Federal Reports

Several interested parties requested that we investigate whether U.S. Department of the Interior (DOI) officials disclosed sensitive or confidential tribal information to entities outside the U.S. Government. Some of these individuals also alleged that DOI or U.S. Department of the Treasury employees intentionally released confidential tribal information to Alaska Native Corporations (ANCs). We investigated these allegations in collaboration with the Treasury’s Office of Inspector General.We found that the Treasury emailed the DOI a spreadsheet of Coronavirus Aid, Relief, and Economic Security Act (CARES Act) tribal registration data the Treasury had requested and collected from tribes. The Bureau of Indian Affairs (BIA) requested this information from the Treasury to confirm whether the tribes had registered to receive CARES Act funding. When the Treasury emailed the information to the DOI as requested, it did not mark the data as confidential.We also found that four BIA regional employees forwarded the spreadsheet containing tribal registration data to officers of tribes (not ANCs) outside the Government. The evidence showed that the BIA employees did this in an effort to remind these tribes that, according to the spreadsheet, they had not yet registered for CARES Act funding. We found that forwarding the entire spreadsheet was inconsistent with DOI guidance.We did not find evidence that any DOI or Treasury employees intentionally released this data to ANCs.This management advisory provides a recommendation to help the DOI ensure proper identification and handling of potentially confidential tribal information and prevent future improper disclosures of this information.

The Medicaid drug rebate program became effective in 1991 (the Social Security Act (the Act)§ 1927). For a covered outpatient drug to be eligible for Federal reimbursement under the program, the drug’s manufacturer must enter into a rebate agreement that is administered by the Centers for Medicare & Medicaid Services (CMS) and pay quarterly rebates to the States. CMS, the States, and drug manufacturers each have specific functions under the program. Manufacturers are required to submit a list of all covered outpatient drugs to CMS and to report each drug’s average manufacturer price and, where applicable, best price. On the basis of this information, CMS calculates a unit rebate amount for each drug and provides the information to the States quarterly. Covered outpatient drugs reported by participating drug manufacturers are listed in the CMS Medicaid Drug File, which identifies drugs with such fields as National Drug Code (NDC), unit type, units per package size, and product name.Section 1903(i)(10) of the Act prohibits Federal reimbursement for States that do not capture the information necessary for invoicing manufacturers for rebates as described in section 1927 of the Act. To invoice for rebates, States capture drug utilization data that identifies, by NDC, the number of units of each drug for which the States reimbursed Medicaid providers and report the information to the manufacturers (the Act § 1927(b)(2)(A)). The number of units is multiplied by the unit rebate amount to determine the actual rebate amount due from each manufacturer.States report drug rebate accounts receivable data to CMS on the Medicaid Drug RebateSchedule. This schedule is part of the Quarterly Medicaid Statement of Expenditures for theMedical Assistance Program report, which contains a summary of actual Medicaid expenditures for each quarter and is used by CMS to reimburse States for the Federal share of Medicaid expenditures.Drugs administered by a physician are typically invoiced to the Medicaid program on a claim form using Healthcare Common Procedure Coding System (HCPCS) codes. For purposes of the Medicaid drug rebate program, physician-administered drugs are classified as either single-source or multiple-source. The Deficit Reduction Act of 2005 (DRA) amended section 1927 of the Act to specifically address the collection of rebates on physician-administered drugs for all single-source physician-administered drugs and for the top 20 multiple-source physician-administered drugs. Beginning on January 1, 2007, CMS was responsible for publishing annually the list of the top 20 multiple-source drugs by HCPCS codes that had the highest dollar volume dispensed. Before the DRA, many States did not collect rebates on physician-administered drugs if the drug claims did not contain NDCs. NDCs enable States to identify the drugs and their manufacturers and to facilitate the collection of rebates for the drugs.The State agency is responsible for paying claims and collecting Medicaid drug rebates for physician-administered drugs. The State agency uses a contractor to perform drug rebate processing and to submit invoices to manufacturers. The contractor uses claim utilization data for physician-administered drugs, which it derives from claims submitted by providers, to invoice manufacturers quarterly. The State agency maintains the record of rebate accounts receivable due from the manufacturers and collects the rebates from the manufacturer.In Massachusetts, there are two sources of claims for physician-administered drugs. Claims can come from hospital outpatient billings or physician billings.

The Cybersecurity and Infrastructure Security Agency (CISA) has improved coordination efforts to secure the Nation’s systems used for voting, but should take additional steps to protect the broader election infrastructure, which includes polling and voting locations and related storage facilities, among other things. For example, CISA has developed or updated a set of plans and guidance aimed at securing election systems for the 2020 election cycle. However, these documents do not sufficiently factor in risks associated with physical security, terrorism threats, and targeted violence to the election infrastructure. CISA can also improve the quality of information shared, as well as the timeliness of its assistance to election stakeholders. With the 2020 elections at hand and increased potential for revised election processes due to the COVID 19 pandemic, it is critical that CISA institute a well-coordinated approach and provide the guidance and assistance necessary to secure the Nation’s election infrastructure. We made three recommendations to CISA to address the deficiencies we identified. CISA concurred with all three recommendations.

We audited TVA’s onboarding actions completed for all active IT contractors as of March 26, 2020, including background investigations and cybersecurity awareness training requirements to determine if IT contractors are granted logical access in accordance with TVA policy. TVA Information Technology and TVA Police require contractors have various levels of background investigations completed for logical access to different classifications of information. We found that (1) TVA policy does not align between business units, (2) the majority of Tier 1 IT contractor suitability background investigations were not in accordance with TVA policy, and (3) the majority of IT contractor higher level background investigations were not in accordance with TVA policy. TVA management agreed with the recommendations.

Our objective was to assess whether the Postal Service is effectively achieving EPS program objectives, controlling program costs, and accurately attributing costs to products. We began fieldwork before the President of the U.S. issued the national emergency declaration concerning the novel coronavirus disease (COVID-19) outbreak on March 13, 2020. The results of this audit do not reflect any management process changes related to the expedited packaging supplies program that may have occurred as a result of the pandemic.

Our objective was to determine whether the Social Security Administration (SSA) had taken appropriate actions for disabled beneficiaries whose benefits it suspended for address development, whereabouts unknown, or miscellaneous reasons.