Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Report Date
Agency Reviewed / Investigated
Report Title
Type
Location
Social Security Administration
The Social Security Administration's Information Security Program and Practices for Fiscal Year 2020
The objective of the performance audit was to determine whether SSA's overall information security program and practices were effective and consistent with Federal Information Security Modernization Act of 2014 (FISMA) requirements, as defined by the Department of Homeland Security (DHS).
We audited the Tennessee Valley Authority’s (TVA) travel expenses reimbursed within 50 miles of an official station to determine if they complied with Federal Travel Regulation and TVA policies and procedures. Our audit scope included approximately $500,000 of travel expenses within 50 miles of a TVA employee's official duty station occurring from October 1, 2018, through March 26, 2020. We found that (1) TVA’s approval process did not ensure expenses for travel within 50 miles of an official station complied with TVA’s travel policy, (2) TVA does not have documented procedures to ensure flat-rate-travel reimbursements are being verified appropriately or reimbursed properly, (3) TVA’s human resources system had incorrect official stations shown for 25 of 74 employees included in our samples, and (4) TVA’s travel policy provides limited guidance addressing the assignment and review of official stations. We made four recommendations to TVA management to strengthen controls around travel expenses reimbursed within 50 miles of an official station. TVA management provided actions they plan to take to address each of our recommendations.
Several interested parties requested that we investigate whether U.S. Department of the Interior (DOI) officials disclosed sensitive or confidential tribal information to entities outside the U.S. Government. Some of these individuals also alleged that DOI or U.S. Department of the Treasury employees intentionally released confidential tribal information to Alaska Native Corporations (ANCs). We investigated these allegations in collaboration with the Treasury’s Office of Inspector General. We found that the Treasury emailed the DOI a spreadsheet of Coronavirus Aid, Relief, and Economic Security Act (CARES Act) tribal registration data the Treasury had requested and collected from tribes. The Bureau of Indian Affairs (BIA) requested this information from the Treasury to confirm whether the tribes had registered to receive CARES Act funding. When the Treasury emailed the information to the DOI as requested, it did not mark the data as confidential. We also found that four BIA regional employees forwarded the spreadsheet containing tribal registration data to officers of tribes (not ANCs) outside the Government. The evidence showed that the BIA employees did this in an effort to remind these tribes that, according to the spreadsheet, they had not yet registered for CARES Act funding. We found that forwarding the entire spreadsheet was inconsistent with DOI guidance. We did not find evidence that any DOI or Treasury employees intentionally released this data to ANCs. This management advisory provides a recommendation to help the DOI ensure proper identification and handling of potentially confidential tribal information and prevent future improper disclosures of this information.
The Medicaid drug rebate program became effective in 1991 (the Social Security Act (the Act) § 1927). For a covered outpatient drug to be eligible for Federal reimbursement under the program, the drug’s manufacturer must enter into a rebate agreement that is administered by the Centers for Medicare & Medicaid Services (CMS) and pay quarterly rebates to the States. CMS, the States, and drug manufacturers each have specific functions under the program. Manufacturers are required to submit a list of all covered outpatient drugs to CMS and to report each drug’s average manufacturer price and, where applicable, best price. On the basis of this information, CMS calculates a unit rebate amount for each drug and provides the information to the States quarterly. Covered outpatient drugs reported by participating drug manufacturers are listed in the CMS Medicaid Drug File, which identifies drugs with such fields as National Drug Code (NDC), unit type, units per package size, and product name. Section 1903(i)(10) of the Act prohibits Federal reimbursement for States that do not capture the information necessary for invoicing manufacturers for rebates as described in section 1927 of the Act. To invoice for rebates, States capture drug utilization data that identifies, by NDC, the number of units of each drug for which the States reimbursed Medicaid providers and report the information to the manufacturers (the Act § 1927(b)(2)(A)). The number of units is multiplied by the unit rebate amount to determine the actual rebate amount due from each manufacturer. States report drug rebate accounts receivable data to CMS on the Medicaid Drug Rebate Schedule. This schedule is part of the Quarterly Medicaid Statement of Expenditures for the Medical Assistance Program report, which contains a summary of actual Medicaid expenditures for each quarter and is used by CMS to reimburse States for the Federal share of Medicaid expenditures. Drugs administered by a physician are typically invoiced to the Medicaid program on a claim form using Healthcare Common Procedure Coding System (HCPCS) codes. For purposes of the Medicaid drug rebate program, physician-administered drugs are classified as either single-source or multiple-source. The Deficit Reduction Act of 2005 (DRA) amended section 1927 of the Act to specifically address the collection of rebates on physician-administered drugs for all single-source physician-administered drugs and for the top 20 multiple-source physician-administered drugs. Beginning on January 1, 2007, CMS was responsible for publishing annually the list of the top 20 multiple-source drugs by HCPCS codes that had the highest dollar volume dispensed. Before the DRA, many States did not collect rebates on physician-administered drugs if the drug claims did not contain NDCs. NDCs enable States to identify the drugs and their manufacturers and to facilitate the collection of rebates for the drugs. The State agency is responsible for paying claims and collecting Medicaid drug rebates for physician-administered drugs. The State agency uses a contractor to perform drug rebate processing and to submit invoices to manufacturers. The contractor uses claim utilization data for physician-administered drugs, which it derives from claims submitted by providers, to invoice manufacturers quarterly. The State agency maintains the record of rebate accounts receivable due from the manufacturers and collects the rebates from the manufacturer. In Massachusetts, there are two sources of claims for physician-administered drugs. Claims can come from hospital outpatient billings or physician billings.
The Cybersecurity and Infrastructure Security Agency (CISA) has improved coordination efforts to secure the Nation’s systems used for voting, but should take additional steps to protect the broader election infrastructure, which includes polling and voting locations and related storage facilities, among other things. For example, CISA has developed or updated a set of plans and guidance aimed at securing election systems for the 2020 election cycle. However, these documents do not sufficiently factor in risks associated with physical security, terrorism threats, and targeted violence to the election infrastructure. CISA can also improve the quality of information shared, as well as the timeliness of its assistance to election stakeholders. With the 2020 elections at hand and increased potential for revised election processes due to the COVID-19 pandemic, it is critical that CISA institute a well-coordinated approach and provide the guidance and assistance necessary to secure the Nation’s election infrastructure. We made three recommendations to CISA to address the deficiencies we identified. CISA concurred with all three recommendations.
Financial Audit of USAID Resources Managed by West Africa Health Organization in Multiple Countries Under Cooperative Agreement AID-624-A-15-00001, January 1 to December 31, 2019