Federal Reports

The Colorado Department of Health Care Policy and Financing (HCPF) had not implemented adequate information system general controls over the Colorado Medicaid eligibility determination and claims processing systems to fully comply with Federal requirements. The vulnerabilities that we identified increased the risk to the confidentiality, integrity, and availability of Colorado's Medicaid data. In evaluating HCPF's risk assessment, database security, Web site security, and universal serial bus (USB) device security for its Medicaid eligibility determination and claims processing information systems, we identified vulnerabilities related to inadequate risk assessment policies and procedures, improper administration of the Medicaid claims database, inadequate security of Medicaid databases, inadequate Web site security, and improper management of USB ports and devices.

Noridian Healthcare Solutions, LLC, a subsidiary of Noridian Mutual Insurance Company, did not claim $144,000 of allowable pension or postretirement benefit plan costs for Medicare reimbursement during fiscal years 2006 through 2008.

Bergan Mercy Medical Center (the Hospital) (operating in Omaha, Nebraska) complied with Medicare billing requirements for 219 of the 224 outpatient and inpatient claims we reviewed. However, the Hospital did not fully comply with Medicare billing requirements for the remaining five claims, resulting in overpayments of $70,000 for calendar years 2013 and 2014. Specifically, three outpatient claims had billing errors, resulting in overpayments of $63,000, and two inpatient claims had billing errors, resulting in overpayments of $7,000. These errors occurred primarily because the Hospital did not have adequate controls to prevent the incorrect billing of Medicare claims within the selected risk areas that contained errors.