Recommendations Tracker
HHS-OIG provides independent and objective oversight that promotes economy, efficiency, and effectiveness in HHS programs and operations. To drive positive change, we produce reports and identify recommendations for improvement. We have developed this public-facing page for tracking all of our open recommendations.
Summary of Recommendations Data
Updated Monthly · Last updated on April 15, 2024
1,298 Unimplemented recommendations
$280.1B Potential savings from unimplemented recommendations
2,443 Implemented and Closed recommendations since FY 2017
OIG Recommendations Grouped by Report
-
Medicare Made $11.7 Million in Overpayments for Nonphysician Outpatient Services Provided Shortly Before or During Inpatient Stays
20-A-01-105.01 We recommended that CMS ensure that all necessary information is included in the CWF edits to accurately identify and prevent incorrect payments for nonphysician outpatient services provided within 3 days before the date of admission, on the date of admission, or during IPPS stay.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 05/01/2020
- Legislative Related
- No
20-A-01-105.02 We recommended that CMS direct the Medicare contractors to recover the portion of $11.7 million in identified overpayments (for claims within the 4-year reopening period) resulting from the 40,984 incorrectly billed services and instruct the outpatient providers to refund the portion of the $2,785,607 in deductible and coinsurance amounts (for claims within the 4-year reopening period) that may have been incorrectly collected from beneficiaries or from someone on their behalf.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Non-Concur
- Potential Savings
- $11,707,874
- Last Update Received
- -
- Closed Date
- 05/01/2020
- Legislative Related
- No
20-A-01-105.03 We recommended that CMS direct the MACs to, based upon the results of this audit, notify the appropriate providers so that the providers can exercise reasonable diligence to identify, report, and return any overpayments in accordance with the 60-day rule and identify any of those returned overpayments as having been made in accordance with this recommendation.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 05/01/2020
- Legislative Related
- No
20-A-01-105.04 We recommended that CMS direct the MACs to educate outpatient providers on how to correctly bill nonphysician outpatient services provided within 3 days before the date of admission, on the date of admission, or during IPPS stays.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 05/01/2020
- Legislative Related
- No
-
Selected Health Care Coalitions Increased Involvement in Whole Community Preparedness But Face Developmental Challenges Following New Requirements in 2017
20-E-04-019.01 ASPR should clarify HPP guidance that HCCs’ membership should ensure strategic, comprehensive coverage of their communities’ gaps in preparedness and response.
- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 02/08/2023
- Next Update Expected
- 02/22/2024
- Legislative Related
- No
20-E-04-019.02 ASPR should continue to work with CMS to help health care entities comply with the CMS emergency preparedness CoPs.
- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 02/08/2023
- Next Update Expected
- 02/22/2024
- Legislative Related
- No
20-E-04-019.03 ASPR should identify ways to incentivize core member participation in HCCs.
- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 02/08/2023
- Next Update Expected
- 02/22/2024
- Legislative Related
- No
20-E-04-019.04 ASPR should clarify to HPP awardees the flexibility available in meeting Cooperative Agreement requirements.
- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 02/08/2023
- Next Update Expected
- 02/22/2024
- Legislative Related
- No
-
North Carolina Received $30 Million in Excess Federal Funds Related to Improperly Claimed Health Home Expenditures
20-A-04-102.01 We recommend that the North Carolina Department of Health and Human Services, Division of Health Benefits reclassify $124,636,146 ($112,172,531 Federal share) from health home expenditures to PCCM expenditures.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 09/21/2020
- Legislative Related
- No
20-A-04-102.02 We recommend that the North Carolina Department of Health and Human Services, Division of Health Benefits refund $30,649,113 in excess Federal funds to the Federal Government.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $30,649,113
- Last Update Received
- -
- Closed Date
- 09/21/2020
- Legislative Related
- No
-
Illinois' Monitoring Did Not Ensure Childcare Provider Compliance With State Criminal Background Check Requirements at 12 of 30 Providers Reviewed
20-A-05-103.01 We recommend that the Illinois Department of Human Services conduct all required criminal background checks for the 2 individuals we reviewed who did not have all required checks at the time of our data requests and site visits.
- Status
- Closed Unimplemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/19/2022
- Legislative Related
- No
20-A-05-103.02 We recommend that the Illinois Department of Human Services conduct all required criminal background checks for the 47 individuals we reviewed who did not have all recurring checks conducted within the last 5 years.
- Status
- Closed Unimplemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/19/2022
- Legislative Related
- No
20-A-05-103.03 We recommend that the Illinois Department of Human Services ensure that childcare providers notify the State when a new employee is hired or a new household member is added so that the State may conduct the required criminal background checks.
- Status
- Closed Unimplemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/19/2022
- Legislative Related
- No
20-A-05-103.04 We recommend that the Illinois Department of Human Services work with the State licensing agency to address staff and funding challenges to ensure that background checks are conducted on all licensed providers’ employees or household members at least once every 5 years.
- Status
- Closed Unimplemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/19/2022
- Legislative Related
- No
-
Grand Desert Psychiatric Services: Audit of Medicare Payments for Psychotherapy Services
20-A-09-099.01 We recommend that Grand Desert Psychiatric Services refund to Noridian $421,272 in estimated overpayments for psychotherapy services.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $421,272
- Last Update Received
- -
- Closed Date
- 02/17/2022
- Legislative Related
- No
20-A-09-099.02 We recommended that Grand Desert Psychiatric Services exercise reasonable diligence to identify, report, and return any overpayments in accordance with the 60-day rule and identify any of those returned overpayments as having been made in accordance with this recommendation.
- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 11/01/2022
- Legislative Related
- No
20-A-09-099.03 We recommended that Grand Desert Psychiatric Services implement policies and procedures to ensure that psychotherapy services billed to Medicare are adequately documented, including the time spent on those services.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 09/10/2020
- Legislative Related
- No
20-A-09-099.04 We recommended that Grand Desert Psychiatric Services strengthen management oversight and review Medicare claims to ensure that psychotherapy services billed to Medicare meet incident-to requirements.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 09/10/2020
- Legislative Related
- No
20-A-09-099.05 We recommended that Grand Desert Psychiatric Services improve its billing system to ensure that Medicare claims identify the correct provider of psychotherapy services.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 09/10/2020
- Legislative Related
- No
20-A-09-099.06 We recommended that Grand Desert Psychiatric Services strengthen management oversight to ensure that psychotherapy services billed to Medicare were actually provided and have supporting documentation.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 09/10/2020
- Legislative Related
- No
-
Palmetto Government Benefits Administrator, LLC, Overstated Its Medicare Segment Pension Assets as of January 1, 2017
20-A-07-095.01 We recommend that Palmetto Government Benefits Administrator, LLC decrease the Medicare segment pension assets by $2,126,821 and recognize $73,630,103 as the Medicare segment pension assets as of January 1, 2017.
- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 11/04/2020
- Legislative Related
- No
20-A-07-095.02 We recommend that Palmetto Government Benefits Administrator, LLC establish policies and procedures to ensure compliance with Federal requirements and the pension segmentation language of the Medicare contracts.
- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 11/04/2020
- Legislative Related
- No
-
Companion Data Services, LLC, Overstated Its Medicare Segment Pension Assets as of January 1, 2017
20-A-07-096.01 We recommend that Companion Data Services, LLC decrease the Medicare segment pension assets by $777,081 and recognize $17,276,454 as the Medicare segment pension assets as of January 1, 2017.
- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 11/04/2020
- Legislative Related
- No
20-A-07-096.02 We recommend that Companion Data Services, LLC establish policies and procedures to ensure compliance with Federal requirements.
- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 11/04/2020
- Legislative Related
- No
-
Palmetto Government Benefits Administrator, LLC, Claimed Some Unallowable Medicare Pension Costs
20-A-07-097.01 We recommend that Palmetto Government Benefits Administrator, LLC, revise its FACP for FY 2012 to reduce its claimed Medicare pension costs by $42,054.
- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $42,054
- Last Update Received
- -
- Closed Date
- 11/04/2020
- Legislative Related
- No
-
Palmetto Government Benefits Administrator, LLC, Claimed Some Unallowable Medicare Postretirement Benefit Costs
20-A-07-098.01 We recommend that Palmetto Government Benefits Administrator, LLC, revise its FACP for FY 2012 to decrease its Medicare PRB costs by $11,699.
- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $11,699
- Last Update Received
- -
- Closed Date
- 11/04/2020
- Legislative Related
- No
-
Cape Cod Child Development Program Did Not Meet Its Head Start Non-Federal Share Obligations
20-A-01-094.01 We recommend that the Administration for Children and Families take steps through the bankruptcy process to recover $1,196,293 in Federal Head Start funds based on CCCDP’s approximately $1,495,366 non-Federal share shortfall.
- Status
- Closed Implemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- $1,196,293
- Last Update Received
- -
- Closed Date
- 03/21/2023
- Legislative Related
- No
-
Recommendation Followup: Michigan Did Not Report and Refund the Full Federal Share of Medicaid Overpayments
20-A-05-093.01 We recommend that the Michigan Department of Health and Human Services refund $1,217,800 of overpayments not reported on the Form CMS-64.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $1,217,800
- Last Update Received
- -
- Closed Date
- 02/07/2022
- Legislative Related
- No
20-A-05-093.02 We recommend that the Michigan Department of Health and Human Services refund $46,370 for overpayments returned at the incorrect FMAP on the Form CMS-64.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $46,370
- Last Update Received
- -
- Closed Date
- 02/07/2022
- Legislative Related
- No
20-A-05-093.03 We recommend that the Michigan Department of Health and Human Services refund $648,194 of overpayments not reported from the previous audit (A-05-09-00103) on the Form CMS-64.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 02/07/2022
- Legislative Related
- No
20-A-05-093.04 We recommend that the Michigan Department of Health and Human Services follow its policies and procedures to ensure that overpayment collections are reported on the Form CMS-64 as prior period adjustments and at the FMAP in effect at the time the original overpayments were reported.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 02/07/2022
- Legislative Related
- No
-
Most Indian Health Service Purchased/Referred Care Program Claims Were Not Reviewed, Approved, and Paid in Accordance With Federal Requirements
20-A-03-091.01 We recommend that the Indian Health Service establish an edit in the RCIS to enforce the requirement that each beneficiary submits documentation showing that he or she meets the geographic component of IHS’s eligibility requirements.
- Status
- Closed Implemented
- Responsible Agency
- IHS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 06/28/2022
- Legislative Related
- No
20-A-03-091.02 We recommend that the Indian Health Service educate PRC Program staff about the importance of documenting their review of medical necessity and priority-level requirements.
- Status
- Closed Implemented
- Responsible Agency
- IHS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 06/28/2022
- Legislative Related
- No
20-A-03-091.03 We recommend that the Indian Health Service conduct outreach to beneficiaries and providers to ensure that they submit notifications of healthcare services within 72 hours (or 30 days for elderly and disabled beneficiaries).
- Status
- Closed Implemented
- Responsible Agency
- IHS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 06/28/2022
- Legislative Related
- No
20-A-03-091.04 We recommend that the Indian Health Service pay for healthcare services only after receiving all required alternate resource documentation and resolving all information gaps.
- Status
- Closed Implemented
- Responsible Agency
- IHS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 06/28/2022
- Legislative Related
- No
20-A-03-091.05 We recommend that the Indian Health Service educate providers about informing beneficiaries that they must notify IHS if they have alternate resources that may cover health services.
- Status
- Closed Implemented
- Responsible Agency
- IHS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 06/28/2022
- Legislative Related
- No
20-A-03-091.06 We recommend that the Indian Health Service reeducate PRC Program staff about the importance of reviewing and responding to notifications of healthcare services on a timely basis.
- Status
- Closed Implemented
- Responsible Agency
- IHS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 06/28/2022
- Legislative Related
- No
20-A-03-091.07 We recommend that the Indian Health Service work with IHS’s fiscal intermediary to ensure that the fiscal intermediary pays completed claim requests within 30 days of claim submission and work with providers to ensure that they submit accurate and complete claims in a timely manner.
- Status
- Closed Implemented
- Responsible Agency
- IHS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 06/28/2022
- Legislative Related
- No
-
An Estimated 87 Percent of Inpatient Psychiatric Facility Claims With Outlier Payments Did Not Meet Medicare's Medical Necessity or Documentation Requirements
20-A-01-089.01 We recommend that the Centers for Medicare & Medicaid Services increase the number of postpayment reviews of IPF claims to provide IPFs with more feedback on their compliance with Medicare requirements.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/08/2021
- Legislative Related
- No
20-A-01-089.02 We recommend that the Centers for Medicare & Medicaid Services research whether the physician certification and recertification requirements are useful in preventing inappropriate payments and if they are useful, continue to enforce them but if they are not useful, take the steps necessary to eliminate or amend those requirements.
- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/11/2021
- Legislative Related
- No
20-A-01-089.03 We recommend that the Centers for Medicare & Medicaid Services, while the certification requirements remain in place, revise regulations or guidance to IPFs to require that physician certifications and recertifications be in a specific form, format, or language.
- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/18/2021
- Legislative Related
- No
20-A-01-089.04 We recommend that the Centers for Medicare & Medicaid Services promulgate regulations to require that each IPF should have a policy compliant with State law to protect and promote the patient’s right to make informed decisions that includes standards for documenting the patient’s ability to make informed decisions.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 05/09/2023
- Legislative Related
- No
20-A-01-089.05 We recommend that the Centers for Medicare & Medicaid Services conduct a study to determine whether outlier payments are being made only for cases with unusually high costs, and, if not, consider designing and testing alternatives to the current outlier payment methodology.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/28/2023
- Legislative Related
- No
20-A-01-089.06 We recommend that the Centers for Medicare & Medicaid Services reassess the current CMS reimbursement policy for administrative necessary days that meet inpatient coverage requirements because the beneficiary has not met his or her discharge requirements to determine payment accuracy and effects on beneficiaries.
- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/18/2020
- Legislative Related
- No
20-A-01-089.07 We recommend that the Centers for Medicare & Medicaid Services determine whether patient in-hospital fall rates should be added to the IPFQR program and whether CMS should require present-on-admission indicators on claims as an aid to tracking in-hospital falls.
- Status
- Closed Unimplemented
- Responsible Agency
- CMS
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 05/09/2023
- Legislative Related
- No
-
Medicare Home Health Agency Provider Compliance Audit: Residential Home Health
20-A-05-090.01 We recommend that Residential Home Health for the estimated $2,068,902 overpayment for claims that are outside of the Medicare reopening period, exercise reasonable diligence in identifying and returning overpayments in accordance with the 60-day rule, and identify any returned overpayments as having been made in accordance with this recommendation.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/08/2021
- Legislative Related
- No
20-A-05-090.02 We recommend that Residential Home Health exercise reasonable diligence to identify and return any additional similar overpayments outside of our audit period, in accordance with the 60-day rule, and identify any returned overpayments as having been made in accordance with this recommendation.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/08/2021
- Legislative Related
- No
20-A-05-090.03 We recommend that Residential Home Health strengthen its procedures to ensure that the homebound statuses of Medicare beneficiaries are verified and continually monitored and the specific factors qualifying beneficiaries as homebound are documented and beneficiaries are receiving only reasonable and necessary skilled services.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 04/08/2021
- Legislative Related
- No
-
New York Did Not Bill Manufacturers for Some Rebates for Drugs Dispensed to Enrollees of Medicaid Managed-Care Organizations
20-A-02-087.01 We recommend that New York State Department of Health bill for and collect from manufacturers rebates for single-source and top-20 multiple-source pharmacy and physician-administered drugs and refund the estimated $7,846,147 (Federal share).
- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $7,846,147
- Last Update Received
- 03/11/2024
- Next Update Expected
- 09/12/2024
- Legislative Related
- No
20-A-02-087.02 We recommend New York State Department of Health work with CMS to determine whether the other pharmacy and physician-administered drugs were eligible for rebates and, if so, upon receipt of the rebates, refund up to an estimated $3,039,473 (Federal share) of rebates collected.
- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 03/11/2024
- Next Update Expected
- 09/12/2024
- Legislative Related
- No
20-A-02-087.03 We recommend New York State Department of Health strengthen its internal controls to ensure that all pharmacy and physician-administered drugs eligible for rebates are invoiced.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/18/2023
- Legislative Related
- No
-
Iowa Inadequately Monitored Its Medicaid Health Home Providers, Resulting in Tens of Millions in Improperly Claimed Reimbursement
20-A-07-088.01 We recommend that the Iowa Department of Human Services, Iowa Medicaid Enterprise refund $37,132,109 to the Federal Government.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $37,132,109
- Last Update Received
- -
- Closed Date
- 05/11/2021
- Legislative Related
- No
20-A-07-088.02 We recommend that the Iowa Department of Human Services, Iowa Medicaid Enterprise improve its monitoring of the health home program to ensure that health home providers comply with Federal and State requirements for maintaining documentation to support the services for which the providers billed and received PMPM payments.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 05/11/2021
- Legislative Related
- No
20-A-07-088.03 We recommend that the Iowa Department of Human Services, Iowa Medicaid Enterprise revise the State plan to define the documentation requirements that health home providers must follow to bill and receive the higher IHH PMPM payments for intense IHH services, and educate providers on these requirements.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 05/11/2021
- Legislative Related
- No
20-A-07-088.04 We recommend that the Iowa Department of Human Services, Iowa Medicaid Enterprise revise the State plan to define the documentation requirements that health home providers must follow to bill and receive IHH PMPM payments for outreach services, and educate providers on these requirements.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 05/11/2021
- Legislative Related
- No
-
New Hampshire's Monitoring Did Not Ensure Childcare Provider Compliance With State Criminal Background Check Requirements at 21 of 30 Providers Reviewed
20-A-01-086.01 We recommend that the New Hampshire Department of Health and Human Services conduct or renew all required criminal background checks for the 98 individuals we reviewed who did not have all required checks or who had expired background checks at the time of our data requests and site visits.
- Status
- Closed Implemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/30/2022
- Legislative Related
- No
20-A-01-086.02 We recommend that the New Hampshire Department of Health and Human Services develop a system that provides notifications to providers, employees, and department staff when criminal background checks need to be renewed or information to complete the required checks has not been submitted.
- Status
- Closed Implemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/30/2022
- Legislative Related
- No
20-A-01-086.03 We recommend that the New Hampshire Department of Health and Human Services determine whether it is feasible to increase the ratio of State licensing inspectors to childcare providers to meet industry standards so that it can review all employee criminal background checks at all childcare centers.
- Status
- Closed Implemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/30/2022
- Legislative Related
- No
20-A-01-086.04 We recommend that the New Hampshire Department of Health and Human Services require the State licensing agency to increase the number of current employees it reviews at all childcare centers to ensure childcare provider compliance with criminal background check requirements.
- Status
- Closed Implemented
- Responsible Agency
- ACF
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 03/30/2022
- Legislative Related
- No
-
Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2019
20-A-18-084.01 HHS should commit to creating and implementing a Cybersecurity Maturity Migration Strategy to advance the cybersecurity program from its current maturity state to an effective state across HHS. This strategy should include the following. Perform a risk assessment and identify the optimal maturity level that achieves cost-effective security based on your missions and risks faced, risk appetite, and risk tolerance level. Identify gaps between the current state at each OPDIV and the criteria required to reach the optimal level across HHS’ enterprise-wide cybersecurity program and develop security controls to implement effective security. Ensure the requirements for all metrics is Consistently Implemented or higher are achieved. Articulate roles and shared responsibilities needed to meet the requirements for effective maturity, including whether requirements are to be implemented through centralized, federated, or hybrid controls.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.02 HHS should continue to provide department-wide guidance and DHS-supplied Continuous Diagnostics and Mitigation (CDM) tools to each OPDIV for the implementation of their ISCM programs.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.03 The Information Security and Privacy Policy (IS2P) is HHS’ primary policy document governing cybersecurity which is pending a rewrite to address the upcoming requirements in NIST 800-53 revision 5. When this update occurs to the IS2P, HHS should specify required cybersecurity control maturity levels in addition to identifying the selection of NIST controls; describe HHS’ Cybersecurity Shared Responsibility Model, including the key roles under centralized, federated and hybrid strategies for control implementation; include responsibilities of the OCIO, the OPDIVs, and third-party stakeholders (including contractors); and communicate that a Managed and Measurable or the optimal maturity level, based on HHS’s risk assessment, be required to be deemed “Effective”.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.04 We recommend that the HHS OCIO work with the OPDIVs to review the monthly reconciliation report, currently provided by the HHS OCIO, to ensure that discrepancies on the POA&M exception report are corrected to enable accurate OPDIV and Department-level reporting.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.05 We recommend that the HHS OCIO work with the OPDIVs to ensure that the OPDIVs cybersecurity management create and implement a patch management strategy to ensure that patches are installed timely as required by HHS and Federal requirements.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.06 We recommend that the HHS OCIO work with the OPDIVs to develop and document an enterprise-wide configuration management plan that allows for OPDIV-level and system-level configuration management plans to be created and implemented in alignment with the higher-level enterprise plans, to ensure that changes implemented at the system level are consistent with and made only after approval by the OPDIV, and that an HHS level plan defines the role of the OPDIVs for the creation, implementation and execution of OPDIV-specific configuration management plans.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.07 We recommend that the HHS OCIO work with the OPDIVs to identify roles of stakeholders to ensure proper identification of responsibilities in a shared responsibility environment.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.08 We recommend that the HHS OCIO work with the OPDIVs to communicate the enterprise-wide configuration management plan to all HHS system owners and stakeholders.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.09 We recommend that the HHS OCIO work with the OPDIVs to implement the enterprise-wide configuration management plan, working with system owners to align system configuration management plans with the enterprise plan.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.10 We recommend that the HHS OCIO work with the OPDIVs to ensure that all OPDIVs conduct background checks on all personnel with information system access before they are granted access. The OPDIV should also conduct reinvestigations on these individuals in accordance with current personnel security policy.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.11 We recommend that the HHS OCIO work with the OPDIVs to ensure that all OPDIVs create and implement a process to require privileged users to sign a privileged user rules of behavior agreement for all systems prior to provisioning privileged access to those systems.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.12 We recommend that the HHS OCIO work with the OPDIVs to ensure that all OPDIVs establish a repository to retain signed copies of privileged user rules of behavior agreements for holders of privileged access for all systems.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.13 We recommend that the HHS OCIO work with the OPDIVs to ensure that all OPDIVs ensure implementation of strong authentication mechanisms for privileged and non-privileged users to all OPDIV systems using multifactor PIV credentials, NIST 800-63 Identity Assurance Level 3/Authenticator Assurance Level 3/Federated Assurance Level 3 credential or other strong authentication for non-privileged and privileged users.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.14 We recommend that the HHS OCIO periodically sample systems to ensure that PIAs are created and maintained for all systems that require one.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Non-Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.15 We recommend that the HHS OCIO work with the OPDIVs to ensure that all PIAs are reviewed, approved and signed by the appropriate HHS personnel at a minimum within three (3) years of the last PIA approval date.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.16 We recommend that the HHS OCIO work with the OPDIVs to ensure that OPDIVs’ security management improve their processes to consistently and accurately track training to ensure that everyone has taken the training prior to granting them system access. Obtain and retain training certificates as evidence of completed training.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.17 We recommend that the HHS OCIO work with the OPDIVs to ensure that role-based training is obtained for all users with significant security responsibilities before granting access to the system and annually thereafter.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.18 We recommend that the HHS OCIO work with the OPDIVs to ensure that a process be designed and implemented that ensures the collection and maintenance of artifacts evidencing the successful completion of annual RBT for all users with significant security responsibilities.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.19 We recommend that the HHS OCIO work with the OPDIVs to ensure that they plan and execute resource staffing such that ATOs are kept up to date without a lapse of authorization.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.20 We recommend that the HHS OCIO work with the OPDIVs to ensure that they obtain waiver or acceptances of risk approved by senior OPDIV management for those systems continuing to operate in the production environment without authorization.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.21 We recommend that the HHS OCIO work with the OPDIVs to ensure that they plan and execute resource staffing such that SCAs are kept up to date as needed to support the ATO process.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.22 We recommend that the HHS OCIO work with the OPDIV to define a threat profiling framework that structures and standardizes threat profiling at the OPDIV.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.23 We recommend that the HHS OCIO work with the OPDIV to implement threat profiling techniques within the defined framework that helps management understand where the OPDIV’s high-value assets are located, who could be interested in taking control of them, and what attack vectors and under which scenarios they would likely be used to exploit vulnerabilities to succeed in their pursuits.
- Status
- Closed Implemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.24 We recommend that the HHS OCIO require each OPDIV to develop a POA&M to implement activities required to achieve an effective maturity level for contingency planning, pending HHS risk assessment.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
20-A-18-084.25 We recommend that the HHS OCIO work with the OPDIVs to monitor and validate each OPDIV’s implementation progress, which should include periodically sampling HHS systems to ensure the effectiveness of contingency plans, including adequate testing based on system categorization.
- Status
- Closed Unimplemented
- Responsible Agency
- OCR
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 07/20/2021
- Legislative Related
- No
-
96 Percent of South Carolina's Medicaid Fee-for-Service Telemedicine Payments Were Insufficiently Documented or Otherwise Unallowable
20-A-04-082.01 We recommend that the South Carolina Department of Health and Human Services refund $1,524,536 to the Federal Government.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $1,524,536
- Last Update Received
- -
- Closed Date
- 10/06/2020
- Legislative Related
- No
20-A-04-082.02 We recommend that the South Carolina Department of Health and Human Services give providers formal training on telemedicine documentation requirements.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 10/06/2020
- Legislative Related
- No
20-A-04-082.03 We recommend that the South Carolina Department of Health and Human Services enhance the monitoring of provider compliance by conducting periodic reviews of telemedicine payments for compliance with documentation requirements.
- Status
- Closed Implemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Closed Date
- 10/06/2020
- Legislative Related
- No
-
Mississippi Needs To Improve Oversight of Its Child Care Payment Program
20-A-07-083.01 We recommend that the Mississippi Department of Human Services refund to the Federal Government the estimated $22,284,900 Federal CCDF share of the Child Care Payment Program claims paid during FYs 2016 and 2017.
- Status
- Open Unimplemented
- Responsible Agency
- ACF
- Response
- Overdue
- Potential Savings
- $22,284,900
- Last Update Received
- -
- Next Update Expected
- 09/30/2022
- Legislative Related
- No
20-A-07-083.02 We recommend that the Mississippi Department of Human Services strengthen its monitoring program to ensure that providers maintain required attendance documentation to support the childcare payment amounts that they claim for reimbursement by the State agency.
- Status
- Open Unimplemented
- Responsible Agency
- ACF
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 09/30/2022
- Legislative Related
- No
20-A-07-083.03 We recommend that the Mississippi Department of Human Services develop policies and procedures to ensure that attendance documentation is maintained and provided to the State agency when a provider closes.
- Status
- Open Unimplemented
- Responsible Agency
- ACF
- Response
- Overdue
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 09/30/2022
- Legislative Related
- No