Federal Reports

On the basis of our review of 41 subrecipients, we determined that the New Jersey Department of Human Services (State agency) budgeted appropriate costs and claimed Sandy Social Services Block Grant costs that were in accordance with Federal requirements as of March 31, 2014. However, the State agency should strengthen its internal controls over these funds. The State agency did not have procedures to ensure that subrecipients' claimed expenditures were not reimbursed by other sources, such as the Federal Emergency Management Agency (FEMA) or insurers. Further, the State agency awarded cash advances to some subrecipients in excess of their immediate cash needs.

Federal law requires that each Medicare administrative contractor (MAC) have its information security program evaluated annually by an independent entity, and these evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). To comply with this provision, CMS contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs using a set of agreed-upon procedures. To satisfy the requirement to evaluate the information security controls for a subset of systems, CMS expanded the scope of its evaluations to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the MACs.

For the nine Medicaid managed-care organizations (MCOs) we reviewed, the Medicaid program would not have realized savings in 2014 if the California Department of Health Care Services (State agency) had required its MCOs to meet a minimum medical loss ratio (MLR) standard, similar to the Federal standards for private health insurers and Medicare Advantage plans, and had required remittances when that standard was not met. Although the State agency did not require its MCOs to achieve a minimum MLR standard, the State agency achieved savings similar to the savings it would have achieved with an MLR requirement by placing limits on the administrative costs that MCOs could incur. Because the MLRs we calculated for the nine MCOs were greater than 85 percent during 2014, the MCOs would not have had to issue remittances to the State agency.

This report provides the results of our review of the Centers for Disease Control and Prevention (CDC) detailed accounting submission, which includes the Table of Drug Control Obligations, related disclosures, and management's assertions for the fiscal year ended September 30, 2016. We also reviewed the Performance Summary Report, which includes management's assertions and related performance information for the fiscal year ended September 30, 2016.

TARP’s Hardest Hit Fund is an investment in American workers, providing a temporary safety net to help save the homes of unemployed and underemployed working class Americans in Rust Belt states (such as Ohio, Michigan, Indiana and Illinois), Southern states (such as North Carolina, South Carolina, Alabama, Tennessee, and Georgia), and 10 other states.HHF has helped more than a quarter of a million homeowners, but even good programs can be better. The program is meeting a real need, one that continues. The need for this unemployment bridge—and other Hardest Hit Fund programs, like blight demolition—remains so critical that, in December 2015, Members of Congress from Ohio and Michigan worked across the aisle to convince Congress to add $2 billion to the program.Hardest Hit Fund dollars have been slow to flow in many states, and more than 160,000 people were denied HHF assistance. SIGTARP analyzed data provided by state agencies on each person who was turned down for this program.

Emphasis on older grants with no reported expenditures or small balances

The OIG analyzed the metrics and associated maturity levels defined within the Fiscal Year (FY) 2016 Inspectors General (IG) Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics and found TVA's maturity levels for the five cybersecurity functional areas ranged from level 1, ad hoc, to level 3, consistently implemented. The Chief Information Officer (CIO), Information Technology ( IT), in consultation with TVA executive management, will continue to be responsible for determining the desired level of maturity to achieve in each of the five functional areas, and actions necessary to reach the desired maturity level, while considering efficiency and budgeting constraints. The OIG will continue to reassess progress and TVA status on an annual basis as prescribed by the Office of Management and Budget and the Department of Homeland Security, utilizing the annual IG metrics and maturity models prescribed by the Council of Inspectors General on Integrity and Efficiency. We recommended the CIO, IT, perform a risk assessment of the FY 2016 IG metrics not met and determine actions necessary to reduce cybersecurity risk to TVA in FY 2017.(Summary Only)

This report provides the results of our review of the Indian Health Service (IHS) detailed accounting submission, which includes the Table of Drug Control Obligations, related disclosures, and management's assertions for the fiscal year ended September 30, 2016. We also reviewed the Performance Summary Report, which includes management's assertions and related performance information for the fiscal year ended September 30, 2016.

This report provides the results of our review of the National Institutes of Health (NIH) detailed accounting submissions, which include the tables of Fiscal Year 2016 Actual Obligations, related disclosures, and management's assertions for the fiscal year ended September 30, 2016. We also reviewed the Performance Summary Report, which includes management's assertions and related performance information for the fiscal year ended September 30, 2016.

This report provides the results of our review of the Substance Abuse and Mental Health Services Administration (SAMHSA) detailed accounting submission, which includes the Table of Drug Control Obligations, related disclosures, and management's assertions for the fiscal year ended September 30, 2016. We also reviewed the Performance Summary Report, which includes management's assertions and related performance information for the fiscal year ended September 30, 2016.

This report provides the results of our review of the Health Resources and Services Administration (HRSA) detailed accounting submission, which includes the Table of Drug Control Obligations, related disclosures, and management's assertions for the fiscal year ended September 30, 2016. We also reviewed the Performance Summary Report, which includes management's assertions and related performance information for the fiscal year ended September 30, 2016.

This is the evaluation of the NEA's information technology systems security. Due to security concerns, this report is not published on the internet. The report may be obtained through a freedom of information request at the following link: https://www.arts.gov/freedom-information-act-guide

The information security landscape is constantly changing and, as such, it is critical that the Postal Service maintain information security policies that protect its critical applications and infrastructure. With an information security framework based on industry best practices in place, the Postal Service should maintain the confidentiality, integrity, and availability of its information technology.

Quarterly Summary Memorandum for the Lead Inspector General, Department of Defense:

DATA Act

At the request of the Tennessee Valley Authority's (TVA) Supply Chain, we examined the cost proposal submitted by a contractor for non-nuclear modification and supplemental maintenance services and technical support services. Our objective was to determine if the cost proposal was fairly stated for a planned $950 million contract. In our opinion, the cost proposal was overstated. Specifically, the proposal included overstated nonmanual payroll tax rates and fringe benefit rates. We estimated TVA could avoid $1.14 million on the planned $950 million contract by negotiating reduced (1) non-manual payroll tax rates that are fixed for the contract term and (2) fringe benefit rates.(Summary Only)

The Colorado Department of Health Care Policy and Financing (State agency) did not always comply with Federal Medicaid requirements for invoicing manufacturers for rebates for physician-administered drugs. The State agency did not invoice manufacturers for rebates associated with $13 million ($6.5 million Federal share) in physician-administered drugs. Of this amount, $10.5 million ($5.2 million Federal share) was for single-source drugs, and $2.6 million ($1.3 million Federal share) was for top-20 multiple-source drugs. Because the State agency's internal controls did not always ensure that it invoiced manufacturers to secure rebates, the State agency improperly claimed Federal reimbursement for these single-source drugs and top-20 multiple-source drugs.

Members of Congress and others have raised concerns about the high prices of certain drugs and the impact these high prices have on Medicare beneficiaries and the health care system. An important part of the Medicare Part D benefit is catastrophic coverage, which beneficiaries enter when their out-of-pocket costs exceed a certain threshold. In catastrophic coverage, most beneficiaries pay a 5-percent coinsurance for drugs, while the Federal Government pays the vast majority of the remaining costs. Understanding the effect that high drug prices have on spending in catastrophic coverage is crucial. In catastrophic coverage, beneficiaries' out-of-pocket costs are not capped, and the Federal Government's share of drug spending is the highest.

For Fiscal Year (FY) 2016, the U.S. Equal Employment Opportunity Commission (EEOC), Office of Inspector General (OIG) contracted with Brown & Company CPAs and Management Consultants, PLLC (Brown & Company) to conduct an independent evaluation of EEOC’s compliance with the provisions of the Federal Information Security Modernization Act of 2014 (FISMA). FISMA requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.Based on the results of our evaluation, Brown & Company concluded that the EEOC continues to make positive strides in addressing information security weaknesses; however, the agency still faces challenges to fully implement information security requirements as stipulated in various federal guidelines and mandates.

During the period April 1, 2013, through March 31, 2014, the Louisiana Department of Health and Hospitals (State agency) claimed Federal Medicaid reimbursement for some nonemergency medical transportation (NEMT) services claims submitted by transportation providers that did not comply with certain Federal and State requirements. Of the 120 NEMT claims in our sample, the State agency properly claimed Medicaid reimbursement for 83 claims. However, the remaining 37 claims contained services that did not comply with certain Federal and State regulations. Of the 37 claims, 14 contained more than 1 deficiency.

Qualified aliens are generally not permitted to receive Federal Medicaid benefits for 5 years from the date they enter the United States with qualified alien status. States are required to have a verification system to meet requirements for receiving Federal reimbursement for services provided to qualified aliens. To comply with those requirements, the California Department of Health Care Services (State agency) created the quarterly alien claiming adjustment report (adjustment report) in its Medicaid Management Information System (MMIS) to identify claims for services provided to qualified aliens who had not met, and were not otherwise excepted from, the 5-year waiting period.

Northside Medical Center (The Hospital), in Youngstown, Ohio complied with Medicare billing requirements for diagnosis codes 261 and 262 for 2 of the 100 claims that we reviewed. However, the Hospital did not comply with Medicare billing requirements for the remaining 98 claims. For two of these claims, the medical record documentation supported a secondary diagnosis code other than 261 or 262, but the error resulted in no change to the diagnosis-related group or payment. For the remaining 96 claims, the billing errors resulted in overpayments of $464,000. These errors occurred because the Hospital used diagnosis code 261 or 262 when it should have used codes for other forms of malnutrition or no malnutrition diagnosis code at all. On the basis of our sample results, we estimated that the Hospital received overpayments of at least $1.28 million over 2 and a half years.

For the period January 1 through December 31, 2013, the Delaware Department of Health and Social Services, Division of Medicaid and Medical Assistance (State agency) did not fully comply with Federal Medicaid requirements for billing manufacturers for some rebates for physician-administered drugs dispensed to enrollees of managed-care organizations (MCOs). The State agency properly billed for most rebates for MCO drug utilization in our judgmental sample. However, the State agency did not have valid National Drug Codes (NDCs) for other drug utilization data submitted by MCOs for physician-administered drugs, and the State agency did not bill manufacturers for rebates for these drugs. We estimate that the State agency did not bill manufacturers for rebates totaling $230,000 ($127,000 Federal share). We did not have enough information to determine an estimate for some of the utilization.

Most of the New Jersey Department of Human Services' (State agency) claims for Federal Medicaid reimbursement for partial care services did not comply with Federal and State requirements. The partial care services program provides individualized outpatient clinic services (e.g., group and individual therapy, prevocational services, and medication management) to beneficiaries with mental illness to reduce unnecessary hospitalization. On the basis of our sample results, we estimated that the State agency improperly claimed at least $94.8 million in Federal Medicaid reimbursement for partial care services that did not meet Federal and State requirements.

Connect for Health Colorado (Colorado marketplace), the health insurance exchange established by the State of Colorado under the provisions of the Patient Protection and Affordable Care Act, did not expend $9.7 million of Federal establishment grant funds in accordance with Federal requirements. Specifically, the Colorado marketplace (1) did not adequately document costs that it charged to the establishment grants ($4.4 million); (2) charged costs to the establishment grants for unallowable contract costs whose periods of benefit occurred after December 31, 2014 ($4.5 million), which was contrary to Centers for Medicare & Medicaid Services guidance regarding the expenditure of establishment grant funds; (3) improperly transferred costs from one establishment grant to another without demonstrating that the transfers were performed to correct bookkeeping or clerical errors ($312,000); and (4) did not efficiently and effectively administer establishment grant funds including improperly awarded bonuses, overpayments to subgrantees, unallowable promotional giveaway items, excessive and unreasonable tips, vendor rebates that were not credited to the establishment grants, and unallowable social activities ($463,000).

Claims for outpatient physical therapy services provided by a physical therapy practice (the practice), with offices located in Southern California, did not comply with Medicare requirements. Specifically, of the 100 beneficiary days in our random sample, the practice properly claimed Medicare reimbursement for 68 beneficiary days. However, the practice improperly claimed Medicare reimbursement for the remaining 32 beneficiary days, which had therapy services that were not medically necessary. On the basis of our sample results, we estimated that the practice improperly received at least $267,000 in Medicare reimbursement for outpatient physical therapy services that did not comply with Medicare requirements.

An audit report required by the Accountability of Tax Dollars Act of 2002.

Inpatient rehabilitation (rehab) hospitals are freestanding facilities that specialize in providing intensive rehab therapy to patients recovering from illness, injury, or surgery. This intensive therapy requires endurance that some patients receiving post-acute care do not have, potentially causing those patients to be better suited for an alternate setting such as a skilled nursing facility. Medicare criteria for admission to post-acute care help ensure that patients receive the most appropriate care for their conditions and needs. In conducting a medical review for a separate evaluation to identify adverse events in inpatient rehab hospitals, physician reviewers found a small number of hospital stays in which the patients appeared to be unsuited for intensive therapy. In response, we extended our medical review to provide additional information about these stays in which patients were unable to actively participate in and benefit significantly from intensive therapy.

The Ohio State University monitored subrecipients and claimed costs as a subrecipient in accordance with National Institutes of Health grant polices and Federal regulations. Accordingly, this report contains no recommendations.

Management Letter for the Fiscal Year 2016 Financial Statement Audit

This final report documents the results of our audit on the effectiveness of the National Telecommunications and Information Administration’s (NTIA’s) unliquidated obligation (ULO) review policies and procedures developed since our OIG audit report issued in June 2013 (OIG-13-026-A). In our 2013 report, we concluded that Department-wide controls over the management of ULOs needed strengthening. We also concluded that effective management of outstanding obligation balances allows bureaus to review and deobligate unneeded funds, promoting a better use of federal resources. Our objective for the current audit was to evaluate the effectiveness of NTIA obligation and deobligation practices, as well as review policies and procedures that were implemented, since our June 2013 audit report.

For the period January 1 through December 31, 2013, the Virginia Department of Medical Assistance Services, Division of Health Care Services (State agency), did not fully comply with Federal Medicaid requirements for billing manufacturers for some rebates for physician-administered drugs dispensed to enrollees of managed-care organizations (MCOs). The State agency properly billed manufacturers for rebates for drugs associated with the National Drug Codes (NDCs) in our judgmental sample. However, the State agency did not have valid NDCs for other drug utilization data submitted by MCOs for physician-administered drugs, and the State agency did not bill manufacturers for rebates for these drugs. The State agency estimated average rebates per claim billed to manufacturers, and we determined these estimates to be reasonable. We applied the estimates and determined that the State agency did not bill rebates of $5.8 million ($2.9 million Federal share) to manufacturers for physician-administered drug utilization without valid NDCs.

The University of Louisville did not always claim selected costs charged directly to HHS awards in accordance with Federal regulations and, where appropriate, NIH guidelines. In our sample of 120 salary transactions, 102 were allowable but 18 were not. In addition, in our sample of 100 nonsalary transactions, 61 were allowable but 39 were not. These unallowable transactions occurred because the University did not provide adequate oversight to ensure consistent compliance with Federal regulations.