OIG reviews MassHealth and its Medicaid data and information system safeguards

MassHealth failed to adequately safeguard data and information systems through its Medicaid Management Information System (MMIS), according to an audit by the HHS’ Office of Inspector General (OIG). The audit was undertaken to determine whether Massachusetts safeguarded MMIS data as required under federal requirements.

What is MMIS?

The MMIS is “an integrated group of procedures and computer processing operations (subsystems) developed at the general design level to meet principal objectives” which are: Title XIX program control and administrative costs; service to recipients, providers and inquiries; operations of claims control and computer capabilities; and management reporting for planning and control. States receive 90 percent federal financial participation (FFP) for design, development, or installation of MMIS and 75 percent FFP for operation of state mechanized claims processing and information retrieval systems.

MassHealth MMIS

The Massachusetts Executive Office of Health and Human Services is responsible for administering the state Medicaid program, commonly known as MassHealth. Information technology architecture, maintenance, and support are provided by the Massachusetts Office of Information Technology, and application support is provided through a contract with Hewlett-Packard.

The audit

Audits of information security controls are performed routinely on states’ computer systems used to administer HHS-funded programs, and states are required to implement computer system security requirements and review them biennially. The OIG’s audit of MassHealth’s MMIS included MassHealth’s websites, databases, and other supporting information systems. The review was limited to security control areas and controls in place at the time of the visit. Specifically, the OIG looked at MassHealth’s implementation of federal requirements and National Institute of Standards and Technology guidelines regarding: system security plan, risk assessment, data encryption, web applications, vulnerability management, and database applications. Preliminary findings were communicated directly to MassHealth prior to the report’s issuance.

OIG’s findings

The OIG found MassHealth did not safeguard MMIS data and supporting systems as required by federal requirements. Vulnerabilities were discovered related to security management, configuration management, system software controls, and website and database vulnerability scans. Should exploitation of the vulnerabilities have occurred (and there was no evidence that it had), sensitive information could have been accessed and disclosed and operations of MassHealth could have been disrupted. Sufficient controls must be implemented over MassHealth Medicaid data and information systems.

Specific vulnerabilities uncovered were not detailed in the report because of the sensitive nature of the information. However, specific details were provided to MassHealth so it may address the issues. In response to the report, MassHealth described corrective actions it had taken or planned to take in response to the vulnerabilities.

Highlight on Massachusetts: Seeing the opioid crisis differently

Massachusetts, like many states, has an opioid epidemic. The number of individuals experiencing opioid-related overdose and death in Massachusetts was four times higher in 2015 than it was in 2000. The crisis isn’t new, but state health officials have taken a new step to raise awareness and disseminate information concerning the epidemic. State health officials released an interactive website designed to display information graphically so that it will have a more profound impact.

Chapter 55

As part of an effort to combat the epidemic, Chapter 55 of the Acts of 2015 was signed into law—a piece of state legislation that permitted an analysis of government datasets to achieve better understanding of the opioid crisis. The Massachusetts Department of Public Health (DPH) led the data analysis, which culminated in a report: The Chapter 55 Report. The report identified a number of trends and analyzed key factors impacting the crisis, including: costs, growth of addiction, prescriptions, illegal drugs, and demographics.

Crisis

The crisis in Massachusetts is above the national average, due in part to a sharp rise in opioid-related deaths in the last two years. For example, 2014 was the first year since 1999 that the fatal overdose rate in Massachusetts was more than double the national average. Additionally, while, in 2000, about one third of admissions to substance abuse treatment centers were opioid-related, by 2015, opioid-related issues accounted for more than half of admissions. A similar pattern was documented by the Health Policy Commission in terms of emergency department visits and hospitalizations.

Deaths

The website offers novel displays of opioid-related death data, including state maps that demonstrate by county across three blocks of time—2001 to 2005, 2006 to 2010, and 2011 to 2015—the number of individuals, per 100,000 people, who died as the result of opioids. By scrolling over a county, the maps demonstrate the five-year death rate for that county and the death rate per 100,000 people. Some counties have undergone massive increases in their opioid-related death rate. For example, from 2001 to 2005, Eastham County had a five-year death count of zero and a death rate per 100,000 people of zero. In stark contrast, from 2011 to 2015, Eastham County had a five-year death count of nine and a death rate per 100,000 people of 36.3.

Heroin

Another set of maps demonstrates the percentage of patients in treatment who listed heroin as their primary substance of abuse. The four separate maps correspond to the frequency of that designation, by county, in 2000, 2005, 2010, and 2015. In 2000, only about 20 counties were identified as having over 46 percent of substance abuse treatment patients indicating heroin as their primary substance of abuse—a designation shown as green on the map. The 2000 map is merely speckled with green. By 2015, however, the map is almost entirely green, with the majority of counties marked as having over 46 percent of patients indicating heroin as their primary substance of abuse.

Transition

The website also uses graphics to display the trends related to the transition between prescriptions and illegal opioids. The graphics demonstrate, based upon specific drugs—heroin, fentanyl, prescription opioids, methadone—the likelihood that an individual had a legal opioid one, three, or six months before death. For example, in Massachusetts, between 2013 and 2014, 867 individuals who died of an opioid-related overdose had a positive toxicology screen for heroin. Sixty-five percent of those individuals had a legal opioid prescription between 2011 and 2014.

Conclusion

The website offers information about addressing substance abuse and gives examples of steps that can still be taken to expand treatment options, tailor treatment and prevention efforts, and develop post-incarceration treatment plans. The Massachusetts DPH aims to continue to use data as a tool to obtain insight and solutions for the problem. If nothing else, the agency’s graphic depiction of the Chapter 55 Report is successful in that it is a stark and dramatic way to say: something is wrong.

Massachusetts businesses relax for another year, rate setting waiver extended

In an effort to keep small business health insurance premiums low, the Commonwealth of Massachusetts has applied for and received an HHS waiver allowing it to use state small group rating factors. These factors, used to determine how rates should be set, are not aligned with the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148), but continued use is likely to preserve the current status of the market and avoid disruption.

Previous waivers

Massachusetts had received a waiver in 2013 allowing it to implement a slower transition to ACA compliance. This waiver, extended various times, covered state rating factors, allowing small group insurers to use two-thirds of the state factors established in July 2013 through January 1, 2017 (see Massachusetts granted extension on ACA requirement deadline, Health Reform WK-EDGE, April 30, 2014). The state rating factors would be further reduced to one-third until December 31, 2017, and then completely phased out. The waiver extension will allow one-third of the rating factors to be used through the end of 2018.

Rating factors

The rating factors in question apply to businesses with no more than 50 employees. An employer group, Associated Industries of Massachusetts, stated that insurance costs for some small businesses could have increased by as much as 50 percent without the temporary waiver, and expressed hopes that a permanent waiver would come. Massachusetts allows a company’s size and industry to be considered, but the ACA does not take these factors into account.

Highlight on Massachusetts: Will the CVS painkiller settlement be the first of many?

CVS Pharmacy, Inc. must essentially admit that it contributed to the opioid epidemic by filling forged prescriptions for painkillers during what some consider to be the height of the epidemic. CVS has agreed to pay $3.5 million to resolve allegations that 50 of its stores violated the Controlled Substances Act by filling forged prescriptions for prescription painkillers more than 500 times between 2011 and 2014. The settlement is currently one of the largest of its kind. The pharmacy has also entered into a three-year compliance agreement with the Drug Enforcement Administration (DEA) requiring it to maintain and enhance the programs it has developed in recent years for detecting and preventing diversion of controlled substances.

The allegations came after the federal government conducted two DEA investigations into CVS’ activities after receiving calls reporting forged oxycodone prescriptions. The first investigation involved CVS pharmacies throughout Massachusetts and New Hampshire and identified 403 instances at 40 CVS stores where forged prescriptions were filled. The second investigation, which focused solely on the Boston area, found over 120 filled forged prescriptions at 10 CVS locations. A handful of people were involved in nearly all of the forgeries involving an estimated street value of over $1 million.

Although the company had some protections in place, the government spent time looking into whether CVS pharmacists continually ignored red flags such as computer system band on individuals receiving addictive painkillers. “When pharmacies ignore red flags that a prescription is fraudulent, they miss a critical opportunity to prevent prescription drugs from entering the stream of illegal opiates on the black market… Although CVS is currently undertaking corrective steps to curb the tide of diversion, this settlement pushes CVS to go further and holds the company accountable for its past conduct,” said United States Attorney Carmen M. Ortiz, commenting on the settlement.

DEA regulations indicate that a pharmacist has a responsibility to ensure that he or she is filling only valid prescriptions that were written for a legitimate medical purpose by a practitioner who is managing the care of that individual. The responsibility requires that pharmacists identify and resolve any red flags which may indicate that a prescription could be forged or is otherwise invalid.

“DEA registrants like CVS have a corresponding responsibility to dispense controlled substances in accordance with the Controlled Substance Act. When pharmacies fail to adhere to these responsibilities, it allows for the diversion of prescription pain medication, which contributes to the widespread abuse of opiates, is the gateway to heroin addiction, and is devastating our communities,” said DEA Special Agent in Charge Michael J. Ferguson.

What this investigation makes clear is that authorities aren’t just looking at the forgers themselves. Pharmacies will need to ensure that they are complying with the DEA regulations and that they are keeping a lookout for any red flags. As is the case with CVS, pharmacists who look the other way will be forced to face stiff penalties for their failures to keep their eyes open.