By Megan Poinski
Because it did not verify information, the state Mental Hygiene Administration paid claims to people who might not have been eligible and were dead, an audit found.
The report, released Wednesday by legislative auditors, highlights problems with claims verification and digital security in the agency. The Mental Hygiene Administration, part of the Department of Health and Mental Hygiene, administers publicly funded services for the mentally ill and state mental health facilities. Some Marylanders who are not eligible for Medicaid are able to get their mental health services covered through the state’s General Fund.
Many of the agency’s problems stemmed from services contracted to an administrative services organization. This group was supposed to ensure eligibility, authorize services, and pay claims. The audit found that this organization was not always doing its job, and had paid claims to individuals who had not submitted all of the paperwork to determine their eligibility.
Auditors looked at claims from 16 people, who received a total of about $48,000 from the state’s general fund. Ten of those people did not have the required documentation of a Social Security number. Two had no proof of state residency. A dozen had said they received public mental health system coverage before, but there was no proof of that coverage for five people.
Auditors also discovered that claims worth $207,000 were paid to 106 individuals who had already died, according to the Social Security number database. Auditors chose five cases for a closer look, and instructed the contractor and the administration to investigate.
Three of those cases were people still living but erroneously marked as dead, two of them actually had died and received claims after they passed away. Those two cases were referred to the Medicaid fraud unit, the audit states.
The report recommends that the remaining 101 cases be given further investigation as well. The cases could be the result of clerical error or intentional fraud.
Another independent contractor is supposed to review the work of the primary administrative contractor. According to the report, that has not been happening, largely because there was no order in place to hire someone for that work. A review contract is still pending, according to the report.
Auditors also discovered there were some security risks with the way the administration stores its data. These include:
- Leaving out several provisions to guarantee data security and privacy in the contract with the primary administrative contractor. Data is stored on a remotely located computer server and can be accessed from many machines, a storage method called cloud computing. They recommended that the contract should include provisions to segregate the data, maintain it somewhere, figure out how to recover it, and come up with a plan to preserve the data in case of emergency.
- Creating more computer security so that few people can access the portal and server.
- No requirement that passwords are strong. Auditors found that user names and passwords were identical for 69 accounts on the system.
Additionally, auditors reported that the administration did not monitor contracts with local core service agencies to ensure that all services were being provided. Local agencies can subcontract parts of the services they are supposed to provide. Auditors looked at 26 subcontracts and found that four, worth a total of $787,000, did not live up to their expectations.
The administration also needs more controls over cash receipts, auditors found. More independent verification of money received, and quicker endorsement of checks are needed, they wrote.
The health department concurred with all the findings in the report and has begun taking corrective action, include review of past claims. In responding to the report, Health Secretary Joshua Sharfstein said, “I will work with the appropriate administration directors, program directors and deputy secretary to promptly address all audit exceptions. In addition, the Division of Internal Audits will follow up on the recommendations to insure compliance.”