Birth certificate security is lax, audit says

Megan Poinski

August 21, 2011

The state health department has continued to fail to control issuance of birth certificates, leading to potential fraud, auditors have found — an ongoing problem they had identified a dozen years ago.

The Department of Health and Mental Hygiene has been unable to verify that birth and death certificates contain valid information, that certificates were only issued to the right people, and that payments for certificates were correctly collected, according to a report issued Thursday by the Office of Legislative Audits.

The attorney general is investigating an employee in one local health department’s office for potential fraud, the report states.

Legislative Auditor Bruce Myers said that serious problems with vital records have been found — and not corrected — in departmental audits since 1999.

“These documents can be used for other things,” Myers said. “This is not just about the money involved. There is potential for immigration fraud.”

The problems with vital records are not the only ones uncovered by auditors. They also found that employees did not always look into how services would be paid for or go after money they were owed.

They did not investigate issues about prescriptions after significant issues were found in pharmacy audits. And there were significant internal control issues with computer networks and IT security, government credit cards and payroll verification.

In his response to the audit, DHMH Secretary Joshua Sharfstein agreed with the majority of the findings.

“I will work with the appropriate Administrators, Executive Directors, and the Deputy Secretary to promptly address all audit exceptions,” he wrote.

The health department issues birth, death and marriage certificates. There are registration and copying fees for all of the certificates, which brought in $7 million in fiscal year 2010.

More important than revenues, birth certificates are used to prove citizenship and get important documents — like driver’s licenses and passports — as well as benefits like Social Security and temporary welfare.

At the state level, information for birth certificates is entered into a computer database. However, the audit noted, the information entered into the database had not been verified with hospitals since the employee who used to have that responsibility left state employment in 2008.

And when records were changed to reflect things like spelling errors or changes in paternity information, no one independently reviewed them. Auditors found that a total of 17 employees were able to make changes to birth certificates.

There was no review of applications for certified birth certificates, either, auditors found.

There were 26 users who could both create and print certified birth certificates; there was one who had access to blank certificates, and two with access to related collections.

This means fraudulent certified birth certificates could have been created and not caught. And there were no periodic checks on the blank and numbered birth certificates, meaning that no one made sure that all of the blanks were accounted for.

Additionally, the number of certificates issued was not reconciled with the amount of fees collected.

Auditors asked DHMH to try to come up with reconciliation numbers from department records, but they found problems. For example, one day, collections of $43,404 were reported — but that day’s deposit was just $21,552.

The same sorts of problems trickled into local health departments, most of which can also issue certified birth, death and marriage certificates. Auditors investigated four departments and found that:

- Employees could both issue birth certificates and process the payments. This means that they could misuse the funds and not be easily detected. An employee in one county health department has been under investigation by the criminal division of the attorney general’s office for this sort of misuse since 2009.

- Too many employees could issue birth and death certificates, even if they did not need to for their jobs. Ten employees at the four departments studied could print the certificates, but did not need to.

Auditors found problems with the department’s Division of Cost Accounting and Reimbursements, which is supposed to examine patients admitted to the state’s mental health and chronic disease facilities and determine their ability to pay for services. In fiscal year 2009, this division got $102 million from services, while $234 million was determined to be unrecoverable.

Auditors found that the division tended to wait too long to determine if treatment costs could be recovered, did not go after money that was owed, and sometimes made questionable determinations about patients’ ability to pay.

“This is a significant item, especially in these days when the state is watching every dollar,” Myers said. “This is an area where more diligence would have saved the state many, many dollars.”

Auditors looked at 10 accounts for which the division was supposedly investigating the patients’ ability to pay for more than six months. The audit found that seven of the accounts were under investigation for nine to 15 months. One of those belonged to a patient who had been undergoing treatment for 11 months and was not yet complete.

Most of the completed investigations were not subject to review by supervisors, even though there was paperwork — like tax returns — that was missing.

Auditors found that one investigation where it was determined there was no responsible party was particularly questionable — little work had been done and the patient’s Medical Care Program card was on file.

Additionally, the division did not always chase after unpaid funds or refer them to the state’s central collection unit.

Auditors looked at 10 accounts worth $2.8 million that had gone uncollected for about four months. The division had not taken adequate steps to get funds from six of them, they found.

DHMH is owed about $15 million from unpaid accounts, and $10 million of that has been unpaid for more than 120 days and therefore should be referred to the central collections unit, auditors found.

Previous audits found problems at several pharmacies, which lacked proper documentation — like written prescriptions — for several medicines dispensed. DHMH was able to recover some money from the pharmacies, but did not act on the recommendation to expand the investigation at pharmacies to determine if the problem was larger.

Several internal control problems were also found, including:

- Inadequate review of security reports for the hospital management information system, meaning that billings and receivables data could be manipulated without being detected.

- Incomplete logs were kept of security issues — like granting and revoking database privileges — in the electronic vital records system database. Some incidents were logged, but not reviewed.

- Firewalls to protect internal network systems were more porous than they should be. Firewall security logs also were not reviewed.

- Servers were not configured to ensure privacy.

- Samples of manager signatures were not kept to ensure that actual managers were approving employee payroll sheets.

- Necessary documentation for employees working both for DHMH and other departments was not on file. This documentation would solidify working hours at each department.