Federal Reports

Federal law requires that each Medicare administrative contractor (MAC) have its information security program evaluated annually by an independent entity, and these evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). To comply with this provision, CMS contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs using a set of agreed-upon procedures. To satisfy the requirement to evaluate the information security controls for a subset of systems, CMS expanded the scope of its evaluations to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the MACs.

For the nine Medicaid managed-care organizations (MCOs) we reviewed, the Medicaid program would not have realized savings in 2014 if the California Department of Health Care Services (State agency) had required its MCOs to meet a minimum medical loss ratio (MLR) standard, similar to the Federal standards for private health insurers and Medicare Advantage plans, and had required remittances when that standard was not met. Although the State agency did not require its MCOs to achieve a minimum MLR standard, the State agency achieved savings similar to the savings it would have achieved with an MLR requirement by placing limits on the administrative costs that MCOs could incur. Because the MLRs we calculated for the nine MCOs were greater than 85 percent during 2014, the MCOs would not have had to issue remittances to the State agency.