Audit faults Md. health exchange on procurement, security

The Maryland Health Benefit exchange violated its procurement policies, didn’t obey the state’s Open Meetings Act and failed to adequately safeguard equipment and electronic personal information, according to a report released by state auditors Friday.

Maryland’s Office of Legislative Audits examined the exchange from its inception on June 1, 2011 through July 23, 2014.

Auditors faulted MHBE — which had to replace the original web portal for its health insurance marketplace after a problem-ridden initial roll-out in 2013 — on ten points.

Exchange officials dispute several of those findings but said in the agency’s written response to the audit that they concur with its recommendations and have already completed some of the suggested remedies, such as reviewing and tightening IT security procedures and maintaining more detailed inventory records.

“Since the audit, MHBE, which was still a young agency during the audit period, has made considerable progress in enhancing its infrastructure and improving overall operations, accountability, security and transparency,” Executive Director Carolyn Quattrocki wrote in the agency’s response to the audit.

Among the security concerns identified by auditors was that, as of April 28, the exchange’s database contained “sensitive personally identifiable information” and federal tax information for 591,858 people in unencrypted, clear text. Since July, MHBE has made sure that all such information is properly protected either by encryption or other security measures, according to the agency’s response.

One of the disputed findings is that MHBE violated its procurement policies by not adequately justifying some sole-source contacts and maintaining appropriate documentation.

“MHBE does not agree with [the Office of Legislative Audits] finding that it acted in violation of its Board of Trustees’ procurement policies,” Quattrocki wrote. Those policies “place discretion and approval for significant contracts with the Board of Trustees, which considered and approved all of the procurement reviewed by OLA,” she wrote.

The audit also found that the exchange paid certain vendors without always reviewing invoices and payroll records — an allegation with which the exchange concurred “in part” — and didn’t verify the propriety of some grant expenditures paid for by state and federal funds — a charge exchange officials deny, arguing that the organization makes quarterly reviews of the relevant expenditure reports, according to the agency’s response.

Auditors said the agency also didn’t submit some requests for federal Medicaid reimbursement on time, resulting in a loss of nearly $200,000 in interest revenue; the exchange concurred with that finding and said it has had a dedicated chief financial officer on staff since January 2014 to make sure the process is accurate and timely.

During the audit period, the MHBE board violated the state Open Meetings Act by allowing by discussion of certain topics in closed sessions that must be discussed publicly and did not regularly give the required written notice that a closed session would be held, according to the audit.

On the recommendations of the Maryland Open Meetings Law Compliance Board, the exchange board has been complying with the law since April 2014, according to the written response.