SPECIAL TEST AND PROVISIONS - ADP RISK ANALYSIS & SYSTEM SECURITY REVIEW Department of Health and Human Resources (DHHR) Assistance Listing Number 93.775, 93.777, COVID-19 93.777, 93.778, ARRA 93.778 The DHHR utilizes an external service organization for the design, development, implementation, and operation of the West Virginia Medicaid Management Information System (MMIS). The system furnishes the core MMIS functionality to support the State's Medicaid program, including maintaining provider, member/recipient, and reference/procedure code data, as well as processing and adjudication rules for claims, encounters, and prior authorizations. The system also provides configuration and system management tools to govern access to data, user security, and communications. The system is an object-oriented, rules-based software program that is designed to manage multiple lines of health care business. The system employs a unified relational database that enables efficient use of data and consistent information throughout all applications. The system includes functionality for claims processing and adjudication, provider administration, benefit plan and policy administration, member administration, and medical service authorization management. The service organization has developed a variety of policies and procedures including related control activities to help ensure their objectives are carried out and risks are mitigated. The control environment includes control objectives related to claims input (hard copy/paper claims and electronic claims); claims processing; claims payment; file maintenance (provider master file, recipient master file, and procedure codes); logical access (passwords and authentication, adding and modifying user access, terminating user access, access to privileged functions, and access review monitoring); change management; production scheduling; and backup procedures. 
Control activities are performed at a variety of levels throughout the organization and at various stages during the relevant business or information technology process. Controls may be preventive or detective in nature and may encompass a range of manual and automated controls, including authorizations, reconciliations, and information technology controls. The service organization has a formal program in place to review and update the service organization's policies and procedures on at least an annual basis. Any changes to the policies and procedures are reviewed and approved by the service organization's management and communicated to its employees. As indicated in the Condition section of this finding, the DHHR obtains a System and Organization Controls (SOC) 1 Type 2 report from its service organization on an annual basis. For the period ended June 30, 2022, although the DHHR did not formally document its review of the service organization's SOC 1 Type 2 report, the DHHR did indeed review it and can hereby confirm that the service organization provided an assertion about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. The service organization was responsible for preparing the description and assertion, including the completeness, accuracy, and method of presentation of the description and assertion; providing the services covered by the description; specifying the control objectives and stating them in the description; identifying the risks that threaten the achievement of the control objectives; selecting the criteria stated in the assertion; and designing, implementing, and documenting controls that are suitably designed and operating effectively to achieve the related control objectives stated in the description. 
The DHHR can also hereby confirm that the service organization's service auditor conducted the examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards required the service auditor to plan and perform the examination to obtain reasonable assurance about whether, in all material respects, based on the criteria in the service organization's assertion, the description is fairly presented, and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the specified period. Finally, the DHHR can hereby confirm that in the service auditor's opinion, in all material respects, based on the criteria described in the service organization's assertion: 1) the description fairly presented the West Virginia MMIS that was designed and implemented throughout the period July 1, 2021 to June 30, 2022; 2) the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period July 1, 2021 to June 30, 2022 and the subservice organizations and the user entity applied the complementary controls assumed in the design of the service organization's controls throughout the period July 1, 2021 to June 30, 2022; and 3) the controls operated effectively to provide reasonable assurance that the control objectives stated in the description were achieved throughout the period July 1, 2021 to June 30, 2022 if the complementary subservice organizations and the user entity controls assumed in the design of the service organization's controls operated effectively throughout the period July 1, 2021 to June 30, 2022. 
The DHHR is of the opinion that it is in compliance with 45 CFR 95.621 since it receives and reviews the SOC 1 Type 2 report from the service organization and since the report documents that the service organization establishes and maintains a program for conducting periodic risk analyses to ensure appropriate, cost-effective safeguards are incorporated into new and existing systems or whenever significant system changes occur. However, the DHHR recognizes the concern expressed within this finding, in that the DHHR does not include the SOC 1 Type 2 report as part of its own policies and procedures for ADP security over the MMIS. To enhance its controls, the DHHR will implement a policy and related procedures to document MMIS compliance with 45 CFR 95.621. The procedures will include but not be limited to a requirement to review and approve the SOC 1 Type 2 report from the MMIS service organization and document the review and approval process (e.g., for such matters as the service organization's assertions, descriptions of its systems and controls, control objectives, and related controls, and the service auditor's description of tests of controls and results). The anticipated date for implementation of the policy and related procedures is September 30, 2023, which is prior to the anticipated date for receipt of the next SOC 1 Type 2 report from the service organization.