclude the provider is warranted because of risk or threat posed to the FEHBP or its enrollees.

In this particular case, these three criteria were clearly met and are discussed in more detail below.

First, we noted the indictment involving the neurologist and his wife represented a finding by a grand jury that there was probable cause to believe felony offenses associated with health care services had been committed. If convicted of any of the offenses with which they had been charged, the doctor and his wife would be subject to mandatory debarment from the FEHBP.

Second, court records substantiated that the neurologist had been an FEHBP participant, and that several of the health care fraud counts in the indictment related to claims the neurologist had filed with FEHBP carriers.

Finally, the provider created a health risk for FEHBP patients by placing in their medical files, without the patients' knowledge, purported results of neurological tests and examinations that never took place. Subsequent reliance on these false records by other health care providers could result in incorrect diagnoses and inappropriate treatment of these patients, potentially placing these patients at serious risk.

We should point out that the doctor's spouse was also subject to debarment although she did not perform "hands on" health care services. Our regulatory definition of health care provider includes persons or entities who are involved either directly or indirectly in furnishing health care services.
This provision allows us to debar persons who assist or participate with direct providers in committing sanctionable violations. Indirect providers are often instrumental to the offenses. For example, the indictment of the neurologist's spouse for conspiracy to commit health care fraud provides adequate evidence, for purposes of suspension, that she actively participated in the actions that caused fraudulent claims to be submitted to FEHBP carriers and other federal health care programs. Court records specifically indicated that the wife, in her capacity as her husband's office manager, actually placed the false records in patient files or directed others to do so.

On these bases, our office suspended the neurologist and his spouse on September 29 for an indefinite period, pending final disposition of the criminal charges against them.

Physician and Spouse Suspended After Indictment for Fraud and Conspiracy

New Debarment Authority Application to Civil Settlements

Most of the sanctions actions we have reported in previous editions of our semiannual reports have been associated with criminal investigations and the resulting indictments, convictions or plea agreements. However, as reflected in the case discussed below, which was resolved during the current reporting period, the applicability of our statutory sanctions authority is by no means limited to criminal violations.

Provider and Clinic Debarred as Part of Civil Settlement

For a period of nearly two years, beginning in 2001, the U.S. Attorney's Office for the District of Alaska in Anchorage, Alaska, pursued a civil action against a nurse practitioner and the health care clinic that she owned and operated in the Anchorage area based on alleged false and wrongful billings to federal health care programs. In addition to a monetary settlement, the U.S.
Attorney concluded that appropriate protection of the government's interests required debarring the nurse practitioner and her clinic from further participation in federal health-related programs. However, in contrast to criminal or civil cases, where the U.S. Department of Justice has full authority in representing the interests of federal agencies to pursue, settle, compromise or terminate litigation, administrative sanctions are exclusively within the authority of the agencies whose interests are affected. This being the case, during the reporting period, the U.S. Attorney in Anchorage asked our office, as well as the debarring official for the Medicare and Medicaid programs under the Department of Health and Human Services (HHS), to authorize a period of debarment for both the provider and her clinic as part of a final settlement of this case. Thus, effective in May 2003, we debarred the provider and her clinic for a period of eight years under a provision of our regulations authorizing debarment for improper billing practices. The same debarment period was imposed by the HHS OIG debarring official on behalf of the Medicare and Medicaid programs. The length of debarment imposed in this case highlights the effect of the interplay between the legal system and the sanctions process. If we had debarred this provider outside the framework of the universal settlement agreement, our regulatory guidelines for setting the length of debarment would have yielded a much shorter period than was ultimately imposed. Not only that, but the provider would have had the right to contest the length of the sanction. However, the provider agreed to an eight-year debarment as part of the overall settlement of the case, so that we did not need to apply our regulatory formulas regarding administrative procedures or length of debarment, respectively, in this case. 
Nurse and Clinic Debarred for Eight Years as Part of Civil Settlement

Other Administrative Sanctions Activities

During the current reporting period, our OIG administrative sanctions staff began reporting debarments resulting from original OIG work to the National Practitioner Data Bank and Healthcare Integrity and Protection Data Bank (NPDB-HIPDB). By original work, we mean casework wherein our OIG is the first federal agency to issue an administrative sanction against a health care provider.

Sanctions Reported to Government-wide Databases

These NPDB-HIPDB databases, operated by the Department of Health and Human Services, are designed to share information reflecting on the professional fitness and responsibility of health care providers among law enforcement organizations, governmental regulatory bodies, organizations that employ providers, and health insurance carriers nationwide.

Since 1993, OIG has also been reporting all of its debarment and suspension actions to the Excluded Parties List System, known colloquially as the "GSA List." This system is publicly available on the Internet and contains information on all administrative sanctions issued by all federal agencies. The information covers a wide range of actions, such as contracts, grants, loan programs, insurance payments, scholarships, and other federal subsidies and assistance.

Both the specialized NPDB-HIPDB databanks and the more universal GSA List reflect federal law and policies that promote increasingly more extensive dissemination of data on debarments to agencies, interested parties and the public. Based on our own experience and statements by other agencies, we believe that private-sector entities are also expanding their use of federal debarment information as a factor in making decisions about contracts and employment.
Federal Law and Policy Promote Increased Dissemination of Sanctions Data

Government-Wide Informational Responsibilities

The factors creating government-wide informational responsibilities give rise to a significant workload for every agency that issues administrative sanctions. In OIG, because of the large numbers of health care providers we have debarred under the common rule since 1993, and which we continue to debar under our new regulations, we receive a particularly high volume of inquiries from other agencies, health insurance carriers and the public. For example, we responded to 1,222 such inquiries during the current reporting period, and 2,741 during the past year. Beginning in this edition of the semiannual report, we are recognizing this workload by including it in the table of Productivity Indicators at the beginning of this report.

Debarment-Related Inquiry Workload Grows

Financial Sanctions Regulations Update

As noted in the introduction to this portion of the Statutory and Regulatory Review section, the public comment period for our proposed financial sanctions regulations published in the Federal Register in February 2003 closed during the current reporting period. These regulations will implement those provisions contained in P.L. 105-266 that authorize OPM to impose civil monetary penalties and monetary assessments against providers who have submitted false, fraudulent or otherwise wrongful claims to FEHBP carriers. The financial sanctions are intended to deter claims-related misconduct by providers against FEHBP and to permit OPM to recover, through administrative action, its costs and monetary losses attributable to provider violations.

We received comments from interested individuals, as well as insurance carriers and an insurance industry association. Most of these involved suggestions to simplify the regulatory language. We did, in fact, rewrite many sections of the proposed regulations to clarify their meaning.
Overall, our changes shortened the regulations. We declined to accept a suggestion from the industry group that would have modified the way in which carriers could charge FEHBP funds for costs they incur related to health care provider fraud, because cost rules for FEHBP contracts are governed by the Federal Employees Health Benefits Acquisition Regulation.

These regulations, as revised, are now going through final clearance in OPM prior to approval by the U.S. Office of Management and Budget and publication in the Federal Register. They will become effective immediately at that time.

Final Financial Sanctions Regulations in Clearance Process

Audit Activities

Health and Life Insurance Carrier Audits

The Office of Personnel Management (OPM) contracts with private-sector firms to underwrite and provide health and life insurance benefits to civilian federal employees, annuitants, and their dependents and survivors through the Federal Employees Health Benefits Program (FEHBP) and the Federal Employees' Group Life Insurance program (FEGLI). Our office is responsible for auditing these benefits program activities to ensure that these various insurance entities meet their contractual obligations with our agency.

Our audit universe contains approximately 250 audit sites, consisting of health insurance carriers, sponsors and underwriting organizations, as well as two life insurance carriers. The number of audit sites is subject to yearly fluctuations due to contracts not being renewed or because of plan mergers and acquisitions. Annual premium payments are in excess of $26.1 billion for this contract year.

The health insurance plans that our office is responsible for auditing are divided into two categories: community-rated and experience-rated. Within the first category are comprehensive medical plans, commonly referred to as health maintenance organizations (HMOs).
The second category consists of mostly fee-for-service plans, with the most popular among these being the various Blue Cross and Blue Shield health plans.

The critical difference between the categories stems from how premium rates are calculated. A community-rated carrier generally sets its subscription rates based on the average revenue needed to provide health benefits to each member of a group, whether that group is from the private or public sector. Rates established by an experience-rated plan reflect a given group's projected paid claims, administrative expenses and service charges for administering a specific group's contract. With respect to the Federal Employees Health Benefits Program (FEHBP), each experience-rated carrier must maintain a separate account for its federal contract, adjusting future premiums to reflect the FEHBP group enrollees' actual past use of benefits.

During the current reporting period, we issued 32 final reports on organizations participating in the FEHBP, 21 of which contain recommendations for monetary adjustments in the aggregate amount of $28.2 million due the FEHBP. Our OIG issued 203 reports and questioned $529.1 million in inappropriate charges to the FEHBP during the previous six semiannual reporting periods. We believe it is important to note the dollar significance resulting from our audits of FEHBP carriers and the monetary implications for the FEHBP trust fund. These audit results are reflected in the graph on the following page.

A complete listing of all health plan audit reports issued during this reporting period can be found in Appendices III-A, III-B, and V on pages 57-61 and 63, respectively.

The sections that immediately follow provide additional details concerning the two categories of health plans described on this page, along with audit summaries of significant final reports we issued within each category during the past six months.
Community-Rated Plans

Our community-rated HMO audit universe of FEHBP-participating plans covers approximately 150 rating areas throughout the country. Community-rated audits are designed to ensure that plans charge the appropriate premium rates in accordance with their respective contracts and applicable federal regulations.

We perform two types of community-rated audits. The first type is what we term a standard audit. With this type of audit, we look at premium rates after they have been finalized by OPM to ensure that the FEHBP received a fair market premium rate. In contrast, the second type of audit we perform is called a rate reconciliation audit. These audits, in addition to reviewing premium rates, also assist OPM on a real time basis as it adjusts and finalizes the rates for the contract year. Refer to pages 14 and 15 for a more detailed discussion of rate reconciliation audits and the benefits they provide.

The rates health plans charge the FEHBP are derived predominantly from two rating methodologies. The key rating factors for the first methodology (community rating by class) are the age and sex distribution of a group's enrollees. In contrast, the second methodology (adjusted community rating) is based on the projected use of benefits by a group using actual claims experience from a prior period of time adjusted for expected increases in medical costs. However, once a rate is set, it may not be adjusted to actual costs incurred.

The inability to adjust to actual costs, including administrative expenses, distinguishes community-rated plans from experience-rated plans. The latter category includes fee-for-service plans as well as experience-rated HMOs. See pages 15-23 for a detailed discussion on audits of experience-rated carriers.
The regulations governing the Federal Employees Health Benefits Program require each carrier to certify that the FEHBP is being offered rates equivalent to the rates given to the two groups closest in subscriber size to the FEHBP. It does this by submitting to OPM a certificate of accurate pricing.

The rates charged are set by the FEHBP-participating carrier, which is responsible for selecting the two appropriate groups. Should our auditors later determine that equivalent rates were not applied to the FEHBP, they will report a condition of defective pricing. The FEHBP is entitled to a downward rate adjustment to compensate for any overcharges resulting from this practice.

We issued 21 audit reports on community-rated plans during this reporting period. The reports contain recommendations for OPM's contracting officer to require the plans to return $16 million to the FEHBP. Eleven of these reports, containing $15.6 million in findings, relate to standard HMO audits. The remaining ten audits are HMO rate reconciliation audits (RRAs), with findings amounting to $413,000.

Below is a summary of two of the standard HMO audits, along with a discussion of the results of our RRA audits.

PacifiCare of Ohio in Cypress, California
Report No. 1C-R8-00-02-013
April 28, 2003

Our audit of PacifiCare of Ohio (PacifiCare) was conducted at PacifiCare's offices in Cypress, California, and covered contract years 1996 through 2000. During this period, PacifiCare provided comprehensive medical services to its members in the greater Cincinnati, Ohio and northern Kentucky areas. The FEHBP paid PacifiCare a total of $62.8 million in premiums from 1996 through 2000. PacifiCare of Ohio ended its participation in the FEHBP as of December 31, 2000, and subsequently ceased all business operations.

In conducting the audit, we found that PacifiCare overcharged the FEHBP a total of $2,977,027 for inappropriate health benefit charges in 1996 through 2000.
In addition, we determined that the FEHBP was due an additional $840,927 for lost investment income. Lost investment income represents the interest the FEHBP would have earned on the money the plan overcharged the FEHBP as a result of defective pricing. PacifiCare agreed that the FEHBP was overcharged but believes the amount is substantially less.

Inappropriate Health Benefit Charges Exceed $2.9 Million

Premium Rates

Our primary objectives in analyzing the premium rates the plan set for the FEHBP were to find out if:

- PacifiCare offered the FEHBP market price rates.
- The loadings to the FEHBP were reasonable and equitable. Note: A loading is the term used to define the cost for additional benefits purchased by a group to enhance the basic benefits package for its members.
- PacifiCare developed the premium rates in accordance with the laws and regulations governing the FEHBP.

Defective pricing. In contract years 1996, 1997 and 1998, the FEHBP did not receive a rate discount equivalent to the largest discount PacifiCare gave to one of the similarly sized subscriber groups. The largest discounts given to a similarly sized group in these years amounted to 13.96 percent, 19.64 percent and 2.59 percent, respectively. In contrast, the FEHBP got a discount of 10.98 percent in 1996, 18.8 percent in 1997 and none in 1998.

In the calculations used to develop the FEHBP's rates during these contract years, we also noted that PacifiCare included FEHBP annuitants age 65 and over, a majority of whom were covered by Medicare. Since these members were covered by Medicare, the cost to cover them was inherently lower than for members who were age 65 and older, still in the workforce and therefore not receiving Medicare.

For 1996 and 1997, we also found that the FEHBP was charged loadings for 12 benefits that were given to one of the similarly sized groups at no charge. These loadings were for such things as heart and liver transplants, kidney dialysis, and diabetic supplies.
In 1998, we removed benefit loadings from the FEHBP's rates regarding:

- Maternity length of stay.
- Mastectomy with inpatient stay.
- Office visit copay for pre- and post-natal visits.
- The covered drugs schedule.

We were unable to verify that the benefits received by the FEHBP were greater than the benefits included in the plan's standard benefits package.

We determined the FEHBP overcharges in 1996 through 1998 by recalculating the FEHBP rates. In recalculating the rates, we removed all FEHBP annuitants age 65 and older from the Medicare loading, eliminated inappropriate benefit loadings, and applied the largest discount given to a similarly sized subscriber group to the recalculated rates. Using the revised rates, we determined that the FEHBP was overcharged $971,101 in 1996; $643,502 in 1997; and $821,001 in 1998.

Our analysis of the FEHBP's 1999 rates revealed that the FEHBP was inappropriately charged a loading for the covered drugs schedule. As in 1998, we could not verify that the FEHBP benefits were greater than the benefits included in the plan's standard benefits package. The language in the drug schedule was the same in the FEHBP and standard benefit brochures. The overcharge for this loading amounted to $47,464.

Medicare loading. The removal of all annuitants age 65 and older from our calculation of the FEHBP rates resulted in lower rates. Removing all such annuitants assumes that those members are fully covered by Medicare. However, we knew that a portion of these members had no or partial coverage. Therefore, to be fair, our auditors calculated a Medicare loading due PacifiCare to account for the higher costs associated with members with less than full Medicare coverage. Based on a formula provided by OPM's Office of Actuaries, we developed a Medicare loading for each year and determined that PacifiCare was due $103,916 for 1996; $143,779 for 1997; and $106,733 for 1998.

PacifiCare Due $354,428 for Medicare Loading

Children's loading.
The FEHBP was overcharged a total of $461,328 for a children's loading in contract years 1996 through 2000. Because the FEHBP requires coverage of unmarried dependent children until their 22nd birthday, OPM allows carriers to calculate a loading to account for these members. However, the plan cannot take the loading if it uses a per-member per-month rate and group-specific family size in calculating group rates, and includes overage dependent children in calculating average family size for the FEHBP. In each of the contracted years covered by our audit, PacifiCare informed the FEHBP that it had included overage dependent children in determining family size. As a result, it was not entitled to the loading under its FEHBP contract.

Rating error. In contract year 2000, due to an error in the plan's rate proposal, the FEHBP was overcharged. PacifiCare recognized the error and corrected it when it reconciled its 2000 rates. However, because it was the last year PacifiCare of Ohio participated in the FEHBP, OPM did not process the rate reconciliation. Under FEHBP regulations, neither the government nor the plan is entitled to an adjustment for the difference between the estimated and actual market price. However, the regulations do not prohibit the FEHBP from collecting overcharges resulting from errors made in preparing the proposal. We, therefore, recommended that OPM's contracting officer require the plan to return $387,059 to the FEHBP for this rating error. A more detailed discussion of the FEHBP rate reconciliation process follows on pages 14-15.

Lost Investment Income

In accordance with the FEHBP contract with community-rated carriers and FEHBP regulations, the FEHBP is entitled to recover lost investment income on the defective pricing findings we identified in contract years 1996 through 1999. We calculated an additional $840,927 due the FEHBP for investment income it could have earned through December 31, 2002, had it not been for the overcharges.
Additional lost investment income is due for the period that began January 1, 2003, and until all questioned costs have been returned to the FEHBP.

Auditors Cite Lost Investment Income at $840,927

Group Health Plan, Inc. in St. Louis, Missouri
Report No. 1C-MM-00-02-050
August 18, 2003

Group Health Plan, Inc., began its participation in the FEHBP as a community-rated carrier in 1983. In 2000, Group Health merged its operations with Principal Health Care of St. Louis (PHC). Group Health provides comprehensive medical services to its members in the St. Louis, Missouri area and throughout the southern, eastern and central areas of Illinois.

The audit of the plan's FEHBP activities covered contract years 1997 through 2001. FEHBP premium payments to Group Health during this period approached $86.7 million. In conducting the audit, we determined that the FEHBP was overcharged $3,942,139 for inappropriate health benefit charges in 1997, 2000 and 2001. We calculated that an additional $524,126 was due for lost investment income as provided for under the plan's agreement with OPM. As mentioned in the previous audit summary, lost investment income represents interest that would have accrued to the FEHBP on the amount of the overcharges our auditors identified during the audit.

Group Health contends that the overcharges to the FEHBP were substantially less, citing $284,820 in overcharges to the FEHBP, plus lost investment income.

FEHBP Overcharges by Plan Total $3,942,139

Premium Rates

A primary objective of the audit was to ascertain if Group Health met its contractual obligation to provide the FEHBP the same premium rate discounts it gave to the two subscriber groups closest in size to the FEHBP. Another was to determine if specific health benefit premium charges not part of the plan's basic benefits package were fair and reasonable to the FEHBP.

Defective pricing.
In 2000, due to its merger with PHC, Group Health combined the revenue, enrollment, claims, and per-member per-month costs to develop the FEHBP rates. Our analysis of the FEHBP's rate development showed that the plan used a higher claims experience amount in its calculations than it was able to support with acceptable documentation. Group Health could only support $12.2 million of the $13.2 million it used in the rate calculation. In addition, the FEHBP was not given full credit for an adjustment related to the merger of the two plans that was included in the FEHBP rate proposal. After redeveloping the FEHBP rates by making the above adjustments, we determined that the FEHBP was overcharged $2,978,344. In 2001, the FEHBP did not receive a discount equivalent to the largest discount given to one of the two groups closest in size to the FEHBP. Our review showed that one group selected by Group Health was not appropriate and that another group closer in size to the FEHBP should have been selected. Our analysis of the correct group's rates showed that it received a 2.29 percent discount. The other appropriate group did not receive a discount. To determine if the FEHBP had been overcharged, we applied the 2.29 percent discount to the FEHBP's audited rates and found that an overcharge amounting to $917,031 had occurred. Extension of coverage loading. This loading is designed to cover the plan's cost for providing benefits to individuals whose employment with the federal government has ended and they are no longer eligible to receive FEHBP benefits. This type of coverage continues for 31 days after employment ends. The auditors found that Group Health inappropriately charged the FEHBP for an extension of coverage loading in 1997. Since the plan used an adjusted community rating methodology to develop its rates, the costs related to extension of coverage were already included in the FEHBP's claims experience. 
Based on these facts, the loading was unnecessary as well as inappropriate. The FEHBP was charged $46,764 for this loading.

Lost Investment Income

Consistent with the FEHBP contract and regulations, the FEHBP is entitled to lost investment income on the defective pricing findings identified in 2000 and 2001. We determined that the FEHBP was due $524,126 for lost investment income covering the period 2000 through 2002. The FEHBP is also entitled to additional lost investment income for the period beginning January 1, 2003, until all questioned costs have been returned to the FEHBP.

FEHBP Due $524,126 in Lost Investment Income

HMO Rate Reconciliation Audits

Each community-rated plan must submit by May 31 of each year the rates it proposes to charge beginning in January of the following year, seven months before the rates for the new contract year take effect. Because the rates have to be submitted so early, some of the data the plans use to develop their rates is based on estimated or preliminary information. Because of this, OPM subsequently allows plans to submit revised rates during the year that the contract is in effect through what is known as a rate reconciliation. Under no circumstances does this process affect the rates charged subscribers during the year. These revised rates, however, may have an impact on the rates charged the following year.

Our office performs rate reconciliation audits (RRAs) to ensure that any adjustments to the revised contract rates are not flawed. During this contract year, we conducted ten RRAs. A complete listing of RRA reports we issued during the reporting period appears in Appendix III-B, pages 60-61.

RRAs Beneficial to Plans and OPM

To illustrate how this process works, this past May, community-rated plans submitted their proposed rates for the 2004 contract year to OPM. Following negotiations between OPM and the plans, the new contract rates were approved.
Subscribers will begin paying premiums in January 2004 based on these rates. Changes made to the 2003 rates as a result of the reconciliation process may have been factored into the 2004 rates.

As mentioned, the reconciliation process allows plans to adjust their original rate submissions based on more up-to-date information developed by the plans months later. For example, in reviewing the 2003 contract rates, if OPM determined that the rates charged to subscribers were too high, it may have lowered the 2004 rates to compensate for the 2003 overcharge. It could also have a particular plan repay the amount of the overcharge directly to the FEHBP. If the reconciliation showed that the rates were too low, OPM is obligated to compensate those plans, usually from FEHBP funds maintained in a contingency reserve fund. In every case, the course of action taken depends on the circumstances relating to an individual plan.

Rate reconciliation audits take place between the months of May and July each year. In addition to helping OPM obtain the best premium rates for federal civilian employees, retirees and their families, OPM and participating community-rated plans derive other significant benefits as follows:

Rating data is reviewed shortly after it is produced when both the plan records and staff who prepared the reconciliation are usually readily available to assist in providing information needed for the audit and the subsequent resolution of any audit issues that may arise.
Representatives from OPM's Office of Actuaries and plan officials receive almost immediate feedback relating to our audit results.
Audit resolution process begins immediately, thus benefitting the plans and OPM through timely resolution of audit issues.
RRAs reduce any uncertainty plans might have regarding any future liabilities resulting from a post-award audit, including the potential for interest accruals that occur with standard audits covering several contract years at one time.
Our audit of Group Health Cooperative HMO of South Central Wisconsin, Inc., (Group Health) provides a good example of the results of a typical RRA audit. This community-rated plan is located in Madison, Wisconsin. In conducting the Group Health audit, we reviewed the plan's reconciliation of the rates it charged the FEHBP under its 2003 contract. We found that one of the similarly sized subscriber groups selected by Group Health was not appropriate. Another group was actually closer in size to the FEHBP. Further review showed that this group received a discount that was not given to the FEHBP. After adjusting the FEHBP rates, we determined that the FEHBP was overcharged $182,567. We reported this overcharge to OPM, so that it could take this into consideration in determining Group Health's final rates for 2003.

Experience-Rated Plans

The Federal Employees Health Benefits Program offers a variety of experience-rated plans, including fee-for-service plans, which constitute the majority of federal contracts in this plan category. Also included are employee organization plans that sponsor or operate health benefits plans. Certain comprehensive medical plans qualify as experience-rated HMOs rather than community-rated plans. For an overview of these rating categories and how they differ, refer to page 7 at the beginning of the Audit Activities section.

The universe of experience-rated plans currently consists of approximately 100 audit sites. When auditing these plans, our auditors generally focus on three key areas:

Appropriateness of contract charges and the recovery of applicable credits, including refunds, on behalf of the FEHBP.
Effectiveness of carriers' claims processing, financial and cost accounting systems.
Adequacy of internal controls to ensure proper contract charges and benefit payments.

During this reporting period, we issued ten audit reports on experience-rated plans.
These audits consisted of six Blue Cross and Blue Shield plans and four employee organization plans. We did not issue any final reports for experience-rated comprehensive medical plans during the reporting period.

In these reports, our auditors recommended that OPM's contracting officer require the plans to return $12.2 million in inappropriate charges and lost investment income to the FEHBP related to these disallowed charges. Lost investment income represents those monies (interest) the FEHBP would have earned on these inappropriate charges.

A brief description of these three experience-rated plan types can be found on the following pages, along with an audit summary from the two plan categories for which we issued reports. These summaries include key findings typical, for the most part, of our audit results.

BlueCross BlueShield Service Benefit Plan

This plan is a fee-for-service plan, administered by the BlueCross BlueShield Association (BCBS Association), which contracts with our agency on behalf of its numerous BCBS member plans across the country. Participating Blue Cross and Blue Shield plans throughout the United States independently underwrite and process the health benefits claims of their respective federal subscribers under the BCBS Service Benefit Plan, and report their activities to the national BCBS operations center in the Washington, D.C. area. Approximately 53 percent of all FEHBP subscribers are enrolled in Blue Cross and Blue Shield plans nationwide.

While the BCBS Association's headquarters are in Chicago, Illinois, its Federal Employee Program (FEP) Director's Office is in Washington, D.C., and provides centralized management for the BCBS Service Benefit Plan. The BCBS Association, through its Washington office, oversees a national FEP operations center, whose activities include:

Verifying subscriber eligibility.
Approving or disapproving reimbursement of local plan FEHBP claims payments (using computerized system edits).
Maintaining an FEHBP claims history file and an accounting of all FEHBP funds.

As cited earlier, we issued six Blue Cross and Blue Shield experience-rated reports during the reporting period. Our auditors noted $3,891,802 in questionable contract costs charged to the FEHBP and an additional $68,497 in lost investment income (interest) on these questioned costs, totaling $3,960,299 owed to the FEHBP. The following narrative describes the major findings from one of these BCBS reports.

BlueCross BlueShield of North Carolina in Durham, North Carolina
Report No. 1A-10-33-02-008
May 14, 2003

Our audit of the FEHBP operations at BlueCross BlueShield of North Carolina (BCBS of North Carolina) took place at the plan's offices in Durham, North Carolina. We reviewed health benefit payments made by the plan from contract years 1998 through 2001, as well as administrative expenses, miscellaneous payments and credits, and cash management. In performing this audit, our major objective was to determine whether the plan charged costs to the FEHBP and provided services to FEHBP members in accordance with the terms of the contract.

Our auditors found that BCBS of North Carolina inappropriately charged $2,759,261 in health benefit charges and $445,663 in administrative charges to the FEHBP. The plan's cash management practices, however, were in accordance with its FEHBP contract and applicable laws and regulations.

As discussed elsewhere in this report, lost investment income represents interest the FEHBP would have earned on the questioned costs. In this instance, lost investment income for all inappropriate charges totaled $61,259. In adding this figure to the questioned costs, our auditors determined that the plan owed the FEHBP $3,266,183. Below is a brief discussion of how our auditors arrived at these totals.

Health Benefits

From 1998 through 2001, BCBS of North Carolina paid $533 million in actual FEHBP claim payments.
In conducting our audit, we reviewed claim payments for proper pricing and payment, coordination of benefits with Medicare, and potential duplicate payments. We also reviewed specific financial and accounting areas, such as refunds, and other miscellaneous credits relating to FEHBP claim payments. Some of our significant health benefit findings are summarized below. Coordination of benefits. When claims are submitted for payment to a plan, it must coordinate benefits with Medicare before incurring unnecessary claims costs to the FEHBP. However, during the period 1998 through 2001, we noted BCBS of North Carolina failed to do this in association with 592 hospital, skilled nursing facility, hospice, and home health care claim payments, along with 5,600 physician claim payments. As a result, the FEHBP paid as primary insurer when Medicare Parts A or B should have picked up the claim costs, totaling $1,912,680. The shadow box below provides some basic information regarding Medicare Parts A and B coverage. Medicare Part A helps pay for care in hospitals, skilled nursing facilities, hospices and some home health care. Medicare Part B helps pay for doctors, outpatient hospital care, and some other medical services that Part A does not cover, such as services of physical and occupational therapists and some home health care services. Part B also helps pay for covered doctor services that are medically necessary. The Medicare program is administered by the Centers for Medicare and Medicaid Services, an agency within the Department of Health and Human Services. We recommended that the contracting officer disallow the uncoordinated claim payments we noted and instruct BCBS of North Carolina to make a diligent effort to recover the overpayments, crediting all amounts recovered to the FEHBP. Lack of COB Compliance Costs FEHBP $1,912,680 Payment errors from sampling. 
During the period January 1, 1998 through December 31, 2001, we selected multiple samples of claims for the purpose of determining if BCBS of North Carolina had paid claims properly. As a result of these claim sample reviews, our auditors identified 122 claim payment errors, resulting in overcharges of $705,660 to the FEHBP. A large number of these errors--39 claims totaling $341,741--related to provider billing errors. In each instance, the provider billed BCBS of North Carolina twice for claims under one admission. This oversight caused BCBS of North Carolina to pay two claims when only one claim should have been paid for that admission. Consequently, we recommended that our agency's contracting officer disallow the claims paid in error and instruct BCBS of North Carolina to make a diligent effort to recover the overpayments, crediting all amounts recovered to the FEHBP. Auditors Determine Incorrect Payments to Health Care Providers Total $705,660 Administrative Expenses Under its contract, BCBS of North Carolina was allowed to charge the FEHBP certain expenses to administer the contract. These included such items as salaries, employee benefits, rent and other expenses incurred. These expenses are charged to the FEHBP proportionately, and sometimes exclusively, in relationship to the number of hours and employees necessary to take care of its FEHBP-related work on a daily basis. For contract years 1998-2001, BCBS of North Carolina charged the FEHBP $32 million in administrative expenses. Of this amount, we determined $445,663 of these expenses were not allowable. The most significant overcharge to the FEHBP was for pension cost overcharges in the amount of $287,977. Pension costs. BCBS of North Carolina is allowed to charge the FEHBP for pension costs related to its employee pension plan under certain specific financial conditions. 
Our auditors reviewed the plan's pension plan for 1998 through 2001, and noted that pension assets were greater than its liabilities during that period. This meant that the pension plan was considered fully funded for those contract years. Based on our reading of the pertinent federal regulations, when a pension plan is fully funded, there is no liability to the pension plan, and therefore no cost can be assigned to the FEHBP during those periods.

Our auditors determined that BCBS of North Carolina incorrectly charged pension costs to the FEHBP for contract years 1998 and 1999, but not for contract years 2000 and 2001. The amount of the overcharge to the FEHBP was $165,017 and $122,960, respectively, for the years in question. We recommended that OPM's contracting officer disallow pension costs to the FEHBP in the amount of $287,977 for those contract years. The BCBS Association has this finding under review.

Plan Owes FEHBP $287,977 in Pension Cost Overcharges

Employee Organization Plans

Employee organization plans also fall into the category of experience-rated. These plans either operate or sponsor participating federal health benefits programs. As fee-for-service plans, they allow members to obtain treatment through facilities or providers of their choice.

The largest types of employee organizations are federal employee unions and associations. Some examples are: the American Postal Workers Union, the National Association of Letter Carriers, the Government Employees Hospital Association, and the Special Agents Mutual Benefit Association.

During the reporting period, we issued four employee organization plan audit reports. Three of these reports related to the Mutual of Omaha Insurance Company as underwriter for the Rural Carrier Benefit Plan, the Foreign Service Benefit Plan and the Association Benefit Plan, respectively. The remaining report covered claim operations at the National Association of Letter Carriers Health Plan.
A summary of two of these reports and our major audit findings follow.

Mutual of Omaha Insurance Company as Underwriter for the Rural Carrier Benefit Plan in Omaha, Nebraska
Report No. 1B-38-07-02-045
July 7, 2003

The Rural Carrier Benefit Plan is an employee organization plan underwritten by Mutual of Omaha Insurance Company (Mutual of Omaha), whose headquarters are located in Omaha, Nebraska. Enrollment in this fee-for-service plan is open to federal employees and annuitants who are members of the National Rural Letter Carriers' Association. As of December 31, 2001, membership totaled approximately 42,000 federal enrollees.

Our audit covered contract years 1998 through 2000. In performing this audit, we wanted to determine whether Mutual of Omaha charged costs to the FEHBP and provided services to FEHBP members in accordance with the terms of its contract. We reviewed administrative expenses, miscellaneous health benefit credits and cash management for 1998 through 2000. We also reviewed miscellaneous health benefit payments for 1999 through 2001.

Under this limited scope audit, we found no irregularities in charges to the FEHBP regarding cash management or miscellaneous health benefit credits. However, under administrative expenses, we noted significant overcharges under the category of cost containment for contract years 1998 through 2000. Consequently, we made the decision to extend the scope of this audit to include cost containment activities by the plan for contract years 1997 and 2001.

As a result, our auditors questioned $5,066,333 in unallowable charges for administrative expenses charged to the FEHBP, and calculated an additional amount of $971,655 for lost investment income (interest) on these charges, since this money was not otherwise available to the FEHBP for investment purposes. Our final calculations totaled $6,037,988 owed to the FEHBP.
Auditors Note FEHBP Owed $6,037,988 in Inappropriate Charges

Administrative Expenses

For contract years 1998 through 2000, Mutual of Omaha as the underwriter for this plan charged the FEHBP $35.6 million in administrative expenses. As previously stated, during our review of administrative expenses, we identified significant overcharges pertaining to cost containment.

Cost containment encompasses those activities undertaken by the plan to reduce health benefit expenses to the FEHBP and its federal subscribers. These charges include outside vendor costs as well as the company's in-house administrative fees.

Having expanded the scope of our audit to examine cost containment charges for contract years 1997 and 2001, we made the following determinations:

Mutual of Omaha's in-house administrative fees were not based on actual costs.
The company had insufficient documentation to support all the cost containment charges for the years we audited.

Specifically, Mutual of Omaha charged the FEHBP $12,733,175 for cost containment from 1997 through 2001, but could only support $7,685,124 in its cost accounting system. We therefore recommended that the contracting officer disallow the $5,048,051 associated with the unsupported charges.

Mutual of Omaha Overcharges FEHBP $5,048,051 for Cost Containment

National Association of Letter Carriers Health Benefit Plan in Ashburn, Virginia
Report No. 1B-32-00-02-102
April 21, 2003

The National Association of Letter Carriers (NALC) is a nonprofit organization whose primary purpose is to represent and promote the interests of the letter carriers employed by the U.S. Postal Service. The NALC sponsors the National Association of Letter Carriers Health Benefit Plan, and has its headquarters in Ashburn, Virginia. Enrollment in this fee-for-service plan is open to all federal employees and annuitants who become members of the NALC. As of December 31, 2001, membership totaled approximately 156,675 federal enrollees.
We reviewed health benefit payments made by the plan from contract years 1999 through 2001, as well as administrative expenses, miscellaneous payments and credits, and cash management. We specifically wanted to determine whether the NALC charged costs to the FEHBP and provided services to FEHBP members in accordance with the terms of its contract. As a result of our audit, we reported inappropriate charges totaling $546,065 for health benefit charges under its FEHBP contract. Improper Health Benefits Charges Cost FEHBP $546,065 From 1999 through 2001, the National Association of Letter Carriers Health Plan paid $1.4 billion in actual FEHBP claim payments. In conducting our audit, we reviewed claim payments for proper pricing and payment, coordination of benefits with Medicare, and potential duplicate payments. We also reviewed specific financial and accounting areas, such as refunds, provider audits, and other miscellaneous credits relating to FEHBP payments. Our findings include the following: Coordination of benefits. Our auditors identified 116 hospital, skilled nursing facility, hospice and home health care claim payments, totaling $115,611, along with an additional 1,793 physician claim payments, totaling $345,574, wherein the FEHBP paid as primary insurer when Medicare Part A or B should have picked up these claim costs as the primary insurer. As discussed in the preceding narrative on the BCBS of North Carolina plan, this type of improper charge occurs when a plan fails to coordinate benefits properly when Medicare is the primary insurer. We estimated that the NALC overcharged the FEHBP $392,070 for the above payments simply by failing to ascertain that Medicare was the primary insurer and the FEHBP the secondary insurer. We recommended that the contracting officer disallow the uncoordinated claim payments we noted and instruct the NALC to make a diligent effort to recover the overpayments, crediting all amounts recovered to the FEHBP. 
Lack of COB Compliance Results in $392,070 FEHBP Overcharge

Duplicate payments. Our auditors also determined that the NALC charged the FEHBP inappropriately for duplicate claim payments. Of the $1.4 billion in claims paid during the period 1999 through 2001, we identified 147 duplicate claim payments, resulting in overcharges of $153,995 to the FEHBP.

Since these duplicate claim payments were a very small number, we concluded that the plan had effective controls in place to minimize such payments. Nevertheless, we recommended that the contracting officer disallow the duplicate claim payments we identified, and instruct the NALC to make a diligent effort to recover the overpayments, so that these amounts could be returned to the FEHBP.

Experience-Rated Comprehensive Medical Plans

Comprehensive medical plans (HMOs) fall into one of two categories: community-rated or experience-rated. As we previously explained in more detail on page 7 of this section, the key difference between the categories stems from how premium rates are calculated for each.

Like other health insurance plans participating in the FEHBP, experience-rated HMOs offer what is termed a point of service product. Under this option, members have the choice of using a designated network of providers or using non-network providers. A member's choice in selecting one health provider over another has obvious monetary and medical implications. For example, if a member chooses a non-network provider, the member will pay a substantial portion of the charges and the benefits available may be less comprehensive.

We did not issue any final reports for experience-rated comprehensive medical plans during the reporting period.

Information Systems Audits

In accordance with the Inspector General Act of 1978, as amended, we conduct and supervise independent and objective audits of agency programs and operations to prevent and detect fraud, waste and abuse.
To assist in fulfilling this mission, we perform information systems audits of health and life insurance carriers that participate in the Federal Employees Health Benefits Program (FEHBP) and the Federal Employees' Group Life Insurance program (FEGLI). We also audit elements of the agency's computer security environment.

As computer technology has advanced, individuals, corporations and other organizations have become increasingly dependent on computerized information systems to assist directly or indirectly with their daily activities. As a result, computer-based information and its accessibility have become of paramount importance to all levels of government, private business and to the general public.

Malicious attacks on public and private computer systems continue to increase and thus underscore the importance of this issue. These threats include outbreaks of destructive computer worms and viruses, along with sabotage and theft of valuable or sensitive information in computer databases. The widespread havoc and disruption inflicted upon computer systems by the recent Blaster worm is a prime example of the need to proactively identify and address system vulnerabilities.

Our agency relies on computer technologies and information systems in one form or another to carry out its work in administering various federal operations, including programs that distribute health and retirement benefits to millions of current and former federal employees. Any breakdown or other negative occurrence affecting these federal computer-based programs could have a harmful domino effect, compromising efficiency and effectiveness and ultimately increasing the cost of government to the American taxpayer.

One of the key programs administered by our agency is the Federal Employees Health Benefits Program (FEHBP), serving all federal civilian employees, retirees and family members.
Our OIG examines the computer security and information systems of private health insurance carriers participating in the FEHBP by performing general and applications controls audits. Our auditors also seek to minimize information system security risks at OPM through auditing various internal security-related activities and computer systems development. The primary goal of these audits is to aggressively expose and repair information system security weaknesses.

OIG Audits Assist Health Carriers in Preventing Costly Computer Security Breaches

General controls refer to the policies and procedures that apply to an entity's overall computing environment. Application controls are those directly related to individual computer applications, such as a carrier's payroll system or benefits payment system. General controls provide a secure setting in which computer systems can operate, while application controls ensure that the systems completely and accurately process transactions.

In this reporting period, we completed an audit of Humana Health Plans, Inc.'s computer-based information systems. Additionally, we completed an internal computer security review of OPM's information systems and issued a report on the relevant issues.

Audit of Information Systems General and Application Controls at Humana Health Plans, Inc. in Louisville, Kentucky
Report No. 1C-D2-00-03-001
July 30, 2003

Humana Health Plans, Inc. (Humana) processes the claims of FEHBP subscribers through its facilities located in Louisville, Kentucky. Humana's contract covers nearly 33,000 current and former federal employees and their families at a cost of $164 million annually in health care premiums.

This was our first information systems audit at Humana and our first opportunity to evaluate compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 by a participating FEHBP health insurance carrier.
We evaluated Humana's computer information systems control environment in order to uncover system vulnerabilities that pose security and financial risks that could eventually translate into higher health care premiums for federal subscribers. In conducting this review, our auditors: (1) gathered documentation and conducted interviews; (2) performed a risk assessment of Humana's information systems environment and applications; and (3) conducted various compliance tests to determine the extent to which established controls and procedures were functioning as intended.

During the audit, we evaluated the integrity, confidentiality and availability of Humana's computer-based information systems by reviewing the following areas:
- Entity-wide security.
- Access controls.
- Application software development and change control.
- System software.
- Segregation of duties.
- Service continuity.
- Application controls within the claims and enrollment systems.

We determined that Humana had a number of security controls in place that helped promote a secure computer environment. We noted, in particular, that these included:
- Effective security incident response team.
- Adequate system-access policies and procedures.
- Appropriate input, processing and output controls in claims and enrollment systems.
- Significant progress towards compliance with privacy and electronic exchange standards.
- Proper safeguards for Medicare data provided by OPM to the plan.

Plan Controls Geared Toward Securing Computer Operating Systems

We found that there were opportunities for improvement in the area of information systems internal controls and noted that Humana should:
- Implement a formal risk assessment methodology.
- Address several elements essential in its security policy for ensuring its ability to maintain a sound security posture.
- Ensure all employees are aware of procedures to identify and report security incidents.
- Establish practices for planning, engineering and managing software development and maintenance projects.

Potential Security Weaknesses Identified That Could Compromise FEHBP-Related Information Systems

Humana officials have agreed to address the above system vulnerabilities by carrying out our recommendations. These should result in enhancing Humana's information system general and application controls and thereby help ensure the confidentiality, integrity and availability of federal subscriber medical records.

Review of OPM Compliance with the Federal Information Security Management Act
Report No. 4A-CI-00-03-086
September 17, 2003

On December 17, 2002, President Bush signed into law the Electronic Government Act (P.L. 107-347), which includes the language of the Federal Information Security Management Act of 2002 (FISMA) under Title III - Information Security. Its purpose is to ensure that all information resources that support federal operations and information assets are not compromised.

Among other things, FISMA permanently reauthorized the information system security framework laid out in the Government Information Security Reform Act of 2000 (GISRA). This is particularly significant in that GISRA included "sunset" language, marking its expiration the preceding month.

By building on GISRA's security requirements, Congress incorporated provisions in FISMA to strengthen the security of all federal government information systems. Critical elements identified in FISMA include:
- Annual program security reviews.
- A defined role for the Inspector General.
- Annual Office of Management and Budget (OMB) reporting requirements.
- Security incorporated into the life cycle of agency systems.
- Information system configuration requirements.
- Annual testing and evaluation of security controls.
- Continuity of operations for information systems.
- Inventories of major information systems throughout the federal government.
Additionally, FISMA continues to emphasize the role of the chief information officer's (CIO) strategic, agency-wide information systems security responsibility. Key language in this act also clearly places responsibility on each agency program office to develop, implement and maintain a security program that can assess risk and provide adequate security for the operations and assets of programs and systems under its control.

CIOs and Program Offices Play Key Roles Under FISMA Provisions

General Overview

In accordance with the Federal Information Security Management Act, we performed an independent evaluation of OPM's computer security program and practices. We evaluated OPM's general compliance efforts for specific areas defined in the Office of Management and Budget's (OMB) FISMA reporting instructions. These instructions, included in OMB Memorandum M-03-19, dated August 6, 2003, provide a consistent form and format for agencies to report back to OMB. We also included a review of several of OPM's individual program offices' compliance efforts.

We believe that the agency has made significant progress since our last evaluation of its computer security program. However, we did identify opportunities to improve or enhance information security practices, and we highlighted where compliance efforts were still underway.

In response to our report, the CIO indicated that our review was both comprehensive and well balanced. She also indicated that our recommendations will be of assistance in the agency's ongoing efforts to improve its security program.

OPM Director's Security Responsibilities

Director's delegation of responsibilities. OPM's information technology (IT) security policy clearly sets forth FISMA's responsibilities and authorities for the agency's chief information officer and program officials. However, as highlighted in this summary, our review indicates that compliance efforts related to the IT security policy are still underway in several areas.
As defined in the IT security policy, the Director and the deputy director are responsible for the overall security of OPM systems. The deputy director meets routinely with the chief information officer concerning the agency's FISMA compliance efforts. The authority for carrying out these activities is delegated to other OPM officials under the Director's guidance. For example, the associate directors and heads of offices are the designated accrediting authorities for their respective systems. They appoint a designated security officer to assist them in carrying out their responsibilities.

The CIO leads the overall IT security program for OPM by:
- Providing overall management, leadership and direction to the IT security program.
- Formulating, implementing and enforcing IT security policies.
- Managing a security awareness program.
- Monitoring an agency-wide IT security working group that facilitates program-office level understanding of IT security requirements.
- Reviewing risk assessments, information system security plans and system accreditations.

In this area, we recommended that the CIO advocate additional IT security training to enhance awareness of security requirements at both the management and technical levels.

Additional IT Security Training Needed

With respect to IT investment decisions, currently, there is no formal process in place by which the CIO reviews and approves all IT expenditures for the agency. However, the CIO is actively taking steps to develop and implement a centralized IT procurement oversight process.

Systems development life cycle. A standard system development life cycle methodology has been developed by OPM. The chief information officer is continuing efforts to ensure that all new information system development activity incorporates this methodology.

Integration of the IT security program. OPM has not fully integrated its information technology security program with its critical infrastructure protection responsibilities.
However, this should be resolved as OPM officials take steps to comply fully with the agency's IT security program.

Critical operations and assets. OPM has controls in place to identify, prioritize and protect critical operations and assets within its agency-wide IT environment. The strategies used by OPM include a mainframe disaster recovery plan, program-specific continuity of operations plans, and an agency IT security policy. However, a significant concern is that OPM has yet to develop, implement and test a formal disaster recovery plan for the local area network/wide area network.

Security incident handling. OPM has recently finalized and communicated procedures for handling and reporting security incidents to agency personnel. While the procedures appear consistent with regulatory guidance, we continue to identify areas where improvements could be made in implementing these procedures. For instance:
- A trained incident response team has not been formed.
- The IT help desk has been identified as a key component of the incident response process, yet procedures are not documented and the staff have not been trained in the security incident handling process.
- The OIG was not notified about the two incidents that occurred during the reporting period.

OPM Needs Disaster Recovery Plan for Computer Networking Environment

Program Office Reviews

For this year's independent evaluation, we reviewed the two general support systems and three major applications for compliance with FISMA. We also documented that OPM had signed certification and accreditation statements for 93 percent of their 45 major systems. These certification and accreditation statements are completed by responsible program managers, and affirm that they have implemented appropriate security controls for their systems.

The general support systems we reviewed--the agency's mainframe operations and local area network/wide area network--are administered by the CIO.
Securing these systems, which support all of OPM's major applications, is key to OPM's information technology security strategy.

The three major applications we reviewed represent a variety of system types from two of OPM's key program offices. These are:
- Personnel investigations processing system.
- Annuity roll system.
- Government financial information system.

While resource restrictions limited our ability to complete additional evaluations, we believe that the sample selected provides a good representation of the system security level achieved by OPM.

During FY 2003, OPM made significant progress and continued its commitment to managing and securing the agency's information resources. We learned that the CIO has instituted procedures and mechanisms for developing and adopting proper system security controls in accordance with FISMA requirements. In addition, we documented that each of the systems we reviewed had completed the required risk assessment, information system security plan, security control testing, and had tracked security-related action items through the plan of actions and milestone process. However, we observed that improvements could be made in each of the above areas to ensure compliance with appropriate OPM policy, security regulations and other recognized security guidance.

OIG Cites Need for Improved IT Security Policy Compliance for OPM Systems Reviewed

Responsibilities of OPM's Chief Information Officer

Agency-wide security program. While significant progress has been made, agency officials have not fully complied with the agency-wide security program. As reported last year, OPM's chief information officer has developed: (1) an IT security policy, (2) an IT security program guide, and (3) an IT security program definition that individually address control elements required by the U.S. Office of Management and Budget.
This year, the CIO has developed implementing guides to assist program offices in their efforts to identify and comply with the components of the IT security program plan. These specifically include:
- IT security implementation guide.
- Certification and accreditation implementation guide.
- Incident response and reporting guide.
- Security documentation requirements guide.

To help fulfill their security program oversight responsibilities, the CIO has implemented the following three critical processes:
- Plan of action and milestone tracking process to identify and track the remediation of agency-wide security weaknesses.
- Certification and accreditation review process for all major information systems.
- Self-assessment review process.

However, we identified specific control elements where security measures have not been complied with or where controls could be improved. These include: Risk management. Information system security plans. Certification and accreditation. Security training. At the time of our review, OPM employees and contractors were in the process of completing an Intranet-based security awareness training program as required by OPM's IT security policy. The goal was to have all OPM computer users complete this online course by the end of September 2003. In addition, program offices need to take steps to ensure that all employees with significant security responsibilities receive appropriate security training. We also recommended that OPM's IT security officer develop a formal system to track and monitor the specialized training requirements for personnel with security responsibilities.

Capital planning and investment control. OPM has integrated security requirements and cost estimates into its capital planning and investment control process. However, improvements should be made in the documentation supporting the IT security investment information submitted to OMB.
CIO Making Good Progress Toward IT Security Goals

OTHER EXTERNAL AUDITS

We conduct audits of the local organizations of the Combined Federal Campaign (CFC), the only authorized fundraising drive conducted in federal installations throughout the world. Also, at the request of Office of Personnel Management procurement officials, our office performs pre- and post-award contract audits relating to the acquisition of goods and services by agency program offices.

Combined Federal Campaign

Under Executive Order 10927, issued August 18, 1961, the U.S. Civil Service Commission (OPM's predecessor) was given the responsibility for arranging national voluntary health and welfare agencies to solicit funds from federal employees and members of the armed services at their places of employment. Since then, OPM's role has been further defined through additional executive orders, one public law (P.L. 100-202), and new federal regulations (5 CFR 950). Key responsibilities include:
- Providing eligibility guidelines for national and local organizations and charities participating in the Combined Federal Campaign (CFC).
- Specifying the role of local CFCs.
- Identifying OPM's specific oversight responsibilities pertaining to the CFC.

An estimated 355 campaigns operating nationwide and overseas participated in the 2002 Combined Federal Campaign, the most recent year for which statistical data is available. Federal employee contributions reached $237 million for the 2002 CFC, while campaign expenses totaled $21 million.

Our audits ordinarily cover two consecutive campaign years. Campaigns are identified by geographical areas as specific as a single city, several cities or counties. Our auditors look closely at the eligibility of participating charities associated with a given campaign, whether these charities have complied with federal regulations and OPM guidelines, and if any irregularities appear in their financial records.
In addition, all CFC organizations are required by regulation to have an independent public accounting firm conduct an audit of their respective financial activities.

One of the CFC organizations we audit carries the technical designation of principal combined fund organization (PCFO). Among the key activities of a PCFO are collecting and distributing CFC charitable funds, training volunteers, and maintaining a detailed schedule of CFC administrative expenses incurred during a given campaign.

We also audit national charitable federations that participate in the CFC. A national charitable federation provides common fundraising, administrative and management services to its members--those being other charitable organizations with similar interests. For example, the Children's Charities of America is a national federation providing services to other charities concerned with the welfare of children. During federation audits, we focus on the eligibility of federation member charities and how funds are distributed and expenses allocated to them.

Federal Employees Contribute Millions During Annual CFC Drive

Combined Federal Campaign audits will not ordinarily identify savings to the government, because the funds involved are charitable donations made by federal employees, not federal entities. While infrequent, our audit efforts can result in an internal referral to our OIG investigators for potential fraudulent activity.

During this reporting period, we did not issue any final CFC reports. We did, however, perform a significant amount of CFC work during the period. We conducted audits of 19 PCFOs and one national federation we selected for audit as part of our annual audit agenda. One of the campaigns we selected for audit was administered by the United Way of the National Capital Area, covering the 2001 CFC campaign. In our previous semiannual report, we discussed the results of an earlier audit of the 1997-2000 campaigns administered by this organization.
Due to the significant issues we identified during that audit, we performed a follow-up audit of the 2001 campaign. Final distributions by the United Way of the National Capital Area to participating charities were made in March 2003 for the 2001 CFC campaign.

In addition, we audited 12 national CFC federations in response to regulatory violations alleged by other charities in the CFC. The allegations dealt mainly with the relationship between these national federations and a firm the charities all used for management consulting and marketing services.

Finally, we performed an audit of the San Francisco Bay Area CFC at the request of OPM officials based on concerns that federal employee donations may not have been properly handled. These concerns were based on the sudden closing of the company used for processing donations and distributing the funds to designated charities. For instance, there were indications that this company had used funds donated and designated to charities for expenses of the company.

Final reports on all 33 of these audits will be issued in subsequent reporting periods.

OPM INTERNAL AUDITS

We conduct and supervise independent and objective audits of the Office of Personnel Management's (OPM) programs and administrative operations. We also perform evaluations and inspections of agency programs and operations. Two critical areas of ongoing audit activity include OPM's consolidated financial statements required under the Chief Financial Officers Act (CFO Act of 1990), as well as the agency's work required under the Government Performance and Results Act of 1993 (GPRA).

Our internal auditing staff focuses on improving the efficiency and effectiveness of OPM's operations and their corresponding internal controls. Internal controls provide reasonable assurance that program operations will:
- Be effective and efficient.
- Be characterized by reliable financial reporting.
- Maintain compliance with applicable laws and regulations.
We have found that by identifying and concentrating on agency programs and operations with high risk, the OIG can provide the most benefit to the agency. Therefore, we use a risk-based methodology to assess OPM's activities and establish annual work agendas. Our risk-based methodology includes such factors as program dollars, number of staff, the date of our last audit, computerized or manual information systems, laws and regulations, organizational culture of the work place, and governmental concerns.

We plan and conduct our activities involving audits or evaluations and inspections in accordance with government auditing standards. We include OPM program managers in every step of the audit process to ensure that we have met their needs, addressed concerns and received feedback on how we can improve the value of our services. We believe this cooperative spirit ensures that all parties involved with our activities will obtain the maximum benefit and that we will continually improve our level of services.

Our internal audit activities covered the following areas during the reporting period:
- Agency performance audits.
- Government Performance and Results Act related reviews.
- Other internal agency operations reviews.

We issued three performance audit reports, one evaluation report and three formal audit memoranda during the reporting period. The following narratives describe the results contained in two of the audits, the one evaluation report, and two of the memoranda we issued this reporting period.

Agency Performance Audits

As with all independent OIGs, our performance auditing plays an important role in our agency's program accountability, because it allows for an external and objective assessment of the performance of its programs and activities. In turn, the information and recommendations we provide through these audits can aid in decision-making by managers and other OPM officials responsible for overseeing and initiating corrective action.
OPM's Security Guard Contract
Report No. 4A-CA-00-03-034
July 23, 2003

OPM entered into a contract with Special Operations Group, Inc. (SOG) on October 1, 2002, to provide security services at OPM's headquarters building here in Washington, D.C. In providing these services, SOG is to have armed and unarmed guards to carry out their respective duties.

OPM's Office of Security and Emergency Actions (OSEA) exercises oversight responsibility for this contract. More specifically, OSEA monitors the contractor's daily performance and provides technical direction within the scope of the contract.

During this audit, our overall objective was to review the performance of the contractor for compliance with the terms of its FY 2003 contract. In particular, we reviewed:
- Documentation supporting guard qualifications.
- Documentation supporting guard training.
- OSEA's oversight of this security contract.

We identified two areas in which we believe performance could be improved: (1) proof of training for the guards, and (2) greater security of SOG's arms and ammunition stored on site at OPM.

Training documents. OSEA could not produce evidence to ensure that the guards had received the necessary training to perform their duties. While the guard files maintained at the OPM contracting site are not as extensive as those maintained at the contractor's main office, this information would be expected to be in the contractor files at OPM.

A sample of 12 of 36 security officers' personnel files were randomly selected for review. Of the 12 security officers selected, six were identified as armed guards and six were identified as unarmed guards. We found documentation supporting, for example, that:
- Only three of the six armed guards were qualified by GSA to handle firearms.
- No guards had orientation training at OPM.
- Only six of the 12 guards were qualified by the U.S. General Services Administration (GSA) to be guards.

Arms and ammunition.
Arms and ammunition for the security officers are kept in a weapons safe. On two separate occasions, OSEA found unsecured weapons.

Security Guard Arms and Ammunition Left Unsecured

Our recommendations to OSEA included the following:
- Contractor files should contain evidence that all guards have received proper training prior to assuming their guard duties at OPM and that they have undergone refresher training as appropriate.
- Contractor shift supervisors should comply with standards for the storage of firearms.
- Storage of weapons and ammunition by the contractor should comply with government standards at all times.

OSEA agreed with our recommendations and is taking measures to implement them. Regarding the last bulleted recommendation, the SOG guard administrative office has been remodeled for this purpose. In addition, only contractor supervisors and OSEA will have access to the arms room. The arms room itself will be within sight of the guard force captain and the project manager.

Government Performance and Results Audits

The Government Performance and Results Act of 1993 (P.L. 103-92), widely known as the Results Act, was enacted to improve government performance and accountability through better planning and reporting of government-wide agency results. The act seeks to improve the efficiency, effectiveness, and public accountability of federal agencies as well as improve congressional decision-making.

The main elements of the Results Act are threefold:
- Strategic plans.
- Annual performance plans.
- Annual performance reports.

These elements create a recurring cycle, beginning with setting a strategic direction, followed by defining annual goals and measures, and, finally, reporting on performance.

Last year, OPM developed the first element, its FY 2002-2007 strategic plan, which provides the framework for implementing the Results Act. OPM implements its strategic plan through an annual performance plan that includes goals and measures for key program offices.
During this reporting period, we continued to allocate resources for reviewing the agency's performance relating to the Results Act. The two audits below describe our activities and corresponding results relating to the last two elements of the Results Act: OPM's annual performance plan and annual performance report. Our OIG will continue to review OPM's efforts in implementing the Results Act as mandated by Congress.

OIG Reviews OPM Performance Plan and Report

Agency Fiscal Year 2004 Annual Performance Plan
Evaluation Report No. 4A-OD-00-03-023
May 15, 2003

As stated in the introduction to this section, the second element required under the Results Act is an agency annual performance plan. In its annual performance plan, OPM describes the goals and measures that the agency would like to achieve annually. Simply stated, goals describe the intended result, measures are the elements used to evaluate progress in goal attainment, while targets are a particular value or characteristic used to measure interim progress for an intended result or level of activity over a period of time or by a specified date.

The objectives of our evaluation were to determine if OPM's FY 2004 annual performance plan had:
- Identified goals or measures related to presidential management initiatives and current management challenges.
- Integrated budget and performance information, required by Office of Management and Budget Circular A-11, Part 6 (OMB A-11).
- Included measurable performance goals and measures, required by OMB A-11.

To achieve the objectives of our evaluation, we focused on four goals in two major program offices. We reviewed the outcomes, outputs, performance measures, activities and strategies supporting each of these goals to determine if our objectives were met. The goals we reviewed from the two program offices and the results of our review for each are described below.

Division for Human Capital Leadership and Merit Systems Accountability

Goal 1.
Improve the overall effectiveness of merit-based government-wide human capital management by advising agencies and promoting best practices and assessing agency implementation of human capital strategies.

Goal 2. Improve the overall effectiveness of merit-based government-wide human capital management by evaluating agencies' human capital programs and assessing their accountability systems.

Division for Strategic Human Resources Policy

Goal 1. OPM policy and guidance helps federal agencies improve their human capital management and assists them in meeting their strategic performance targets.

Goal 2. Implement new integrated human resources systems for the Department of Homeland Security and address legislative fixes as necessary.

Based on our evaluation and findings, we cited five recommendations for OPM to follow to improve the agency's annual performance plan. The following are descriptions of the deficiencies we reported and related observations.

Management challenges. Management challenges were not included in OPM's annual performance plan. Linking agency management challenges with agency goals and measures demonstrates that the agency is strategically planning the resolution of management challenges.

Resources. The program and financing budget totals did not match resources in the agency performance plan. These resources should agree so that users of the annual performance plan can make better decisions using information that is aligned with the budget.

Measure types. Most of the measures we reviewed for Goal 2 of OPM's Division for Strategic Human Resources Policy were related to customer satisfaction. Other types of measures, such as unit cost or program efficiency, should also be used to balance out the many customer service-related measures.

Verification and validation.
The items in the verification and validation section of OPM's Division for Human Capital Leadership and Merit Systems Accountability's Goal 1 were extremely generic and nonspecific to program goals. OPM should describe in more specific terms how the actual performance will be verified and validated as reliable data.

Targets. Several measures did not include specific targets. Without specific targets, it is difficult to assess whether measures have actually been achieved.

Agency Performance Measures Need More Specific Target Levels

OPM's Fiscal Year 2002 Annual Performance Data
Report No. 4A-CF-00-03-019
April 29, 2003

As referenced on page 36, the third element of the Results Act involves the agency's annual performance report. In its FY 2002 annual performance report, OPM describes its achievement with respect to those goals and measures previously referenced in April 2001 in the agency's annual performance plan.

The objectives of our audit were to determine the accuracy and reliability of performance data for selected FY 2002 performance measures and to evaluate the effectiveness of controls over that data.

We focused on nine major program offices by selecting 37 performance measures to verify and validate. Specifically, we selected performance measures from the following OPM program offices:
- Office of Merit Systems Oversight and Effectiveness
- Employment Service
- Office of Contracting and Administrative Services
- Workforce Compensation and Performance Service
- Office of Chief Information Officer
- Investigations Services
- Office of the Chief Financial Officer
- Office of Human Resources and Equal Employment Opportunity
- Office of Executive Management Resources

What we learned was that OPM needs to improve controls over the performance reporting process by:
- Establishing policies and procedures for obtaining and compiling performance data.
- Providing better oversight and monitoring of performance data by OPM managers.
- Improving controls over survey data.
- Maintaining documentation supporting performance results.
- Ensuring results address measures.
- Ensuring critical performance results are summarized as appropriate.

OPM management has been responsive to our findings and has taken steps to implement improvements cited in our audit recommendations.

OPM Performance Reporting Continues to Need Strengthening

Other Internal Operations Reviews

We provide other services to OPM management upon request. For example, OPM frequently requests our input or review of documents relating to contracts or financial management. In this reporting period, OPM requested our input on OPM's procedures in awarding a service contract that subsequently was challenged by another bidder. OPM also requested our help in identifying recommendations to improve the cash reconciliation process under the Division for Management and the Chief Financial Officer.

Recruitment One-Stop/USAJobs System
Memorandum No. 4A-CA-00-03-118
June 25, 2003

We conducted a review of the procurement action for the contract awarded to TMP Worldwide/Monster Government Solutions (TMP/MGS) to upgrade the online federal employment information system (Recruitment One-Stop/USAJobs). This review was performed at the request of the agency director.

One of the four losing bidders on the contract, Symplicity Corporation (Symplicity), filed a protest of the award with the U.S. General Accounting Office (GAO), the agency charged with reviewing contract award disputes of this nature. GAO subsequently issued a decision sustaining Symplicity's protest on two grounds:
- OPM did not adequately consider whether the services offered by TMP/MGS were covered by its General Services Administration (GSA) federal supply schedule.
- OPM did not adequately evaluate quotations and the different methods included in the vendors' pricing structures.

Our review was limited to an analysis of the two issues GAO sustained. Our results are described below.

Federal supply schedule contract.
Upon review, we found that OPM had failed to consider adequately whether the services offered by TMP/MGS were covered under the vendor federal supply schedule. Our review of the pricing proposal submitted by TMP/MGS showed that two labor categories, technical director and software engineer, proposed in TMP/MGS's bid were not on the GSA schedule at the time the proposal was submitted to OPM and that OPM took no steps to address this before awarding the contract.

Quotations. Regarding the second issue that GAO sustained, we found that, based on the criteria established by OPM, the steps followed to evaluate these vendor bids and which resulted in the award to TMP/MGS to upgrade the online federal employment information system were neither unreasonable nor irregular. We noted that it was clearly stated in the request for quotation that the technical merit of the proposal was significantly more important than price and that the government reserved the right to award the contract to the technically superior contractor even if it was a higher bid. Thus, this key criterion was known to all vendors who bid, and the method used by the vendors in which the contracts presented the cost for integration should not have been a determining factor in any of the vendor quotation evaluations.

Despite GAO's decision sustaining Symplicity's protest, OPM decided not to reopen the bidding for the contract, stating that much of the development work had already been completed.

Vendor Contract Award Revisited By GAO and OPM

Review of Cash Controls for Revolving Fund and Salaries and Expenses Accounts
Memorandum No. 4A-CF-00-03-101
August 8, 2003

At the request of the Office of the Chief Financial Officer (OCFO), we performed a review of the cash controls for OPM's revolving fund and salaries and expenses accounts. Our review consisted of:

Analyzing cash transaction work flows for OPM's financial system.
Meeting with OCFO and program office staff who process cash transactions.
Reviewing cash reports, reconciliations and supporting documentation for January 2003.

We issued a memorandum on March 17, 2003, based on this review that included 17 recommendations for improvement in six categories. The six categories related to financial systems, cash reconciliations, manual adjustments, canceled checks, management oversight and other cash-related errors.

We subsequently monitored the implementation of the recommendations through participation in meetings of a special financial management team, formed by OCFO to address weaknesses identified in financial management, and by reviewing OPM's April and June 2003 report of cash transactions and related supporting documentation.

We then issued a follow-up memorandum on August 8, 2003, reporting the status of the 17 recommendations from the March 2003 memo. Of the 17 recommendations, we reported 4 being closed, with corrective actions underway for 9, and 4 more waiting to be addressed. Some of the key findings and recommendations are listed below.

Financial system. We noted several problems with the report of cash transactions produced by OPM's financial system, including:

The report did not provide all necessary information associated with transaction documents.
Certain deposits were not recorded in the proper section of the report.
The report of cash transactions sometimes listed the wrong schedule numbers for transaction documents, even though the financial system had the correct schedule numbers.

We recommended that OCFO work with the contractor that developed OPM's financial system to correct the report of cash transactions issues we noted. Corrective actions are still in process for these issues.

Manual adjustments. We noted that OCFO makes numerous manual adjustments to the report of cash transactions prior to reporting to the Department of Treasury each month.
Our primary concerns regarding these manual adjustments were the lack of a methodology for tracking outstanding manual adjustments, incorrect adjusting entries, along with insufficient supervisory review of the adjustments. We made four recommendations regarding these concerns. We consider three of these critical recommendations. These involve having OCFO address the following:

Implement a new manual adjustment policy immediately.
Require management review and approval for all reversal adjustments.
Document all prior unreversed manual adjustments made to the report of cash transactions.

In our follow-up review of OPM's June 2003 report of cash transactions, we noted that while manual adjustments all had a supervisory signature and were summarized on a worksheet, we continued to see errors. These included:

Manual adjustments were still being made erroneously.
The manual adjustments did not have sufficient supporting documentation and were mostly erroneous.
A spreadsheet or methodology to track all manual adjustments and their eventual resolution was not prepared.

Cash Transaction Manual Adjustments Lack Sufficient Supporting Documentation

Management oversight. We noted that management oversight of the cash reconciliation process needs to be improved. We made two recommendations regarding this issue. We recommended that the OCFO:

Request a report of cash transactions at least weekly so that the reconciliation process can be performed throughout the month.
Review the report of cash transactions and supporting documentation prior to submitting the report to Treasury.

OPM Must Substantially Improve Controls over Its Cash Reconciliation Process

Investigative Activities

The Office of Personnel Management (OPM) administers benefits from its trust funds for all federal civilian employees and annuitants participating in the federal government's retirement, health and life insurance programs.
These trust fund programs cover approximately nine million current and retired federal civilian employees, including eligible family members, and disburse about $72 billion annually. While we investigate employee misconduct and other wrongdoing brought to our attention, the majority of our OIG investigative efforts is spent examining potential fraud involving these trust funds. As a result of this office's investigative activities, we realized a significant number of judicial and administrative successes during this reporting period, including monetary recoveries totaling $433,053. Overall, we opened 45 investigations and closed 13 with 59 still in progress at the end of the period. Our investigations also led to three arrests and seven convictions. For a complete statistical summary of our office's investigative activity in this reporting period, refer to Table 1 on page 52 of this section, along with the OIG's productivity indicators listed at the beginning of this report. As mentioned in the shadow box above, most of our casework relates to the federal health, life and retirement trust fund programs our agency administers on behalf of millions of federal employees, retirees, their spouses and dependents. Our office aggressively pursues individuals and corporate entities seeking to defraud these trust funds upon which our federal employees, retirees, their spouses and dependents rely. Over the years, our OIG has worked a number of annuity fraud cases involving the Civil Service Retirement and Disability trust fund. This trust fund program covers all civilian federal employees who contributed to the Civil Service Retirement System (CSRS) and/or the newer Federal Employees Retirement System (FERS). FERS was established by Congress in 1983. At that time, federal employees were given the opportunity to remain in CSRS or switch to the new program. 
All federal government employees hired on or after January 1, 1984, were automatically placed in the FERS retirement program. With CSRS being the older of the two systems, more people have retired under this system, creating a greater chance for annuity fraud under it than FERS.

Our office long ago assumed a proactive stance in identifying individual cases upon which to base annuity fraud investigations. We identify fraud in this area by routinely reviewing CSRS annuity records for any type of irregularity, including excessive age. We receive additional information from our agency's Center for Retirement and Insurance Services (CRIS) through the computer matches it performs using OPM's annuity rolls and the Social Security Administration's death records. These computer matches have proven very helpful to OPM since many CSRS annuitants or those receiving CSRS survivor benefits may also be eligible for Social Security benefits. CRIS also provides our office other annuity data in support of our investigative activities.

Other useful tools to help our office in its efforts to uncover and expose fraud and abuse are the OIG's health-care fraud hotline and retirement and special investigations hotline, along with mailed-in complaints. Formal complaints and calls we receive on these hotlines totaled 534 during this reporting period. Additional information, including specific activity breakdowns for each hotline, can be found on pages 49-50 and 52 in this section.

In keeping with the emphasis that Congress and various departments and agencies in the executive branch have placed on combating health care fraud, we coordinate our investigations with the Department of Justice (DOJ) and other federal, state and local law enforcement agencies. At the national level, we are participating members of DOJ's health-care fraud working group. We actively work with the various U.S.
Attorney's offices in their efforts to further consolidate and increase the focus of investigative resources in those regions that have been particularly vulnerable to fraudulent schemes and practices engaged in by unscrupulous health care providers.

In addition to our responsibility to detect and investigate fraud perpetrated against OPM's trust funds, this office conducts investigations of serious criminal violations and misconduct by OPM employees. These cases may involve the theft or misuse of government funds and property.

On the following pages, we have provided narratives relating to health care and retirement fund fraud investigations we conducted or concluded during the reporting period. While these summaries represent only a small portion of our total recoveries, they are indicative of the various types of fraud we encounter in our investigations and the penalties and sanctions individuals face when involved in wrongdoing affecting OPM programs.

Health Care-Related Fraud and Abuse

Our OIG special agents are in regular contact with the numerous health insurance carriers participating in the Federal Employees Health Benefits Program (FEHBP) to provide an effective means for reporting instances of possible fraud by health care providers and FEHBP subscribers. Our office also maintains liaison with federal law enforcement agencies involved in health care fraud investigations and participates in several health-care fraud working groups on both national and local levels.

Additionally, we work closely with our own Office of Audits when fraud issues arise during the course of health carrier audits, as well as with the OIG debarring official when investigations of health care providers reveal evidence of violations that warrant consideration of possible administrative sanctions related to the Federal Employees Health Benefits Program administered by our agency.
We have included two narratives that describe major ongoing cases in the area of health care fraud during this reporting period.

Medical Clinic Physician and Office Manager Guilty of Health Care Fraud

As referenced in our semiannual report published in the fall of 2000, this office has been engaged with the U.S. Attorney's office in Midland, Texas, the FBI, and the State of Texas Attorney General's Medicaid fraud control unit in prosecuting a Texas physician, his office administrator, and the walk-in clinic the doctor owned in Midland, Texas, for billing fraud.

Following his indictment by a federal grand jury on January 25, 2001, this doctor was arrested the following day on 51 counts of mail fraud, seven counts of money laundering and one count of health care fraud. Thereafter, he was released from jail after posting a $3 million cash bond. The clinic office manager was also indicted on January 25, 2001, and arrested the next day. She was released on her own recognizance.

The doctor's office manager was charged with aiding and abetting health care fraud and conspiracy to commit health care fraud. Specifically, the investigation revealed that she was an active participant in this health care fraud scheme through falsifying medical records and forging prescription information to support false claims.

A little over two years later, the trial for both defendants began on February 24, 2003. The medical doctor failed to appear in court, his whereabouts unknown. This resulted in a second indictment approximately three weeks later for failing to appear for his trial. A warrant was immediately issued for his arrest.

On April 17, 2003, after a lengthy trial of nine and a half weeks, the doctor was found guilty in absentia on 49 out of 51 counts, which included:

1 count of health care fraud.
1 count of conspiracy to commit health care fraud.
1 count of aiding and abetting health care fraud.
46 counts of mail fraud.
Additionally, the government was able to prove that the physician received payments totaling more than $8 million for false claims of which the FEHBP was defrauded of $849,223. He was found not guilty on two other counts of mail fraud.

That same jury found the clinic office manager guilty of aiding and abetting health care fraud, but not guilty of conspiracy to commit health care fraud.

Although still a fugitive from justice, the doctor will be sentenced along with the office manager in the next few months. The former office manager remains released on her own recognizance until the date of her sentencing. An update on their sentences will be reported in a future semiannual report.

Trial of Physician and Clinic Office Manager Ends in Convictions

Neurologist and Wife Indicted for Health Care Fraud

In January 2001, our office joined an investigation with the FBI, the U.S. Postal Inspection Service, along with the OIGs at the Department of Health and Human Services and the U.S. Postal Service regarding a neurologist and his wife, who served as his medical clinic's office manager. Together, they were alleged to be falsely billing numerous health care benefit programs for neurological tests never performed and rendering services not medically necessary in violation of the False Claims Act.

This doctor owned the Neurological Institute of Northern Virginia, with offices in Alexandria and two other northern Virginia locations. The joint investigation revealed that the couple had conspired to submit false billings to Medicare; the U.S. Department of Labor's Office of Workers' Compensation Programs; the FEHBP, administered by OPM; and to private insurers Anthem Blue Cross and Blue Shield, CareFirst, Inc., Aetna Life Insurance Company, Connecticut General Life Insurance Company, and United Healthcare.

On September 11, 2003, a federal grand jury in Alexandria, Virginia, indicted the neurologist, as owner and head of this northern Virginia clinic, and his wife as office manager.
They were charged with one count of conspiracy to commit health care fraud and 61 counts of health care fraud.

One type of fraud in which the couple engaged was what is commonly referred to in the health care industry as upcoding. In the case of this neurologist, claims were being submitted that falsely indicated that this doctor had performed comprehensive office visits and procedures when, in fact, patients had come in for routine office visits and actual treatments did not correspond to the codes used on the billings. The obvious intent of upcoding is to generate higher reimbursements.

That this health care fraud scheme was highly structured and thought out was also detected in false billings through the clinic, indicating that this neurologist had performed nerve conduction tests and needle EMG tests when those tests were either not performed or their numbers inflated, all to increase the level of reimbursement.

Shortly after the indictment, this case was referred to our office's debarring official, who determines on behalf of OPM whether a health care provider should be debarred or suspended from participating in the Federal Employees Health Benefits Program. A detailed article on the suspension this couple received appears in our Statutory and Regulatory Activities section on page 2 of the report.

Additional information on the prosecution of these defendants will be reported in a future semiannual report.

Physician and His Wife Charged with Health Care Fraud

Retirement Fraud and Special Investigations

As previously stated, in accordance with our mission to prevent and detect fraud, OIG special agents routinely review Civil Service Retirement System (CSRS) annuity records for indications of unusual circumstances. For example, using excessive annuitant age as an indication of potential fraud, our investigators attempt to contact the annuitants and determine if they are alive and still receiving their benefits.
In addition, we receive inquiries from OPM program offices, other federal agencies and private citizens that prompt us to investigate cases of potential retirement fraud or alleged misconduct by OPM employees and contractors.

Below are summaries of two cases we completed during this reporting period that indicate the type of vigilance necessary to combat federal annuity fraud.

CSRS Annuitant's Daughter Admits to Retirement Fraud

Our office concluded a joint investigation with the U.S. Secret Service during the reporting period involving the daughter of a deceased annuitant. The daughter, a resident of Tuskegee, Alabama, continued to receive her mother's CSRS annuity after the mother's death on August 2, 1988.

Our investigation began in November 1999 after having conducted a routine review of OPM's annuity records for potential fraud. We were able to determine that the deceased annuitant's daughter had failed to notify OPM of her mother's death and subsequently fraudulently acquired $70,507 in CSRS trust fund monies over the course of ten years.

Since these annuity funds were electronically deposited to the deceased annuitant's bank account, the daughter was able to access the funds because her name was also on the account. However, with the assistance of the U.S. Department of the Treasury, our agency was able to recover $4,020 through the Treasury Department's reclamation process.

As this process applies to our agency, once OPM ascertains an overpayment has been made, it notifies the Treasury Department, which will attempt to reclaim the amount of that overpayment. Treasury will contact the banking institution where the annuity payments were deposited, advising the bank of the circumstances surrounding the overpayments. At this juncture, the bank usually will intervene to take whatever funds are available in the account in question to reimburse the federal government for its loss.
This recovery process was also used to recover government funds in another annuity fraud case described on the following page.

On January 24, 2003, the daughter pleaded guilty to the theft of U.S. government funds. She was sentenced on April 18 to five months' home confinement with electronic monitoring and three years' supervised probation. She also was ordered to make restitution to OPM in the amount of $66,487.

Deceased Annuitant's Daughter Ordered to Pay CSRS Trust Fund $66,487

Deceased Annuitant's Son Involved in CSRS Annuity Fraud

As the result of a routine review of OPM's annuity records, our OIG initiated an investigation in July 2000 involving benefits paid to a Civil Service Retirement System (CSRS) annuitant, who had apparently died four years earlier in February 1996.

Through our investigation, we learned that the annuitant lived in Wakefield, New York, that his death went unreported to OPM until August 1998, and that his CSRS annuity payments, totaling $41,292, were erroneously disbursed to his bank account until that date.

Our investigation also revealed that the annuitant's son, a resident of New York City, did not notify the bank in which OPM had electronically deposited these annuity funds until two and a half years after the father's death. At that time, he provided the bank with a copy of his father's death certificate, showed bank officials legal documents indicating that he was the administrator of his father's estate, and directed the bank to close his father's account, forwarding to him all monies in the account.

During the course of our investigation, we further determined that the father was a Social Security beneficiary. We notified the OIG at the Social Security Administration (SSA), and this office joined our investigation to recover Social Security annuity benefits to which the SSA was entitled, an amount totaling $30,564.

In cases where recovery of government funds is at stake, the U.S.
Department of the Treasury can intercede through its reclamation process (see previous article on pages 47-48). As a consequence, OPM was successful in recovering $11,988 of the annuity disbursements, thereby reducing the annuity overpayment to $29,304.

On May 13, 2003, the son pleaded guilty in U.S. District Court in New York City to theft of U.S. government funds from OPM and the Social Security Administration. The son was sentenced on August 28, 2003, to six months' home confinement, and three years' supervised probation. He was ordered to make full restitution to OPM and SSA in an amount not to exceed $30,000 to either agency.

Court Orders Restitution to OPM and SSA Following Son's Conviction for Annuity Fraud

OIG Hotlines and Complaint Activity

The information we receive on our OIG hotlines is generally concerned with FEHBP health care fraud, retirement fraud and other complaints that may warrant special investigations. Our office receives inquiries from the general public, OPM employees, contractors and others interested in reporting waste, fraud and abuse within OPM and the programs it administers.

In addition to hotline callers, we receive information from individuals through the mail or who appear in our office. Those who report information can do so openly, anonymously and confidentially without fear of reprisal.

Retirement Fraud and Special Investigations

The Retirement and Special Investigations hotline provides the same assistance as traditional OIG hotlines in that it is used for reporting waste, fraud and abuse within the agency and its programs.

The Retirement and Special Investigations hotline and complaint activity for this reporting period included 120 telephone calls, 60 letters, 30 agency referrals, walk-ins, and 35 complaints initiated by the OIG, for a total of 247.
Health Care Fraud

The primary reason for establishing an OIG hotline was to handle complaints from subscribers in the Federal Employees Health Benefits Program administered by our agency. The hotline number is listed in the brochures for all the health insurance plans associated with the FEHBP, as well as on our OIG Web site (www.opm.gov/oig).

While the hotline was designed to provide an avenue to report fraud committed by subscribers, health care providers or FEHBP carriers, frequently callers have requested assistance with disputed claims and services disallowed by the carriers. Each caller receives a follow-up call or letter from either the OIG hotline coordinator, the insurance carrier or another OPM office as appropriate.

The Health Care Fraud hotline and complaint activity for this reporting period involved 69 telephone calls and 118 letters, for a total of 287. During this period, the administrative monetary recoveries pertaining to health care fraud complaints totaled $62,536.

OIG-Initiated Complaints

As illustrated earlier in this section, we respond to complaints reported to our office by individuals, government entities at the federal, state and local levels, as well as FEHBP health care insurance carriers and their subscribers. We also initiate our own inquiries as a means to respond effectively to allegations involving fraud, abuse, integrity issues and, occasionally, malfeasance. Our office will initiate an investigation if complaints and inquiries can be substantiated.

An example of a specific type of complaint that our office will initiate involves retirement fraud. This might occur when our agency has already received information indicating an overpayment to an annuitant has been made. At that point, our review would determine whether there were sufficient grounds to justify our involvement due to the potential for fraud. There were 32 such complaints associated with agency inquiries during this reporting period.
Another example of an OIG-initiated complaint occurs when we review the agency's automated annuity records system for certain items that may indicate a potential for fraud. An example of our efforts in this area is described in a case narrative on pages 47-48 of this section. If we uncover some of these indicators, we initiate personal contact with the annuitant to determine if further investigation is warranted.

We believe that these OIG initiatives complement our hotline and outside complaint sources to ensure that our office can continue to be effective in its role to guard against and identify instances of fraud, waste and abuse.

Investigative Activity Tables

Judicial Actions:
  Arrests . . . 3
  Indictments . . . 4
  Convictions . . . 7
Administrative Actions [1] . . . 0
Judicial Recoveries:
  Fines, Penalties, Restitutions and Settlements . . . $370,517
Administrative Recoveries:
  Settlements and Restitutions . . . $62,536
Total Funds Recovered . . . $433,053

[1] Includes suspensions, reprimands, demotions, resignations, removals, and reassignments.

Index of Reporting Requirements (Inspector General Act of 1978, As Amended)

Section 4 (a) (2): Review of legislation and regulations . . . 1-6
Section 5 (a) (1): Significant problems, abuses, and deficiencies . . . 34-42
Section 5 (a) (2): Recommendations regarding significant problems, abuses, and deficiencies . . . 35-36, 38-39, 41-42
Section 5 (a) (3): Recommendations described in previous semiannual reports on which corrective action has not been completed . . . 55
Section 5 (a) (4): Matters referred to prosecutive authorities . . . 45-49
Section 5 (a) (5): Summary of instances where information was refused during this reporting period . . .
No Activity
Section 5 (a) (6): Listing of audit reports issued during this reporting period . . . 57-63
Section 5 (a) (7): Summary of particularly significant reports . . . 9-23, 25-31, 35-42
Section 5 (a) (8): Audit reports containing questioned costs . . . 57-61
Section 5 (a) (9): Audit reports containing recommendations for better use of funds . . . No Activity
Section 5 (a) (10): Summary of unresolved audit reports issued prior to the beginning of this reporting period . . . 55
Section 5 (a) (11): Significant revised management decisions during this reporting period . . . No Activity
Section 5 (a) (12): Significant management decisions with which OIG disagreed during this reporting period . . . No Activity

APPENDIX I
Final Reports Issued With Questioned Costs
April 1, 2003 to September 30, 2003

Subject . . . Number of Reports . . . Questioned Costs

A. Reports for which no management decision had been made by the beginning of the reporting period . . . 15 . . . $31,344,954
B. Reports issued during the reporting period with findings . . . 21 . . . 28,179,715
Subtotals (A+B) . . . 36 . . . 59,524,669
C. Reports for which a management decision was made during the reporting period . . . 21 . . . 31,172,387
  1. Disallowed costs . . . 28,474,184
  2. Costs not disallowed . . . 2,698,203
D. Reports for which no management decision has been made by the end of the reporting period . . . 15 . . . 28,352,282
Reports for which no management decision has been made within 6 months of issuance . . . 1 . . . 2,102,899 [2]

Unsupported Costs [1]: $ 1,293,893 1,293,893 1,293,893