Federal Reports

The Office of Inspector General evaluated NASA’s management of the Stratospheric Observatory for Infrared Astronomy (SOFIA) Program relative to cost, technical performance, and scientific return.

Our evaluation revealed that the U.S. Department of the Interior did not deploy and operate a secure wireless network infrastructure, as required by National Institute of Standards and Technology (NIST) guidance and industry best practices. We conducted reconnaissance and penetration testing of wireless networks representing each bureau and office using assembled portable test units we assembled for less than $200 and easily concealed in a backpack or purse. We operated these units with smartphones from publicly accessible areas and locations open to visitors.Our attacks simulated the techniques of malicious actors attempting to break into departmental wireless networks, such as eavesdropping, evil twin, and password cracking. These attacks went undetected by security guards and IT security staff as we explored Department facilities and were highly successful—we intercepted and decrypted wireless network traffic in multiple bureaus.We also found that several bureaus and offices did not implement measures to limit the potential adverse effect of breaching a wireless network. Because the bureaus did not have effective protective measures in place, such as network segmentation, we were able to identify assets containing sensitive data or supporting mission-critical operations. Further, we found that the Department:• Did not require regular testing of network security• Did not maintain complete inventories of their wireless network• Published contradictory, outdated, and incomplete guidanceThese deficiencies occurred because the Office of the Chief Information Officer (OCIO) did not provide effective leadership and guidance to the Department and failed to establish and enforce wireless security practices in accordance with NIST guidance and recommended best practices. Without operating secure wireless networks that include boundary controls between networks and active monitoring, the Department is vulnerable to the breach of a high-value IT asset, which could cripple Department operations and result in the loss of highly sensitive data.We make 14 recommendations to strengthen the Department’s wireless network security to prevent potential security breaches, which could have a severe adverse effect on Department operations, assets, or individuals. In response to our draft report, the OCIO concurred with all 14 recommendations and stated that it is working to implement them.

The objective for this report was to assess the effectiveness of the company’s efforts to plan and coordinate track outages. Ineffective track outage planning and coordination can negatively affect the company’s ability to achieve its state-of-good repair goal, which can impact revenue, customer service, and its relationship with external stakeholders. We found that, starting in 2018, the company has built a more disciplined process to plan and coordinate major track outages, such as implementing new procedures to prioritize capital projects and to identify and plan for outages needed to accomplish them. The company has not, however, institutionalized certain practices that will likely improve the company’s track outage planning and coordination process. We found that the company 1) does not have a multi-year companywide track outage plan, 2) relies on outdated technology and software to build the outage plan which inhibits timely updates, and 3) has not clearly defined each departments’ unique role in coordinating the outage plan with commuter railroads and other external organizations. We recommended that the company incorporate a multi-year focus into its planning process, research options with the Information Technology department on ways to update its system and/or software tools, and clearly define departmental roles in coordinating the plan with affected external organizations.

In accordance with our Annual Performance Plan Fiscal Year 2020, dated October 2019, the Office of Inspector General (OIG) conducted a review of  the United States Capitol Police's (USCP or the Department) Occupational Safety, Health and Environment Division (OSHE) to determine whether the Department (1) established controls and processes for ensuring compliance with select Department policies, and (2) complied with select policies and procedures, laws, regulations, and best practices. Our scope included occupational safety and health policies, procedures, practices, and training for Fiscal Year 2019 through March 31, 2020.

The Office of the Inspector General (OIG) conducted an inspection of GPO’s Electronic Waste (e-waste) Processes and Procedures to evaluate and e-waste accounting, sanitization, and disposal. We found that GPO has sufficient e-waste accounting policies. However, GPO can improve its oversight of e-waste disposal and accounting once assets are transferred to the contractor. In addition GPO can clarify e-waste related directives and procedures to alleviate confusion over sanitization procedures. Management provided comments and concurred with the finding and recommendations.

GHI, a subsidiary of EmblemHealth Services Company, LLC, administered Medicare operations under Coordination of Benefits (COB) contracts with CMS. During our audit period, GHI also performed Medicare work on the Medicare Secondary Payer Recovery and Benefit Coordination and Recovery (MSPRC) contracts. GHI also performed work as a subcontractor on the Retiree Drug Subsidy (RDS) contract. GHI participates in the EmblemHealth Services Health and Welfare Benefits Plan. The purpose of this plan is to provide medical and life coverage to eligible retirees and their eligible family members. Medicare Reimbursement of Postretirement Benefit Plan CostsCMS reimburses a portion of its contractors’ PRB costs. In claiming PRB costs, contractors must follow cost reimbursement principles contained in the FAR and applicable CAS as required by the Medicare contracts. To be allowable for Medicare reimbursement, pay-as-you-go PRB costs must be assigned to the period in which the benefits are actually provided, or when the costs are paid to an insurer, provider, or other recipient for current-year benefits or premiums. Incurred Cost Proposal AuditsAt CMS’s request, Figliozzi & Company, P.C. (Figliozzi), Kearney & Company, P.C. (Kearney), and Davis Farr, LLP (Farr), performed audits of the ICPs that GHI submitted for CYs 2009 through 2016. The objectives of the Figliozzi, Kearney, and Farr ICP audits were to determine whether costs were allowable in accordance with the FAR, the U.S. Department of Health and Human Services Acquisition Regulation, and the CAS. For our current audit, we relied on the Figliozzi, Kearney, and Farr ICP audit findings and recommendations when computing the allowable PRB costs discussed in this report. We incorporated the results of the Figliozzi, Kearney, and Farr ICP audits into our computations of the audited indirect cost rates, and ultimately the PRB costs claimed, for the contracts subject to the FAR. CMS will use our report on allowable PRB costs, as well as the Figliozzi, Kearney, and Farr ICP audit reports, to determine the final indirect cost rates and the total allowable contract costs for GHI for CYs 2009 through 2016.

GHI, a subsidiary of EmblemHealth Services Company, LLC, administered Medicare operations under a Coordination of Benefits (COB) contract with CMS. During our audit period, GHI also performed Medicare work on the Medicare Secondary Payer Recovery and Benefit Coordination and Recovery (MSPRC) contracts. GHI also performed work as a subcontractor on the Retiree Drug Subsidy (RDS) contract. During our audit period, GHI had three defined-benefit pension plans: the GHI Local 153 Pension Plan; the GHI Cash Balance Pension Plan; and the EmblemHealth Services Company, LLC, Employees’ Retirement Plan. Medicare segment employees of GHI participated in all three of these pension plans. This report addresses the allowable pension costs claimed by GHI under the provisions of its MAC contracts and CAS- and FAR-covered contracts. The disclosure statement that GHI submits to CMS states that GHI uses pooled cost accounting. Medicare contractors use pooled cost accounting to calculate the indirect cost rates (whose computations include pension, PRB, and Supplemental Executive Retirement Plan costs) that they submit on their ICPs. Medicare contractors use the indirect cost rates to calculate the contract costs that they report on their ICPs. In turn, CMS uses these indirect cost rates in determining the final indirect cost rates for each contract. CMS reimburses a portion of the annual contributions that contractors make to their pension plans. The pension costs are included in the computation of the indirect cost rates reported on the ICPs. In turn, CMS uses indirect cost rates in reimbursing costs under cost-reimbursement contracts. To be allowable for Medicare reimbursement, pension costs must be (1) measured, assigned, and allocated in accordance with CAS 412 and 413 and (2) funded as specified by part 31 of the FAR. In claiming costs, contractors must follow cost reimbursement principles contained in the FAR, the CAS, and the Medicare contracts. At CMS’s request, Figliozzi & Company, P.C. (Figliozzi), Kearney & Company, P.C. (Kearney), and Davis Farr, LLP (Farr), performed audits of the ICPs that GHI submitted for CYs 2009 through 2016. The objectives of the Figliozzi, Kearney, and Farr audits were to determine whether costs were allowable in accordance with the FAR, the U.S. Department of Health and Human Services Acquisition Regulation, and the CAS. For our current audit, we relied on the Figliozzi, Kearney, and Farr audit findings and recommendations when computing the allowable pension costs discussed in this report. We incorporated the results of the Figliozzi, Kearney, and Farr audits into our computations of the audited indirect cost rates, and ultimately the pension costs claimed, for the contracts subject to the FAR. CMS will use our report on allowable pension costs, as well as the Figliozzi, Kearney, and Farr audit reports, to determine the final indirect cost rates and the total allowable contract costs for GHI for CYs 2009 through 2016. The cognizant Contracting Officer will perform a final settlement with the contractor to determine the final indirect cost rates. These rates ultimately determine the final costs of each contract.

GHI, a subsidiary of EmblemHealth Services Company, LLC, administered Medicare operations under Coordination of Benefits (COB) contracts with CMS. During our audit period, GHI also performed Medicare work on the Medicare Secondary Payer Recovery and Benefit Coordination and Recovery (MSPRC) contracts. GHI also performed work as a subcontractor on the Retiree Drug Subsidy (RDS) contract. The disclosure statement that GHI submits to CMS states that GHI uses pooled cost accounting. Medicare contractors use pooled cost accounting to calculate the indirect cost rates (whose computations include pension, PRB, and SERP costs) that they submit on their ICPs. Medicare contractors use the indirect cost rates to calculate the contract costs that they report on their ICPs. In turn, CMS uses these indirect cost rates in determining the final indirect cost rates for each contract. Group Health Incorporated Supplemental Executive Retirement Plan CostsGHI sponsors two SERPs: the Supplemental Executive Retirement Plan for EmblemHealth Services Company, LLC (SERP I), and the Supplemental Executive Retirement Plan II for EmblemHealth Services Company, LLC (SERP II). Both the SERP I and SERP II plans’ purpose is to provide a competitive level of benefits in order to attract and retain well-qualified senior executives of EmblemHealth Services Company, LLC. GHI’s SERPs are thus designed to restore benefits to participants who lost benefits under the GHI Local 153 Pension Plan, GHI Cash Balance Pension Plan, and EmblemHealth Services Company, LLC, Employees’ Retirement Plan because of the Internal Revenue Code, sections 401(a) and 415, limits. , This report addresses both the SERP I and SERP II plan costs that GHI claimed under the provisions of its MAC-related contracts. Accounting MethodologiesThe Medicare contracts require GHI to calculate SERP costs in accordance with the FAR and CAS 412 and 413. The FAR and the CAS require that the costs for nonqualified defined-benefit plans be measured under either the accrual method or the pay-as-you-go method. Under the accrual method, allowable costs are based on the annual contributions that the employer deposits into its trust fund. For nonqualified defined-benefit plans that are not funded through the use of a funding agency, costs are to be accounted for under the pay-as-you-go method. This method is based on the actual benefits paid to participants, which are comprised of lump-sum payments and annuity payments. Incurred Cost Proposal Audits At CMS’s request, Figliozzi & Company, P.C. (Figliozzi), Kearney & Company, P.C. (Kearney), and Davis Farr, LLP (Farr), performed audits of the ICPs that GHI submitted for CYs 2009 through 2016. The objectives of the Figliozzi, Kearney, and Farr ICP audits were to determine whether costs were allowable in accordance with the FAR, the U.S. Department of Health and Human Services Acquisition Regulation, and the CAS. For this audit, we relied on the Figliozzi, Kearney, and Farr ICP audit findings and recommendations when computing the allowable SERP costs discussed in this report. We incorporated the results of the Figliozzi, Kearney, and Farr ICP audits into our computations of the audited indirect cost rates, and ultimately the SERP costs claimed, for the contracts subject to the FAR. CMS will use our report on allowable SERP costs, as well as the Figliozzi, Kearney, and Farr ICP audit reports, to determine the final indirect cost rates and the total allowable contract costs for GHI for CYs 2009 through 2016. The cognizant Contracting Officer will perform a final settlement with the contractor to determine the final indirect cost rates. These rates ultimately determine the final costs of each contract.

GHI, a subsidiary of EmblemHealth Services Company, LLC, administered Medicare operations under a Coordination of Benefits contract with CMS. During our audit period, GHI also performed Medicare work on the Medicare Secondary Payer Recovery and Benefit Coordination and Recovery contracts. GHI also performed work as a subcontractor on the Retiree Drug Subsidy contract. During our audit period, GHI had two defined-benefit pension plans: the GHI Local 153Pension Plan and the EHS Retirement Plan. This report addresses the Medicare segment pension assets for the EHS Retirement Plan for the period of January 1, 2015, through December 31, 2015. We are addressing the Medicare segment pension assets for the GHI Local 153 Pension Plan in a separate audit. Upon the curtailment of its pension plan, GHI identified Medicare’s share of the EHS Retirement Plan Medicare segment excess pension liabilities to be $778,811 as of December 31, 2015. We performed a prior pension segmentation audit of GHI (A-07-19-00561, July 25, 2019), which brought the EHS Retirement Plan Medicare segment pension assets to January 1, 2015. We recommended that GHI recognize $5,633,345 as the EHS Retirement Plan Medicare segment pension assets as of January 1, 2015.

GHI, a subsidiary of EmblemHealth Services Company, LLC, administered Medicare operations under a Coordination of Benefits contract with CMS. During our audit period, GHI also performed Medicare work on the Medicare Secondary Payer Recovery and Benefit Coordination and Recovery contracts. GHI also performed work as a subcontractor on the Retiree Drug Subsidy contract. During our audit period, GHI had two defined benefit pension plans: the Local 153 Plan and the EmblemHealth Services Company, LLC, Employees’ Retirement Plan. This report addresses the Medicare segment pension assets for the Local 153 Plan for the period of January 1, 2015, through August 31, 2016. We are addressing the Medicare segment pension assets for the EmblemHealth Services Company, LLC, Employees’ Retirement Plan in a separate audit. Upon the curtailment of its pension plan, GHI identified Medicare’s share of the Local 153 Plan Medicare segment excess pension liabilities to be $6,131,699 as of August 31, 2016. We performed a prior pension segmentation audit of GHI (A-07-19-00562, July 25, 2019), which brought the Local 153 Plan Medicare segment pension assets to January 1, 2015. We recommended that GHI recognize $31,821,914 as the Local 153 Plan Medicare segment pension assets as of January 1, 2015.

Medicare Parts A and B cover eligible home health services under a prospective payment system (PPS). The PPS covers part-time or intermittent skilled nursing care and home health aide visits, therapy (physical, occupational, and speech-language pathology), medical social services, and medical supplies. Under the home health PPS, CMS pays HHAs for each 60-day episode of care that a beneficiary receives.In prior years, our audits at other HHAs identified findings in the following areas:• beneficiaries did not always meet the definition of “confined to the home,”• beneficiaries were not always in need of skilled services,• HHAs did not always submit OASIS data in a timely fashion, and• services were not always adequately documented.For the purposes of this report, we refer to these areas of incorrect billing as “risk areas.”Our objective was to determine whether Mercy complied with Medicare requirements for billing home health services on selected types of claims.

The objective of our audit was to determine whether the University of North Georgia (North Georgia) had controls to ensure that it reported complete and accurate campus crime statistics under the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act). North Georgia did not have effective controls to ensure that it reported complete and accurate Clery Act crime statistics. North Georgia had processes for activities related to crime reporting under the Clery Act, including identifying its Clery Act geography, requesting crime statistics from local law enforcement agencies, identifying campus security authorities (CSAs) and collecting crime reports from CSAs, processing and compiling the crime information, and reporting the annual Clery Act crime statistics by the reporting deadline. However, these processes did not provide reasonable assurance that the reported crime statistics would be complete and accurate. Additionally, NorthGeorgia did not follow all applicable Clery Act requirements and guidance, which, if followed, would help support the completeness and accuracy of the reported crime statistics. For example, North Georgia did not properly identify its CSAs or follow all applicable requirements for identifying its Clery Act geography3 and requesting crime. statistics from local law enforcement.

See the additional details link below for the full report, report summary, multimedia or any agency follow-up.

The Veterans Benefits Administration (VBA) manages VA’s disability compensation program, which pays benefits based on a veteran's degree of disability, ranging from 0 to 100 percent. When veterans are found 100 percent disabled or unemployable due to service-connected disabilities, VBA must also consider whether veterans qualify for permanent and total (P&T) disability status. The VA Office of Inspector General (OIG) examined whether VBA staff cited adequate medical evidence demonstrating that veterans met statutory requirements for P&T status. The review team found that 61 percent of the decisions sampled did not cite adequate medical evidence, and about 15,100 veterans received P&T status without this evidence. As a result, VA may have improperly paid an estimated $38 million in additional benefits for P&T veterans for dental care, as well as education benefits and healthcare coverage for dependents between October 1, 2017, and December 31, 2019. The OIG further estimated that VA may improperly pay more than $84 million over the next five years for these benefits. The review team determined that VA’s adjudication procedures manual is inconsistent with the statute on P&T status. The statute requires decision makers to be “reasonably certain” that a total disability is likely to continue throughout a veteran’s lifetime, while the manual allows them to establish P&T status without using this standard. In addition, decision makers did not always explain the reasons why they established P&T status in the rating decisions as required. The OIG recommended that VBA ensure the adjudication procedures manual is reviewed and updated for consistency with statute; revise procedures to ensure staff support P&T status decisions by citing evidence; and revise the title and language used in the decisions to more clearly explain the establishment of P&T status. The OIG also recommended VBA provide staff with appropriate training on the updated procedures.

The U.S. Postal Service has a formal role in the federal National Response Framework, which guides the country’s response to disasters and emergencies like hurricanes, bioterrorism, pandemics and other incidents. The OIG examined how the Postal Service continues to support the American public during the ongoing COVID-19 pandemic, even as the outbreak affects postal operations. The Postal Service has delivered essential items like prescriptions, unemployment benefit and stimulus payments, personal protective equipment, and coronavirus test kits. The Postal Service also has provided a backbone for the surge in ecommerce as more consumers buy household goods online. Ensuring the continuation of mail service during this challenging time is helping to keep the American public stay safe, secure, and connected.

This Office of Inspector General (OIG) Comprehensive Healthcare Inspection Program report provides a focused evaluation of the quality of care delivered in the inpatient and outpatient settings of the Birmingham VA Medical Center and multiple outpatient clinics in Alabama. The inspection covers key clinical and administrative processes that are associated with promoting quality care. This inspection focused on Leadership and Organizational Risks; Quality, Safety, and Value; Medical Staff Privileging; Environment of Care; Medication Management: Long-Term Opioid Therapy for Pain; Mental Health: Suicide Prevention Program; Care Coordination: Life-Sustaining Treatment Decisions; Women’s Health: Comprehensive Care; and High-Risk Processes: Reusable Medical Equipment. At the time of this inspection, the medical center’s leaders had been working together for four days. Employee satisfaction scores were generally similar to or better than VHA averages. Selected patient experience scores generally reflected similar or lower ratings than the VHA average. The OIG’s review of the medical center’s accreditation findings, sentinel events, and disclosures did not identify any substantial organizational risk factors. However, the OIG identified a repeat finding related to dirty floors in patient care areas. The executive leaders were extremely knowledgeable within their scopes of responsibilities about VHA data and/or system-level factors contributing to specific poorly performing Strategic Analytics for Improvement and Learning measures. The OIG issued 18 recommendations for improvement across seven areas: (1) Quality, Safety, and Value • Root cause analyses (2) Medical Staff Privileging • Professional practice evaluations • Provider exit review processes (3) Environment of Care • Cleanliness and infection prevention procedures • Patient health information protection (4) Medication Management • Aberrant behavior risk assessment • Concurrent opioid and benzodiazepine therapy • Urine drug testing • Informed consent (5) Mental Health • Suicide safety plans • Suicide prevention training (6) Women’s Health • Women’s health primary care providers (7) High-Risk Processes • Annual risk analysis

This Office of Inspector General (OIG) Comprehensive Healthcare Inspection Program report provides a focused evaluation of the quality of care delivered in the inpatient and outpatient settings of the Central Alabama Veterans Health Care System and multiple outpatient clinics in Alabama and Georgia. The inspection covers key clinical and administrative processes associated with promoting quality care. This inspection focused on Leadership and Organizational Risks; Quality, Safety, and Value; Medical Staff Privileging; Environment of Care; Medication Management: Long-Term Opioid Therapy for Pain; Mental Health: Suicide Prevention Program; Care Coordination: Life-Sustaining Treatment Decisions; Women’s Health: Comprehensive Care; and High-Risk Processes: Reusable Medical Equipment. The executive leadership team had vacancies in four of the five key positions. The director, associate director for patient care services, and associate director roles had been vacant for at least six months; the chief of staff position had been vacant for two years. The Deputy Director was the only permanently-assigned leader. Employee satisfaction and patient experience survey scores were generally lower than VHA averages. Executive leaders were generally knowledgeable about facility Strategic Analytics for Improvement and Learning (SAIL) measures, but lacked understanding of Community Living Center SAIL measures. The OIG issued 30 recommendations for improvement in eight areas:(1) Quality, Safety, and Value • Peer review processes • Utilization management processes • Root cause analysis processes (2) Medical Staff Privileging • Professional practice evaluations • Provider exit reviews (3) Environment of Care • Environmental cleanliness (4) Medication Management • Behavior risk assessment • Concurrent therapy • Urine drug testing • Informed consent • Patient follow-up • Pain committee (5) Mental Health • Patient follow-up • Staff training (6) Care Coordination • Goals of care conversations (7) Women’s Health • Women Veterans Health Committee • Quality data monitoring (8) High-Risk Processes • Annual risk analysis • Airflow testing • Staff training

Our objective was to determine mailer compliance with Negotiated Service Agreement (NSA) provisions and evaluate the U.S. Postal Service’s oversight of NSA Contract #50593050. We selected the NSA based on the mailer’s 2019 volume and revenue.

Our objective was to assess the Social Security Administration's (SSA) actions to expand oversight of its hearing process after the Huntington fraud scheme, which involved an administrative law judge (ALJ).

Our objective was to assess the effectiveness of management controls over recoveries for private party damage to U.S. Postal Service vehicles.

OIG identified monitoring and reporting on the integrity of HHS programs, including responsible stewardship of HHS programs and protection of resources, as a top management and performance challenge for HHS. NIH operations are responsible for the prudent management and careful stewardship of approximately $1.8 billion in accountable personal property. The Department of Defense and Labor, Health and Human Services, and Education Appropriations Act, 2019 and the Continuing Appropriations Act, 2019, P.L. No. 115-245, provided HHS OIG with $5 million from the NIH appropriation for oversight of grant programs and operations of NIH.Our objective was to determine whether NIH had controls in place to effectively and efficiently track and monitor information technology (IT) resources and internet protocol (IP) addresses.

Our objective was to assess the cost, schedule, and technical performance of the Program’s acquisition and development effort for selected instruments. We found the following: (1) The Program exceeded contract definitization timelines and conducted late and abbreviated baseline reviews. (2) JPSS-2 Cross-track Infrared Sounder quality assurance did not adequately integrate contract risks into its surveillance activities. (3) Award-fee determinations did not motivate the contractor toward exceptional performance. We recommend that the NOAA Deputy Undersecretary for Operations do the following: (1) Require programs notify the Joint Agency Program Management Council before NOAA-funded NASA contracts exceed definitization timelines. (2) Require a Joint Agency Program Management Council assessment before an Integrated Baseline Review requirement is removed, abridged, or its timing adjusted, for NOAA-funded NASA contracts or major contract modifications requiring earned value management. We recommend that the NOAA Assistant Administrator for Satellite and Information Services do the following: (3) Ensure the Program adequately incorporates contract risks and executes prevention-focused surveillance as part of its quality assurance activities. We recommend that the NOAA Assistant Administrator for Satellite and Information Services coordinate with the Director of the NASA Goddard Space Flight Center to do the following: (4) Conduct a joint review of contractor performance evaluation practices and determine whether changes could more effectively motivate contractors to achieve desired outcomes for ongoing and future contract negotiations on NOAA-funded projects. (5) Establish a working definition of “significant” cost overrun to help inform strategies that progressively motivate contractors to improve before accumulating excessive cost and schedule performance deficits, for ongoing and future NOAA-funded NASA contracts.

This management information report provides the Office of Inspector General’s (OIG) perspective on challenges the U.S. Department of Education (Department) may face as it implements and oversees the Coronavirus, Aid, Relief, and Economic Security (CARES) Act. In preparing this report, we reviewed recent audit work performed by OIG and the Government Accountability Office (GAO) as well as OIG’s annual Management Challenges reports. We also reviewed challenges that the Department faced when administering education-related grant programs funded by the American Recovery and Reinvestment Act (Recovery Act), to include how the challenges were addressed andwhat lessons were noted as needing to be considered in the event that legislation providing a large yet temporary funding increase for new or existing programs (like the Recovery Act) was enacted in the future.We identified challenges related to grantee oversight and monitoring, student financial assistance oversight and monitoring, and data quality and reporting that the Department should consider as it implements and oversees the CARES Act.

We audited the U.S. Department of Housing and Urban Development’s (HUD) oversight of portability in the Housing Choice Voucher Program based on a congressional inquiry from Senator Grassley’s office. Our audit objective was to determine whether HUD had adequate oversight of portability in the Housing Choice Voucher Program; specifically, to determine whether (1) HUD had adequate policies and procedures to identify and evaluate the impacts portability may have on public housing agencies’ Housing Choice Voucher Programs and (2) HUD’s financial information relating to portability set-aside and additional administrative fees was correctly calculated and distributed in accordance with its requirements.HUD’s Office of Public and Indian Housing generally had adequate oversight of portability in the Housing Choice Voucher Program; however, improvements could be made. Although HUD reviews public housing agencies’ programs, it did not specifically identify and evaluate the effects of portability. As a result, HUD could miss the opportunity to assess the impact of portability on public housing agencies’ programs and use the information to make decisions that could (1) assist public housing agencies experiencing difficulties with managing the portability component of the program and (2) result in programmatic or process improvements. In addition, HUD generally calculated portability set-aside funding for increased costs and special administrative fees for portability correctly with a few exceptions. As a result, HUD overpaid $115,335 in set-aside funding and $133,179 in special administrative fees. It also underpaid $35,189 in special administrative fees.We recommend that HUD (1) conduct an assessment of the impact of portability and determine whether technical assistance is necessary for certain public housing agencies, (2) pursue collection or recapture $248,514 for the overpayments and distribute $35,189 for the underpayments of set-aside funds and special administrative fees, and (3) review the calculations and distributions of funds for category 2b portability set-aside and special administrative fees for portability to ensure accuracy.

Babar Iqbal, a doctor from Los Angeles, California, and owner of Riverside Regional Surgery Center, pleaded guilty on June 10, 2020, in Superior Court of California, Riverside to several charges related to health care insurance fraud. As part of the scheme, Iqbal targeted patients whose insurance paid higher reimbursement amounts to providers who were considered out of network and performed services that were medically unnecessary. Iqbal also conspired with marketers to obtain fraudulent insurance policies for individuals who did not have health insurance. The marketers then referred these individuals to Iqbal at the Riverside Regional Surgery Center. In return, the marketers received a commission based on the reimbursement amount the insurance companies paid Iqbal. The Amtrak health insurance plan was fraudulently billed approximately $1,653,210 as a result of the scheme. Iqbal will be sentenced at a future date.

Joseph Kieffer, a marketer from Los Angeles, California, pleaded guilty on July 20, 2020, in U.S. District Court, Central District of California, to conspiracy to pay illegal renumerations related to a health care fraud scheme. Kieffer paid kickbacks to patients and to marketers for patient referrals for medically unnecessary compounded drugs. As part of the scheme, Fusion RX Compounding Pharmacy then billed health care providers for the compounded drugs at rates much higher than average medications. The owner of Fusion Rx Compounding Pharmacy was also charged for his role in the scheme. The Amtrak health insurance plan was fraudulently billed approximately $17,000 as a result of the scheme. Criminal judicial proceedings are pending.

See the additional details link below for the full report, report summary, multimedia or any agency follow-up.

OIG issued this 2020 Census Alert due to our concerns—about the Census Bureau’s (Bureau’s) inconsistent implementation of safety procedures to prevent the spread of coronavirus 2019 (COVID-19) as it completed its 2020 Census operations—that required immediate attention. Based on the number and consistency of COVID-19-related OIG hotline complaints that we received, we were concerned that the Bureau was not fully complying with key elements of its own COVID-19 safety requirements—or operating fully in line with recommended guidance provided by the Department of Commerce (the Department), the U.S. Office of Personnel Management (OPM), the Centers for Disease Control and Prevention (CDC), and the U.S. Department of Labor (Labor)—and was not holding its managers, employees, and contractors fully accountable for noncompliance, thereby putting their health at risk.Between March 9 and August 21, 2020, OIG received multiple hotline complaints from 26 different Bureau locations in multiple states, alleging 76 instances3 of violations related to the Bureau’s COVID-19 safety protocol. These included at least one of the following allegations: that Bureau employees (a) did not follow proper protocol when staff were exposed to office colleagues who tested positive to the virus; (b) did not follow social distancing recommendations; and/or (c) did not properly implement the mandate to wear masks or facial coverings, even when supplied by the Bureau.

Prior Office of Inspector General and other reports indicated substantial improvements in States’ third-party liability (TPL) identification and recovery efforts. However, the reports also indicated longstanding challenges States had in their TPL efforts. We conducted an audit of Indiana’s efforts to determine whether Medicaid is paying too much for claims in which members were identified as having TPL. Our objective was to determine whether Indiana ensured that Medicaid payments were made properly for claims identified as having third-party coverage.

o We surveyed staff at Border Patrol stations and OFO ports of entry from April 22, 2020 to May 1, 2020. The 136 Border Patrol stations and 307 OFO ports of entry that responded to our survey described various actions they have taken to prevent and mitigate the pandemic’s spread among travelers, detained individuals, and staff. These actions include increased cleaning and disinfecting of common areas, and having personal protective equipment for staff, as well as supplies available to those individuals with whom they come into contact. However, facilities reported concerns with their inability to practice social distancing and the risk of exposure to COVID-19 due to the close-contact nature of their work. Regarding staffing, facilities reported decreases in current staff availability due to COVID-19, but have contingency plans in place to ensure continued operations. The facilities expressed concerns regarding staff availability, however, if there were an outbreak of COVID-19 at the facility. Overall, the majority of respondents reported that their facilities were prepared to address COVID-19

The Centers for Medicare & Medicaid Services administers the Medicare program, which includes coverage for hospital outpatient services under Part B. Under the outpatient prospective payment system, Medicare pays for hospital outpatient services on a rate-per-service basis that varies according to the assigned ambulatory payment classification. Healthcare Common Procedure Coding System codes and descriptors are used to identify and group the services within each ambulatory payment classification group. Outpatient prospective payment system provides outlier payments to hospitals to help mitigate the financial risk associated with high-cost and complex procedures, when a very costly service could present a hospital with significant financial loss. A service or group of services becomes eligible for outlier payments when the cost of the service or group of services estimated using the hospital’s most recent overall cost-to-charge ratio separately exceeds each relevant threshold. Medicare payments may not be made for items or services that “are not reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body member.” Providers must furnish to the Medicare contractor sufficient information to determine whether payment is due and the amount of the payment. Upon receiving credible information of potential overpayments, providers must exercise reasonable diligence to identify overpayments (i.e., determine receipt of and quantify any overpayments) during a 6-year lookback period. Providers must report and return any identified overpayments by the later of (1) 60 days after identifying those overpayments or (2) the date that any corresponding cost report is due (if applicable). This is known as the 60-day rule. The 6-year lookback period is not limited by Office of Inspector General’s audit period or restrictions on the Government’s ability to reopen claims or cost reports. To report and return overpayments under the 60-day rule, providers can request the reopening of initial claims determinations, submit amended cost reports, or use any other appropriate reporting process. Each facility should have an established charge structure which is applied uniformly to each patient as services are furnished to the patient and which is reasonably and consistently related to the cost of providing the services. While the Medicare program cannot dictate to a provider what its charges or charge structure may be, the program may determine whether or not the charges are allowable for use in apportioning costs under the program. To promote correct coding by providers and to prevent Medicare payments for improperly coded services, Centers for Medicare & Medicaid Services developed the National Correct Coding Initiative. Medicare Administrative Contractors implemented National Correct Coding Initiative edits within their claim processing systems for dates of service on or after January 1, 1996. The National Correct Coding Initiative edits include procedure-to-procedure edits that define pairs of Healthcare Common Procedure Coding System codes and current procedural terminology codes (i.e., code pairs) that generally should not be reported together for the same beneficiary on the same date of service. Baylor Scott & White-College Station is a 142-bed acute care hospital, located in College Station, Texas. The hospital originally opened in 2013 and subsequently in 2013 merged with Baylor Health Care System.

The Office of the Inspector General conducted a review of the Watts Bar Nuclear Plant (WBN) Chemistry/Environmental (Chemistry) organization to identify factors that could impact WBN Chemistry’s organizational effectiveness. Our report identified behavioral risks that could have a negative impact on WBN Chemistry’s effectiveness, including those related to (1) interactions with certain management and (2) relationships between employees. We also identified operational risks that could hinder WBN Chemistry’s ability to execute its responsibilities and support Nuclear’s vision and core principles. These risks were comprised of (1) perceptions of inadequate qualified and/or experienced technicians and turnover in Nuclear Chemistry and (2) concerns with the technician training program. In addition, based on feedback received from other WBN organizations, we corroborated concerns about WBN Chemistry’s staffing and personnel knowledge.

We audited Mid America Mortgage’s, dba 1st Tribal Lending’s, Section 184 Indian Home Loan Guarantee program based on a previous U.S. Department of Housing and Urban Development (HUD), Office of Inspector General, audit and corrective action verification of the Section 184 program, which determined that HUD lacked proper oversight of the program and lenders did not always underwrite loans in accordance with HUD’s requirements. The lender was selected because it is the largest Section 184 program lender. Our audit objective was to determine whether the lender underwrote Section 184 loans in accordance with HUD’s requirements.The lender did not always follow HUD’s Section 184 program requirements. Specifically, it did not always (1) underwrite Section 184 loans in accordance with program requirements and (2) follow HUD’s quality control requirements when reviewing loan files. This condition occurred because the lender did not always exercise due diligence when underwriting loans and did not strictly follow HUD’s underwriting and quality control requirements. As a result, there was an increased risk to the Section 184 program and HUD’s Loan Guarantee Fund. There were 11 loans with material underwriting deficiencies and we recommend indemnification for 7 of these loans. The seven loans had a total unpaid mortgage balance of $1.3 million with an estimated potential loss to HUD of $607,598.We recommend that the Deputy Assistant Secretary for Native American Programs (1) request indemnification for 7 of the 11 loans that had material underwriting deficiencies and had an unpaid mortgage balance of $1.3 million with an estimated potential loss to HUD of $607,598, (2) require the lender to develop and implement enhanced policies and procedures to ensure electronic signatures from borrowers are properly supported, and (3) require the lender to fully implement its quality control plan with respect to reverifications and provide HUD with periodic reports for 12 months to ensure that its quality control reviews are conducted in accordance with the requirements.

The Child Care and Development Block Grant Act (CCDBG Act) of 2014 added new requirements for States that receive funding from the Child Care and Development Fund (CCDF) to conduct comprehensive criminal background checks on staff members and prospective staff members of child care providers every 5 years. Criminal background check requirements apply to any staff member who is employed by a child care provider for compensation or whose activities involve the care or supervision of children or unsupervised access to children.Our objective was to determine whether Hawaii’s monitoring of child care providers ensured provider compliance with State requirements related to criminal background checks established under the CCDBG Act.

The Federal Emergency Management Agency (FEMA) is not adequately managing severe repetitive loss (SRL) properties covered by the National Flood Insurance Program (NFIP). FEMA has not established an effective program to reduce or eliminate damage to SRL properties and disruption to life caused by the repeated flooding. Primarily, FEMA does not have reliable, accurate information about SRL properties. Secondly, FEMA’s Flood Mitigation Assistance (FMA) program, which aims to mitigate flood damage for NFIP policyholders, provides neither equitable nor timely relief for SRL applicants. We made three recommendations to FEMA to ensure the accuracy of the SRL list, as well as equitable and timely distribution of mitigation funding, and promoting the use of National Flood Insurance Program (NFIP) Increased Cost of Compliance coverage. FEMA concurred with all three of the recommendations

The VA Office of Inspector General (OIG) conducted a healthcare inspection to determine the validity of an allegation that a patient who sought treatment for insomnia and was out of psychiatric medications did not receive the care needed at the Memphis VA Medical Center (facility) in Tennessee. The patient died by suicide the day following a visit to the facility’s emergency department. The OIG substantiated that the patient presented to the facility’s emergency department for insomnia and psychiatric medication refills. The emergency department physician documented evaluating the patient and after a negative screen for suicidal thoughts, discharged the patient with instructions to go to the facility’s outpatient mental health clinic immediately for medication management. The OIG found no documentation that the patient registered or received treatment in the clinic. The OIG found the patient did not receive the care needed and the facility did not have a clear referral process for patients discharged from the emergency department who needed to be seen the same day in the outpatient mental health clinic.The patient received primary care from the facility and mental health care through the community. Several community care counseling sessions were not authorized timely due to deficiencies in coordination of care between the facility’s community care staff, community care providers, and the third-party administrator. Facility community care staff did not obtain medical record documentation for community care treatment and did not ensure care authorizations were current, resulting in the patient’s inability to receive several medication refills from the facility pharmacy. Facility leaders were aware of the patient’s death by suicide within three days of the patient’s death; however, the OIG could not find evidence that executive leaders were notified or that the family was contacted. The OIG made 16 recommendations to the facility director.

Our objective was to determine opportunities for the District to mitigate stamp stock shipment losses.

What We Looked AtThe United States has the largest and most diverse general aviation community in the world. In 2017, the Federal Aviation Administration (FAA) issued a new rule, referred to as BasicMed, which implemented an alternative way for many general aviation pilots to establish medical eligibility without having to undergo the previous medical certification process. As of April 2020, more than 55,000 pilots had been registered for BasicMed. To aid in their oversight of the new BasicMed process, then Chairmen Bill Shuster of the House Committee on Transportation and Infrastructure and Frank A. LoBiondo of the Subcommittee on Aviation requested that we examine FAA's implementation of the new BasicMed requirements. Our audit objectives were to assess FAA’s (1) procedures for implementing new medical requirements for certain small aircraft pilots, including identifying challenges to its implementation, and (2) plans for measuring the impact of the new BasicMed process on aviation safety. What We FoundFAA issued the BasicMed rule in compliance with the Act on January 11, 2017, and provided guidance and conducted outreach to stakeholders to implement the program. Under BasicMed, pilots can fly an aircraft the moment they complete the online medical course and submit other required information. However, FAA lacks an effective process to confirm pilots meet all eligibility requirements, such as whether they have a valid U.S. driver’s license. FAA also does not have a process to verify that pilots’ medical examinations are being performed by State-licensed physicians as required. In addition, FAA’s plan to measure the safety impact of the program is limited by a lack of available data. According to FAA, it may take several more years until there is sufficient data to identify trends and evaluate the rule’s safety impacts, due in part to the lengthy process for accident investigations. Our RecommendationsFAA concurred with our two recommendations to improve FAA’s process for verifying pilot’s eligibility for the BasicMed program and measuring the program’s impact on aviation safety.

What We Looked AtFAA oversees the safety of civil aviation through a complex network of information systems at air traffic control facilities. Cyber-based threats are rapidly evolving and may put air traffic control systems at risk for compromise. The FAA Extension, Safety, and Security Act of 2016 directs FAA to develop a comprehensive, strategic framework to reduce cybersecurity risks to civil aviation. Part of FAA’s efforts to implement this framework involves coordination and collaboration on aviation cybersecurity with the Departments of Homeland Security (DHS) and Defense (DOD) through the Aviation Cyber Initiative (ACI). The former Chairman of the House Committee on Transportation and Infrastructure requested that we examine FAA’s roles, responsibilities, and actions as an ACI member. Specifically, we assessed ACI’s progress in achieving its mission. What We FoundFor 3 years, FAA and its ACI partners have been providing regular updates to Federal agencies on their work, and are collaborating with Federal and aviation industry cybersecurity stakeholders. In May 2019, the Secretaries of DHS, DOD, and the Department of Transportation (DOT) finalized the approval of a charter that outlines ACI’s objectives. As DOT’s representative, FAA is an ACI co-chair with DHS and DOD. The co-chairs report to an Executive Committee of senior Agency executives. At the first ACI Executive Committee meeting in May 2019, 10 priorities were set for 2019 and 2020. ACI has implemented three of these priorities and they are on-going. ACI has also initiated work on the remaining seven. However, ACI has not developed mechanisms to monitor and evaluate results for meeting milestones and timetables for its priorities. ACI lacks an integrated budget and dedicated resources. As a result, FAA and its ACI partners face challenges in achieving its priorities; these challenges could inhibit FAA’s ability to develop a comprehensive and strategic framework for cybersecurity. RecommendationsTo enhance FAA’s progress in achieving ACI’s mission, we made one recommendation. FAA concurred with our recommendation.

The VA Office of Inspector General (OIG) reviewed whether the Veterans Health Administration (VHA) established adequate financial management practices at the VA Southeast Network and the VA Great Lakes Health Care System to promote the efficient use of their financial resources. The audit team found that VHA’s financial management practices did not include adequate controls, such as financial performance indicators, to assess whether its regional networks and medical centers used funds in a cost-effective manner. The use of financial performance indicators would allow VHA and its regional networks to identify inefficiencies that could indicate wasteful spending. VHA-wide indicators could also highlight trends and provide insights that help VHA develop best practices to enhance financial efficiency in its operations. VHA lacked an effective financial management structure to promote adequate controls. Under VHA’s current reporting structure, regional networks do not have uniform financial management functions and do not conduct oversight that promotes financial efficiency. Rather, regional oversight focuses on achieving reliable financial reporting, allocating financial resources, addressing budget excesses and shortfalls, and monitoring planned versus actual obligations of appropriated funds. The OIG recommended that VHA (1) establish key performance indicators that align with medical center operations and can be used to assess the efficient use of operating funds, (2) specify the office responsible for establishing financial controls that address the efficient use of funds at regional networks and medical centers, and (3) require VHA to establish and publish organizational charts that identify the appropriate financial management reporting lines of authority and to develop familiarization training on the reporting lines of authority at the VISN and medical center levels, as appropriate.

This Office of Inspector General (OIG) Comprehensive Healthcare Inspection Program report provides a focused evaluation of the quality of care delivered in the inpatient and outpatient settings of the Tuscaloosa VA Medical Center and one outpatient clinic in Alabama. The inspection covers key clinical and administrative processes that are associated with promoting quality care. For this inspection, the areas of focus were Leadership and Organizational Risks; Quality, Safety, and Value; Medical Staff Privileging; Environment of Care; Medication Management: Long-Term Opioid Therapy for Pain; Mental Health: Suicide Prevention Program; Care Coordination: Life-Sustaining Treatment Decisions; Women’s Health: Comprehensive Care; and High-Risk Processes: Reusable Medical Equipment. The executive leaders worked together for four months; however, the Director and the Associate Director for Patient Care Services had worked together since 2015. Survey results revealed opportunities for the Associate Director for Patient Care Services to improve employee satisfaction. Survey data indicated that patients were generally satisfied with their care experiences, but there were opportunities to improve appointment wait times. Review of the medical center’s accreditation findings, sentinel events, and disclosures did not identify any substantial organizational risks. However, the OIG identified concerns regarding peer review and patient safety programs. The executive leaders were extremely knowledgeable within their scope of responsibilities about Strategic Analytics for Improvement and Learning data and should continue to act to sustain and improve performance. The OIG issued 14 recommendations for improvement in five areas: (1) Environment of Care • Emergency egress accessible • Wheelchair maintenance (2) Mental Health • Community outreach • Patient follow-up (3) Care Coordination • Goals of care conversations • Multidisciplinary committee representatives and activities (4) Women’s Health • Staffing requirements (5) High-Risk Processes • Equipment inventory file • Instrument tracking system • Annual risk analysis • Environmental cleanliness • Sterile area climate control • Staff training

This memorandum is Sensitive But Unclassified. To obtain further information, please contact the OIG Office of Counsel at OIGCounsel@oig.treas.gov, (202) 927-0650, or by mail at Office of Treasury Inspector General, 1500 Pennsylvania Avenue, Washington DC 20220.

The unclassified version of the SAR covers the period from October 1, 2019 through March 31, 2020, and reflects what the NSA OIG could release publicly about its work for that reporting period. The OIG issued 10 reports and oversight memoranda during the period, making 94 recommendations to assist the Agency in addressing the findings and deficiencies identified. NSA's management agreed with all OIG recommendations made during this period. The Director of the NSA and Congress received the classified version of the SAR in accordance with the IG Act.

OIG PEER REVIEW

Medicare payments may not be made for items or services that “are not reasonable andnecessary for the diagnosis or treatment of illness or injury or to improve the functioning of amalformed body member” (Social Security Act (the Act) § 1862(a)(1)(A)). In addition, the Actprecludes payment to any provider of services or other person without information necessaryto determine the amount due the provider (§ 1815(a)).Federal regulations state that the provider must furnish to the Medicare contractor sufficientinformation to determine whether payment is due and the amount of the payment (42 CFR§ 424.5(a)(6)).Claims must be filed on forms prescribed by CMS in accordance with CMS instructions (42 CFR§ 424.32(a)(1)). The Medicare Claims Processing Manual (the Manual) requires providers tocomplete claims accurately so that Medicare contractors may process them correctly andpromptly (Pub. No. 100-04, chapter 1, § 80.3.2.2). The Manual states that providers must useHCPCS codes for most outpatient services (chapter 23, § 20.3).3The Office of Inspector General (OIG) believes that this audit report constitutes credibleinformation of potential overpayments. Upon receiving credible information of potentialoverpayments, providers must exercise reasonable diligence to identify overpayments (i.e.,determine receipt of and quantify any overpayments) during a 6-year lookback period.Providers must report and return any identified overpayments by the later of (1) 60 days afteridentifying those overpayments or (2) the date that any corresponding cost report is due (ifapplicable). This is known as the 60-day rule.4The 6-year lookback period is not limited by OIG’s audit period or restrictions on theGovernment’s ability to reopen claims or cost reports. To report and return overpaymentsunder the 60-day rule, providers can request the reopening of initial claims determinations,submit amended cost reports, or use any other appropriate reporting process.

In 2010, Congress passed the Patient Protection and Affordable Care Act (ACA). The ACA established enhanced Federal reimbursement rates for services provided to nondisabled, low-income adults without dependent children (new adult group). The enhanced reimbursement rates established under the ACA have raised concerns about the possibility that States could improperly enroll individuals for Medicaid coverage in the new adult group and, as a consequence, the potential for improper payments.Our objective was to determine whether Colorado complied with Federal and State requirements when claiming Federal Medicaid reimbursement for Medicaid services provided to beneficiar