Beta This is a new resource - your feedback will help us improve it.
Recommendations Tracker
HHS-OIG provides independent and objective oversight that promotes economy, efficiency, and effectiveness in HHS programs and operations. To drive positive change, we produce reports and identify recommendations for improvement. We have developed this public-facing page for tracking all of our open recommendations. Learn More
Summary of Recommendations Data
Updated Monthly · Last updated on September 16, 2024
1,350
Unimplemented
recommendations
$281.0B
Potential savingsfrom unimplemented recommendations
2,589
Implemented and Closed
recommendations since FY 2017
OIG Recommendations Grouped by Report
Views
Showing 1–20 of 1,200 reports, containing 3,939 recommendations
Sorted by latest release date
-
Most Children in Foster Care Did Not Receive Credit Checks and Assistance
24-E-07-033.01ACF should monitor whether States are conducting credit checks of all three CRAs for children aged 14 or older who are in foster care, as required.- Status
- Open Unimplemented
- Responsible Agency
- ACF
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 03/04/2025
- Legislative Related
- No
24-E-07-033.02ACF should further assist States in building their capacity to conduct credit checks and to interpret and resolve credit reports effectively.- Status
- Open Unimplemented
- Responsible Agency
- ACF
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 03/04/2025
- Legislative Related
- No
24-E-07-033.03ACF should seek to partner with other government agencies to develop strategies to address issues that States experienced working with CRAs.- Status
- Open Unimplemented
- Responsible Agency
- ACF
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 03/04/2025
- Legislative Related
- No
-
Massachusetts Opioid Treatment Program Services Met Many of the Federal and State Requirements
24-A-01-103.01We recommend the Massachusetts Executive Office of Health & Human Services follow up with the OTP providers to correct the three services that were not supported by the medical records.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/27/2025
- Legislative Related
- No
24-A-01-103.02We recommend the Massachusetts Executive Office of Health & Human Services review its procedures designed to prevent OTP noncompliance with Federal and State requirements and make changes to improve documentation of counseling and more timely review of OTP treatment plans.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/27/2025
- Legislative Related
- No
-
South Carolina Did Not Always Invoice Rebates to Manufacturers for Physician-Administered Drugs Dispensed to Enrollees of Medicaid Managed-Care Organizations
24-A-07-102.01We recommend that the South Carolina Department of Health and Human Services invoice for and collect manufacturers' rebates totaling $12,204,259 (Federal share) for single-source and top-20 multiple-source physician-administered drugs and refund the Federal share of rebates collected.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- $12,204,259
- Last Update Received
- -
- Next Update Expected
- 02/27/2025
- Legislative Related
- No
24-A-07-102.02We recommend that the South Carolina Department of Health and Human Services work with CMS to determine whether the claims for other multiple-source physician-administered drugs, totaling $1,947,035 (Federal share), were eligible for rebates and, if so, determine the rebates due for these drugs and, upon receipt of the rebates, refund the Federal share of the rebates collected.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- $1,947,035
- Last Update Received
- -
- Next Update Expected
- 02/27/2025
- Legislative Related
- No
24-A-07-102.03We recommend that the South Carolina Department of Health and Human Services ensure that all physician-administered drugs eligible for rebates after our audit period are processed for rebates.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/27/2025
- Legislative Related
- No
24-A-07-102.04We recommend that the South Carolina Department of Health and Human Services continue to review and strengthen its internal controls to ensure that, in line with the State agency's existing policies, all physician-administered drugs eligible for rebates are invoiced.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/27/2025
- Legislative Related
- No
-
Utah Generally Completed Medicaid Eligibility Actions During the Unwinding Period in Accordance With Federal and State Requirements
24-A-07-100.01We recommend that the Utah Department of Health and Human Services redetermine Medicaid eligibility for the six sampled enrollees whom we have identified as having had incorrectly completed eligibility determinations.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/26/2025
- Legislative Related
- No
24-A-07-100.02We recommend that the Utah Department of Health and Human Services coordinate with DWS to provide periodic training to caseworkers that focuses on verifying and documenting information used and steps performed during the eligibility renewal process, including: (1) verifying income and assets, (2) verifying residency/contact information, and (3) correctly executing case review and reporting.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/26/2025
- Legislative Related
- No
24-A-07-100.03We recommend that the Utah Department of Health and Human Services identify and correct the eREP data limitations, which in some cases prevented proper reporting classification.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/26/2025
- Legislative Related
- No
24-A-07-100.04We recommend that the Utah Department of Health and Human Services strengthen its policies and procedures to provide for greater accuracy in the monthly unwinding data reports and any future reports of a similar nature that the State agency submits to CMS.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/26/2025
- Legislative Related
- No
-
New Mexico Did Not Ensure Attendants Were Qualified To Provide Personal Care Services, Putting Medicaid Enrollees at Risk
24-A-06-101.01We recommend that the New Mexico Human Services Department work with the MCOs todevelop procedures to monitor PCS provider compliance with attendant qualifications, including those related to criminal background checks, abuse registry checks, TB tests, initial written competency tests, annual training, and CPR and first aid certifications; educate providers more frequently through methods such as guidance letters or webinars to increase PCS providers' understanding of attendant qualification requirements; and take corrective action against providers that do not ensure that attendants comply with qualification requirements, which could include removing providers that repeatedly fail to comply with the State's PCS program.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/26/2025
- Legislative Related
- No
24-A-06-101.02We recommend that the New Mexico Human Services Department share the results of our audit report with PCS providers statewide to emphasize the importance of attendants meeting qualification requirements and clarify the oversight provisions in its contracts with MCOs to require MCOs to monitor PCS providers' compliance with attendant qualification requirements and report monitoring results to the State agency.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/26/2025
- Legislative Related
- No
-
Kansas’s Implemented Electronic Visit Verification System Could Be Improved
24-A-07-099.01We recommend that the Kansas Department of Health and Education improve its electronic visit verification system by developing and implementing procedures to verify that in-home PCS claims are recorded and verified in its EVV system, and implementing edits to verify that tasks recorded on in-home PCS claims match allowable tasks approved in the PCSP.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/19/2025
- Legislative Related
- No
24-A-07-099.02We recommend that the Kansas Department of Health and Education improve its use of the EVV system by verifying that exceptions are reviewed and remedied, requiring that providers use the scheduling function within the EVV system or else directing the EVV contractor to remove the corresponding exception for instances when the scheduling function is not used, training providers on how to address and minimize the occurrence of informational exceptions, and establishing formal requirements governing service workers' use of the web portal.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/19/2025
- Legislative Related
- No
24-A-07-099.03We recommend that the Kansas Department of Health and Education verify that providers are complying with the State agency's established policies and procedures to maintain documentation showing that service workers are registered, screened, and employable pursuant to background check requirements.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/19/2025
- Legislative Related
- No
24-A-07-099.04We recommend that the Kansas Department of Health and Education verify that MCOs are complying with the State agency's established policies and procedures to complete and reassess functional needs assessments, including the needs evaluation tool, every 12 months, and upload these documents into the care management system for retention.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/19/2025
- Legislative Related
- No
-
Certain For-Profit Nursing Homes May Not Have Complied With Federal Requirements Regarding the Infection Preventionist Position
24-A-01-098.01We recommend that the Centers for Medicare & Medicaid Services instruct the SSAs to follow up with the 24 nursing homes that may not have complied with Federal requirements to verify that they have taken corrective actions.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/18/2025
- Legislative Related
- No
24-A-01-098.02We recommend that the Centers for Medicare & Medicaid Services share the results of this audit with the SSAs and encourage them to focus their oversight on verifying that nursing homes designate an IP and that the IPs complete specialized training prior to filling that position.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/18/2025
- Legislative Related
- No
-
Illinois MMIS and E&E System Had Adequate Security Controls in Place, but Some Improvements Are Needed
24-A-18-097.01We recommend that the Illinois Department of Healthcare and Family Services remediate the four security control findings identified by OIG.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/14/2025
- Legislative Related
- No
24-A-18-097.02We recommend that the Illinois Department of Healthcare and Family Services develop and implement flaw remediation policies and procedures for effectively identifying vulnerabilities, prioritizing them based on potential impact and exploitability, and remediating them within a defined timeframe as required by NIST SP 800-53, SI-2, Flaw Remediation, or other standards governing security of Federal systems and information.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/14/2025
- Legislative Related
- No
24-A-18-097.03We recommend that the Illinois Department of Healthcare and Family Services enhance its testing procedures to include performing more robust technical testing of web-facing systems and emulation of an adversary's tactics and techniques on a defined reoccurring basis, in order to better assess the effectiveness of NIST SP 800-53 controls.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/14/2025
- Legislative Related
- No
-
Medicare Advantage Compliance Audit of Diagnosis Codes That MMM Healthcare, LLC, (Contract H4003) Submitted to CMS
24-A-04-095.01We recommend that MMM Healthcare, LLC, refund to the Federal Government the $165,312 of net overpayments.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- $165,312
- Last Update Received
- -
- Next Update Expected
- 02/12/2025
- Legislative Related
- No
24-A-04-095.02We recommend that MMM Healthcare, LLC, continue to improve its policies and procedures to prevent, detect, and correct noncompliance with Federal requirements for diagnosis codes that are used to calculate risk-adjusted payments.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/12/2025
- Legislative Related
- No
-
Massachusetts Generally Completed Medicaid Eligibility Actions During the Unwinding Period in Accordance With Federal and State Requirements
24-A-02-096.01We recommend that the Massachusetts' Executive Office of Health and Human Services redetermine eligibility for the three sampled enrollees whose eligibility was incorrectly determined and take appropriate action.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/12/2025
- Legislative Related
- No
24-A-02-096.02We recommend that the Massachusetts' Executive Office of Health and Human Services provide periodic training to caseworkers about verifying and documenting enrollees' income and residency during the renewal process.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/12/2025
- Legislative Related
- No
24-A-02-096.03We recommend that the Massachusetts' Executive Office of Health and Human Services revise policies and procedures to be consistent with CMS guidance related to preparing unwinding data reports and any future reports of a similar nature.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/12/2025
- Legislative Related
- No
-
Medicare Improperly Paid Hospitals an Estimated $79 Million for Enrollees Who Had Received Mechanical Ventilation
24-A-09-094.01We recommend that the Centers for Medicare & Medicaid Services direct the MACs to recover from hospitals the portion of the $382,032 in identified overpayments for the sampled claims during our audit period that are within the 4-year reopening period in accordance with CMS's policies and procedures.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- $382,032
- Last Update Received
- -
- Next Update Expected
- 02/08/2025
- Legislative Related
- No
24-A-09-094.02We recommend that the Centers for Medicare & Medicaid Services educate hospitals on correctly counting the hours of mechanical ventilation and submitting claims with correct procedure and diagnosis codes, which could have saved an estimated $79,354,175 for our audit period.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- $79,354,175
- Last Update Received
- -
- Next Update Expected
- 02/08/2025
- Legislative Related
- No
-
Opioid Treatment Programs in Washington State Did Not Fully Comply With Federal and State Requirements, Which May Have Put Medicaid Enrollees at Risk for Poor Treatment Outcomes
24-A-09-093.01We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs complete required tests for enrollee admissions and adequately document enrollee admissions.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/04/2025
- Legislative Related
- No
24-A-09-093.02We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs adequately document treatment plans.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/04/2025
- Legislative Related
- No
24-A-09-093.03We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs provide take-home medications in accordance with Federal and State requirements.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/04/2025
- Legislative Related
- No
24-A-09-093.04We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs adequately document opioid treatment services.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/04/2025
- Legislative Related
- No
24-A-09-093.05We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs adequately document the results of drug screens.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/04/2025
- Legislative Related
- No
24-A-09-093.06We recommend that the Washington State Health Care Authority work with its contractedMCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs adequately document checks of Washington State PDMP prescription data to identify enrollees' prescriptions.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/04/2025
- Legislative Related
- No
24-A-09-093.07We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs adequately document enrollee assessments.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/04/2025
- Legislative Related
- No
24-A-09-093.08We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs demonstrate through documentation that treatment plans and progress notes are reviewed by qualified staff.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/04/2025
- Legislative Related
- No
24-A-09-093.09We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs complete and adequately document annual medical examinations.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/04/2025
- Legislative Related
- No
24-A-09-093.10We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs identify in the enrollee records the staff members who provided SUD assessments.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 02/04/2025
- Legislative Related
- No
-
Alaska Medicaid Fraud Control Unit: 2023 Inspection
24-E-12-026.01Revise its procedures for screening referrals to incorporate the expertise of each professional discipline and to reflect current Unit priorities and workloads- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.02Take steps to improve communication and collaboration across professional disciplines throughout the investigative phase of cases- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.03Revise its procedures for opening, assigning, and closing cases to better enable cases to be completed in an appropriate timeframe- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.04Implement a comprehensive case management system to manage its investigative case information in an efficient and secure manner- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.05Take steps to improve the accuracy and completeness of case information and performance data in its electronic case management system- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.06Take steps to maintain case files in a consistent and effective manner- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.07Take steps to improve its ability to staff its administrative functions consistently and appropriately- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.08Take steps to expand upon the Unit's efforts to encourage referrals to the Unit- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.09Establish procedures for regularly communicating and coordinating with OIG's Office of Investigations and the U.S. Attorney's Office- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.10Develop procedures to improve the accuracy of its inventory list and verify that all Unit property is properly secured- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.11Revise its policies and procedures for periodic supervisory reviews and conduct and document the reviews in accordance with its updated policies- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.12Modify its supervisory structure so that all Unit staff are under the supervision of the Unit Director or another Unit supervisor- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
24-E-12-026.13Include acknowledgments of Federal funding in its press releases and other public documents- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/29/2025
- Legislative Related
- No
-
Heluna Health May Not Have Used California’s CDC COVID-19 Funds in Accordance With Award Requirements
24-A-04-090.01We recommend that Heluna Health refund $3,585,834 to the Federal government.- Status
- Open Unimplemented
- Responsible Agency
- CDC
- Response
- Not Yet Due
- Potential Savings
- $3,585,834
- Last Update Received
- -
- Next Update Expected
- 01/25/2025
- Legislative Related
- No
24-A-04-090.02We recommend that Heluna Health develop and implement a policy that requires California Department of Public Health (CDPH) to provide adequate supporting documentation to ensure the costs claimed are allowable and allocable.- Status
- Open Unimplemented
- Responsible Agency
- CDC
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/25/2025
- Legislative Related
- No
24-A-04-090.03We recommend that Heluna Health work with CDC to determine the allowable portion of $366,850,858 related to local health jurisdiction (LHJ) start-up costs and refund to the Federal Government any unallowable amount.- Status
- Open Unimplemented
- Responsible Agency
- CDC
- Response
- Not Yet Due
- Potential Savings
- $366,850,858
- Last Update Received
- -
- Next Update Expected
- 01/25/2025
- Legislative Related
- No
-
California Made Capitation Payments for Enrollees Who Were Concurrently Enrolled in a Medicaid Managed Care Program in Another State
24-A-05-089.01We recommend that the California Department of Health Care Services resume and enhance procedures that are in accordance with current Federal requirements to identify and disenroll enrollees who are residing and enrolled in Medicaid managed care in another State.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/23/2025
- Legislative Related
- No
24-A-05-089.02We recommend that the California Department of Health Care Services work with CMS to consider the potential use of T-MSIS data to identify potential cases of concurrent enrollment.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/23/2025
- Legislative Related
- No
-
West Virginia Medicaid Fraud Control Unit: 2023 Inspection
24-E-12-023.01Eliminate access to sensitive case material for unauthorized staff- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/23/2025
- Legislative Related
- No
24-E-12-023.02Take steps to ensure that its new case management system allows for the accurate reporting of performance data- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/23/2025
- Legislative Related
- No
24-E-12-023.03Take steps to report adverse actions to the NPDB within the required timeframe- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/23/2025
- Legislative Related
- No
24-E-12-023.04Take steps to report all convictions to OIG within the required timeframe- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/23/2025
- Legislative Related
- No
24-E-12-023.05Implement a method to monitor the State's responses to the Unit's program recommendations- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/23/2025
- Legislative Related
- No
24-E-12-023.06Work with the Bureau of Medicaid Services to ensure the return of the Federal Government's share of all recoveries- Status
- Open Unimplemented
- Responsible Agency
- MFCU
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/23/2025
- Legislative Related
- No
-
HHS Office of the Secretary Needs to Improve Key Security Controls to Better Protect Certain Cloud Information Systems
24-A-18-088.01We recommend that the HHS Office of the Secretary develop a procedure to ensure cloud system inventories are accurate and completed in accordance with HHS security requirements.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/16/2025
- Legislative Related
- No
24-A-18-088.02We recommend that the HHS Office of the Secretary remediate the 12 control findings in accordance with NIST SP 800-53.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 08/21/2024
- Next Update Expected
- 02/21/2025
- Legislative Related
- No
24-A-18-088.03We recommend that the HHS Office of the Secretary implement a strategy that includes leveraging cloud security assessment tools that identify misconfigurations and other control weaknesses in its cloud services, and remediate weak controls in a timely manner.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/16/2025
- Legislative Related
- No
24-A-18-088.04We recommend that the HHS Office of the Secretary develop and implement a policy and process to ensure qualified staff are assigned as System Security Officers for its cloud systems.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/16/2025
- Legislative Related
- No
-
ASPR Did Not Consistently Comply With Federal Requirements for Awarding Research and Development Contracts
24-A-03-087.01We recommend that the Administration for Strategic Preparedness and Response note on the CPARS assessment report for the original contractor that the contractor failed to submit the novation to report the sale of the business interests and transfer of the contract.- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/11/2025
- Legislative Related
- No
24-A-03-087.02We recommend that the Administration for Strategic Preparedness and Response provide technical assistance or education to the new contractor regarding novation procedures.- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/11/2025
- Legislative Related
- No
24-A-03-087.03We recommend that the Administration for Strategic Preparedness and Response implement a review process to verify that Federal acquisition awarding procedures and contract funding are fully completed before contract performance begins.- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/11/2025
- Legislative Related
- No
24-A-03-087.04We recommend that the Administration for Strategic Preparedness and Response correct the Recording Statute violation for the contract that was not properly finalized by ratifying the original contract and properly recording an obligation.- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Not Yet Due
- Potential Savings
- $14,000
- Last Update Received
- -
- Next Update Expected
- 01/11/2025
- Legislative Related
- No
24-A-03-087.05We recommend that the Administration for Strategic Preparedness and Response correct the time violation for the improperly created purchase order by using no-year funds or multi-year funds available for obligation and report an Antideficiency Act violation if the time violation cannot be corrected.- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Not Yet Due
- Potential Savings
- $14,000
- Last Update Received
- -
- Next Update Expected
- 01/11/2025
- Legislative Related
- No
24-A-03-087.06We recommend that the Administration for Strategic Preparedness and Response create policies and procedures for the maintenance and organization of electronic contract files.- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/11/2025
- Legislative Related
- No
24-A-03-087.07We recommend that the Administration for Strategic Preparedness and Response implement a periodic documentation review process to assess completeness of contract files and provide training to address deficiencies identified from the review.- Status
- Open Unimplemented
- Responsible Agency
- ASPR
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 01/11/2025
- Legislative Related
- No
-
Medicare Advantage Compliance Audit of Specific Diagnosis Codes That Independent Health Association, Inc. (Contract H3362) Submitted to CMS
24-A-07-085.01We recommend that Independent Health Association, Inc. refund to the Federal Government the $646,217 of overpayments.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- $646,217
- Last Update Received
- 08/19/2024
- Next Update Expected
- 02/19/2025
- Legislative Related
- No
24-A-07-085.02We recommend that Independent Health Association, Inc. identify, for the high-risk diagnoses included in this report, similar instances of noncompliance that occurred before and after our audit period and refund any resulting overpayments to the Federal Government.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 08/19/2024
- Next Update Expected
- 02/19/2025
- Legislative Related
- No
24-A-07-085.03We recommend that Independent Health Association, Inc. continue its examination of its existing compliance procedures to identify areas where improvements can be made to ensure that diagnosis codes that are at high risk for being miscoded comply with Federal requirements (when submitted to CMS for use in CMS's risk adjustment program) and take the necessary steps to enhance those procedures.- Status
- Open Unimplemented
- Responsible Agency
- CMS
- Response
- Concur
- Potential Savings
- -
- Last Update Received
- 08/19/2024
- Next Update Expected
- 02/19/2025
- Legislative Related
- No
-
Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023
24-A-18-086.01Refine their enterprise architecture system inventory and software/hardware asset inventories to ensure the inclusion of the information systems and components active on the HHS network. HHS should utilize these inventories to monitor assets continuously and identify and remediate vulnerabilities timely to better manage the risks to these assets.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.02Require OpDivs to implement a cybersecurity risk management strategy to assess and respond to identified risks within the agency, watch for new risks, and monitor risks and confirm implementation. The strategy should define a standardized process to accept and monitor risks that cannot be adequately mitigated.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.03Confirm that all organization-wide and system-level risk assessments have been completed in an accurate and timely manner and include data points such as the threat vectors, likelihood, and tolerance level. This will help with the ability to address risks at the organization consistently and promptly.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.04Require OpDivs to implement an effective SCRM program that meets the defined standards across HHS and confirm implementation is consistent with established standard. HHS should ensure that all OpDivs are appropriately assessing vendors and submitting data points to assist with tracking and monitoring components on the network.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.05Require OpDivs to assess and inventory privileged user accounts across the agency by an established due date and confirm completion. HHS should confirm that OpDivs policies are defined to require privileged user account monitoring in both logging and activity reviews, preferably at an automated level.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.06Conduct an annual review of the System Security & Privacy Plan and annually perform risk assessments for all operational systems, according to organizational policy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.07Appropriately track software license information and maintain an accessible, up-to-date inventory for all its software licenses.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.08Perform the SAR and ATO in accordance with the organization's policy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.09Utilize automated solutions to provide a portfolio view of cybersecurity risk at the organization is consistently implemented in accordance with NIST standards.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.10Confirm OpDivs define and implement an OpDiv level supply chain risk management strategy based on HHS departmental policy and NIST standards.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.11Ensure that OpDivs' vulnerabilities are tracked and remediated in a timely manner and create POA&Ms for any vulnerabilities in accordance with the organization's policy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.12Ensure that all OpDivs' baseline configurations are documented and tracked for each system in the OpDiv.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.13Ensure that all OpDivs' TIC 3.0 program use cases are reviewed for relevance and capabilities that are new to the latest revision of the TIC guidance are consistently implemented in accordance with HHS Policy for the Implementation of TIC and OMB M-19-26.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.14Ensure that all OpDivs acquire the resources to fully implement MFA or an alternative strong authentication and implement multi-factor authentication or an alternative strong authentication for both privileged and non-privileged users on all operational systems.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.15Ensure that all OpDivs provision, manage, and review privileged user accounts for operational systems.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.16Ensure that all OpDivs are properly implementing remote session timeouts of 30 minutes (or less) for operating systems.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.17Ensure that all OpDivs consistently implement access policies and procedures in accordance with the organization's Risk Management Safeguards policy across the organization.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.18Ensure that all OpDivs' operational systems have an approved and up-to-date PIA in accordance with the HHS Policy of Privacy Impact Assessment.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.19Ensure that all OpDivs implement data encryption methods to protect data determined to be PII or sensitive by the systems and enhanced network defenses in accordance with NIST standards.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.20Require and confirm that all OpDivs have a process in place to evaluate their workforce gaps. Furthermore, confirm that all OpDivs are implementing a compliant security training strategy as defined by overarching HHS policy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.21Ensure that all OpDivs are inheriting and consistently implementing policies and procedures defined by HHS department level policy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.22Inherit and consistently implement policies or procedures to govern their incident response strategy.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.23Define common threat vector taxonomy for classifying incidents and its processes for detecting, analyzing, and prioritizing incidents in accordance with NIST standards, USCERT Federal Incident Notification Guidelines and OMB guidance across the organization.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.24Require and confirm that all OpDivs' operational systems have a complete and up-to-date BIA.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.25Require and confirm that all OpDivs' operational systems conduct Contingency Plan testing and exercises as required by their risk rating. Any testing and exercises conducted should be followed with after-action reports as necessary.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No
24-A-18-086.26Confirm that all OpDivs' policies and procedures covering Contingency Plan testing are in accordance with policy requirements by Departmental policy, NIST standards, and OMB guidance.- Status
- Open Unimplemented
- Responsible Agency
- OS
- Response
- Not Yet Due
- Potential Savings
- -
- Last Update Received
- -
- Next Update Expected
- 12/25/2024
- Legislative Related
- No