Recommendations Tracker

We recommend the Massachusetts Executive Office of Health & Human Services follow up with the OTP providers to correct the three services that were not supported by the medical records.

We recommend that the South Carolina Department of Health and Human Services invoice for and collect manufacturers' rebates totaling $12,204,259 (Federal share) for single-source and top-20 multiple-source physician-administered drugs and refund the Federal share of rebates collected.

We recommend that the South Carolina Department of Health and Human Services ensure that all physician-administered drugs eligible for rebates after our audit period are processed for rebates.

We recommend that the Utah Department of Health and Human Services redetermine Medicaid eligibility for the six sampled enrollees whom we have identified as having had incorrectly completed eligibility determinations.

We recommend that the Utah Department of Health and Human Services identify and correct the eREP data limitations, which in some cases prevented proper reporting classification.

We recommend that the New Mexico Human Services Department work with the MCOs todevelop procedures to monitor PCS provider compliance with attendant qualifications, including those related to criminal background checks, abuse registry checks, TB tests, initial written competency tests, annual training, and CPR and first aid certifications; educate providers more frequently through methods such as guidance letters or webinars to increase PCS providers' understanding of attendant qualification requirements; and take corrective action against providers that do not ensure that attendants comply with qualification requirements, which could include removing providers that repeatedly fail to comply with the State's PCS program.

We recommend that the Kansas Department of Health and Education improve its electronic visit verification system by developing and implementing procedures to verify that in-home PCS claims are recorded and verified in its EVV system, and implementing edits to verify that tasks recorded on in-home PCS claims match allowable tasks approved in the PCSP.    

We recommend that the Kansas Department of Health and Education verify that providers are complying with the State agency's established policies and procedures to maintain documentation showing that service workers are registered, screened, and employable pursuant to background check requirements.

We recommend that the Centers for Medicare & Medicaid Services instruct the SSAs to follow up with the 24 nursing homes that may not have complied with Federal requirements to verify that they have taken corrective actions.

We recommend that the Illinois Department of Healthcare and Family Services remediate the four security control findings identified by OIG.

We recommend that the Illinois Department of Healthcare and Family Services enhance its testing procedures to include performing more robust technical testing of web-facing systems and emulation of an adversary's tactics and techniques on a defined reoccurring basis, in order to better assess the effectiveness of NIST SP 800-53 controls.

We recommend that MMM Healthcare, LLC, refund to the Federal Government the $165,312 of net overpayments.

We recommend that the Massachusetts' Executive Office of Health and Human Services redetermine eligibility for the three sampled enrollees whose eligibility was incorrectly determined and take appropriate action.

We recommend that the Massachusetts' Executive Office of Health and Human Services revise policies and procedures to be consistent with CMS guidance related to preparing unwinding data reports and any future reports of a similar nature.

We recommend that the Centers for Medicare & Medicaid Services direct the MACs to recover from hospitals the portion of the $382,032 in identified overpayments for the sampled claims during our audit period that are within the 4-year reopening period in accordance with CMS's policies and procedures.

We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs complete required tests for enrollee admissions and adequately document enrollee admissions.

We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs provide take-home medications in accordance with Federal and State requirements.

We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs adequately document the results of drug screens.

We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs adequately document enrollee assessments.

We recommend that the Washington State Health Care Authority work with its contracted MCOs and the Department of Health to ensure that OTPs comply with Federal and State requirements for providing and documenting OTP services, including ensuring that OTPs complete and adequately document annual medical examinations.

Revise its procedures for screening referrals to incorporate the expertise of each professional discipline and to reflect current Unit priorities and workloads

Revise its procedures for opening, assigning, and closing cases to better enable cases to be completed in an appropriate timeframe

Take steps to improve the accuracy and completeness of case information and performance data in its electronic case management system

Take steps to improve its ability to staff its administrative functions consistently and appropriately

Establish procedures for regularly communicating and coordinating with OIG's Office of Investigations and the U.S. Attorney's Office

Revise its policies and procedures for periodic supervisory reviews and conduct and document the reviews in accordance with its updated policies

Include acknowledgments of Federal funding in its press releases and other public documents

We recommend that Heluna Health refund $3,585,834 to the Federal government.

We recommend that Heluna Health work with CDC to determine the allowable portion of $366,850,858 related to local health jurisdiction (LHJ) start-up costs and refund to the Federal Government any unallowable amount.

We recommend that the California Department of Health Care Services resume and enhance procedures that are in accordance with current Federal requirements to identify and disenroll enrollees who are residing and enrolled in Medicaid managed care in another State.

Eliminate access to sensitive case material for unauthorized staff

Take steps to report adverse actions to the NPDB within the required timeframe

Implement a method to monitor the State's responses to the Unit's program recommendations

We recommend that the HHS Office of the Secretary develop a procedure to ensure cloud system inventories are accurate and completed in accordance with HHS security requirements.

We recommend that the HHS Office of the Secretary implement a strategy that includes leveraging cloud security assessment tools that identify misconfigurations and other control weaknesses in its cloud services, and remediate weak controls in a timely manner.

We recommend that the Administration for Strategic Preparedness and Response note on the CPARS assessment report for the original contractor that the contractor failed to submit the novation to report the sale of the business interests and transfer of the contract.

We recommend that the Administration for Strategic Preparedness and Response implement a review process to verify that Federal acquisition awarding procedures and contract funding are fully completed before contract performance begins.

We recommend that the Administration for Strategic Preparedness and Response correct the time violation for the improperly created purchase order by using no-year funds or multi-year funds available for obligation and report an Antideficiency Act violation if the time violation cannot be corrected.

We recommend that the Administration for Strategic Preparedness and Response implement a periodic documentation review process to assess completeness of contract files and provide training to address deficiencies identified from the review.

We recommend that Independent Health Association, Inc. refund to the Federal Government the $646,217 of overpayments.

We recommend that Independent Health Association, Inc. continue its examination of its existing compliance procedures to identify areas where improvements can be made to ensure that diagnosis codes that are at high risk for being miscoded comply with Federal requirements (when submitted to CMS for use in CMS's risk adjustment program) and take the necessary steps to enhance those procedures.

Refine their enterprise architecture system inventory and software/hardware asset inventories to ensure the inclusion of the information systems and components active on the HHS network. HHS should utilize these inventories to monitor assets continuously and identify and remediate vulnerabilities timely to better manage the risks to these assets.

We recommend that HHS confirm that all organization-wide and system-level risk assessments have been completed in an accurate and timely manner and include data points such as the threat vectors, likelihood, and tolerance level. This will help with the ability to address risks at the organization consistently and promptly.

We recommend that HHS require OpDivs to assess and inventory privileged user accounts across the agency by an established due date and confirm completion. HHS should confirm that OpDivs policies are defined to require privileged user account monitoring in both logging and activity reviews, preferably at an automated level.

We recommend that the HHS OCIO monitor and confirm that the OpDivs appropriately track software license information and maintain an accessible, up-to-date inventory for all its software licenses.

We recommend that the HHS OCIO monitor and confirm that the OpDivs utilize automated solutions to provide a portfolio view of cybersecurity risk at the organization is consistently implemented in accordance with NIST standards.

We recommend that the HHS OCIO ensure that OpDivs' vulnerabilities are tracked and remediated in a timely manner and create POA&Ms for any vulnerabilities in accordance with the organization's policy.

We recommend that the HHS OCIO ensure that all OpDivs' TIC 3.0 program use cases are reviewed for relevance and capabilities that are new to the latest revision of the TIC guidance are consistently implemented in accordance with HHS Policy for the Implementation of TIC and OMB M-19-26.

We recommend that the HHS OCIO ensure that all OpDivs provision, manage, and review privileged user accounts for operational systems.

We recommend that the HHS OCIO ensure that all OpDivs consistently implement access policies and procedures in accordance with the organization's Risk Management Safeguards policy across the organization.

We recommend that the HHS OCIO ensure that all OpDivs implement data encryption methods to protect data determined to be PII or sensitive by the systems and enhanced network defenses in accordance with NIST standards.

We recommend that the HHS OCIO ensure that all OpDivs are inheriting and consistently implementing policies and procedures defined by HHS department level policy.

We recommend that the HHS OCIO continuously monitor to ensure that all OpDivs define common threat vector taxonomy for classifying incidents and its processes for detecting, analyzing, and prioritizing incidents in accordance with NIST standards, USCERT Federal Incident Notification Guidelines and OMB guidance across the organization.

We recommend that the HHS OCIO work with the OpDivs to require and confirm that all OpDivs' operational systems conduct Contingency Plan testing and exercises as required by their risk rating. Any testing and exercises conducted should be followed with after-action reports as necessary.

We recommend that the National Institutes of Health formalize the recently implemented FRPPR monitoring control into NIH policy.

We recommend that the National Institutes of Health create policies and procedures for reporting award recipients in SAM.gov that do not submit the required final reports within 1 year of the award PPE date.