2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-062 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Assistance Listing Number and Title: 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 ? State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 ? Medical Assistance Program Federal Grantor Name: U. S. Department of Health and Human Services Federal Award Number: 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 2205WA5MAP; 2205WA5ADM Pass-through Entity: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Test and Provisions: Medicaid Fraud Control Unit (MFCU) Known Questioned Cost Amount: $977,613 Background Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one-third of the State?s federal expenditures. During fiscal year 2022, the program spent about $17.6 billion in federal and state funds. The Health Care Authority is required to refer suspected fraud or other criminal violations to the Medicaid Fraud Control Division (MFCD) for investigation and prosecution. The Authority reports any overpayment recoveries resulting from MFCD actions on the CMS-64 report. The CMS-64 report is the quarterly statement of Medicaid Program expenditures that agencies use to report the actual program benefit costs and administrative expenses to the Centers for Medicare & Medicaid Services (CMS). CMS uses this information to compute the federal financial participation for the state?s Medicaid Program costs. When MFCD completes an investigation, it sends the final results over to the Authority for management review and signature. After a final judgement is made on an overpayment resulting from fraud, the State has 30 days to refund the entire federal share. Once the Authority receives the outcome, a Journal Voucher (JV) is created to move the federal portion of the overpayment over to state-only funding, which creates a credit on the CMS-64 report. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to report MCFD overpayment recoveries on the CMS-64 report. The prior finding numbers were 2021-052 and 2020-050. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Our audit found the Authority did not create JVs to move the entire federal portion of the two final judgments resulting from fraud over to state-only funding or report the entire overpayment on the CMS-64 report as a credit. Instead, the Authority only created JVs of the payments as they were made to the State. Additionally, the Authority did not have policies and procedures in place that described the process staff should follow for creating the JV or for reporting the MFCD overpayments on the CMS-64 report. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Management did not implement sufficient internal controls to ensure the Authority returned recoveries of fraudulent overpayments to the grantor in a timely manner. Additionally, the MFCD inadvertently did not notify the Authority at the time of final filing for one judgement resolution. Effect of Condition and Questioned Costs For fiscal year 2022, two final judgements were made totaling $2,792,013 in overpayments resulting from fraud. The Authority created JVs and reported $139,718 on the CMS-64 report dated June 30, 2022. JVs for the entire federal portion should have been processed and reported on the June 30, 2022 CMS-64 report. We are questioning the costs of $977,613 that the Authority did not report on the CMS-64 report or return to CMS, as federal regulations require. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Establish a formal process to ensure it properly reports recoveries of fraudulent overpayments on the quarterly CMS-64 report ? Consult with the federal grantor about whether or not the questioned costs identified in the finding should be repaid Authority?s Response The Authority partially concurs with the finding. It has documented the processes and procedures staff will follow to acknowledge and comply with the applicable federal rules and regulations concerning the timely return of federal revenue associated with fraudulent overpayments. The authority does not concur with repayment of $976,580 questioned costs related to one of the fraud referrals. The provider in this case was out of business and its business license expired May 2017, and then became inactive October 2017. The State pursued assets through available means and through the court. Final court rulings were made in June 2022, and in April 2023, within one year of the final rulings, the Attorney General?s Office certified that the defaulted corporation had no identifiable assets. In accordance with 42 CFR 433.318 (d) the provider is out of business and the Authority is not required to refund overpayment to CMS. The Authority will work with the Centers for Medicaid & Medicare Services to coordinate the return of the remaining $1,032 in identified questioned costs. Auditor?s Remarks The Authority states that the $976,580 in questioned costs is not required to be returned due to the corporation having no identifiable assets. While this may be the case since the Attorney General?s Office certified the corporation had no assets on April 13th, 2023, which was outside of our audit scope, the summary judgement order for this case was issued on May 2, 2022, and the overpayments were required to be returned within 30 days of that ruling. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 42 U.S. Code of Federal Regulations (CFR) Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers states in part: Section 433.300 Basis. This subpart implements - (a) Section 1903(d)(2)(A) of the Act, which directs that quarterly Federal payments to the States under title XIX (Medicaid) of the Act are to be reduced or increased to make adjustment for prior overpayments or underpayments that the Secretary determines have been made. (b) Section 1903(d)(2)(C) and (D) of the Act, which provides that a State has 1 year from discovery of an overpayment for Medicaid services to recover or attempt to recover the overpayment from the provider before adjustment in the Federal Medicaid payment to the State is made; and that adjustment will be made at the end of the 1-year period, whether or not recovery is made, unless the State is unable to recover from a provider because the overpayment is a debt that has been discharged in bankruptcy or is otherwise uncollectable. (c) Section 1903(d)(3) of the Act, which provides that the Secretary will consider the pro rata Federal share of the net amount recovered by a State during any quarter to be an overpayment. Section 433.312 Basic requirements for refunds. (a) Basic rules. (1) Except as provided in paragraph (b) of this section, the State Medicaid agency has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. (2) The State Medicaid agency must refund the Federal share of overpayments at the end of the 1-year period following discovery in accordance with the requirements of this subpart, whether or not the State has recovered the overpayment from the provider. (b) Exception. The agency is not required to refund the Federal share of an overpayment made to a provider when the State is unable to recover the overpayment amount because the provider has been determined bankrupt or out of business in accordance with ? 433.318. Section 433.316 When discovery of overpayment occurs and its significance. (a) General rule. The date on which an overpayment is discovered is the beginning date of the 1-year period allowed for a State to recover or seek to recover an overpayment before a refund of the Federal share of an overpayment must be made to CMS. (b) Requirements for notification. Unless a State official or fiscal agent of the State chooses to initiate a formal recoupment action against a provider without first giving written notification of its intent, a State Medicaid agency official or other State official must notify the provider in writing of any overpayment it discovers in accordance with State agency policies and procedures and must take reasonable actions to attempt to recover the overpayment in accordance with State law and procedures. (c) Overpayments resulting from situations other than fraud. An overpayment resulting from a situation other than fraud is discovered on the earliest of - - (1) The date on which any Medicaid agency official or other State official first notifies a provider in writing of an overpayment and specifies a dollar amount that is subject to recovery; (2) The date on which a provider initially acknowledges a specific overpaid amount in writing to the medicaid agency; or (3) The date on which any State official or fiscal agent of the State initiates a formal action to recoup a specific overpaid amount from a provider without having first notified the provider in writing. (d) Overpayments resulting from fraud. (1) An overpayment that results from fraud is discovered on the date of the final written notice (as defined in ? 433.304 of this subchapter) of the State's overpayment determination. (2) When the State is unable to recover a debt which represents an overpayment (or any portion thereof) resulting from fraud within 1 year of discovery because no final determination of the amount of the overpayment has been made under an administrative or judicial process (as applicable), including as a result of a judgment being under appeal, no adjustment shall be made in the Federal payment to such State on account of such overpayment (or any portion thereof) until 30 days after the date on which a final judgment (including, if applicable, a final determination on an appeal) is made. (3) The Medicaid agency may treat an overpayment made to a Medicaid provider as resulting from fraud under subsection (d) of this section only if it has referred a provider's case to the Medicaid fraud control unit, or appropriate law enforcement agency in States with no certified Medicaid fraud control unit, as required by ? 455.15, ? 455.21, or ? 455.23 of this chapter, and the Medicaid fraud control unit or appropriate law enforcement agency has provided the Medicaid agency with written notification of acceptance of the case; or if the Medicaid fraud control unit or appropriate law enforcement agency has filed a civil or criminal action against a provider and has notified the State Medicaid agency. (e) Overpayments identified through Federal reviews. If a Federal review at any time indicates that a State has failed to identify an overpayment or a State has identified an overpayment but has failed to either send written notice of the overpayment to the provider that specified a dollar amount subject to recovery or initiate a formal recoupment from the provider without having first notified the provider in writing, CMS will consider the overpayment as discovered on the date that the Federal official first notifies the State in writing of the overpayment and specifies a dollar amount subject to recovery. (f) Effect of changes in overpayment amount. Any adjustment in the amount of an overpayment during the 1-year period following discovery (made in accordance with the approved State plan, Federal law and regulations governing Medicaid, and the appeals resolution process specified in State administrative policies and procedures) has the following effect on the 1-year recovery period: (1) A downward adjustment in the amount of an overpayment subject to recovery that occurs after discovery does not change the original 1-year recovery period for the outstanding balance. (2) An upward adjustment in the amount of an overpayment subject to recovery that occurs during the 1-year period following discovery does not change the 1-year recovery period for the original overpayment amount. A new 1-year period begins for the incremental amount only, beginning with the date of the State's written notification to the provider regarding the upward adjustment. (g) Effect of partial collection by State. A partial collection of an overpayment amount by the State from a provider during the 1-year period following discovery does not change the 1-year recovery period for the balance of the original overpayment amount due to CMS. (h) Effect of administrative or judicial appeals. Any appeal rights extended to a provider do not extend Section 433.320 Procedures for Refunds to CMS. (a) Basic requirements. (1) The agency must refund the Federal share of overpayments that are subject to recovery to CMS through a credit on its Quarterly Statement of Expenditures (Form CMS-64). (2) The agency must credit CMS with the Federal share of overpayments subject to recovery on the earlier of - (i) The Form CMS-64 submission due to CMS for the quarter in which the State recovers the overpayment from the provider; or (ii) The Form CMS-64 due to CMS for the quarter in which the 1-year period following discovery, established in accordance with ? 433.316, ends. (3) A credit on the Form CMS-64 must be made whether or not the overpayment has been recovered by the State from the provider. (4) If the State does not refund the Federal share of such overpayment as indicated in paragraph (a)(2) of this section, the State will be liable for interest on the amount equal to the Federal share of the non-recovered, nonrefunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate (CVFR), and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment.
2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-062 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Assistance Listing Number and Title: 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 ? State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 ? Medical Assistance Program Federal Grantor Name: U. S. Department of Health and Human Services Federal Award Number: 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 2205WA5MAP; 2205WA5ADM Pass-through Entity: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Test and Provisions: Medicaid Fraud Control Unit (MFCU) Known Questioned Cost Amount: $977,613 Background Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one-third of the State?s federal expenditures. During fiscal year 2022, the program spent about $17.6 billion in federal and state funds. The Health Care Authority is required to refer suspected fraud or other criminal violations to the Medicaid Fraud Control Division (MFCD) for investigation and prosecution. The Authority reports any overpayment recoveries resulting from MFCD actions on the CMS-64 report. The CMS-64 report is the quarterly statement of Medicaid Program expenditures that agencies use to report the actual program benefit costs and administrative expenses to the Centers for Medicare & Medicaid Services (CMS). CMS uses this information to compute the federal financial participation for the state?s Medicaid Program costs. When MFCD completes an investigation, it sends the final results over to the Authority for management review and signature. After a final judgement is made on an overpayment resulting from fraud, the State has 30 days to refund the entire federal share. Once the Authority receives the outcome, a Journal Voucher (JV) is created to move the federal portion of the overpayment over to state-only funding, which creates a credit on the CMS-64 report. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to report MCFD overpayment recoveries on the CMS-64 report. The prior finding numbers were 2021-052 and 2020-050. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Our audit found the Authority did not create JVs to move the entire federal portion of the two final judgments resulting from fraud over to state-only funding or report the entire overpayment on the CMS-64 report as a credit. Instead, the Authority only created JVs of the payments as they were made to the State. Additionally, the Authority did not have policies and procedures in place that described the process staff should follow for creating the JV or for reporting the MFCD overpayments on the CMS-64 report. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Management did not implement sufficient internal controls to ensure the Authority returned recoveries of fraudulent overpayments to the grantor in a timely manner. Additionally, the MFCD inadvertently did not notify the Authority at the time of final filing for one judgement resolution. Effect of Condition and Questioned Costs For fiscal year 2022, two final judgements were made totaling $2,792,013 in overpayments resulting from fraud. The Authority created JVs and reported $139,718 on the CMS-64 report dated June 30, 2022. JVs for the entire federal portion should have been processed and reported on the June 30, 2022 CMS-64 report. We are questioning the costs of $977,613 that the Authority did not report on the CMS-64 report or return to CMS, as federal regulations require. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Establish a formal process to ensure it properly reports recoveries of fraudulent overpayments on the quarterly CMS-64 report ? Consult with the federal grantor about whether or not the questioned costs identified in the finding should be repaid Authority?s Response The Authority partially concurs with the finding. It has documented the processes and procedures staff will follow to acknowledge and comply with the applicable federal rules and regulations concerning the timely return of federal revenue associated with fraudulent overpayments. The authority does not concur with repayment of $976,580 questioned costs related to one of the fraud referrals. The provider in this case was out of business and its business license expired May 2017, and then became inactive October 2017. The State pursued assets through available means and through the court. Final court rulings were made in June 2022, and in April 2023, within one year of the final rulings, the Attorney General?s Office certified that the defaulted corporation had no identifiable assets. In accordance with 42 CFR 433.318 (d) the provider is out of business and the Authority is not required to refund overpayment to CMS. The Authority will work with the Centers for Medicaid & Medicare Services to coordinate the return of the remaining $1,032 in identified questioned costs. Auditor?s Remarks The Authority states that the $976,580 in questioned costs is not required to be returned due to the corporation having no identifiable assets. While this may be the case since the Attorney General?s Office certified the corporation had no assets on April 13th, 2023, which was outside of our audit scope, the summary judgement order for this case was issued on May 2, 2022, and the overpayments were required to be returned within 30 days of that ruling. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 42 U.S. Code of Federal Regulations (CFR) Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers states in part: Section 433.300 Basis. This subpart implements - (a) Section 1903(d)(2)(A) of the Act, which directs that quarterly Federal payments to the States under title XIX (Medicaid) of the Act are to be reduced or increased to make adjustment for prior overpayments or underpayments that the Secretary determines have been made. (b) Section 1903(d)(2)(C) and (D) of the Act, which provides that a State has 1 year from discovery of an overpayment for Medicaid services to recover or attempt to recover the overpayment from the provider before adjustment in the Federal Medicaid payment to the State is made; and that adjustment will be made at the end of the 1-year period, whether or not recovery is made, unless the State is unable to recover from a provider because the overpayment is a debt that has been discharged in bankruptcy or is otherwise uncollectable. (c) Section 1903(d)(3) of the Act, which provides that the Secretary will consider the pro rata Federal share of the net amount recovered by a State during any quarter to be an overpayment. Section 433.312 Basic requirements for refunds. (a) Basic rules. (1) Except as provided in paragraph (b) of this section, the State Medicaid agency has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. (2) The State Medicaid agency must refund the Federal share of overpayments at the end of the 1-year period following discovery in accordance with the requirements of this subpart, whether or not the State has recovered the overpayment from the provider. (b) Exception. The agency is not required to refund the Federal share of an overpayment made to a provider when the State is unable to recover the overpayment amount because the provider has been determined bankrupt or out of business in accordance with ? 433.318. Section 433.316 When discovery of overpayment occurs and its significance. (a) General rule. The date on which an overpayment is discovered is the beginning date of the 1-year period allowed for a State to recover or seek to recover an overpayment before a refund of the Federal share of an overpayment must be made to CMS. (b) Requirements for notification. Unless a State official or fiscal agent of the State chooses to initiate a formal recoupment action against a provider without first giving written notification of its intent, a State Medicaid agency official or other State official must notify the provider in writing of any overpayment it discovers in accordance with State agency policies and procedures and must take reasonable actions to attempt to recover the overpayment in accordance with State law and procedures. (c) Overpayments resulting from situations other than fraud. An overpayment resulting from a situation other than fraud is discovered on the earliest of - - (1) The date on which any Medicaid agency official or other State official first notifies a provider in writing of an overpayment and specifies a dollar amount that is subject to recovery; (2) The date on which a provider initially acknowledges a specific overpaid amount in writing to the medicaid agency; or (3) The date on which any State official or fiscal agent of the State initiates a formal action to recoup a specific overpaid amount from a provider without having first notified the provider in writing. (d) Overpayments resulting from fraud. (1) An overpayment that results from fraud is discovered on the date of the final written notice (as defined in ? 433.304 of this subchapter) of the State's overpayment determination. (2) When the State is unable to recover a debt which represents an overpayment (or any portion thereof) resulting from fraud within 1 year of discovery because no final determination of the amount of the overpayment has been made under an administrative or judicial process (as applicable), including as a result of a judgment being under appeal, no adjustment shall be made in the Federal payment to such State on account of such overpayment (or any portion thereof) until 30 days after the date on which a final judgment (including, if applicable, a final determination on an appeal) is made. (3) The Medicaid agency may treat an overpayment made to a Medicaid provider as resulting from fraud under subsection (d) of this section only if it has referred a provider's case to the Medicaid fraud control unit, or appropriate law enforcement agency in States with no certified Medicaid fraud control unit, as required by ? 455.15, ? 455.21, or ? 455.23 of this chapter, and the Medicaid fraud control unit or appropriate law enforcement agency has provided the Medicaid agency with written notification of acceptance of the case; or if the Medicaid fraud control unit or appropriate law enforcement agency has filed a civil or criminal action against a provider and has notified the State Medicaid agency. (e) Overpayments identified through Federal reviews. If a Federal review at any time indicates that a State has failed to identify an overpayment or a State has identified an overpayment but has failed to either send written notice of the overpayment to the provider that specified a dollar amount subject to recovery or initiate a formal recoupment from the provider without having first notified the provider in writing, CMS will consider the overpayment as discovered on the date that the Federal official first notifies the State in writing of the overpayment and specifies a dollar amount subject to recovery. (f) Effect of changes in overpayment amount. Any adjustment in the amount of an overpayment during the 1-year period following discovery (made in accordance with the approved State plan, Federal law and regulations governing Medicaid, and the appeals resolution process specified in State administrative policies and procedures) has the following effect on the 1-year recovery period: (1) A downward adjustment in the amount of an overpayment subject to recovery that occurs after discovery does not change the original 1-year recovery period for the outstanding balance. (2) An upward adjustment in the amount of an overpayment subject to recovery that occurs during the 1-year period following discovery does not change the 1-year recovery period for the original overpayment amount. A new 1-year period begins for the incremental amount only, beginning with the date of the State's written notification to the provider regarding the upward adjustment. (g) Effect of partial collection by State. A partial collection of an overpayment amount by the State from a provider during the 1-year period following discovery does not change the 1-year recovery period for the balance of the original overpayment amount due to CMS. (h) Effect of administrative or judicial appeals. Any appeal rights extended to a provider do not extend Section 433.320 Procedures for Refunds to CMS. (a) Basic requirements. (1) The agency must refund the Federal share of overpayments that are subject to recovery to CMS through a credit on its Quarterly Statement of Expenditures (Form CMS-64). (2) The agency must credit CMS with the Federal share of overpayments subject to recovery on the earlier of - (i) The Form CMS-64 submission due to CMS for the quarter in which the State recovers the overpayment from the provider; or (ii) The Form CMS-64 due to CMS for the quarter in which the 1-year period following discovery, established in accordance with ? 433.316, ends. (3) A credit on the Form CMS-64 must be made whether or not the overpayment has been recovered by the State from the provider. (4) If the State does not refund the Federal share of such overpayment as indicated in paragraph (a)(2) of this section, the State will be liable for interest on the amount equal to the Federal share of the non-recovered, nonrefunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate (CVFR), and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment.
2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-062 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Assistance Listing Number and Title: 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 ? State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 ? Medical Assistance Program Federal Grantor Name: U. S. Department of Health and Human Services Federal Award Number: 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 2205WA5MAP; 2205WA5ADM Pass-through Entity: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Test and Provisions: Medicaid Fraud Control Unit (MFCU) Known Questioned Cost Amount: $977,613 Background Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one-third of the State?s federal expenditures. During fiscal year 2022, the program spent about $17.6 billion in federal and state funds. The Health Care Authority is required to refer suspected fraud or other criminal violations to the Medicaid Fraud Control Division (MFCD) for investigation and prosecution. The Authority reports any overpayment recoveries resulting from MFCD actions on the CMS-64 report. The CMS-64 report is the quarterly statement of Medicaid Program expenditures that agencies use to report the actual program benefit costs and administrative expenses to the Centers for Medicare & Medicaid Services (CMS). CMS uses this information to compute the federal financial participation for the state?s Medicaid Program costs. When MFCD completes an investigation, it sends the final results over to the Authority for management review and signature. After a final judgement is made on an overpayment resulting from fraud, the State has 30 days to refund the entire federal share. Once the Authority receives the outcome, a Journal Voucher (JV) is created to move the federal portion of the overpayment over to state-only funding, which creates a credit on the CMS-64 report. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to report MCFD overpayment recoveries on the CMS-64 report. The prior finding numbers were 2021-052 and 2020-050. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Our audit found the Authority did not create JVs to move the entire federal portion of the two final judgments resulting from fraud over to state-only funding or report the entire overpayment on the CMS-64 report as a credit. Instead, the Authority only created JVs of the payments as they were made to the State. Additionally, the Authority did not have policies and procedures in place that described the process staff should follow for creating the JV or for reporting the MFCD overpayments on the CMS-64 report. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Management did not implement sufficient internal controls to ensure the Authority returned recoveries of fraudulent overpayments to the grantor in a timely manner. Additionally, the MFCD inadvertently did not notify the Authority at the time of final filing for one judgement resolution. Effect of Condition and Questioned Costs For fiscal year 2022, two final judgements were made totaling $2,792,013 in overpayments resulting from fraud. The Authority created JVs and reported $139,718 on the CMS-64 report dated June 30, 2022. JVs for the entire federal portion should have been processed and reported on the June 30, 2022 CMS-64 report. We are questioning the costs of $977,613 that the Authority did not report on the CMS-64 report or return to CMS, as federal regulations require. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Establish a formal process to ensure it properly reports recoveries of fraudulent overpayments on the quarterly CMS-64 report ? Consult with the federal grantor about whether or not the questioned costs identified in the finding should be repaid Authority?s Response The Authority partially concurs with the finding. It has documented the processes and procedures staff will follow to acknowledge and comply with the applicable federal rules and regulations concerning the timely return of federal revenue associated with fraudulent overpayments. The authority does not concur with repayment of $976,580 questioned costs related to one of the fraud referrals. The provider in this case was out of business and its business license expired May 2017, and then became inactive October 2017. The State pursued assets through available means and through the court. Final court rulings were made in June 2022, and in April 2023, within one year of the final rulings, the Attorney General?s Office certified that the defaulted corporation had no identifiable assets. In accordance with 42 CFR 433.318 (d) the provider is out of business and the Authority is not required to refund overpayment to CMS. The Authority will work with the Centers for Medicaid & Medicare Services to coordinate the return of the remaining $1,032 in identified questioned costs. Auditor?s Remarks The Authority states that the $976,580 in questioned costs is not required to be returned due to the corporation having no identifiable assets. While this may be the case since the Attorney General?s Office certified the corporation had no assets on April 13th, 2023, which was outside of our audit scope, the summary judgement order for this case was issued on May 2, 2022, and the overpayments were required to be returned within 30 days of that ruling. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 42 U.S. Code of Federal Regulations (CFR) Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers states in part: Section 433.300 Basis. This subpart implements - (a) Section 1903(d)(2)(A) of the Act, which directs that quarterly Federal payments to the States under title XIX (Medicaid) of the Act are to be reduced or increased to make adjustment for prior overpayments or underpayments that the Secretary determines have been made. (b) Section 1903(d)(2)(C) and (D) of the Act, which provides that a State has 1 year from discovery of an overpayment for Medicaid services to recover or attempt to recover the overpayment from the provider before adjustment in the Federal Medicaid payment to the State is made; and that adjustment will be made at the end of the 1-year period, whether or not recovery is made, unless the State is unable to recover from a provider because the overpayment is a debt that has been discharged in bankruptcy or is otherwise uncollectable. (c) Section 1903(d)(3) of the Act, which provides that the Secretary will consider the pro rata Federal share of the net amount recovered by a State during any quarter to be an overpayment. Section 433.312 Basic requirements for refunds. (a) Basic rules. (1) Except as provided in paragraph (b) of this section, the State Medicaid agency has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. (2) The State Medicaid agency must refund the Federal share of overpayments at the end of the 1-year period following discovery in accordance with the requirements of this subpart, whether or not the State has recovered the overpayment from the provider. (b) Exception. The agency is not required to refund the Federal share of an overpayment made to a provider when the State is unable to recover the overpayment amount because the provider has been determined bankrupt or out of business in accordance with ? 433.318. Section 433.316 When discovery of overpayment occurs and its significance. (a) General rule. The date on which an overpayment is discovered is the beginning date of the 1-year period allowed for a State to recover or seek to recover an overpayment before a refund of the Federal share of an overpayment must be made to CMS. (b) Requirements for notification. Unless a State official or fiscal agent of the State chooses to initiate a formal recoupment action against a provider without first giving written notification of its intent, a State Medicaid agency official or other State official must notify the provider in writing of any overpayment it discovers in accordance with State agency policies and procedures and must take reasonable actions to attempt to recover the overpayment in accordance with State law and procedures. (c) Overpayments resulting from situations other than fraud. An overpayment resulting from a situation other than fraud is discovered on the earliest of - - (1) The date on which any Medicaid agency official or other State official first notifies a provider in writing of an overpayment and specifies a dollar amount that is subject to recovery; (2) The date on which a provider initially acknowledges a specific overpaid amount in writing to the medicaid agency; or (3) The date on which any State official or fiscal agent of the State initiates a formal action to recoup a specific overpaid amount from a provider without having first notified the provider in writing. (d) Overpayments resulting from fraud. (1) An overpayment that results from fraud is discovered on the date of the final written notice (as defined in ? 433.304 of this subchapter) of the State's overpayment determination. (2) When the State is unable to recover a debt which represents an overpayment (or any portion thereof) resulting from fraud within 1 year of discovery because no final determination of the amount of the overpayment has been made under an administrative or judicial process (as applicable), including as a result of a judgment being under appeal, no adjustment shall be made in the Federal payment to such State on account of such overpayment (or any portion thereof) until 30 days after the date on which a final judgment (including, if applicable, a final determination on an appeal) is made. (3) The Medicaid agency may treat an overpayment made to a Medicaid provider as resulting from fraud under subsection (d) of this section only if it has referred a provider's case to the Medicaid fraud control unit, or appropriate law enforcement agency in States with no certified Medicaid fraud control unit, as required by ? 455.15, ? 455.21, or ? 455.23 of this chapter, and the Medicaid fraud control unit or appropriate law enforcement agency has provided the Medicaid agency with written notification of acceptance of the case; or if the Medicaid fraud control unit or appropriate law enforcement agency has filed a civil or criminal action against a provider and has notified the State Medicaid agency. (e) Overpayments identified through Federal reviews. If a Federal review at any time indicates that a State has failed to identify an overpayment or a State has identified an overpayment but has failed to either send written notice of the overpayment to the provider that specified a dollar amount subject to recovery or initiate a formal recoupment from the provider without having first notified the provider in writing, CMS will consider the overpayment as discovered on the date that the Federal official first notifies the State in writing of the overpayment and specifies a dollar amount subject to recovery. (f) Effect of changes in overpayment amount. Any adjustment in the amount of an overpayment during the 1-year period following discovery (made in accordance with the approved State plan, Federal law and regulations governing Medicaid, and the appeals resolution process specified in State administrative policies and procedures) has the following effect on the 1-year recovery period: (1) A downward adjustment in the amount of an overpayment subject to recovery that occurs after discovery does not change the original 1-year recovery period for the outstanding balance. (2) An upward adjustment in the amount of an overpayment subject to recovery that occurs during the 1-year period following discovery does not change the 1-year recovery period for the original overpayment amount. A new 1-year period begins for the incremental amount only, beginning with the date of the State's written notification to the provider regarding the upward adjustment. (g) Effect of partial collection by State. A partial collection of an overpayment amount by the State from a provider during the 1-year period following discovery does not change the 1-year recovery period for the balance of the original overpayment amount due to CMS. (h) Effect of administrative or judicial appeals. Any appeal rights extended to a provider do not extend Section 433.320 Procedures for Refunds to CMS. (a) Basic requirements. (1) The agency must refund the Federal share of overpayments that are subject to recovery to CMS through a credit on its Quarterly Statement of Expenditures (Form CMS-64). (2) The agency must credit CMS with the Federal share of overpayments subject to recovery on the earlier of - (i) The Form CMS-64 submission due to CMS for the quarter in which the State recovers the overpayment from the provider; or (ii) The Form CMS-64 due to CMS for the quarter in which the 1-year period following discovery, established in accordance with ? 433.316, ends. (3) A credit on the Form CMS-64 must be made whether or not the overpayment has been recovered by the State from the provider. (4) If the State does not refund the Federal share of such overpayment as indicated in paragraph (a)(2) of this section, the State will be liable for interest on the amount equal to the Federal share of the non-recovered, nonrefunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate (CVFR), and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment.
2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-062 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Assistance Listing Number and Title: 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 ? State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 ? Medical Assistance Program Federal Grantor Name: U. S. Department of Health and Human Services Federal Award Number: 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 2205WA5MAP; 2205WA5ADM Pass-through Entity: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Test and Provisions: Medicaid Fraud Control Unit (MFCU) Known Questioned Cost Amount: $977,613 Background Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one-third of the State?s federal expenditures. During fiscal year 2022, the program spent about $17.6 billion in federal and state funds. The Health Care Authority is required to refer suspected fraud or other criminal violations to the Medicaid Fraud Control Division (MFCD) for investigation and prosecution. The Authority reports any overpayment recoveries resulting from MFCD actions on the CMS-64 report. The CMS-64 report is the quarterly statement of Medicaid Program expenditures that agencies use to report the actual program benefit costs and administrative expenses to the Centers for Medicare & Medicaid Services (CMS). CMS uses this information to compute the federal financial participation for the state?s Medicaid Program costs. When MFCD completes an investigation, it sends the final results over to the Authority for management review and signature. After a final judgement is made on an overpayment resulting from fraud, the State has 30 days to refund the entire federal share. Once the Authority receives the outcome, a Journal Voucher (JV) is created to move the federal portion of the overpayment over to state-only funding, which creates a credit on the CMS-64 report. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to report MCFD overpayment recoveries on the CMS-64 report. The prior finding numbers were 2021-052 and 2020-050. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Our audit found the Authority did not create JVs to move the entire federal portion of the two final judgments resulting from fraud over to state-only funding or report the entire overpayment on the CMS-64 report as a credit. Instead, the Authority only created JVs of the payments as they were made to the State. Additionally, the Authority did not have policies and procedures in place that described the process staff should follow for creating the JV or for reporting the MFCD overpayments on the CMS-64 report. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Management did not implement sufficient internal controls to ensure the Authority returned recoveries of fraudulent overpayments to the grantor in a timely manner. Additionally, the MFCD inadvertently did not notify the Authority at the time of final filing for one judgement resolution. Effect of Condition and Questioned Costs For fiscal year 2022, two final judgements were made totaling $2,792,013 in overpayments resulting from fraud. The Authority created JVs and reported $139,718 on the CMS-64 report dated June 30, 2022. JVs for the entire federal portion should have been processed and reported on the June 30, 2022 CMS-64 report. We are questioning the costs of $977,613 that the Authority did not report on the CMS-64 report or return to CMS, as federal regulations require. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Establish a formal process to ensure it properly reports recoveries of fraudulent overpayments on the quarterly CMS-64 report ? Consult with the federal grantor about whether or not the questioned costs identified in the finding should be repaid Authority?s Response The Authority partially concurs with the finding. It has documented the processes and procedures staff will follow to acknowledge and comply with the applicable federal rules and regulations concerning the timely return of federal revenue associated with fraudulent overpayments. The authority does not concur with repayment of $976,580 questioned costs related to one of the fraud referrals. The provider in this case was out of business and its business license expired May 2017, and then became inactive October 2017. The State pursued assets through available means and through the court. Final court rulings were made in June 2022, and in April 2023, within one year of the final rulings, the Attorney General?s Office certified that the defaulted corporation had no identifiable assets. In accordance with 42 CFR 433.318 (d) the provider is out of business and the Authority is not required to refund overpayment to CMS. The Authority will work with the Centers for Medicaid & Medicare Services to coordinate the return of the remaining $1,032 in identified questioned costs. Auditor?s Remarks The Authority states that the $976,580 in questioned costs is not required to be returned due to the corporation having no identifiable assets. While this may be the case since the Attorney General?s Office certified the corporation had no assets on April 13th, 2023, which was outside of our audit scope, the summary judgement order for this case was issued on May 2, 2022, and the overpayments were required to be returned within 30 days of that ruling. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 42 U.S. Code of Federal Regulations (CFR) Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers states in part: Section 433.300 Basis. This subpart implements - (a) Section 1903(d)(2)(A) of the Act, which directs that quarterly Federal payments to the States under title XIX (Medicaid) of the Act are to be reduced or increased to make adjustment for prior overpayments or underpayments that the Secretary determines have been made. (b) Section 1903(d)(2)(C) and (D) of the Act, which provides that a State has 1 year from discovery of an overpayment for Medicaid services to recover or attempt to recover the overpayment from the provider before adjustment in the Federal Medicaid payment to the State is made; and that adjustment will be made at the end of the 1-year period, whether or not recovery is made, unless the State is unable to recover from a provider because the overpayment is a debt that has been discharged in bankruptcy or is otherwise uncollectable. (c) Section 1903(d)(3) of the Act, which provides that the Secretary will consider the pro rata Federal share of the net amount recovered by a State during any quarter to be an overpayment. Section 433.312 Basic requirements for refunds. (a) Basic rules. (1) Except as provided in paragraph (b) of this section, the State Medicaid agency has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. (2) The State Medicaid agency must refund the Federal share of overpayments at the end of the 1-year period following discovery in accordance with the requirements of this subpart, whether or not the State has recovered the overpayment from the provider. (b) Exception. The agency is not required to refund the Federal share of an overpayment made to a provider when the State is unable to recover the overpayment amount because the provider has been determined bankrupt or out of business in accordance with ? 433.318. Section 433.316 When discovery of overpayment occurs and its significance. (a) General rule. The date on which an overpayment is discovered is the beginning date of the 1-year period allowed for a State to recover or seek to recover an overpayment before a refund of the Federal share of an overpayment must be made to CMS. (b) Requirements for notification. Unless a State official or fiscal agent of the State chooses to initiate a formal recoupment action against a provider without first giving written notification of its intent, a State Medicaid agency official or other State official must notify the provider in writing of any overpayment it discovers in accordance with State agency policies and procedures and must take reasonable actions to attempt to recover the overpayment in accordance with State law and procedures. (c) Overpayments resulting from situations other than fraud. An overpayment resulting from a situation other than fraud is discovered on the earliest of - - (1) The date on which any Medicaid agency official or other State official first notifies a provider in writing of an overpayment and specifies a dollar amount that is subject to recovery; (2) The date on which a provider initially acknowledges a specific overpaid amount in writing to the medicaid agency; or (3) The date on which any State official or fiscal agent of the State initiates a formal action to recoup a specific overpaid amount from a provider without having first notified the provider in writing. (d) Overpayments resulting from fraud. (1) An overpayment that results from fraud is discovered on the date of the final written notice (as defined in ? 433.304 of this subchapter) of the State's overpayment determination. (2) When the State is unable to recover a debt which represents an overpayment (or any portion thereof) resulting from fraud within 1 year of discovery because no final determination of the amount of the overpayment has been made under an administrative or judicial process (as applicable), including as a result of a judgment being under appeal, no adjustment shall be made in the Federal payment to such State on account of such overpayment (or any portion thereof) until 30 days after the date on which a final judgment (including, if applicable, a final determination on an appeal) is made. (3) The Medicaid agency may treat an overpayment made to a Medicaid provider as resulting from fraud under subsection (d) of this section only if it has referred a provider's case to the Medicaid fraud control unit, or appropriate law enforcement agency in States with no certified Medicaid fraud control unit, as required by ? 455.15, ? 455.21, or ? 455.23 of this chapter, and the Medicaid fraud control unit or appropriate law enforcement agency has provided the Medicaid agency with written notification of acceptance of the case; or if the Medicaid fraud control unit or appropriate law enforcement agency has filed a civil or criminal action against a provider and has notified the State Medicaid agency. (e) Overpayments identified through Federal reviews. If a Federal review at any time indicates that a State has failed to identify an overpayment or a State has identified an overpayment but has failed to either send written notice of the overpayment to the provider that specified a dollar amount subject to recovery or initiate a formal recoupment from the provider without having first notified the provider in writing, CMS will consider the overpayment as discovered on the date that the Federal official first notifies the State in writing of the overpayment and specifies a dollar amount subject to recovery. (f) Effect of changes in overpayment amount. Any adjustment in the amount of an overpayment during the 1-year period following discovery (made in accordance with the approved State plan, Federal law and regulations governing Medicaid, and the appeals resolution process specified in State administrative policies and procedures) has the following effect on the 1-year recovery period: (1) A downward adjustment in the amount of an overpayment subject to recovery that occurs after discovery does not change the original 1-year recovery period for the outstanding balance. (2) An upward adjustment in the amount of an overpayment subject to recovery that occurs during the 1-year period following discovery does not change the 1-year recovery period for the original overpayment amount. A new 1-year period begins for the incremental amount only, beginning with the date of the State's written notification to the provider regarding the upward adjustment. (g) Effect of partial collection by State. A partial collection of an overpayment amount by the State from a provider during the 1-year period following discovery does not change the 1-year recovery period for the balance of the original overpayment amount due to CMS. (h) Effect of administrative or judicial appeals. Any appeal rights extended to a provider do not extend Section 433.320 Procedures for Refunds to CMS. (a) Basic requirements. (1) The agency must refund the Federal share of overpayments that are subject to recovery to CMS through a credit on its Quarterly Statement of Expenditures (Form CMS-64). (2) The agency must credit CMS with the Federal share of overpayments subject to recovery on the earlier of - (i) The Form CMS-64 submission due to CMS for the quarter in which the State recovers the overpayment from the provider; or (ii) The Form CMS-64 due to CMS for the quarter in which the 1-year period following discovery, established in accordance with ? 433.316, ends. (3) A credit on the Form CMS-64 must be made whether or not the overpayment has been recovered by the State from the provider. (4) If the State does not refund the Federal share of such overpayment as indicated in paragraph (a)(2) of this section, the State will be liable for interest on the amount equal to the Federal share of the non-recovered, nonrefunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate (CVFR), and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment.
2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-062 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Assistance Listing Number and Title: 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 ? State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 ? Medical Assistance Program Federal Grantor Name: U. S. Department of Health and Human Services Federal Award Number: 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 2205WA5MAP; 2205WA5ADM Pass-through Entity: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Test and Provisions: Medicaid Fraud Control Unit (MFCU) Known Questioned Cost Amount: $977,613 Background Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one-third of the State?s federal expenditures. During fiscal year 2022, the program spent about $17.6 billion in federal and state funds. The Health Care Authority is required to refer suspected fraud or other criminal violations to the Medicaid Fraud Control Division (MFCD) for investigation and prosecution. The Authority reports any overpayment recoveries resulting from MFCD actions on the CMS-64 report. The CMS-64 report is the quarterly statement of Medicaid Program expenditures that agencies use to report the actual program benefit costs and administrative expenses to the Centers for Medicare & Medicaid Services (CMS). CMS uses this information to compute the federal financial participation for the state?s Medicaid Program costs. When MFCD completes an investigation, it sends the final results over to the Authority for management review and signature. After a final judgement is made on an overpayment resulting from fraud, the State has 30 days to refund the entire federal share. Once the Authority receives the outcome, a Journal Voucher (JV) is created to move the federal portion of the overpayment over to state-only funding, which creates a credit on the CMS-64 report. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to report MCFD overpayment recoveries on the CMS-64 report. The prior finding numbers were 2021-052 and 2020-050. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Our audit found the Authority did not create JVs to move the entire federal portion of the two final judgments resulting from fraud over to state-only funding or report the entire overpayment on the CMS-64 report as a credit. Instead, the Authority only created JVs of the payments as they were made to the State. Additionally, the Authority did not have policies and procedures in place that described the process staff should follow for creating the JV or for reporting the MFCD overpayments on the CMS-64 report. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Management did not implement sufficient internal controls to ensure the Authority returned recoveries of fraudulent overpayments to the grantor in a timely manner. Additionally, the MFCD inadvertently did not notify the Authority at the time of final filing for one judgement resolution. Effect of Condition and Questioned Costs For fiscal year 2022, two final judgements were made totaling $2,792,013 in overpayments resulting from fraud. The Authority created JVs and reported $139,718 on the CMS-64 report dated June 30, 2022. JVs for the entire federal portion should have been processed and reported on the June 30, 2022 CMS-64 report. We are questioning the costs of $977,613 that the Authority did not report on the CMS-64 report or return to CMS, as federal regulations require. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Establish a formal process to ensure it properly reports recoveries of fraudulent overpayments on the quarterly CMS-64 report ? Consult with the federal grantor about whether or not the questioned costs identified in the finding should be repaid Authority?s Response The Authority partially concurs with the finding. It has documented the processes and procedures staff will follow to acknowledge and comply with the applicable federal rules and regulations concerning the timely return of federal revenue associated with fraudulent overpayments. The authority does not concur with repayment of $976,580 questioned costs related to one of the fraud referrals. The provider in this case was out of business and its business license expired May 2017, and then became inactive October 2017. The State pursued assets through available means and through the court. Final court rulings were made in June 2022, and in April 2023, within one year of the final rulings, the Attorney General?s Office certified that the defaulted corporation had no identifiable assets. In accordance with 42 CFR 433.318 (d) the provider is out of business and the Authority is not required to refund overpayment to CMS. The Authority will work with the Centers for Medicaid & Medicare Services to coordinate the return of the remaining $1,032 in identified questioned costs. Auditor?s Remarks The Authority states that the $976,580 in questioned costs is not required to be returned due to the corporation having no identifiable assets. While this may be the case since the Attorney General?s Office certified the corporation had no assets on April 13th, 2023, which was outside of our audit scope, the summary judgement order for this case was issued on May 2, 2022, and the overpayments were required to be returned within 30 days of that ruling. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 42 U.S. Code of Federal Regulations (CFR) Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers states in part: Section 433.300 Basis. This subpart implements - (a) Section 1903(d)(2)(A) of the Act, which directs that quarterly Federal payments to the States under title XIX (Medicaid) of the Act are to be reduced or increased to make adjustment for prior overpayments or underpayments that the Secretary determines have been made. (b) Section 1903(d)(2)(C) and (D) of the Act, which provides that a State has 1 year from discovery of an overpayment for Medicaid services to recover or attempt to recover the overpayment from the provider before adjustment in the Federal Medicaid payment to the State is made; and that adjustment will be made at the end of the 1-year period, whether or not recovery is made, unless the State is unable to recover from a provider because the overpayment is a debt that has been discharged in bankruptcy or is otherwise uncollectable. (c) Section 1903(d)(3) of the Act, which provides that the Secretary will consider the pro rata Federal share of the net amount recovered by a State during any quarter to be an overpayment. Section 433.312 Basic requirements for refunds. (a) Basic rules. (1) Except as provided in paragraph (b) of this section, the State Medicaid agency has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. (2) The State Medicaid agency must refund the Federal share of overpayments at the end of the 1-year period following discovery in accordance with the requirements of this subpart, whether or not the State has recovered the overpayment from the provider. (b) Exception. The agency is not required to refund the Federal share of an overpayment made to a provider when the State is unable to recover the overpayment amount because the provider has been determined bankrupt or out of business in accordance with ? 433.318. Section 433.316 When discovery of overpayment occurs and its significance. (a) General rule. The date on which an overpayment is discovered is the beginning date of the 1-year period allowed for a State to recover or seek to recover an overpayment before a refund of the Federal share of an overpayment must be made to CMS. (b) Requirements for notification. Unless a State official or fiscal agent of the State chooses to initiate a formal recoupment action against a provider without first giving written notification of its intent, a State Medicaid agency official or other State official must notify the provider in writing of any overpayment it discovers in accordance with State agency policies and procedures and must take reasonable actions to attempt to recover the overpayment in accordance with State law and procedures. (c) Overpayments resulting from situations other than fraud. An overpayment resulting from a situation other than fraud is discovered on the earliest of - - (1) The date on which any Medicaid agency official or other State official first notifies a provider in writing of an overpayment and specifies a dollar amount that is subject to recovery; (2) The date on which a provider initially acknowledges a specific overpaid amount in writing to the medicaid agency; or (3) The date on which any State official or fiscal agent of the State initiates a formal action to recoup a specific overpaid amount from a provider without having first notified the provider in writing. (d) Overpayments resulting from fraud. (1) An overpayment that results from fraud is discovered on the date of the final written notice (as defined in ? 433.304 of this subchapter) of the State's overpayment determination. (2) When the State is unable to recover a debt which represents an overpayment (or any portion thereof) resulting from fraud within 1 year of discovery because no final determination of the amount of the overpayment has been made under an administrative or judicial process (as applicable), including as a result of a judgment being under appeal, no adjustment shall be made in the Federal payment to such State on account of such overpayment (or any portion thereof) until 30 days after the date on which a final judgment (including, if applicable, a final determination on an appeal) is made. (3) The Medicaid agency may treat an overpayment made to a Medicaid provider as resulting from fraud under subsection (d) of this section only if it has referred a provider's case to the Medicaid fraud control unit, or appropriate law enforcement agency in States with no certified Medicaid fraud control unit, as required by ? 455.15, ? 455.21, or ? 455.23 of this chapter, and the Medicaid fraud control unit or appropriate law enforcement agency has provided the Medicaid agency with written notification of acceptance of the case; or if the Medicaid fraud control unit or appropriate law enforcement agency has filed a civil or criminal action against a provider and has notified the State Medicaid agency. (e) Overpayments identified through Federal reviews. If a Federal review at any time indicates that a State has failed to identify an overpayment or a State has identified an overpayment but has failed to either send written notice of the overpayment to the provider that specified a dollar amount subject to recovery or initiate a formal recoupment from the provider without having first notified the provider in writing, CMS will consider the overpayment as discovered on the date that the Federal official first notifies the State in writing of the overpayment and specifies a dollar amount subject to recovery. (f) Effect of changes in overpayment amount. Any adjustment in the amount of an overpayment during the 1-year period following discovery (made in accordance with the approved State plan, Federal law and regulations governing Medicaid, and the appeals resolution process specified in State administrative policies and procedures) has the following effect on the 1-year recovery period: (1) A downward adjustment in the amount of an overpayment subject to recovery that occurs after discovery does not change the original 1-year recovery period for the outstanding balance. (2) An upward adjustment in the amount of an overpayment subject to recovery that occurs during the 1-year period following discovery does not change the 1-year recovery period for the original overpayment amount. A new 1-year period begins for the incremental amount only, beginning with the date of the State's written notification to the provider regarding the upward adjustment. (g) Effect of partial collection by State. A partial collection of an overpayment amount by the State from a provider during the 1-year period following discovery does not change the 1-year recovery period for the balance of the original overpayment amount due to CMS. (h) Effect of administrative or judicial appeals. Any appeal rights extended to a provider do not extend Section 433.320 Procedures for Refunds to CMS. (a) Basic requirements. (1) The agency must refund the Federal share of overpayments that are subject to recovery to CMS through a credit on its Quarterly Statement of Expenditures (Form CMS-64). (2) The agency must credit CMS with the Federal share of overpayments subject to recovery on the earlier of - (i) The Form CMS-64 submission due to CMS for the quarter in which the State recovers the overpayment from the provider; or (ii) The Form CMS-64 due to CMS for the quarter in which the 1-year period following discovery, established in accordance with ? 433.316, ends. (3) A credit on the Form CMS-64 must be made whether or not the overpayment has been recovered by the State from the provider. (4) If the State does not refund the Federal share of such overpayment as indicated in paragraph (a)(2) of this section, the State will be liable for interest on the amount equal to the Federal share of the non-recovered, nonrefunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate (CVFR), and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment.
2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-062 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Assistance Listing Number and Title: 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 ? State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 ? Medical Assistance Program Federal Grantor Name: U. S. Department of Health and Human Services Federal Award Number: 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 2205WA5MAP; 2205WA5ADM Pass-through Entity: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Test and Provisions: Medicaid Fraud Control Unit (MFCU) Known Questioned Cost Amount: $977,613 Background Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one-third of the State?s federal expenditures. During fiscal year 2022, the program spent about $17.6 billion in federal and state funds. The Health Care Authority is required to refer suspected fraud or other criminal violations to the Medicaid Fraud Control Division (MFCD) for investigation and prosecution. The Authority reports any overpayment recoveries resulting from MFCD actions on the CMS-64 report. The CMS-64 report is the quarterly statement of Medicaid Program expenditures that agencies use to report the actual program benefit costs and administrative expenses to the Centers for Medicare & Medicaid Services (CMS). CMS uses this information to compute the federal financial participation for the state?s Medicaid Program costs. When MFCD completes an investigation, it sends the final results over to the Authority for management review and signature. After a final judgement is made on an overpayment resulting from fraud, the State has 30 days to refund the entire federal share. Once the Authority receives the outcome, a Journal Voucher (JV) is created to move the federal portion of the overpayment over to state-only funding, which creates a credit on the CMS-64 report. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to report MCFD overpayment recoveries on the CMS-64 report. The prior finding numbers were 2021-052 and 2020-050. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Our audit found the Authority did not create JVs to move the entire federal portion of the two final judgments resulting from fraud over to state-only funding or report the entire overpayment on the CMS-64 report as a credit. Instead, the Authority only created JVs of the payments as they were made to the State. Additionally, the Authority did not have policies and procedures in place that described the process staff should follow for creating the JV or for reporting the MFCD overpayments on the CMS-64 report. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Management did not implement sufficient internal controls to ensure the Authority returned recoveries of fraudulent overpayments to the grantor in a timely manner. Additionally, the MFCD inadvertently did not notify the Authority at the time of final filing for one judgement resolution. Effect of Condition and Questioned Costs For fiscal year 2022, two final judgements were made totaling $2,792,013 in overpayments resulting from fraud. The Authority created JVs and reported $139,718 on the CMS-64 report dated June 30, 2022. JVs for the entire federal portion should have been processed and reported on the June 30, 2022 CMS-64 report. We are questioning the costs of $977,613 that the Authority did not report on the CMS-64 report or return to CMS, as federal regulations require. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Establish a formal process to ensure it properly reports recoveries of fraudulent overpayments on the quarterly CMS-64 report ? Consult with the federal grantor about whether or not the questioned costs identified in the finding should be repaid Authority?s Response The Authority partially concurs with the finding. It has documented the processes and procedures staff will follow to acknowledge and comply with the applicable federal rules and regulations concerning the timely return of federal revenue associated with fraudulent overpayments. The authority does not concur with repayment of $976,580 questioned costs related to one of the fraud referrals. The provider in this case was out of business and its business license expired May 2017, and then became inactive October 2017. The State pursued assets through available means and through the court. Final court rulings were made in June 2022, and in April 2023, within one year of the final rulings, the Attorney General?s Office certified that the defaulted corporation had no identifiable assets. In accordance with 42 CFR 433.318 (d) the provider is out of business and the Authority is not required to refund overpayment to CMS. The Authority will work with the Centers for Medicaid & Medicare Services to coordinate the return of the remaining $1,032 in identified questioned costs. Auditor?s Remarks The Authority states that the $976,580 in questioned costs is not required to be returned due to the corporation having no identifiable assets. While this may be the case since the Attorney General?s Office certified the corporation had no assets on April 13th, 2023, which was outside of our audit scope, the summary judgement order for this case was issued on May 2, 2022, and the overpayments were required to be returned within 30 days of that ruling. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 42 U.S. Code of Federal Regulations (CFR) Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers states in part: Section 433.300 Basis. This subpart implements - (a) Section 1903(d)(2)(A) of the Act, which directs that quarterly Federal payments to the States under title XIX (Medicaid) of the Act are to be reduced or increased to make adjustment for prior overpayments or underpayments that the Secretary determines have been made. (b) Section 1903(d)(2)(C) and (D) of the Act, which provides that a State has 1 year from discovery of an overpayment for Medicaid services to recover or attempt to recover the overpayment from the provider before adjustment in the Federal Medicaid payment to the State is made; and that adjustment will be made at the end of the 1-year period, whether or not recovery is made, unless the State is unable to recover from a provider because the overpayment is a debt that has been discharged in bankruptcy or is otherwise uncollectable. (c) Section 1903(d)(3) of the Act, which provides that the Secretary will consider the pro rata Federal share of the net amount recovered by a State during any quarter to be an overpayment. Section 433.312 Basic requirements for refunds. (a) Basic rules. (1) Except as provided in paragraph (b) of this section, the State Medicaid agency has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. (2) The State Medicaid agency must refund the Federal share of overpayments at the end of the 1-year period following discovery in accordance with the requirements of this subpart, whether or not the State has recovered the overpayment from the provider. (b) Exception. The agency is not required to refund the Federal share of an overpayment made to a provider when the State is unable to recover the overpayment amount because the provider has been determined bankrupt or out of business in accordance with ? 433.318. Section 433.316 When discovery of overpayment occurs and its significance. (a) General rule. The date on which an overpayment is discovered is the beginning date of the 1-year period allowed for a State to recover or seek to recover an overpayment before a refund of the Federal share of an overpayment must be made to CMS. (b) Requirements for notification. Unless a State official or fiscal agent of the State chooses to initiate a formal recoupment action against a provider without first giving written notification of its intent, a State Medicaid agency official or other State official must notify the provider in writing of any overpayment it discovers in accordance with State agency policies and procedures and must take reasonable actions to attempt to recover the overpayment in accordance with State law and procedures. (c) Overpayments resulting from situations other than fraud. An overpayment resulting from a situation other than fraud is discovered on the earliest of - - (1) The date on which any Medicaid agency official or other State official first notifies a provider in writing of an overpayment and specifies a dollar amount that is subject to recovery; (2) The date on which a provider initially acknowledges a specific overpaid amount in writing to the medicaid agency; or (3) The date on which any State official or fiscal agent of the State initiates a formal action to recoup a specific overpaid amount from a provider without having first notified the provider in writing. (d) Overpayments resulting from fraud. (1) An overpayment that results from fraud is discovered on the date of the final written notice (as defined in ? 433.304 of this subchapter) of the State's overpayment determination. (2) When the State is unable to recover a debt which represents an overpayment (or any portion thereof) resulting from fraud within 1 year of discovery because no final determination of the amount of the overpayment has been made under an administrative or judicial process (as applicable), including as a result of a judgment being under appeal, no adjustment shall be made in the Federal payment to such State on account of such overpayment (or any portion thereof) until 30 days after the date on which a final judgment (including, if applicable, a final determination on an appeal) is made. (3) The Medicaid agency may treat an overpayment made to a Medicaid provider as resulting from fraud under subsection (d) of this section only if it has referred a provider's case to the Medicaid fraud control unit, or appropriate law enforcement agency in States with no certified Medicaid fraud control unit, as required by ? 455.15, ? 455.21, or ? 455.23 of this chapter, and the Medicaid fraud control unit or appropriate law enforcement agency has provided the Medicaid agency with written notification of acceptance of the case; or if the Medicaid fraud control unit or appropriate law enforcement agency has filed a civil or criminal action against a provider and has notified the State Medicaid agency. (e) Overpayments identified through Federal reviews. If a Federal review at any time indicates that a State has failed to identify an overpayment or a State has identified an overpayment but has failed to either send written notice of the overpayment to the provider that specified a dollar amount subject to recovery or initiate a formal recoupment from the provider without having first notified the provider in writing, CMS will consider the overpayment as discovered on the date that the Federal official first notifies the State in writing of the overpayment and specifies a dollar amount subject to recovery. (f) Effect of changes in overpayment amount. Any adjustment in the amount of an overpayment during the 1-year period following discovery (made in accordance with the approved State plan, Federal law and regulations governing Medicaid, and the appeals resolution process specified in State administrative policies and procedures) has the following effect on the 1-year recovery period: (1) A downward adjustment in the amount of an overpayment subject to recovery that occurs after discovery does not change the original 1-year recovery period for the outstanding balance. (2) An upward adjustment in the amount of an overpayment subject to recovery that occurs during the 1-year period following discovery does not change the 1-year recovery period for the original overpayment amount. A new 1-year period begins for the incremental amount only, beginning with the date of the State's written notification to the provider regarding the upward adjustment. (g) Effect of partial collection by State. A partial collection of an overpayment amount by the State from a provider during the 1-year period following discovery does not change the 1-year recovery period for the balance of the original overpayment amount due to CMS. (h) Effect of administrative or judicial appeals. Any appeal rights extended to a provider do not extend Section 433.320 Procedures for Refunds to CMS. (a) Basic requirements. (1) The agency must refund the Federal share of overpayments that are subject to recovery to CMS through a credit on its Quarterly Statement of Expenditures (Form CMS-64). (2) The agency must credit CMS with the Federal share of overpayments subject to recovery on the earlier of - (i) The Form CMS-64 submission due to CMS for the quarter in which the State recovers the overpayment from the provider; or (ii) The Form CMS-64 due to CMS for the quarter in which the 1-year period following discovery, established in accordance with ? 433.316, ends. (3) A credit on the Form CMS-64 must be made whether or not the overpayment has been recovered by the State from the provider. (4) If the State does not refund the Federal share of such overpayment as indicated in paragraph (a)(2) of this section, the State will be liable for interest on the amount equal to the Federal share of the non-recovered, nonrefunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate (CVFR), and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment.
2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-062 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Assistance Listing Number and Title: 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 ? State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 ? Medical Assistance Program Federal Grantor Name: U. S. Department of Health and Human Services Federal Award Number: 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 2205WA5MAP; 2205WA5ADM Pass-through Entity: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Test and Provisions: Medicaid Fraud Control Unit (MFCU) Known Questioned Cost Amount: $977,613 Background Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one-third of the State?s federal expenditures. During fiscal year 2022, the program spent about $17.6 billion in federal and state funds. The Health Care Authority is required to refer suspected fraud or other criminal violations to the Medicaid Fraud Control Division (MFCD) for investigation and prosecution. The Authority reports any overpayment recoveries resulting from MFCD actions on the CMS-64 report. The CMS-64 report is the quarterly statement of Medicaid Program expenditures that agencies use to report the actual program benefit costs and administrative expenses to the Centers for Medicare & Medicaid Services (CMS). CMS uses this information to compute the federal financial participation for the state?s Medicaid Program costs. When MFCD completes an investigation, it sends the final results over to the Authority for management review and signature. After a final judgement is made on an overpayment resulting from fraud, the State has 30 days to refund the entire federal share. Once the Authority receives the outcome, a Journal Voucher (JV) is created to move the federal portion of the overpayment over to state-only funding, which creates a credit on the CMS-64 report. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to report MCFD overpayment recoveries on the CMS-64 report. The prior finding numbers were 2021-052 and 2020-050. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Our audit found the Authority did not create JVs to move the entire federal portion of the two final judgments resulting from fraud over to state-only funding or report the entire overpayment on the CMS-64 report as a credit. Instead, the Authority only created JVs of the payments as they were made to the State. Additionally, the Authority did not have policies and procedures in place that described the process staff should follow for creating the JV or for reporting the MFCD overpayments on the CMS-64 report. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Management did not implement sufficient internal controls to ensure the Authority returned recoveries of fraudulent overpayments to the grantor in a timely manner. Additionally, the MFCD inadvertently did not notify the Authority at the time of final filing for one judgement resolution. Effect of Condition and Questioned Costs For fiscal year 2022, two final judgements were made totaling $2,792,013 in overpayments resulting from fraud. The Authority created JVs and reported $139,718 on the CMS-64 report dated June 30, 2022. JVs for the entire federal portion should have been processed and reported on the June 30, 2022 CMS-64 report. We are questioning the costs of $977,613 that the Authority did not report on the CMS-64 report or return to CMS, as federal regulations require. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Establish a formal process to ensure it properly reports recoveries of fraudulent overpayments on the quarterly CMS-64 report ? Consult with the federal grantor about whether or not the questioned costs identified in the finding should be repaid Authority?s Response The Authority partially concurs with the finding. It has documented the processes and procedures staff will follow to acknowledge and comply with the applicable federal rules and regulations concerning the timely return of federal revenue associated with fraudulent overpayments. The authority does not concur with repayment of $976,580 questioned costs related to one of the fraud referrals. The provider in this case was out of business and its business license expired May 2017, and then became inactive October 2017. The State pursued assets through available means and through the court. Final court rulings were made in June 2022, and in April 2023, within one year of the final rulings, the Attorney General?s Office certified that the defaulted corporation had no identifiable assets. In accordance with 42 CFR 433.318 (d) the provider is out of business and the Authority is not required to refund overpayment to CMS. The Authority will work with the Centers for Medicaid & Medicare Services to coordinate the return of the remaining $1,032 in identified questioned costs. Auditor?s Remarks The Authority states that the $976,580 in questioned costs is not required to be returned due to the corporation having no identifiable assets. While this may be the case since the Attorney General?s Office certified the corporation had no assets on April 13th, 2023, which was outside of our audit scope, the summary judgement order for this case was issued on May 2, 2022, and the overpayments were required to be returned within 30 days of that ruling. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 42 U.S. Code of Federal Regulations (CFR) Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers states in part: Section 433.300 Basis. This subpart implements - (a) Section 1903(d)(2)(A) of the Act, which directs that quarterly Federal payments to the States under title XIX (Medicaid) of the Act are to be reduced or increased to make adjustment for prior overpayments or underpayments that the Secretary determines have been made. (b) Section 1903(d)(2)(C) and (D) of the Act, which provides that a State has 1 year from discovery of an overpayment for Medicaid services to recover or attempt to recover the overpayment from the provider before adjustment in the Federal Medicaid payment to the State is made; and that adjustment will be made at the end of the 1-year period, whether or not recovery is made, unless the State is unable to recover from a provider because the overpayment is a debt that has been discharged in bankruptcy or is otherwise uncollectable. (c) Section 1903(d)(3) of the Act, which provides that the Secretary will consider the pro rata Federal share of the net amount recovered by a State during any quarter to be an overpayment. Section 433.312 Basic requirements for refunds. (a) Basic rules. (1) Except as provided in paragraph (b) of this section, the State Medicaid agency has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. (2) The State Medicaid agency must refund the Federal share of overpayments at the end of the 1-year period following discovery in accordance with the requirements of this subpart, whether or not the State has recovered the overpayment from the provider. (b) Exception. The agency is not required to refund the Federal share of an overpayment made to a provider when the State is unable to recover the overpayment amount because the provider has been determined bankrupt or out of business in accordance with ? 433.318. Section 433.316 When discovery of overpayment occurs and its significance. (a) General rule. The date on which an overpayment is discovered is the beginning date of the 1-year period allowed for a State to recover or seek to recover an overpayment before a refund of the Federal share of an overpayment must be made to CMS. (b) Requirements for notification. Unless a State official or fiscal agent of the State chooses to initiate a formal recoupment action against a provider without first giving written notification of its intent, a State Medicaid agency official or other State official must notify the provider in writing of any overpayment it discovers in accordance with State agency policies and procedures and must take reasonable actions to attempt to recover the overpayment in accordance with State law and procedures. (c) Overpayments resulting from situations other than fraud. An overpayment resulting from a situation other than fraud is discovered on the earliest of - - (1) The date on which any Medicaid agency official or other State official first notifies a provider in writing of an overpayment and specifies a dollar amount that is subject to recovery; (2) The date on which a provider initially acknowledges a specific overpaid amount in writing to the medicaid agency; or (3) The date on which any State official or fiscal agent of the State initiates a formal action to recoup a specific overpaid amount from a provider without having first notified the provider in writing. (d) Overpayments resulting from fraud. (1) An overpayment that results from fraud is discovered on the date of the final written notice (as defined in ? 433.304 of this subchapter) of the State's overpayment determination. (2) When the State is unable to recover a debt which represents an overpayment (or any portion thereof) resulting from fraud within 1 year of discovery because no final determination of the amount of the overpayment has been made under an administrative or judicial process (as applicable), including as a result of a judgment being under appeal, no adjustment shall be made in the Federal payment to such State on account of such overpayment (or any portion thereof) until 30 days after the date on which a final judgment (including, if applicable, a final determination on an appeal) is made. (3) The Medicaid agency may treat an overpayment made to a Medicaid provider as resulting from fraud under subsection (d) of this section only if it has referred a provider's case to the Medicaid fraud control unit, or appropriate law enforcement agency in States with no certified Medicaid fraud control unit, as required by ? 455.15, ? 455.21, or ? 455.23 of this chapter, and the Medicaid fraud control unit or appropriate law enforcement agency has provided the Medicaid agency with written notification of acceptance of the case; or if the Medicaid fraud control unit or appropriate law enforcement agency has filed a civil or criminal action against a provider and has notified the State Medicaid agency. (e) Overpayments identified through Federal reviews. If a Federal review at any time indicates that a State has failed to identify an overpayment or a State has identified an overpayment but has failed to either send written notice of the overpayment to the provider that specified a dollar amount subject to recovery or initiate a formal recoupment from the provider without having first notified the provider in writing, CMS will consider the overpayment as discovered on the date that the Federal official first notifies the State in writing of the overpayment and specifies a dollar amount subject to recovery. (f) Effect of changes in overpayment amount. Any adjustment in the amount of an overpayment during the 1-year period following discovery (made in accordance with the approved State plan, Federal law and regulations governing Medicaid, and the appeals resolution process specified in State administrative policies and procedures) has the following effect on the 1-year recovery period: (1) A downward adjustment in the amount of an overpayment subject to recovery that occurs after discovery does not change the original 1-year recovery period for the outstanding balance. (2) An upward adjustment in the amount of an overpayment subject to recovery that occurs during the 1-year period following discovery does not change the 1-year recovery period for the original overpayment amount. A new 1-year period begins for the incremental amount only, beginning with the date of the State's written notification to the provider regarding the upward adjustment. (g) Effect of partial collection by State. A partial collection of an overpayment amount by the State from a provider during the 1-year period following discovery does not change the 1-year recovery period for the balance of the original overpayment amount due to CMS. (h) Effect of administrative or judicial appeals. Any appeal rights extended to a provider do not extend Section 433.320 Procedures for Refunds to CMS. (a) Basic requirements. (1) The agency must refund the Federal share of overpayments that are subject to recovery to CMS through a credit on its Quarterly Statement of Expenditures (Form CMS-64). (2) The agency must credit CMS with the Federal share of overpayments subject to recovery on the earlier of - (i) The Form CMS-64 submission due to CMS for the quarter in which the State recovers the overpayment from the provider; or (ii) The Form CMS-64 due to CMS for the quarter in which the 1-year period following discovery, established in accordance with ? 433.316, ends. (3) A credit on the Form CMS-64 must be made whether or not the overpayment has been recovered by the State from the provider. (4) If the State does not refund the Federal share of such overpayment as indicated in paragraph (a)(2) of this section, the State will be liable for interest on the amount equal to the Federal share of the non-recovered, nonrefunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate (CVFR), and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment.
2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-062 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Assistance Listing Number and Title: 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 ? State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 ? Medical Assistance Program Federal Grantor Name: U. S. Department of Health and Human Services Federal Award Number: 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 2205WA5MAP; 2205WA5ADM Pass-through Entity: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Test and Provisions: Medicaid Fraud Control Unit (MFCU) Known Questioned Cost Amount: $977,613 Background Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one-third of the State?s federal expenditures. During fiscal year 2022, the program spent about $17.6 billion in federal and state funds. The Health Care Authority is required to refer suspected fraud or other criminal violations to the Medicaid Fraud Control Division (MFCD) for investigation and prosecution. The Authority reports any overpayment recoveries resulting from MFCD actions on the CMS-64 report. The CMS-64 report is the quarterly statement of Medicaid Program expenditures that agencies use to report the actual program benefit costs and administrative expenses to the Centers for Medicare & Medicaid Services (CMS). CMS uses this information to compute the federal financial participation for the state?s Medicaid Program costs. When MFCD completes an investigation, it sends the final results over to the Authority for management review and signature. After a final judgement is made on an overpayment resulting from fraud, the State has 30 days to refund the entire federal share. Once the Authority receives the outcome, a Journal Voucher (JV) is created to move the federal portion of the overpayment over to state-only funding, which creates a credit on the CMS-64 report. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to report MCFD overpayment recoveries on the CMS-64 report. The prior finding numbers were 2021-052 and 2020-050. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to report recoveries of fraudulent overpayments on the CMS-64 report. Our audit found the Authority did not create JVs to move the entire federal portion of the two final judgments resulting from fraud over to state-only funding or report the entire overpayment on the CMS-64 report as a credit. Instead, the Authority only created JVs of the payments as they were made to the State. Additionally, the Authority did not have policies and procedures in place that described the process staff should follow for creating the JV or for reporting the MFCD overpayments on the CMS-64 report. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Management did not implement sufficient internal controls to ensure the Authority returned recoveries of fraudulent overpayments to the grantor in a timely manner. Additionally, the MFCD inadvertently did not notify the Authority at the time of final filing for one judgement resolution. Effect of Condition and Questioned Costs For fiscal year 2022, two final judgements were made totaling $2,792,013 in overpayments resulting from fraud. The Authority created JVs and reported $139,718 on the CMS-64 report dated June 30, 2022. JVs for the entire federal portion should have been processed and reported on the June 30, 2022 CMS-64 report. We are questioning the costs of $977,613 that the Authority did not report on the CMS-64 report or return to CMS, as federal regulations require. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Establish a formal process to ensure it properly reports recoveries of fraudulent overpayments on the quarterly CMS-64 report ? Consult with the federal grantor about whether or not the questioned costs identified in the finding should be repaid Authority?s Response The Authority partially concurs with the finding. It has documented the processes and procedures staff will follow to acknowledge and comply with the applicable federal rules and regulations concerning the timely return of federal revenue associated with fraudulent overpayments. The authority does not concur with repayment of $976,580 questioned costs related to one of the fraud referrals. The provider in this case was out of business and its business license expired May 2017, and then became inactive October 2017. The State pursued assets through available means and through the court. Final court rulings were made in June 2022, and in April 2023, within one year of the final rulings, the Attorney General?s Office certified that the defaulted corporation had no identifiable assets. In accordance with 42 CFR 433.318 (d) the provider is out of business and the Authority is not required to refund overpayment to CMS. The Authority will work with the Centers for Medicaid & Medicare Services to coordinate the return of the remaining $1,032 in identified questioned costs. Auditor?s Remarks The Authority states that the $976,580 in questioned costs is not required to be returned due to the corporation having no identifiable assets. While this may be the case since the Attorney General?s Office certified the corporation had no assets on April 13th, 2023, which was outside of our audit scope, the summary judgement order for this case was issued on May 2, 2022, and the overpayments were required to be returned within 30 days of that ruling. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 42 U.S. Code of Federal Regulations (CFR) Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers states in part: Section 433.300 Basis. This subpart implements - (a) Section 1903(d)(2)(A) of the Act, which directs that quarterly Federal payments to the States under title XIX (Medicaid) of the Act are to be reduced or increased to make adjustment for prior overpayments or underpayments that the Secretary determines have been made. (b) Section 1903(d)(2)(C) and (D) of the Act, which provides that a State has 1 year from discovery of an overpayment for Medicaid services to recover or attempt to recover the overpayment from the provider before adjustment in the Federal Medicaid payment to the State is made; and that adjustment will be made at the end of the 1-year period, whether or not recovery is made, unless the State is unable to recover from a provider because the overpayment is a debt that has been discharged in bankruptcy or is otherwise uncollectable. (c) Section 1903(d)(3) of the Act, which provides that the Secretary will consider the pro rata Federal share of the net amount recovered by a State during any quarter to be an overpayment. Section 433.312 Basic requirements for refunds. (a) Basic rules. (1) Except as provided in paragraph (b) of this section, the State Medicaid agency has 1 year from the date of discovery of an overpayment to a provider to recover or seek to recover the overpayment before the Federal share must be refunded to CMS. (2) The State Medicaid agency must refund the Federal share of overpayments at the end of the 1-year period following discovery in accordance with the requirements of this subpart, whether or not the State has recovered the overpayment from the provider. (b) Exception. The agency is not required to refund the Federal share of an overpayment made to a provider when the State is unable to recover the overpayment amount because the provider has been determined bankrupt or out of business in accordance with ? 433.318. Section 433.316 When discovery of overpayment occurs and its significance. (a) General rule. The date on which an overpayment is discovered is the beginning date of the 1-year period allowed for a State to recover or seek to recover an overpayment before a refund of the Federal share of an overpayment must be made to CMS. (b) Requirements for notification. Unless a State official or fiscal agent of the State chooses to initiate a formal recoupment action against a provider without first giving written notification of its intent, a State Medicaid agency official or other State official must notify the provider in writing of any overpayment it discovers in accordance with State agency policies and procedures and must take reasonable actions to attempt to recover the overpayment in accordance with State law and procedures. (c) Overpayments resulting from situations other than fraud. An overpayment resulting from a situation other than fraud is discovered on the earliest of - - (1) The date on which any Medicaid agency official or other State official first notifies a provider in writing of an overpayment and specifies a dollar amount that is subject to recovery; (2) The date on which a provider initially acknowledges a specific overpaid amount in writing to the medicaid agency; or (3) The date on which any State official or fiscal agent of the State initiates a formal action to recoup a specific overpaid amount from a provider without having first notified the provider in writing. (d) Overpayments resulting from fraud. (1) An overpayment that results from fraud is discovered on the date of the final written notice (as defined in ? 433.304 of this subchapter) of the State's overpayment determination. (2) When the State is unable to recover a debt which represents an overpayment (or any portion thereof) resulting from fraud within 1 year of discovery because no final determination of the amount of the overpayment has been made under an administrative or judicial process (as applicable), including as a result of a judgment being under appeal, no adjustment shall be made in the Federal payment to such State on account of such overpayment (or any portion thereof) until 30 days after the date on which a final judgment (including, if applicable, a final determination on an appeal) is made. (3) The Medicaid agency may treat an overpayment made to a Medicaid provider as resulting from fraud under subsection (d) of this section only if it has referred a provider's case to the Medicaid fraud control unit, or appropriate law enforcement agency in States with no certified Medicaid fraud control unit, as required by ? 455.15, ? 455.21, or ? 455.23 of this chapter, and the Medicaid fraud control unit or appropriate law enforcement agency has provided the Medicaid agency with written notification of acceptance of the case; or if the Medicaid fraud control unit or appropriate law enforcement agency has filed a civil or criminal action against a provider and has notified the State Medicaid agency. (e) Overpayments identified through Federal reviews. If a Federal review at any time indicates that a State has failed to identify an overpayment or a State has identified an overpayment but has failed to either send written notice of the overpayment to the provider that specified a dollar amount subject to recovery or initiate a formal recoupment from the provider without having first notified the provider in writing, CMS will consider the overpayment as discovered on the date that the Federal official first notifies the State in writing of the overpayment and specifies a dollar amount subject to recovery. (f) Effect of changes in overpayment amount. Any adjustment in the amount of an overpayment during the 1-year period following discovery (made in accordance with the approved State plan, Federal law and regulations governing Medicaid, and the appeals resolution process specified in State administrative policies and procedures) has the following effect on the 1-year recovery period: (1) A downward adjustment in the amount of an overpayment subject to recovery that occurs after discovery does not change the original 1-year recovery period for the outstanding balance. (2) An upward adjustment in the amount of an overpayment subject to recovery that occurs during the 1-year period following discovery does not change the 1-year recovery period for the original overpayment amount. A new 1-year period begins for the incremental amount only, beginning with the date of the State's written notification to the provider regarding the upward adjustment. (g) Effect of partial collection by State. A partial collection of an overpayment amount by the State from a provider during the 1-year period following discovery does not change the 1-year recovery period for the balance of the original overpayment amount due to CMS. (h) Effect of administrative or judicial appeals. Any appeal rights extended to a provider do not extend Section 433.320 Procedures for Refunds to CMS. (a) Basic requirements. (1) The agency must refund the Federal share of overpayments that are subject to recovery to CMS through a credit on its Quarterly Statement of Expenditures (Form CMS-64). (2) The agency must credit CMS with the Federal share of overpayments subject to recovery on the earlier of - (i) The Form CMS-64 submission due to CMS for the quarter in which the State recovers the overpayment from the provider; or (ii) The Form CMS-64 due to CMS for the quarter in which the 1-year period following discovery, established in accordance with ? 433.316, ends. (3) A credit on the Form CMS-64 must be made whether or not the overpayment has been recovered by the State from the provider. (4) If the State does not refund the Federal share of such overpayment as indicated in paragraph (a)(2) of this section, the State will be liable for interest on the amount equal to the Federal share of the non-recovered, nonrefunded overpayment amount. Interest during this period will be at the Current Value of Funds Rate (CVFR), and will accrue beginning on the day after the end of the 1-year period following discovery until the last day of the quarter for which the State submits a CMS-64 report refunding the Federal share of the overpayment.
Assistance Listing Number: 84.367 Program Title: Title II Improving Teacher Quality - Staff Development Federal Award Number: Not applicable Federal Award Year: 2021/2022 Pass Through Entity: Chicago Public Schools Criteria or specific requirement ? Per 2 CFR 200.430 (a) and 200.431 (a), charges to Federal awards for salaries and wages (may also include benefits) must be supported by a system of internal control which provides reasonable assurance that the charges are accurate, allowable, and properly allocated. The percent of compensation for personnel services paid currently to employees rendered during the period of performance under the federal award, cannot exceed the percentage of costs approved in the consolidated grants application. Condition ? Title I wages and salaries (including benefits if applicable) paid currently does not equal (is less or greater than) the percentage of personnel costs approved in the grant. Questioned costs ? $416.00 Context ? Monitoring activities were conducted based on a questionnaire developed to help determine whether the appropriate program and fiscal components were in place and documentation maintained was on file as per grant requirements. The review consisted of examining records on file at the school, classroom observations, reviewing the school's organizational chart, and discussions with school staff, the principal and/or principal's designee. Cause ? This finding occurred, in part, due to employee turnover in the past year. There were no controls in place to ensure that all administrative requirements were met, and proper reviews and procedures were not being used for expenses that flow into the claim reimbursement. Effect - Without the proper review controls, there is a heightened risk that the Organization's report may not be accurate and could lead to funds having to be returned. Repeat Finding: No Recommendation ? Effective control and accountability must be maintained for all funds. Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed, according to 2 CFR 200.62, 200.302, and 200.303. Per 2 CFR 200.308 (b), recipients are required to report deviations from budget or project scope or objective, and request prior approval from the federal awarding agency. Copies of approved amendment(s) must be maintained on file to support any changes to the original approved application. For all unallowable claimed expenditures, funds must be returned to the Board to comply with Federal reporting requirements per 2 CFR 200.410. The school administrator is required to submit a claims adjustment in Oracle to start this process. View of Responsible Officials - Management agrees with the finding and is implementing a corrective action plan in November 2022.
Assistance Listing Number: 84.425D Program Title: American Rescue Plan - Emergency and Secondary School Emergency Relief Fund III - MFT Federal Award Number: Not applicable Federal Award Year: 2021/2022 Pass Through Entity: Chicago Public Schools Criteria or specific requirement ? Violation of the administrative requirements at 29 CFR Part 200, which require proper internal controls over procedures and requirements in the administration of grant funds. The Organization over claimed expenditures during the fiscal year ended June 30, 2022. Condition - The following discrepancies and inconsistencies were identified: administrative procedures and requirements of the grantor were not followed; there was no proper review or approval of required reporting prior to submission. Questioned costs - None Context - A non-statistical sample of 45 were selected for testing. We noted the one instance of the same invoice submitted twice for reimbursement through two separate claims during fiscal year 2022. We also noted one instance of payroll claim amount exceeded the actual expenditure amount. Cause - This finding occurred, in part, due to employee turnover in the past year. There were no controls in place to ensure that all administrative requirements were met, and proper reviews and procedures were not being used for expenses that flow into the claim reimbursement. Effect - Without the proper review controls, there is a heightened risk that the Organization's report may not be accurate and could lead to funds having to be returned. Repeat Finding: No Recommendation - Effective control and accountability must be maintained for all funds. Charges to federal awards must be based on records that are properly processed and accurately reflect the cost. EPIC should strengthen processes surrounding administering and monitoring of all programs to ensure that their policies are consistently and properly applied. Management should perform proper monitoring and review of all claims for reimbursement. Management should also provide regular training to ensure all personnel are current and up to date with regulations and requirements. For all unallowable claimed expenditures, funds must be returned to the pass-through grantor to comply with federal reporting requirements per 2 CFR 200.410. View of Responsible Officials - Management agrees with the finding and is implementing a corrective action plan in November 2022. See management?s corrective action plan on page 17.
2022-031 The Department of Health did not have adequate internal controls over and did not comply with requirements to ensure payments to providers were allowable, met cost principles, and were within the period of performance for the Immunization Cooperative Agreements program. Assistance Listing Number and Title: 93.268 Immunization Cooperative Agreements 93.268 COVID-19 Immunization Cooperative Agreements Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 5 NH23IP922619-03-00; 6 NH23IP922619-03-01; 6 NH23IP922619-03-02; 6 NH23IP922619-02-01; 6 NH23IP922619-02-02; 6 NH23IP922619-02-03; 6 NH23IP922619-02-04; 6 NH23IP922619-02-06 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: $4,287,159 Background The Department of Health administers the Immunization Cooperative Agreements program, which aims to reduce and ultimately eliminate vaccine-preventable diseases by increasing and maintaining high immunization coverage. Emphasis is placed on populations at highest risk for underimmunization and disease, including children eligible under the Vaccines for Children program. In fiscal year 2022, the Department spent more than $44.2 million in federal program funds, about $14.2 million of which it disbursed to subrecipients. The Department also received more than $94.5 million in non-cash assistance from the federal grantor in the form of vaccines. To help carry out the program?s objectives, the Department issues consolidated contracts to Local Health Jurisdictions that are classified as subrecipients. A consolidated contract is for one subrecipient that combines funding for multiple federal programs. Subrecipients are awarded federal funds on a reimbursement basis only. The Department assigns each subrecipient a risk level based on standardized criteria, and it maintains a matrix that specifies the documentation that subrecipients at each risk level are required to submit with every reimbursement. There are varying requirements among low, moderate and high-risk subrecipients for each of the following expense categories: ? Salaries and benefits ? Equipment ($5,000 or more) ? Materials, supplies, and other ? Travel (in-state and out-of-state) ? Contracts and sub-subrecipients ? Administrative/indirect costs The Department?s Fiscal Monitoring Unit (FMU) also conducts fiscal reviews of each subrecipient to review source documentation to ensure payments are for allowable activities and within the period of performance. During the audit period, subrecipients submitted invoices to the Department?s accounting unit where staff, on a weekly basis, compiled a list of all consolidated contract invoices into one email. The emails were sent to Department program staff requesting review to ensure the payment was allowable and within the period of performance. The emails consisted of 30 to 50 invoice requests with hundreds of pages of supporting documentation. Each invoice listed in the email would be considered approved if program staff did not respond. To address concerns about an invoice, program staff were required to email the accounting unit within 10 business days to withhold payment until the items in question were resolved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department did not have adequate internal controls over and did not comply with requirements to ensure payments to providers were allowable, met cost principles, and were within the program?s period of performance. Department program staff used the documentation matrix when reviewing subrecipient payments to ensure they were for allowable activities, met cost principles, were within the period of performance, and included required supporting documentation. However, program staff did not document their review or approval, so we were unable to determine if the proper reviews occurred. During the audit period, the FMU conducted a fiscal monitoring review for four subrecipients that received program funds. We reviewed the fiscal monitoring activity for all four subrecipients and determined none of the four reviews included a detailed transaction review of program payments to ensure they had adequate supporting documentation. We used a statistical sampling method to randomly select and review 55 out of 432 provider payments. Additionally, we judgmentally reviewed two individually significant payments that exceeded $1.2 million each. In total, we examined more than $9.3 million in provider payments as part of the audit. Of the 57 payments examined, we identified 27 payments that did not have the required supporting documentation for the subrecipients? assigned risk level. This included one of the individually significant payments. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition The Department?s established procedures allowed for paying providers without ensuring program staff reviewed and determined the payment was allowable, within the grant?s period of performance, and adequately supported. Furthermore, program management did not ensure staff followed the existing review procedures. In addition, management had not established guidance for how many transactions a fiscal reviewer needed to review to source documentation in order to have assurance the program funds were spent in accordance with grant requirements. Management also did not ensure transactions selected for review by the FMU represented all subawards issued to the subrecipient. Effect of Condition and Questioned Costs Without establishing adequate internal controls, the Department cannot reasonably ensure it is using federal funds for allowable purposes. By not ensuring subrecipients submitted required supporting documentation, staff could not adequately verify the reimbursement claims, and the Department could not ensure its subrecipients complied with the subaward?s terms and conditions. The 27 payments for which the Department did not have required supporting documentation from subrecipients totaled $4,287,159 in known questioned costs. Based on these results, we estimate that the total amount of likely improper payments using federal funds to be $5,503,611. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). To ensure a representative sample, we stratified the population by dollar amount. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Department: ? Improve internal controls to ensure that it obtains adequate supporting documentation from subrecipients before reimbursing them ? Improve internal controls to ensure program staff review and approve expenditures to verify they are for allowable activities and within the period of performance prior to payment ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Department?s Response We appreciate the State Auditor?s Office (SAO) audit of the Immunization Cooperative Agreement. The Department is committed to ensuring our programs comply with federal regulations and understand that it is SAO?s point of view that we did not have adequate controls over provider payments to ensure allowability in meeting cost principles and meeting period of performance. The Department partially agrees with SAO?s findings. The Department does agree and has already taken steps to improve internal controls over ensuring payments to providers contain support in line with our A-19 matrix and risk assessed of our subrecipients. Immunization staff who review invoices have been provided additional training and tracking sheets have been developed which enables staff to record details from backup documentation reviews. This ensures the proper level of review is completed and aligns with the agency?s A-19 documentation matrix. We will also be addressing the control weakness identified with the consolidated contract payment process and documenting our review and approval by program staff to ensure allowability and that funds were spent within the period of performance. It should be noted that the current process over provider payments at the Department of Health has been in place for well over a decade and has been through several annual audits by the State Auditor?s Office and separate federal reviews by our federal funders without issue. The defined process of consolidated contract payments was in response to issues arising with timely payment of funds to our local government partners. The consolidated contracts are an essential tool in providing such funding on a large scale. This process balances many needs in tracking payments, providing documentation to the programs for review as well as allowing for timely distribution of funding to the local health jurisdictions (LHJs) for state and federal programs in order to serve the residents of the State of Washington. It also simplifies the invoicing and payment process as well as reconciliation between DOH and the LHJs. We would also note that for the exceptions identified with the Fiscal Monitoring Unit (FMU) visits, for all four reviews the totality of costs charged to Immunizations during the scope of those reviews were for staffing costs. FMU test staffing as a centralized function to determine if appropriate internal controls are being utilized to ensure costs are reasonable, necessary, allowable, and allocable. During review of these agencies, FMU did not find any instances of unallowable salary costs for time keeping samples that were tested. We would respectfully disagree with the number of exceptions and questioned costs identified. While the level of support did not meet our internal policies, which are held to a higher standard than federal requirements, the level of documentation received from the subrecipient accounting system gave us assurance that the transactions/costs questioned met federal cost principles for allowability and period of performance. This, along with the following additional overall internal monitoring and policy processes support our overall assurance of the allowability of payments: ? Program staff maintain detailed budget information for each subrecipient by project area, and as A-19s are submitted, program and accounting staff update budget spreadsheets. When reviewing the support provided by the subrecipient, they ensure amounts submitted by project are reasonable and are in alignment with expectations for the budget period submitted. ? The immunization program refers to the federal Immunization Program Operations Manual (IPOM) to determine allowable costs, purchase, and procurement procedures. This information is available to all subrecipients. ? FMU provides technical assistance and training, not only to program staff, but to the subrecipients while onsite and at the request of the entities receiving funding. ? Program staff provide technical assistance, policies, and training to Immunization subrecipients related to both allowability and compliance as it relates to programmatic processes. As a compensating control, each subrecipient of federal funds receive a monitoring visit from our Fiscal Monitoring Unit (FMU) once every two years. During the course of these visits monitoring staff perform walk-throughs and assessments of the internal controls surrounding the A19 payment process. They select the most recent three A19?s submitted for funding and review all charges to appropriate source documentation to ensure allowability using cost principles as a basis. Auditor?s Remarks Department management has implemented procedures to ensure adequate documentation is reviewed to support reimbursement requests from subrecipients receiving federal funds. Our testing was based on these documentation requirements, but we do not agree that these requirements are higher than the Uniform Guidance requires. We found that payments were made without the required level of support to ensure they were allowable and met cost principles. The Department asserts that the fiscal monitoring performed every two years compensates for the lack of adequate documentation. However, we found the fiscal monitoring transaction level review for payroll and vendor reimbursement requests did not include a review of any Immunization program payments and therefore gave no assurance that grant funds were spent on allowable activities and were adequately supported. We reaffirm our finding and will follow up on the status of the Department?s corrective action during our next audit period. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 403, Factors affecting allowability of costs, describes the general criteria in order for a cost to be allowable under federal awards, including being adequately documented. Washington State Department of Health A-19 Documentation Matrix Approved by FMU 11/30/20 This is the backup documentation required based on the determined risk level. Please ensure the detailed GL expenditure report clearly aligns with the A19 form. More supporting documentation may be requested by programs at any time due to programmatic requirements regardless of risk category. Expenditure Category Low-Risk Moderate-Risk High-Risk Salaries and Benefits A-19 and a detailed GL expenditure report for all employees who are charged to the grant for the period with the following information: ? Salaries & Wages ? Employee name ? Employee rates of pay ? Hours worked Note: Salaries and benefits must be broken out as separate line items. A-19 and a detailed GL expenditure report for all employees who are charged to the grant for the period with the following information: ? Salaries & Wages ? Employee name ? Employee rates of pay ? Hours worked Note: Salaries and benefits must be broken out as separate line items. A-19 and a detailed GL expenditure report for all employees who are charged to the grant for the period with the following information: ? Salaries & Wages ? Employee name ? Employee rates of pay ? Hours worked AND ? Time Sheets for all staff direct charging to the award Note: Salaries and benefits must be broken out as separate line items. Equipment ($5,000 or more) A-19 and a detailed GL expenditure report that provides vendor name and amount Note: Pre-approval documentation must be provided A-19 and a detailed GL expenditure report that provides vendor name, amount AND ? Item Description Note: Pre-approval documentation must be provided A-19 and a detailed GL expenditure report that provides vendor name, amount, item description AND ? Invoice ? Supporting documentation reflecting authorizing official?s approval. Materials, Supplies, and Other A-19 and a detailed GL expenditure report that provides: ? Vendor Name ? Item description ? Cost of item Note: If the entity has a petty cash fund, they must supply 100% of the supporting documentation. A-19 and a detailed GL expenditure report that provides: ? Vendor Name ? Item description ? Cost of item AND Invoices for transactions over $1,000 Note: If the entity has a petty cash fund, they must supply 100% of the supporting documentation. A-19 and detailed GL expenditure report that provides: ? Vendor Name ? Item description ? Cost of item AND Invoices for transactions over $200. Note: If the entity has a petty cash fund, they must supply 100% of the supporting documentation Travel A-19 and a detailed GL expenditure report that provides: ? Employee name Note: Pre-approval documentation from DOH for any out of state travel must be provided. A-19 and a detailed GL expenditure report that provides: ? Employee name AND ? Travel expense form* ? All itemized receipts * Travel expense form should include employee signature, supervisor approval and purpose. Note: Pre-approval documentation from DOH for any out of state travel must be provided. A-19 and a detailed GL expenditure report that provides: ? Employee name ? Travel expense form* ? All itemized receipts AND Pre-approval required for any flights and overnight stays. *Travel expense form should include employee signature, supervisor approval and purpose. Note: Pre-approval documentation from DOH for any out of state travel must be provided. Contracts and Sub-Subrecipients A-19 and a detailed GL expenditure report that provides: ? Contractor/ Subrecipient Name A-19 and a detailed GL expenditure report that provides: ? Contractor/ Subrecipient Name AND ? Invoices for individual transactions over $1,000.00 A-19 and a detailed GL expenditure report that provides: ? Contractor/ Subrecipient Name AND ? Invoices for individual transactions over $200.00. NOTE: Indirect costs included on A19s must include verification of the following: ? Indirect plan is current and on file with DOH ? Indirect rate is being applied accurately to allowable expenditures ? If the indirect cost rate plan has expired, no indirect costs can be charged
2022-031 The Department of Health did not have adequate internal controls over and did not comply with requirements to ensure payments to providers were allowable, met cost principles, and were within the period of performance for the Immunization Cooperative Agreements program. Assistance Listing Number and Title: 93.268 Immunization Cooperative Agreements 93.268 COVID-19 Immunization Cooperative Agreements Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 5 NH23IP922619-03-00; 6 NH23IP922619-03-01; 6 NH23IP922619-03-02; 6 NH23IP922619-02-01; 6 NH23IP922619-02-02; 6 NH23IP922619-02-03; 6 NH23IP922619-02-04; 6 NH23IP922619-02-06 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: $4,287,159 Background The Department of Health administers the Immunization Cooperative Agreements program, which aims to reduce and ultimately eliminate vaccine-preventable diseases by increasing and maintaining high immunization coverage. Emphasis is placed on populations at highest risk for underimmunization and disease, including children eligible under the Vaccines for Children program. In fiscal year 2022, the Department spent more than $44.2 million in federal program funds, about $14.2 million of which it disbursed to subrecipients. The Department also received more than $94.5 million in non-cash assistance from the federal grantor in the form of vaccines. To help carry out the program?s objectives, the Department issues consolidated contracts to Local Health Jurisdictions that are classified as subrecipients. A consolidated contract is for one subrecipient that combines funding for multiple federal programs. Subrecipients are awarded federal funds on a reimbursement basis only. The Department assigns each subrecipient a risk level based on standardized criteria, and it maintains a matrix that specifies the documentation that subrecipients at each risk level are required to submit with every reimbursement. There are varying requirements among low, moderate and high-risk subrecipients for each of the following expense categories: ? Salaries and benefits ? Equipment ($5,000 or more) ? Materials, supplies, and other ? Travel (in-state and out-of-state) ? Contracts and sub-subrecipients ? Administrative/indirect costs The Department?s Fiscal Monitoring Unit (FMU) also conducts fiscal reviews of each subrecipient to review source documentation to ensure payments are for allowable activities and within the period of performance. During the audit period, subrecipients submitted invoices to the Department?s accounting unit where staff, on a weekly basis, compiled a list of all consolidated contract invoices into one email. The emails were sent to Department program staff requesting review to ensure the payment was allowable and within the period of performance. The emails consisted of 30 to 50 invoice requests with hundreds of pages of supporting documentation. Each invoice listed in the email would be considered approved if program staff did not respond. To address concerns about an invoice, program staff were required to email the accounting unit within 10 business days to withhold payment until the items in question were resolved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department did not have adequate internal controls over and did not comply with requirements to ensure payments to providers were allowable, met cost principles, and were within the program?s period of performance. Department program staff used the documentation matrix when reviewing subrecipient payments to ensure they were for allowable activities, met cost principles, were within the period of performance, and included required supporting documentation. However, program staff did not document their review or approval, so we were unable to determine if the proper reviews occurred. During the audit period, the FMU conducted a fiscal monitoring review for four subrecipients that received program funds. We reviewed the fiscal monitoring activity for all four subrecipients and determined none of the four reviews included a detailed transaction review of program payments to ensure they had adequate supporting documentation. We used a statistical sampling method to randomly select and review 55 out of 432 provider payments. Additionally, we judgmentally reviewed two individually significant payments that exceeded $1.2 million each. In total, we examined more than $9.3 million in provider payments as part of the audit. Of the 57 payments examined, we identified 27 payments that did not have the required supporting documentation for the subrecipients? assigned risk level. This included one of the individually significant payments. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition The Department?s established procedures allowed for paying providers without ensuring program staff reviewed and determined the payment was allowable, within the grant?s period of performance, and adequately supported. Furthermore, program management did not ensure staff followed the existing review procedures. In addition, management had not established guidance for how many transactions a fiscal reviewer needed to review to source documentation in order to have assurance the program funds were spent in accordance with grant requirements. Management also did not ensure transactions selected for review by the FMU represented all subawards issued to the subrecipient. Effect of Condition and Questioned Costs Without establishing adequate internal controls, the Department cannot reasonably ensure it is using federal funds for allowable purposes. By not ensuring subrecipients submitted required supporting documentation, staff could not adequately verify the reimbursement claims, and the Department could not ensure its subrecipients complied with the subaward?s terms and conditions. The 27 payments for which the Department did not have required supporting documentation from subrecipients totaled $4,287,159 in known questioned costs. Based on these results, we estimate that the total amount of likely improper payments using federal funds to be $5,503,611. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). To ensure a representative sample, we stratified the population by dollar amount. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Department: ? Improve internal controls to ensure that it obtains adequate supporting documentation from subrecipients before reimbursing them ? Improve internal controls to ensure program staff review and approve expenditures to verify they are for allowable activities and within the period of performance prior to payment ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Department?s Response We appreciate the State Auditor?s Office (SAO) audit of the Immunization Cooperative Agreement. The Department is committed to ensuring our programs comply with federal regulations and understand that it is SAO?s point of view that we did not have adequate controls over provider payments to ensure allowability in meeting cost principles and meeting period of performance. The Department partially agrees with SAO?s findings. The Department does agree and has already taken steps to improve internal controls over ensuring payments to providers contain support in line with our A-19 matrix and risk assessed of our subrecipients. Immunization staff who review invoices have been provided additional training and tracking sheets have been developed which enables staff to record details from backup documentation reviews. This ensures the proper level of review is completed and aligns with the agency?s A-19 documentation matrix. We will also be addressing the control weakness identified with the consolidated contract payment process and documenting our review and approval by program staff to ensure allowability and that funds were spent within the period of performance. It should be noted that the current process over provider payments at the Department of Health has been in place for well over a decade and has been through several annual audits by the State Auditor?s Office and separate federal reviews by our federal funders without issue. The defined process of consolidated contract payments was in response to issues arising with timely payment of funds to our local government partners. The consolidated contracts are an essential tool in providing such funding on a large scale. This process balances many needs in tracking payments, providing documentation to the programs for review as well as allowing for timely distribution of funding to the local health jurisdictions (LHJs) for state and federal programs in order to serve the residents of the State of Washington. It also simplifies the invoicing and payment process as well as reconciliation between DOH and the LHJs. We would also note that for the exceptions identified with the Fiscal Monitoring Unit (FMU) visits, for all four reviews the totality of costs charged to Immunizations during the scope of those reviews were for staffing costs. FMU test staffing as a centralized function to determine if appropriate internal controls are being utilized to ensure costs are reasonable, necessary, allowable, and allocable. During review of these agencies, FMU did not find any instances of unallowable salary costs for time keeping samples that were tested. We would respectfully disagree with the number of exceptions and questioned costs identified. While the level of support did not meet our internal policies, which are held to a higher standard than federal requirements, the level of documentation received from the subrecipient accounting system gave us assurance that the transactions/costs questioned met federal cost principles for allowability and period of performance. This, along with the following additional overall internal monitoring and policy processes support our overall assurance of the allowability of payments: ? Program staff maintain detailed budget information for each subrecipient by project area, and as A-19s are submitted, program and accounting staff update budget spreadsheets. When reviewing the support provided by the subrecipient, they ensure amounts submitted by project are reasonable and are in alignment with expectations for the budget period submitted. ? The immunization program refers to the federal Immunization Program Operations Manual (IPOM) to determine allowable costs, purchase, and procurement procedures. This information is available to all subrecipients. ? FMU provides technical assistance and training, not only to program staff, but to the subrecipients while onsite and at the request of the entities receiving funding. ? Program staff provide technical assistance, policies, and training to Immunization subrecipients related to both allowability and compliance as it relates to programmatic processes. As a compensating control, each subrecipient of federal funds receive a monitoring visit from our Fiscal Monitoring Unit (FMU) once every two years. During the course of these visits monitoring staff perform walk-throughs and assessments of the internal controls surrounding the A19 payment process. They select the most recent three A19?s submitted for funding and review all charges to appropriate source documentation to ensure allowability using cost principles as a basis. Auditor?s Remarks Department management has implemented procedures to ensure adequate documentation is reviewed to support reimbursement requests from subrecipients receiving federal funds. Our testing was based on these documentation requirements, but we do not agree that these requirements are higher than the Uniform Guidance requires. We found that payments were made without the required level of support to ensure they were allowable and met cost principles. The Department asserts that the fiscal monitoring performed every two years compensates for the lack of adequate documentation. However, we found the fiscal monitoring transaction level review for payroll and vendor reimbursement requests did not include a review of any Immunization program payments and therefore gave no assurance that grant funds were spent on allowable activities and were adequately supported. We reaffirm our finding and will follow up on the status of the Department?s corrective action during our next audit period. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 403, Factors affecting allowability of costs, describes the general criteria in order for a cost to be allowable under federal awards, including being adequately documented. Washington State Department of Health A-19 Documentation Matrix Approved by FMU 11/30/20 This is the backup documentation required based on the determined risk level. Please ensure the detailed GL expenditure report clearly aligns with the A19 form. More supporting documentation may be requested by programs at any time due to programmatic requirements regardless of risk category. Expenditure Category Low-Risk Moderate-Risk High-Risk Salaries and Benefits A-19 and a detailed GL expenditure report for all employees who are charged to the grant for the period with the following information: ? Salaries & Wages ? Employee name ? Employee rates of pay ? Hours worked Note: Salaries and benefits must be broken out as separate line items. A-19 and a detailed GL expenditure report for all employees who are charged to the grant for the period with the following information: ? Salaries & Wages ? Employee name ? Employee rates of pay ? Hours worked Note: Salaries and benefits must be broken out as separate line items. A-19 and a detailed GL expenditure report for all employees who are charged to the grant for the period with the following information: ? Salaries & Wages ? Employee name ? Employee rates of pay ? Hours worked AND ? Time Sheets for all staff direct charging to the award Note: Salaries and benefits must be broken out as separate line items. Equipment ($5,000 or more) A-19 and a detailed GL expenditure report that provides vendor name and amount Note: Pre-approval documentation must be provided A-19 and a detailed GL expenditure report that provides vendor name, amount AND ? Item Description Note: Pre-approval documentation must be provided A-19 and a detailed GL expenditure report that provides vendor name, amount, item description AND ? Invoice ? Supporting documentation reflecting authorizing official?s approval. Materials, Supplies, and Other A-19 and a detailed GL expenditure report that provides: ? Vendor Name ? Item description ? Cost of item Note: If the entity has a petty cash fund, they must supply 100% of the supporting documentation. A-19 and a detailed GL expenditure report that provides: ? Vendor Name ? Item description ? Cost of item AND Invoices for transactions over $1,000 Note: If the entity has a petty cash fund, they must supply 100% of the supporting documentation. A-19 and detailed GL expenditure report that provides: ? Vendor Name ? Item description ? Cost of item AND Invoices for transactions over $200. Note: If the entity has a petty cash fund, they must supply 100% of the supporting documentation Travel A-19 and a detailed GL expenditure report that provides: ? Employee name Note: Pre-approval documentation from DOH for any out of state travel must be provided. A-19 and a detailed GL expenditure report that provides: ? Employee name AND ? Travel expense form* ? All itemized receipts * Travel expense form should include employee signature, supervisor approval and purpose. Note: Pre-approval documentation from DOH for any out of state travel must be provided. A-19 and a detailed GL expenditure report that provides: ? Employee name ? Travel expense form* ? All itemized receipts AND Pre-approval required for any flights and overnight stays. *Travel expense form should include employee signature, supervisor approval and purpose. Note: Pre-approval documentation from DOH for any out of state travel must be provided. Contracts and Sub-Subrecipients A-19 and a detailed GL expenditure report that provides: ? Contractor/ Subrecipient Name A-19 and a detailed GL expenditure report that provides: ? Contractor/ Subrecipient Name AND ? Invoices for individual transactions over $1,000.00 A-19 and a detailed GL expenditure report that provides: ? Contractor/ Subrecipient Name AND ? Invoices for individual transactions over $200.00. NOTE: Indirect costs included on A19s must include verification of the following: ? Indirect plan is current and on file with DOH ? Indirect rate is being applied accurately to allowable expenditures ? If the indirect cost rate plan has expired, no indirect costs can be charged
2022-031 The Department of Health did not have adequate internal controls over and did not comply with requirements to ensure payments to providers were allowable, met cost principles, and were within the period of performance for the Immunization Cooperative Agreements program. Assistance Listing Number and Title: 93.268 Immunization Cooperative Agreements 93.268 COVID-19 Immunization Cooperative Agreements Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 5 NH23IP922619-03-00; 6 NH23IP922619-03-01; 6 NH23IP922619-03-02; 6 NH23IP922619-02-01; 6 NH23IP922619-02-02; 6 NH23IP922619-02-03; 6 NH23IP922619-02-04; 6 NH23IP922619-02-06 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: $4,287,159 Background The Department of Health administers the Immunization Cooperative Agreements program, which aims to reduce and ultimately eliminate vaccine-preventable diseases by increasing and maintaining high immunization coverage. Emphasis is placed on populations at highest risk for underimmunization and disease, including children eligible under the Vaccines for Children program. In fiscal year 2022, the Department spent more than $44.2 million in federal program funds, about $14.2 million of which it disbursed to subrecipients. The Department also received more than $94.5 million in non-cash assistance from the federal grantor in the form of vaccines. To help carry out the program?s objectives, the Department issues consolidated contracts to Local Health Jurisdictions that are classified as subrecipients. A consolidated contract is for one subrecipient that combines funding for multiple federal programs. Subrecipients are awarded federal funds on a reimbursement basis only. The Department assigns each subrecipient a risk level based on standardized criteria, and it maintains a matrix that specifies the documentation that subrecipients at each risk level are required to submit with every reimbursement. There are varying requirements among low, moderate and high-risk subrecipients for each of the following expense categories: ? Salaries and benefits ? Equipment ($5,000 or more) ? Materials, supplies, and other ? Travel (in-state and out-of-state) ? Contracts and sub-subrecipients ? Administrative/indirect costs The Department?s Fiscal Monitoring Unit (FMU) also conducts fiscal reviews of each subrecipient to review source documentation to ensure payments are for allowable activities and within the period of performance. During the audit period, subrecipients submitted invoices to the Department?s accounting unit where staff, on a weekly basis, compiled a list of all consolidated contract invoices into one email. The emails were sent to Department program staff requesting review to ensure the payment was allowable and within the period of performance. The emails consisted of 30 to 50 invoice requests with hundreds of pages of supporting documentation. Each invoice listed in the email would be considered approved if program staff did not respond. To address concerns about an invoice, program staff were required to email the accounting unit within 10 business days to withhold payment until the items in question were resolved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department did not have adequate internal controls over and did not comply with requirements to ensure payments to providers were allowable, met cost principles, and were within the program?s period of performance. Department program staff used the documentation matrix when reviewing subrecipient payments to ensure they were for allowable activities, met cost principles, were within the period of performance, and included required supporting documentation. However, program staff did not document their review or approval, so we were unable to determine if the proper reviews occurred. During the audit period, the FMU conducted a fiscal monitoring review for four subrecipients that received program funds. We reviewed the fiscal monitoring activity for all four subrecipients and determined none of the four reviews included a detailed transaction review of program payments to ensure they had adequate supporting documentation. We used a statistical sampling method to randomly select and review 55 out of 432 provider payments. Additionally, we judgmentally reviewed two individually significant payments that exceeded $1.2 million each. In total, we examined more than $9.3 million in provider payments as part of the audit. Of the 57 payments examined, we identified 27 payments that did not have the required supporting documentation for the subrecipients? assigned risk level. This included one of the individually significant payments. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition The Department?s established procedures allowed for paying providers without ensuring program staff reviewed and determined the payment was allowable, within the grant?s period of performance, and adequately supported. Furthermore, program management did not ensure staff followed the existing review procedures. In addition, management had not established guidance for how many transactions a fiscal reviewer needed to review to source documentation in order to have assurance the program funds were spent in accordance with grant requirements. Management also did not ensure transactions selected for review by the FMU represented all subawards issued to the subrecipient. Effect of Condition and Questioned Costs Without establishing adequate internal controls, the Department cannot reasonably ensure it is using federal funds for allowable purposes. By not ensuring subrecipients submitted required supporting documentation, staff could not adequately verify the reimbursement claims, and the Department could not ensure its subrecipients complied with the subaward?s terms and conditions. The 27 payments for which the Department did not have required supporting documentation from subrecipients totaled $4,287,159 in known questioned costs. Based on these results, we estimate that the total amount of likely improper payments using federal funds to be $5,503,611. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). To ensure a representative sample, we stratified the population by dollar amount. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Department: ? Improve internal controls to ensure that it obtains adequate supporting documentation from subrecipients before reimbursing them ? Improve internal controls to ensure program staff review and approve expenditures to verify they are for allowable activities and within the period of performance prior to payment ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Department?s Response We appreciate the State Auditor?s Office (SAO) audit of the Immunization Cooperative Agreement. The Department is committed to ensuring our programs comply with federal regulations and understand that it is SAO?s point of view that we did not have adequate controls over provider payments to ensure allowability in meeting cost principles and meeting period of performance. The Department partially agrees with SAO?s findings. The Department does agree and has already taken steps to improve internal controls over ensuring payments to providers contain support in line with our A-19 matrix and risk assessed of our subrecipients. Immunization staff who review invoices have been provided additional training and tracking sheets have been developed which enables staff to record details from backup documentation reviews. This ensures the proper level of review is completed and aligns with the agency?s A-19 documentation matrix. We will also be addressing the control weakness identified with the consolidated contract payment process and documenting our review and approval by program staff to ensure allowability and that funds were spent within the period of performance. It should be noted that the current process over provider payments at the Department of Health has been in place for well over a decade and has been through several annual audits by the State Auditor?s Office and separate federal reviews by our federal funders without issue. The defined process of consolidated contract payments was in response to issues arising with timely payment of funds to our local government partners. The consolidated contracts are an essential tool in providing such funding on a large scale. This process balances many needs in tracking payments, providing documentation to the programs for review as well as allowing for timely distribution of funding to the local health jurisdictions (LHJs) for state and federal programs in order to serve the residents of the State of Washington. It also simplifies the invoicing and payment process as well as reconciliation between DOH and the LHJs. We would also note that for the exceptions identified with the Fiscal Monitoring Unit (FMU) visits, for all four reviews the totality of costs charged to Immunizations during the scope of those reviews were for staffing costs. FMU test staffing as a centralized function to determine if appropriate internal controls are being utilized to ensure costs are reasonable, necessary, allowable, and allocable. During review of these agencies, FMU did not find any instances of unallowable salary costs for time keeping samples that were tested. We would respectfully disagree with the number of exceptions and questioned costs identified. While the level of support did not meet our internal policies, which are held to a higher standard than federal requirements, the level of documentation received from the subrecipient accounting system gave us assurance that the transactions/costs questioned met federal cost principles for allowability and period of performance. This, along with the following additional overall internal monitoring and policy processes support our overall assurance of the allowability of payments: ? Program staff maintain detailed budget information for each subrecipient by project area, and as A-19s are submitted, program and accounting staff update budget spreadsheets. When reviewing the support provided by the subrecipient, they ensure amounts submitted by project are reasonable and are in alignment with expectations for the budget period submitted. ? The immunization program refers to the federal Immunization Program Operations Manual (IPOM) to determine allowable costs, purchase, and procurement procedures. This information is available to all subrecipients. ? FMU provides technical assistance and training, not only to program staff, but to the subrecipients while onsite and at the request of the entities receiving funding. ? Program staff provide technical assistance, policies, and training to Immunization subrecipients related to both allowability and compliance as it relates to programmatic processes. As a compensating control, each subrecipient of federal funds receive a monitoring visit from our Fiscal Monitoring Unit (FMU) once every two years. During the course of these visits monitoring staff perform walk-throughs and assessments of the internal controls surrounding the A19 payment process. They select the most recent three A19?s submitted for funding and review all charges to appropriate source documentation to ensure allowability using cost principles as a basis. Auditor?s Remarks Department management has implemented procedures to ensure adequate documentation is reviewed to support reimbursement requests from subrecipients receiving federal funds. Our testing was based on these documentation requirements, but we do not agree that these requirements are higher than the Uniform Guidance requires. We found that payments were made without the required level of support to ensure they were allowable and met cost principles. The Department asserts that the fiscal monitoring performed every two years compensates for the lack of adequate documentation. However, we found the fiscal monitoring transaction level review for payroll and vendor reimbursement requests did not include a review of any Immunization program payments and therefore gave no assurance that grant funds were spent on allowable activities and were adequately supported. We reaffirm our finding and will follow up on the status of the Department?s corrective action during our next audit period. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 403, Factors affecting allowability of costs, describes the general criteria in order for a cost to be allowable under federal awards, including being adequately documented. Washington State Department of Health A-19 Documentation Matrix Approved by FMU 11/30/20 This is the backup documentation required based on the determined risk level. Please ensure the detailed GL expenditure report clearly aligns with the A19 form. More supporting documentation may be requested by programs at any time due to programmatic requirements regardless of risk category. Expenditure Category Low-Risk Moderate-Risk High-Risk Salaries and Benefits A-19 and a detailed GL expenditure report for all employees who are charged to the grant for the period with the following information: ? Salaries & Wages ? Employee name ? Employee rates of pay ? Hours worked Note: Salaries and benefits must be broken out as separate line items. A-19 and a detailed GL expenditure report for all employees who are charged to the grant for the period with the following information: ? Salaries & Wages ? Employee name ? Employee rates of pay ? Hours worked Note: Salaries and benefits must be broken out as separate line items. A-19 and a detailed GL expenditure report for all employees who are charged to the grant for the period with the following information: ? Salaries & Wages ? Employee name ? Employee rates of pay ? Hours worked AND ? Time Sheets for all staff direct charging to the award Note: Salaries and benefits must be broken out as separate line items. Equipment ($5,000 or more) A-19 and a detailed GL expenditure report that provides vendor name and amount Note: Pre-approval documentation must be provided A-19 and a detailed GL expenditure report that provides vendor name, amount AND ? Item Description Note: Pre-approval documentation must be provided A-19 and a detailed GL expenditure report that provides vendor name, amount, item description AND ? Invoice ? Supporting documentation reflecting authorizing official?s approval. Materials, Supplies, and Other A-19 and a detailed GL expenditure report that provides: ? Vendor Name ? Item description ? Cost of item Note: If the entity has a petty cash fund, they must supply 100% of the supporting documentation. A-19 and a detailed GL expenditure report that provides: ? Vendor Name ? Item description ? Cost of item AND Invoices for transactions over $1,000 Note: If the entity has a petty cash fund, they must supply 100% of the supporting documentation. A-19 and detailed GL expenditure report that provides: ? Vendor Name ? Item description ? Cost of item AND Invoices for transactions over $200. Note: If the entity has a petty cash fund, they must supply 100% of the supporting documentation Travel A-19 and a detailed GL expenditure report that provides: ? Employee name Note: Pre-approval documentation from DOH for any out of state travel must be provided. A-19 and a detailed GL expenditure report that provides: ? Employee name AND ? Travel expense form* ? All itemized receipts * Travel expense form should include employee signature, supervisor approval and purpose. Note: Pre-approval documentation from DOH for any out of state travel must be provided. A-19 and a detailed GL expenditure report that provides: ? Employee name ? Travel expense form* ? All itemized receipts AND Pre-approval required for any flights and overnight stays. *Travel expense form should include employee signature, supervisor approval and purpose. Note: Pre-approval documentation from DOH for any out of state travel must be provided. Contracts and Sub-Subrecipients A-19 and a detailed GL expenditure report that provides: ? Contractor/ Subrecipient Name A-19 and a detailed GL expenditure report that provides: ? Contractor/ Subrecipient Name AND ? Invoices for individual transactions over $1,000.00 A-19 and a detailed GL expenditure report that provides: ? Contractor/ Subrecipient Name AND ? Invoices for individual transactions over $200.00. NOTE: Indirect costs included on A19s must include verification of the following: ? Indirect plan is current and on file with DOH ? Indirect rate is being applied accurately to allowable expenditures ? If the indirect cost rate plan has expired, no indirect costs can be charged
2022-035 The Department of Children, Youth, and Families did not have adequate internal controls over and did not comply with requirements to ensure payments to child care providers paid with Temporary Assistance for Needy Families funds were allowable and properly supported. Assistance Listing Number and Title: 93.558 Temporary Assistance for Needy Families Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2101WATANF; 2201WATANF Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Known Questioned Cost Amount: $67,699,429 Background The Department of Social and Health Services (DSHS), Community Services Office, administers the Temporary Assistance for Needy Families (TANF) grant that provides temporary cash assistance for families in need. To receive TANF benefits, participants must be engaged in activities listed in the Individual Responsibility Plan through the WorkFirst program, unless the TANF benefits are received only on behalf of a child. TANF grant funds are also used to pay clients? child care costs to meet one of the program?s primary purposes of helping clients obtain employment. Washington has established the Working Connections Child Care (WCCC) program to help eligible working families pay for child care. Both the Department of Children, Youth, and Families (Department) and DSHS administer the program. The Department is responsible for establishing policies and procedures for licensing child care providers and paying them for allowable child care services. DSHS determines TANF client eligibility and reimburses the Department for child care payments under an agreement between the two agencies. The Department uses its Social Service Payment System (SSPS) to process the payments it makes to child care providers. The system allocates payments to various funding sources, based on the eligibility of the client. These funding sources include multiple federal programs, multiple Child Care Development Fund (CCDF) federal grant awards, and state funding. The Department uploads the payment data into the state?s accounting system at a summary level based on the various funding sources. DSHS worked with the Department to setup coding in the Payment Allocating Model (PAM) system that looks at the client-level information and then assigns the correct TANF source of funds. Once source of funds is identified, that information is then sent to SSPS for allocation assignment. The Department prepares electronic reports for funds allocated to TANF funding sources and sends DSHS a monthly bill. There is always a need to transfer the funding sources for some payments throughout the year to manage federal and state funds properly. Prior to state fiscal year 2021, the Department prepared supporting documentation for transfers that included details of what payments it was transferring. The purpose of documenting this detail was to maintain proper support for federal expenditures. Some payments the Department makes for child care are funded by both the CCDF and TANF grants. While the two federal programs are separate, the requirements and policies in Washington for child care payments are consolidated under the WCCC program. Federal regulations require grant fund expenditures to be adequately supported to show that they have been used in accordance with program requirements. In fiscal year 2022, DSHS incurred $67,699,429 in child care service-related expenditures. Federal regulations require recipients to establish and follow internal controls that ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the Department did not have adequate internal controls over and did not comply with requirements to ensure payments to child care providers paid with TANF funds were allowable and properly supported. The prior finding number was 2021-028. Description of Condition The Department did not have adequate internal controls over and did not comply with requirements to ensure payments to child care providers paid with TANF funds were allowable and properly supported. In order to identify TANF-funded payments the Department made to child care providers, we requested a population of payments charged to TANF sources from SSPS. However, during the fiscal year 2021 audit, management informed us the Department had changed its grant management practices to process expenditure transfers at the grant level. This new process made the original expenditure coding in SSPS inaccurate and unreliable for testing. As a result, we could not trace the federal funds to a level of expenditure adequate to establish whether the Department spent TANF funds in accordance with federal and state regulations. As a result, we could not test the Department?s payments to child care providers for compliance with activities allowed and cost principles. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The Department is required to maintain sufficient documentation for each payment it makes with federal dollars. Management decided to modify the Department?s accounting practices in a way that now prevents it from meeting this requirement. The Department implemented what management referred to as fund-level accounting. This consisted of making significant accounting adjustments between funding sources in its general ledger without identifying the underlying transactions from SSPS that supported the adjustments. This affected all populations of child care expenditures for every month of the fiscal year. Officials from the U.S. Department of Health and Human Services informed the Department that these accounting practices do not comply with federal law, but management said they believe they are compliant. Effect of Condition and Questioned Costs By not complying with federal law regarding maintaining adequate supporting documentation for expenditures, the Department created a condition that made it impossible for our Office to audit the federal dollars it used for payments to child care providers. Because we could not test transaction-level detail, we also could not determine whether the issues we identified in prior audits had improved or worsened, including the Department?s lack of adequate internal controls and significant rate of noncompliance for payments to child care providers. Because the Department did not comply with federal requirements to allow for the tracing of grant expenditures to a payment level, we are questioning all $67,699,429 in federal program costs for child care payments that DSHS incurred during the audit period. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Department: ? Design and implement internal controls to ensure transaction-level data is sufficient to comply with federal law and state rules ? Update service level agreements with DSHS to ensure payments are sufficient and properly supported ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Department?s Response The Working Connections Child Care (WCCC) program was previously managed by the Department of Social and Health Services (DSHS) and the Department of Early Learning. Since the program transitioned in 2019, the Department has been making efforts to strengthen internal controls over payments to child care providers and other grant requirements. The Department implemented grant-level management of all federal funds, including the TANF grant. The Department allocated the TANF grant to eligible clients and allowable activities in compliance with 45 CFR 98.67. For the fiscal year 2021 program audit, the State Auditor?s Office (SAO) issued a finding with $32 questioned costs for non-compliance with the CCDF eligibility requirement. No other findings, management letters, or exit items were reported in this compliance area or the cost allocation of funds based on eligibility for the CCDF or TANF grants. Given that eligibility or cost allocation has not been an area of concern, and transfers were processed between TANF and CCDF source of funds with the same eligibility criteria, the Department is assured that TANF funding was spent appropriately within federal regulations. In the Cause of Condition, the SAO stated, ?HHS officials informed the Department that these accounting practices do not comply with federal law, but management said they believe they are compliant.? The Department does not agree with this interpretation of the meeting outcome. During this informal meeting, on February 23, 2022, the State Auditor?s Office, Office of Financial Management, and the Department met with HHS and they stated they would not offer an opinion until they received the completed finding from the state. As part of the audit resolution process, HHS Administration for Children and Families?, which oversees the TANF and CCDF programs at the federal level, reviews all SAO findings and issues management decision letters. The letters will reflect the grantor?s determination of whether an audit finding is sustained, the reasons for the decision, and the required actions by the auditee. When a management decision is issued for the fiscal year 2022 finding, the Department will work with HHS and follow the audit resolution process. The Department is committed to improving internal controls. The Department does not currently have the resources to develop and maintain the business process redesign, as well as the information technology initiatives necessary to meet the level of assurance recommended by SAO. In response to prior year?s audit recommendations, the Department has submitted a budget request to the Legislature in the 2023-2025 biennial budget for additional resources to process adjustments to include transaction-level data. Auditor?s Remarks The level of assurance needed to support grant expenditures is not established by our Office, but in titles 2 and 45 of the Code of Federal Regulations and the State?s grant award. We appreciate the Department?s commitment to resolving these matters and will review the status of the Department?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.53 defines improper payments. Part 200.403 establishes factors affecting allowability of costs. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.
2022-036 The Department of Children, Youth, and Families did not have adequate internal controls over and did not comply with client eligibility requirements for child care services paid with the Child Care and Development Fund and Temporary Assistance for Needy Families funds. Assistance Listing Number and Title: 93.558, Temporary Assistance for Needy Families 93.575, Child Care and Development Block Grant 93.575, COVID-19 Child Care and Development Block Grant 93.596, Child Care Mandatory and Matching Funds of the Child Care and Development Fund Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2003WACCDF; 2103WACCDF; 2203WACCDF; 2003WACCC3; 2103WACDC6; 2103WACSC6; 2103WACCC5; 2103WACCDD; 2203WACCDD; 2101WATANF; 2201WATANF Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Eligibility Known Questioned Cost Amount: Temporary Assistance for Needy Families ? $5,689 Child Care and Development Fund ? $5,078 Background The Department of Children, Youth, and Families administers the federal Child Care and Development Fund (CCDF) grant to help eligible working families pay for child care. In fiscal year 2022, the Department spent $668.6 million in CCDF federal funding. The Department of Social and Health Services (DSHS) administers the Temporary Assistance for Needy Families (TANF) grant. To meet one of the program?s primary purposes of helping clients obtain employment, TANF grant funds may be used to pay clients? child care costs. If a client obtains employment and is no longer eligible for the program, TANF funds may still be used to pay child care costs to help the client maintain employment. In fiscal year 2022, the Department spent more than $260.5 million in CCDF and $67.7 million in TANF federal grant funds on child care subsidy payments to providers. Some payments made for child care are paid for by both the CCDF and TANF grants. While the two federal programs are separate, the requirements and policies in Washington for child care payments are consolidated under the Working Connections Child Care program. As of July 1, 2019, the responsibility for making and documenting child care eligibility determinations under the CCDF and TANF grants was transferred from DSHS to the Department. For a family to be eligible for child care assistance, state and federal rules require that at the time of application or reapplication, children must: ? Reside in Washington and be a citizen or legal resident of the United States; ? Be younger than 13 years, or if for verified special needs, be younger than 19 years; ? Reside with a parent(s) or guardian whose countable income does not exceed 200 percent of the federal poverty level at application or 220 percent at reapplication for July, August and September 2021 but in October 2021 changed to 60 percent of the state median income at application or 65 percent of the state median income at reapplication; ? Reside with a parent(s) or guardian who works or attends a job-training or education program, or needs to be receiving protective services. State rules describe the information clients must provide to the Department to verify their eligibility. The information must be accurate, complete, consistent and from a reliable source. This information includes, but is not limited to, employer and hourly wage information, proof of an approved activity under TANF, and family household size and composition. Once determined to be eligible for the program, a client is eligible for one year unless a change in income causes the client to exceed 85 percent of the state?s median income The Department requires that clients self-report such income changes. A written notice communicates the recipients? reporting requirement and the specific dollar threshold applicable to the household?s annual income. Once the client?s income exceeds this cutoff level, the Department terminates services. The Department has access to systems that contain wage and household benefit and composition data for some, but not all, child care recipients. The Department uses this information in part to determine program eligibility, benefit level, including client copayment, and the amount of child care the family is eligible to receive. If an ineligible client receives assistance, the payment made to the child care provider is not allowable and the client must repay the ineligible amount. The Department also uses household income to determine the amount families must contribute for their monthly copay to providers. Beginning July 1, 2021, monthly copayments were calculated using an updated schedule described in Washington Administrative Code 110-15-0075. Federal regulations require the Department to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the past 10 audits, we reported findings related to eligibility for the Working Connections Child Care program. In these prior audits, we reported the Department did not have adequate internal controls over the eligibility process for child care subsidy recipients. These were reported as finding numbers 2021-035, 2020-039, 2019-032, 2018-030, 2017-026, 2016-023, 2015-026, 2014-026, 2013-017 and 2012-30. Description of Condition The Department did not have adequate internal controls over and did not comply with client eligibility requirements for CCDF and TANF. During the audit period the Department determined 69,815 children were eligible for child care. We used a statistical sampling method to randomly select and examine 59 of these determinations. In four instances (6.8 percent), we found the Department made eligibility determinations improperly, did not obtain required documentation, incorrectly assessed copayment, or did not verify information before authorizing services. Specifically, we found: ? Two cases (3.4 percent) where the Department had incorrectly determined household composition and did not obtain sufficient data for all parents in the household to make an accurate eligibility determination. ? One case (1.7 percent) where the Department did not follow procedure for verifying employment, which led to an incorrect household income calculation. ? One case (1.7 percent) where the copay was incorrectly assessed, which resulted in an underpayment due to a system error. Though the Department has established internal controls, they were insufficient for ensuring material compliance with client eligibility requirements. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Department staff made eligibility determinations without obtaining sufficient supporting documentation to ensure households were eligible to receive assistance. This deviated from the standard policies and procedures the Department has established, and management did not monitor sufficiently to ensure staff made proper eligibility determinations. Further, the incorrect copay calculation was due to system error. Effect of Condition and Questioned Costs By not implementing adequate internal controls, the Department is at higher risk of paying providers for child care services when clients are ineligible. Of the four client eligibility determinations that had errors, three resulted in $10,767 of federal overpayments to providers. The Department used $5,078 in CCDF grant funds and $5,689 in TANF grant funds for these payments. Because we used a statistical sampling method to randomly select the payments examined in the audit, we estimate the amount of likely improper payments to be $6,008,693 for the CCDF grant and $6,731,953 for the TANF grant. Although we identified known and likely questioned costs, we do not have reasonable assurance that the payments in question are appropriately represented in the Department?s accounting records because of the grant management practice issue reported in findings 2022-035 and 2022-041. Additionally, the payments in question are duplicative of the costs already questioned in the aforementioned provider payment findings. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Department improve its internal controls over determining client eligibility to ensure it: ? Reviews eligibility determinations sufficiently to detect improper eligibility determinations ? Reviews sufficient support for clients? income and household composition information for accuracy We also recommend the Department consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Department`s Response The Department appreciates, acknowledges, and supports SAO?s mission, which is to hold state and local government accountable for the use of public resources. Further, we appreciate SAO?s work with us over the past year to strengthen the auditing process. Due to recent changes to CCSP directed by the Legislature, the Department anticipates continued reduction in eligibility determination errors. The Fair Start for Kids Act (FSKA) required the Department to make several changes that expanded eligibility during SFY 2022. The FSKA increased the State Median Income (SMI) threshold, allowing more two parent households to be eligible for child care subsidy. The FSKA also capped copayments to $115 for applicants and $215 for reapplicants, greatly reducing the copay amounts for typical two parent households. These changes are disincentives for fraud as struggling families receive needed benefits and are more likely to provide accurate and complete information. This is supported by the overall reduction in investigation requests submitted to the Office of Fraud and Accountability. In the federal fiscal year prior to the implementation of the FSKA, the Department submitted 1,405 requests for investigations. The year following FSKA implementation requests for investigations fell to 912. The Department continues to explore ways to remove the possibility for improper use of CCDF funds. The Department agrees with the SAO that there is a need to review household composition at application and reapplication to improve reliability of eligibility decisions. The Department accesses data across available state systems to confirm information, including household composition provided by clients. Unfortunately, there is no household composition verification system, and information provided to other state agencies is often provided by client self-attestation. The Department continues to balance verification requirements with providing timely benefit decisions to support family access to high quality child care. Eighty-six percent of households receiving child care subsidies are headed by single parents. Supporting these families with child care is essential for their continued participation in work, education, and other social service programs. The Department provides training for eligibility in the specific areas of household composition and income determination and improvements to training are ongoing. The Department recently made changes to the professional development and training process to improve staff skills and accuracy. Staff training is in a continuous improvement cycle and evolves with staff needs and changes in rule. The Department will continue to improve processes and internal controls and create and deliver staff training based on current data trends and patterns. Auditor?s Remarks We thank the Department for its cooperation and assistance throughout the audit. We will review the status of the Department?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Washington Administrative Code (WAC) 110-15-0015 ? Determining family size, states in part: (1) DCYF determines a consumer?s family size as follows: (a) For a single parent, including a minor parent living independently, DCYF counts the consumer and the consumer?s children; (b) For unmarried parents who have at least one mutual child, DCYF counts both parents and all of their children living in the household; (c) Unmarried parents who have no mutual children are counted as separate WCCC households, the unmarried parents and their respective children living in the household; (d) For married parents, DCYF counts both parents and all of their children living in the household; (e) For parents who are undocumented aliens as defined in WAC 388-424-0001, DCYF counts the parents and children, documented and undocumented, and all other family rules in this section apply. Children needing care must meet citizenship requirements described in WAC 110-15-0005; (f) For a legal guardian verified by a legal or court document, adult sibling or step-sibling, nephew, niece, aunt, uncle, grandparent, any of these relatives with the prefix ?great,? such as a ?great-nephew,? or an in loco parentis custodian who is not related to the child as described in WAC 110-15-0005, DCYF counts only the children and only the children?s income is counted; (g) For a parent who is out of the household because of employer requirements, such as training or military service, and expected to return to the household, DCYF counts the consumer, the absent parent, and the children; (h) For a parent who is voluntarily out of the household for reasons other than requirements of the employer, such as unapproved schooling and visiting family members, and is expected to return to the household, DCYF counts the consumer, the absent parent, and the children. WAC 110-15-0020 and all other family and household rules in this section apply; (i) For a parent who is out of the country and waiting for legal reentry in to the United States, DCYF counts only the consumer and children residing in the United States and all other family and household rules in this section apply; (j) An incarcerated parent is not part of the household count for determining income and eligibility. DCYF counts the remaining household members using all other family rules in this section; and (k) For a parent incarcerated at a Washington state correctional facility whose child lives with them at the facility, DCYF counts the parent and child as their own household. (2) When the household consists of the consumer?s own child and another child identified in subsection (1)(f) of this section, the household may be combined into one household or kept as distinct households for the benefit of the consumer. WAC 110-15-0065 ? Calculation of income, states in part: DSHS uses a consumer?s countable income when determining income eligibility and copayment. A consumer?s countable income is the sum of all income listed in WAC 110-15-0060 minus any child support paid out through a court order, division of child support administrative order, or tribal government order. (1) To determine a consumer?s income, DSHS either: (a) Calculates an average monthly income by: (i) Determining the number of months, weeks or pay periods it took the consumer?s WCCC household to earn the income; and dividing the income by the same number of months, weeks or pay periods. (ii) If the past wages are no longer reflective of the current income, DSHS may accept the employer?s statement of current, anticipated wages for future income determination. (b) When the consumer begins new employment and has less than three months of wages, DSHS uses the best available estimate of the consumer?s WCCC household?s current income: (i) As verified by the consumer?s employer; or (ii) As provided by the consumer through a verbal or written statement documenting the new employment at the time of application, reapplication or change reporting, and wage verification within sixty days of DSHS request. (2) If a consumer receives a lump sum payment (such as money from the sale of property or back child support payment) in the month of application or during the consumer?s WCCC eligibility: (a) DSHS calculates a monthly amount by dividing the lump sum payment by twelve; (b) DSHS adds the monthly amount to the consumer?s expected average monthly income: (i) For the month it was received; and (ii) For the remaining months of the current eligibility period; and (c) To remain eligible for WCCC the consumer must meet WCCC income guidelines after the lump sum payment is applied. WAC 110-15-0075 ? Determining income eligibility and copayment amounts, states (effective prior to October 1, 2021): (1) DCYF takes the following steps to determine a consumer?s eligibility and copayment, whether care is provided under a WCCC voucher or contract: (a) Determine the consumer?s family size (under WAC 110-15-0015); (b) Determine the consumer?s countable income (under WAC 110-15-0065). (2) DCYF calculates the consumer?s copayment as follows: If a consumer?s income is: Then the consumer?s copayment is: (a) At or below 82% of the federal poverty guidelines (FPG). $15 (b) Above 82% of the FPG up to 137.5% of the FPG. $65 (c) Above 137.5% of the FPG through 200% of the FPG. The dollar amount equal to subtracting 137.5% of the FPG from countable income, multiplying by 50%, then adding $65, up to a maximum of $115. (3) DCYF does not prorate the copayment when a consumer uses care for part of a month. (4) The FPG is updated every year. The WCCC eligibility level is updated at the same time every year to remain current with the FPG. WAC 110-15-0075 ? Determining income eligibility and copayment amounts, states (effective beginning October 1, 2021): (1) DCYF takes the following steps to determine consumers? eligibility and copayments, when care is provided under a WCCC voucher or contract: (a) Determine their family size as described in WAC 110-15-0015; and (b) Determine their countable income as described in WAC 110-15-0065. (2) DCYF calculates consumers? copayments as follows: If the household?s income is: Then the household?s maximum monthly copayment is: At or below 20 percent of the SMI Waived Above 20 percent and at or below 36 percent of the SMI $65 Above 36 percent and at or below 50 percent of the SMI $90 Above 50 percent and at or below 60 percent of the SMI $115 At reapplication, above 60 percent and at or below 65 percent of the SMI $215 (3) DCYF does not prorate copayments when consumers use care for only part of a month. (4) For parents age 21 years or younger who attend high school or are working towards completing a high school equivalency certificate, copayments are not required.
2022-035 The Department of Children, Youth, and Families did not have adequate internal controls over and did not comply with requirements to ensure payments to child care providers paid with Temporary Assistance for Needy Families funds were allowable and properly supported. Assistance Listing Number and Title: 93.558 Temporary Assistance for Needy Families Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2101WATANF; 2201WATANF Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Known Questioned Cost Amount: $67,699,429 Background The Department of Social and Health Services (DSHS), Community Services Office, administers the Temporary Assistance for Needy Families (TANF) grant that provides temporary cash assistance for families in need. To receive TANF benefits, participants must be engaged in activities listed in the Individual Responsibility Plan through the WorkFirst program, unless the TANF benefits are received only on behalf of a child. TANF grant funds are also used to pay clients? child care costs to meet one of the program?s primary purposes of helping clients obtain employment. Washington has established the Working Connections Child Care (WCCC) program to help eligible working families pay for child care. Both the Department of Children, Youth, and Families (Department) and DSHS administer the program. The Department is responsible for establishing policies and procedures for licensing child care providers and paying them for allowable child care services. DSHS determines TANF client eligibility and reimburses the Department for child care payments under an agreement between the two agencies. The Department uses its Social Service Payment System (SSPS) to process the payments it makes to child care providers. The system allocates payments to various funding sources, based on the eligibility of the client. These funding sources include multiple federal programs, multiple Child Care Development Fund (CCDF) federal grant awards, and state funding. The Department uploads the payment data into the state?s accounting system at a summary level based on the various funding sources. DSHS worked with the Department to setup coding in the Payment Allocating Model (PAM) system that looks at the client-level information and then assigns the correct TANF source of funds. Once source of funds is identified, that information is then sent to SSPS for allocation assignment. The Department prepares electronic reports for funds allocated to TANF funding sources and sends DSHS a monthly bill. There is always a need to transfer the funding sources for some payments throughout the year to manage federal and state funds properly. Prior to state fiscal year 2021, the Department prepared supporting documentation for transfers that included details of what payments it was transferring. The purpose of documenting this detail was to maintain proper support for federal expenditures. Some payments the Department makes for child care are funded by both the CCDF and TANF grants. While the two federal programs are separate, the requirements and policies in Washington for child care payments are consolidated under the WCCC program. Federal regulations require grant fund expenditures to be adequately supported to show that they have been used in accordance with program requirements. In fiscal year 2022, DSHS incurred $67,699,429 in child care service-related expenditures. Federal regulations require recipients to establish and follow internal controls that ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit, we reported the Department did not have adequate internal controls over and did not comply with requirements to ensure payments to child care providers paid with TANF funds were allowable and properly supported. The prior finding number was 2021-028. Description of Condition The Department did not have adequate internal controls over and did not comply with requirements to ensure payments to child care providers paid with TANF funds were allowable and properly supported. In order to identify TANF-funded payments the Department made to child care providers, we requested a population of payments charged to TANF sources from SSPS. However, during the fiscal year 2021 audit, management informed us the Department had changed its grant management practices to process expenditure transfers at the grant level. This new process made the original expenditure coding in SSPS inaccurate and unreliable for testing. As a result, we could not trace the federal funds to a level of expenditure adequate to establish whether the Department spent TANF funds in accordance with federal and state regulations. As a result, we could not test the Department?s payments to child care providers for compliance with activities allowed and cost principles. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition The Department is required to maintain sufficient documentation for each payment it makes with federal dollars. Management decided to modify the Department?s accounting practices in a way that now prevents it from meeting this requirement. The Department implemented what management referred to as fund-level accounting. This consisted of making significant accounting adjustments between funding sources in its general ledger without identifying the underlying transactions from SSPS that supported the adjustments. This affected all populations of child care expenditures for every month of the fiscal year. Officials from the U.S. Department of Health and Human Services informed the Department that these accounting practices do not comply with federal law, but management said they believe they are compliant. Effect of Condition and Questioned Costs By not complying with federal law regarding maintaining adequate supporting documentation for expenditures, the Department created a condition that made it impossible for our Office to audit the federal dollars it used for payments to child care providers. Because we could not test transaction-level detail, we also could not determine whether the issues we identified in prior audits had improved or worsened, including the Department?s lack of adequate internal controls and significant rate of noncompliance for payments to child care providers. Because the Department did not comply with federal requirements to allow for the tracing of grant expenditures to a payment level, we are questioning all $67,699,429 in federal program costs for child care payments that DSHS incurred during the audit period. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Department: ? Design and implement internal controls to ensure transaction-level data is sufficient to comply with federal law and state rules ? Update service level agreements with DSHS to ensure payments are sufficient and properly supported ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Department?s Response The Working Connections Child Care (WCCC) program was previously managed by the Department of Social and Health Services (DSHS) and the Department of Early Learning. Since the program transitioned in 2019, the Department has been making efforts to strengthen internal controls over payments to child care providers and other grant requirements. The Department implemented grant-level management of all federal funds, including the TANF grant. The Department allocated the TANF grant to eligible clients and allowable activities in compliance with 45 CFR 98.67. For the fiscal year 2021 program audit, the State Auditor?s Office (SAO) issued a finding with $32 questioned costs for non-compliance with the CCDF eligibility requirement. No other findings, management letters, or exit items were reported in this compliance area or the cost allocation of funds based on eligibility for the CCDF or TANF grants. Given that eligibility or cost allocation has not been an area of concern, and transfers were processed between TANF and CCDF source of funds with the same eligibility criteria, the Department is assured that TANF funding was spent appropriately within federal regulations. In the Cause of Condition, the SAO stated, ?HHS officials informed the Department that these accounting practices do not comply with federal law, but management said they believe they are compliant.? The Department does not agree with this interpretation of the meeting outcome. During this informal meeting, on February 23, 2022, the State Auditor?s Office, Office of Financial Management, and the Department met with HHS and they stated they would not offer an opinion until they received the completed finding from the state. As part of the audit resolution process, HHS Administration for Children and Families?, which oversees the TANF and CCDF programs at the federal level, reviews all SAO findings and issues management decision letters. The letters will reflect the grantor?s determination of whether an audit finding is sustained, the reasons for the decision, and the required actions by the auditee. When a management decision is issued for the fiscal year 2022 finding, the Department will work with HHS and follow the audit resolution process. The Department is committed to improving internal controls. The Department does not currently have the resources to develop and maintain the business process redesign, as well as the information technology initiatives necessary to meet the level of assurance recommended by SAO. In response to prior year?s audit recommendations, the Department has submitted a budget request to the Legislature in the 2023-2025 biennial budget for additional resources to process adjustments to include transaction-level data. Auditor?s Remarks The level of assurance needed to support grant expenditures is not established by our Office, but in titles 2 and 45 of the Code of Federal Regulations and the State?s grant award. We appreciate the Department?s commitment to resolving these matters and will review the status of the Department?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.53 defines improper payments. Part 200.403 establishes factors affecting allowability of costs. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11.
2022-036 The Department of Children, Youth, and Families did not have adequate internal controls over and did not comply with client eligibility requirements for child care services paid with the Child Care and Development Fund and Temporary Assistance for Needy Families funds. Assistance Listing Number and Title: 93.558, Temporary Assistance for Needy Families 93.575, Child Care and Development Block Grant 93.575, COVID-19 Child Care and Development Block Grant 93.596, Child Care Mandatory and Matching Funds of the Child Care and Development Fund Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2003WACCDF; 2103WACCDF; 2203WACCDF; 2003WACCC3; 2103WACDC6; 2103WACSC6; 2103WACCC5; 2103WACCDD; 2203WACCDD; 2101WATANF; 2201WATANF Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Eligibility Known Questioned Cost Amount: Temporary Assistance for Needy Families ? $5,689 Child Care and Development Fund ? $5,078 Background The Department of Children, Youth, and Families administers the federal Child Care and Development Fund (CCDF) grant to help eligible working families pay for child care. In fiscal year 2022, the Department spent $668.6 million in CCDF federal funding. The Department of Social and Health Services (DSHS) administers the Temporary Assistance for Needy Families (TANF) grant. To meet one of the program?s primary purposes of helping clients obtain employment, TANF grant funds may be used to pay clients? child care costs. If a client obtains employment and is no longer eligible for the program, TANF funds may still be used to pay child care costs to help the client maintain employment. In fiscal year 2022, the Department spent more than $260.5 million in CCDF and $67.7 million in TANF federal grant funds on child care subsidy payments to providers. Some payments made for child care are paid for by both the CCDF and TANF grants. While the two federal programs are separate, the requirements and policies in Washington for child care payments are consolidated under the Working Connections Child Care program. As of July 1, 2019, the responsibility for making and documenting child care eligibility determinations under the CCDF and TANF grants was transferred from DSHS to the Department. For a family to be eligible for child care assistance, state and federal rules require that at the time of application or reapplication, children must: ? Reside in Washington and be a citizen or legal resident of the United States; ? Be younger than 13 years, or if for verified special needs, be younger than 19 years; ? Reside with a parent(s) or guardian whose countable income does not exceed 200 percent of the federal poverty level at application or 220 percent at reapplication for July, August and September 2021 but in October 2021 changed to 60 percent of the state median income at application or 65 percent of the state median income at reapplication; ? Reside with a parent(s) or guardian who works or attends a job-training or education program, or needs to be receiving protective services. State rules describe the information clients must provide to the Department to verify their eligibility. The information must be accurate, complete, consistent and from a reliable source. This information includes, but is not limited to, employer and hourly wage information, proof of an approved activity under TANF, and family household size and composition. Once determined to be eligible for the program, a client is eligible for one year unless a change in income causes the client to exceed 85 percent of the state?s median income The Department requires that clients self-report such income changes. A written notice communicates the recipients? reporting requirement and the specific dollar threshold applicable to the household?s annual income. Once the client?s income exceeds this cutoff level, the Department terminates services. The Department has access to systems that contain wage and household benefit and composition data for some, but not all, child care recipients. The Department uses this information in part to determine program eligibility, benefit level, including client copayment, and the amount of child care the family is eligible to receive. If an ineligible client receives assistance, the payment made to the child care provider is not allowable and the client must repay the ineligible amount. The Department also uses household income to determine the amount families must contribute for their monthly copay to providers. Beginning July 1, 2021, monthly copayments were calculated using an updated schedule described in Washington Administrative Code 110-15-0075. Federal regulations require the Department to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the past 10 audits, we reported findings related to eligibility for the Working Connections Child Care program. In these prior audits, we reported the Department did not have adequate internal controls over the eligibility process for child care subsidy recipients. These were reported as finding numbers 2021-035, 2020-039, 2019-032, 2018-030, 2017-026, 2016-023, 2015-026, 2014-026, 2013-017 and 2012-30. Description of Condition The Department did not have adequate internal controls over and did not comply with client eligibility requirements for CCDF and TANF. During the audit period the Department determined 69,815 children were eligible for child care. We used a statistical sampling method to randomly select and examine 59 of these determinations. In four instances (6.8 percent), we found the Department made eligibility determinations improperly, did not obtain required documentation, incorrectly assessed copayment, or did not verify information before authorizing services. Specifically, we found: ? Two cases (3.4 percent) where the Department had incorrectly determined household composition and did not obtain sufficient data for all parents in the household to make an accurate eligibility determination. ? One case (1.7 percent) where the Department did not follow procedure for verifying employment, which led to an incorrect household income calculation. ? One case (1.7 percent) where the copay was incorrectly assessed, which resulted in an underpayment due to a system error. Though the Department has established internal controls, they were insufficient for ensuring material compliance with client eligibility requirements. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Department staff made eligibility determinations without obtaining sufficient supporting documentation to ensure households were eligible to receive assistance. This deviated from the standard policies and procedures the Department has established, and management did not monitor sufficiently to ensure staff made proper eligibility determinations. Further, the incorrect copay calculation was due to system error. Effect of Condition and Questioned Costs By not implementing adequate internal controls, the Department is at higher risk of paying providers for child care services when clients are ineligible. Of the four client eligibility determinations that had errors, three resulted in $10,767 of federal overpayments to providers. The Department used $5,078 in CCDF grant funds and $5,689 in TANF grant funds for these payments. Because we used a statistical sampling method to randomly select the payments examined in the audit, we estimate the amount of likely improper payments to be $6,008,693 for the CCDF grant and $6,731,953 for the TANF grant. Although we identified known and likely questioned costs, we do not have reasonable assurance that the payments in question are appropriately represented in the Department?s accounting records because of the grant management practice issue reported in findings 2022-035 and 2022-041. Additionally, the payments in question are duplicative of the costs already questioned in the aforementioned provider payment findings. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Department improve its internal controls over determining client eligibility to ensure it: ? Reviews eligibility determinations sufficiently to detect improper eligibility determinations ? Reviews sufficient support for clients? income and household composition information for accuracy We also recommend the Department consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Department`s Response The Department appreciates, acknowledges, and supports SAO?s mission, which is to hold state and local government accountable for the use of public resources. Further, we appreciate SAO?s work with us over the past year to strengthen the auditing process. Due to recent changes to CCSP directed by the Legislature, the Department anticipates continued reduction in eligibility determination errors. The Fair Start for Kids Act (FSKA) required the Department to make several changes that expanded eligibility during SFY 2022. The FSKA increased the State Median Income (SMI) threshold, allowing more two parent households to be eligible for child care subsidy. The FSKA also capped copayments to $115 for applicants and $215 for reapplicants, greatly reducing the copay amounts for typical two parent households. These changes are disincentives for fraud as struggling families receive needed benefits and are more likely to provide accurate and complete information. This is supported by the overall reduction in investigation requests submitted to the Office of Fraud and Accountability. In the federal fiscal year prior to the implementation of the FSKA, the Department submitted 1,405 requests for investigations. The year following FSKA implementation requests for investigations fell to 912. The Department continues to explore ways to remove the possibility for improper use of CCDF funds. The Department agrees with the SAO that there is a need to review household composition at application and reapplication to improve reliability of eligibility decisions. The Department accesses data across available state systems to confirm information, including household composition provided by clients. Unfortunately, there is no household composition verification system, and information provided to other state agencies is often provided by client self-attestation. The Department continues to balance verification requirements with providing timely benefit decisions to support family access to high quality child care. Eighty-six percent of households receiving child care subsidies are headed by single parents. Supporting these families with child care is essential for their continued participation in work, education, and other social service programs. The Department provides training for eligibility in the specific areas of household composition and income determination and improvements to training are ongoing. The Department recently made changes to the professional development and training process to improve staff skills and accuracy. Staff training is in a continuous improvement cycle and evolves with staff needs and changes in rule. The Department will continue to improve processes and internal controls and create and deliver staff training based on current data trends and patterns. Auditor?s Remarks We thank the Department for its cooperation and assistance throughout the audit. We will review the status of the Department?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Washington Administrative Code (WAC) 110-15-0015 ? Determining family size, states in part: (1) DCYF determines a consumer?s family size as follows: (a) For a single parent, including a minor parent living independently, DCYF counts the consumer and the consumer?s children; (b) For unmarried parents who have at least one mutual child, DCYF counts both parents and all of their children living in the household; (c) Unmarried parents who have no mutual children are counted as separate WCCC households, the unmarried parents and their respective children living in the household; (d) For married parents, DCYF counts both parents and all of their children living in the household; (e) For parents who are undocumented aliens as defined in WAC 388-424-0001, DCYF counts the parents and children, documented and undocumented, and all other family rules in this section apply. Children needing care must meet citizenship requirements described in WAC 110-15-0005; (f) For a legal guardian verified by a legal or court document, adult sibling or step-sibling, nephew, niece, aunt, uncle, grandparent, any of these relatives with the prefix ?great,? such as a ?great-nephew,? or an in loco parentis custodian who is not related to the child as described in WAC 110-15-0005, DCYF counts only the children and only the children?s income is counted; (g) For a parent who is out of the household because of employer requirements, such as training or military service, and expected to return to the household, DCYF counts the consumer, the absent parent, and the children; (h) For a parent who is voluntarily out of the household for reasons other than requirements of the employer, such as unapproved schooling and visiting family members, and is expected to return to the household, DCYF counts the consumer, the absent parent, and the children. WAC 110-15-0020 and all other family and household rules in this section apply; (i) For a parent who is out of the country and waiting for legal reentry in to the United States, DCYF counts only the consumer and children residing in the United States and all other family and household rules in this section apply; (j) An incarcerated parent is not part of the household count for determining income and eligibility. DCYF counts the remaining household members using all other family rules in this section; and (k) For a parent incarcerated at a Washington state correctional facility whose child lives with them at the facility, DCYF counts the parent and child as their own household. (2) When the household consists of the consumer?s own child and another child identified in subsection (1)(f) of this section, the household may be combined into one household or kept as distinct households for the benefit of the consumer. WAC 110-15-0065 ? Calculation of income, states in part: DSHS uses a consumer?s countable income when determining income eligibility and copayment. A consumer?s countable income is the sum of all income listed in WAC 110-15-0060 minus any child support paid out through a court order, division of child support administrative order, or tribal government order. (1) To determine a consumer?s income, DSHS either: (a) Calculates an average monthly income by: (i) Determining the number of months, weeks or pay periods it took the consumer?s WCCC household to earn the income; and dividing the income by the same number of months, weeks or pay periods. (ii) If the past wages are no longer reflective of the current income, DSHS may accept the employer?s statement of current, anticipated wages for future income determination. (b) When the consumer begins new employment and has less than three months of wages, DSHS uses the best available estimate of the consumer?s WCCC household?s current income: (i) As verified by the consumer?s employer; or (ii) As provided by the consumer through a verbal or written statement documenting the new employment at the time of application, reapplication or change reporting, and wage verification within sixty days of DSHS request. (2) If a consumer receives a lump sum payment (such as money from the sale of property or back child support payment) in the month of application or during the consumer?s WCCC eligibility: (a) DSHS calculates a monthly amount by dividing the lump sum payment by twelve; (b) DSHS adds the monthly amount to the consumer?s expected average monthly income: (i) For the month it was received; and (ii) For the remaining months of the current eligibility period; and (c) To remain eligible for WCCC the consumer must meet WCCC income guidelines after the lump sum payment is applied. WAC 110-15-0075 ? Determining income eligibility and copayment amounts, states (effective prior to October 1, 2021): (1) DCYF takes the following steps to determine a consumer?s eligibility and copayment, whether care is provided under a WCCC voucher or contract: (a) Determine the consumer?s family size (under WAC 110-15-0015); (b) Determine the consumer?s countable income (under WAC 110-15-0065). (2) DCYF calculates the consumer?s copayment as follows: If a consumer?s income is: Then the consumer?s copayment is: (a) At or below 82% of the federal poverty guidelines (FPG). $15 (b) Above 82% of the FPG up to 137.5% of the FPG. $65 (c) Above 137.5% of the FPG through 200% of the FPG. The dollar amount equal to subtracting 137.5% of the FPG from countable income, multiplying by 50%, then adding $65, up to a maximum of $115. (3) DCYF does not prorate the copayment when a consumer uses care for part of a month. (4) The FPG is updated every year. The WCCC eligibility level is updated at the same time every year to remain current with the FPG. WAC 110-15-0075 ? Determining income eligibility and copayment amounts, states (effective beginning October 1, 2021): (1) DCYF takes the following steps to determine consumers? eligibility and copayments, when care is provided under a WCCC voucher or contract: (a) Determine their family size as described in WAC 110-15-0015; and (b) Determine their countable income as described in WAC 110-15-0065. (2) DCYF calculates consumers? copayments as follows: If the household?s income is: Then the household?s maximum monthly copayment is: At or below 20 percent of the SMI Waived Above 20 percent and at or below 36 percent of the SMI $65 Above 36 percent and at or below 50 percent of the SMI $90 Above 50 percent and at or below 60 percent of the SMI $115 At reapplication, above 60 percent and at or below 65 percent of the SMI $215 (3) DCYF does not prorate copayments when consumers use care for only part of a month. (4) For parents age 21 years or younger who attend high school or are working towards completing a high school equivalency certificate, copayments are not required.
2022-053 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure clients were eligible for the Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 1905WA5021; 2105WA5021; 2205WA5021; Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Eligibility Known Questioned Cost Amount: $3,036,657 Background The Health Care Authority administers the Children?s Health Insurance Program (CHIP). CHIP is a jointly funded state and federal partnership providing insurance coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. Federal CHIP financing is capped, and each state operates under an allotment. During fiscal year 2022, the Authority spent more than $229 million in state and federal funds to administer CHIP. To determine initial eligibility for CHIP, families must complete an application in the Washington Health Benefit Exchange, known as Washington Healthplanfinder, or through a streamlined paper application. Once families complete their applications, electronic verification sources confirm their income, immigration status and Social Security numbers (SSNs). The Authority automatically reviews applicants? eligibility first for Medicaid and then for CHIP if they are ineligible for Medicaid. Children in low-income families who are ineligible for Medicaid are enrolled in CHIP under the state CHIP plan. Washington has also elected to cover the prenatal period of some low-income pregnant people under the state CHIP plan. CHIP clients must be either U.S. citizens or lawfully present qualified noncitizens, and their eligibility is based on self-attested income in their applications; therefore, clients with verified citizenship and SSNs would be determined eligible if their reported income was between 210 percent and 312 percent of the federal poverty level. Once the Authority determines clients? initial eligibility, their start date is recorded as the first of the month in which their application was submitted, thus allowing for payments prior to approval to be processed after the fact. Children found eligible for medical assistance remain continuously eligible for a full 12 months, regardless of any changes in their household income or third-party liability. Households must report financial and nonfinancial changes, but these will not render them ineligible during the continuous eligibility period. However, if recipients? household income decreases, the Authority can move children to a more favorable program, such as Medicaid, to eliminate the premium payment requirements. Termination during the continuous eligibility period is acceptable only for the following reasons: ? Changes in residency (permanent move out of state) ? Death ? Fraud (unless it is going to prosecution) ? Failure to pay the premium for more than three months ? The child turns 19 years old (remains eligible through the end of their birth month) ? After the end of the month in which the postpartum period ends for pregnant people ? When a client requests to be removed from the program In response to the COVID-19 pandemic, the Centers for Medicare and Medicaid Services (CMS) approved waivers and disaster relief state plan amendments (SPA), effective March 1, 2020, through the end of the public health emergency declaration, allowing flexibilities to ensure the continuity of coverage through the public health emergency. The waivers and SPA allowed the Authority to implement flexibilities, including the following: ? Allow self-attestations for all eligibility requirements, excluding citizenship and immigration status, on a case-by-case basis ? Extend the redetermination timeline for current CHIP enrollees in the state to maintain continuity of coverage as permissible From the start of the pandemic, CMS kept an ongoing Frequently Asked Questions (FAQs) document to aid state Medicaid and CHIP agencies in their response to COVID-19, including guidance on eligibility, benefits and financing regarding the pandemic. This document was finalized on January 6, 2021. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit we reported the Authority did not have adequate internal controls to ensure clients were eligible for CHIP. The prior finding number was 2021-046. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure clients were eligible for CHIP. We used a statistically valid sampling method to randomly select and examine 59 out of a total population of 93,793 clients who had a federally verified SSN. We also used a statistically valid sampling method to randomly select and examine 59 out of a total population of 10,933 clients who did not have a federally verified SSN. For the sample of clients who had a verified SSN, we identified: ? One instance where the client aged out of services and was not referred to Washington Healthplanfinder to be redetermined eligible for Medicaid during the COVID-19 pandemic, as required. ? One instance where the Authority continued CHIP coverage for a client after the allowable postpartum period. For the sample of clients who did not have a federally verified SSN, we identified: ? Seventeen instances where the Authority continued CHIP coverage for clients after the allowable postpartum period. We also used computer-assisted audit techniques to analyze the entire client population. We found 3,416 clients who were over the age of 19 that were still receiving CHIP services during fiscal year 2022. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition The Authority chose not to remove clients from CHIP even when they aged out of coverage or their postpartum period ended. Effect of Condition and Questioned Costs By not having adequate internal controls, the Authority is at risk of not detecting or preventing ineligible payments of federal CHIP funds on behalf of recipients. We determined the following questioned costs: Audit Area Known Questions Costs (state and federal) Known questioned costs ? Federal portion only Likely improper payments (state and federal) Likely improper payments ? federal portion only Verified SSNs $ 2,117 $ 1,468 $ 3,365,166 $ 2,333,411 Non-Verified SSNs $14,760 $ 10,236 $ 2,735,142 $ 1,896,870 Over 19 years old $ 4,353,425 $ 3,024,953 $ 0 $ 0 Totals $ 4,370,302 $ 3,036,657 $ 6,100,308 $ 4,230,281 Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflect this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendation We recommend the Authority: ? Implement internal controls to ensure all clients meet CHIP eligibility requirements ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Authority?s Response The Authority does not concur with any of the results cited by the auditor related to CHIP program eligibility. The agency has worked with the Governor?s Office and the Office of Financial Management to continue equity of state funded coverage for all individuals during the public health emergency, including CHIPRA pregnancy coverage. The postpartum period in CHIPRA coverage is state-funded. The State Auditor?s Office did not allow the Authority enough time to obtain the journal vouchers from our accounting partners that show the use of state funds for these expenditures. Regarding the clients receiving CHIP benefits who were aged 19 and over, the agency has pursued, and been notified of approval for, an 1115 disaster waiver from the Centers for Medicare & Medicaid Services. The waiver approves funding for CHIP clients aged 19 and over during the public health emergency and is retroactive to March 18, 2020. Once the approval letter is received by the Authority, the associated federal expenditures identified by the auditor will be valid. The agency was provided very little time and flexibility to respond to the audit results during a time when the agency and its federal counterparts are inundated and backlogged with unwinding the public health emergency. Auditor?s Remarks We provided the Authority with preliminary exceptions on February 27, 2023 and on March 15th, the Authority provided additional information that cleared some of the exceptions. The draft finding was provided to the Authority on April 17, 2023. It was not until April 18th, after audit work was concluded, that the Authority asserted the postpartum exceptions we identified were transferred from federal funding to state funding with journal vouchers. Despite not conveying this information to us timely, we requested copies of the journal vouchers to attempt to confirm the Authority?s assertion. On April 25, 2023, the Authority informed us that staff were not able to pull the journal vouchers and we therefore could not determine whether any of the federally funded payments were subsequently transferred to state funding. For the clients aged 19 and over, there was no formal approval from CMS in place during the audit period or currently. Therefore, we conducted our audit in accordance with codified eligibility rules. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Title 42 CFR, Public Health Part 435 Subpart J, Eligibility in the States and District of Columbia, establishes the following applicable requirements: Section 435.926 Continuous eligibility for children, states in part: (b) Eligibility. The agency may provide continuous eligibility for the period specified in paragraph (c) of this section for an individual who is: (1) Under age 19 or under a younger age specified by the agency in its State plan; and (2) Eligible and enrolled for mandatory or optional coverage under the State plan in accordance with subpart B or C of this part. (c) Continuous eligibility period. (1) The agency must specify in the State plan the length of the continuous eligibility period, not to exceed 12 months. (2) A continuous eligibility period begins on the effective date of the individual?s eligibility under ? 435.915 or most recent redetermination or renewal of eligibility under ? 435.916 and ends after the period specified by the agency under paragraph (c)(1) of this section. (d) Applicability. A child?s eligibility may not be terminated during a continuous eligibility period, regardless of any changes in circumstances, unless: (1) The child attains the maximum age specified in accordance with paragraph (b)(1) of this section; (2) The child or child?s representative requests a voluntary termination of eligibility; (3) The child ceases to be a resident of the State; (4) The agency determines that eligibility was erroneously granted at the most recent determination, redetermination or renewal of eligibility because of agency error or fraud, abuse, or perjury attributed to the child or the child?s representative; or (5) The child dies. Title 42 CFR, Public Health, Part 457 establishes the following applicable requirements: Section 457.342 Continuous eligibility for children, states in part: (a) A State may provide continuous eligibility for children under a separate CHIP in accordance with the terms of ? 435.926 of this chapter, and subject to a child remaining ineligible for Medicaid, as required by section 2110(b)(1) of the Act and ? 457.310 (related to the definition and standards for being a targeted low-income child) and the requirements of section 2102(b)(3) of the Act and ? 457.350 (related to eligibility screening and enrollment). Section 457.380 Eligibility verification. (a) General requirements. Except where law requires other procedures (such as for citizenship and immigration status information), the State may accept attestation of information needed to determine the eligibility of an individual for CHIP (either self-attestation by the individual or attestation by an adult who is in the applicant?s household, as defined in ? 435.603(f) of this subchapter, or family, as defined in section 36B(d)(1) of the Internal Revenue Code, an authorized representative, or if the individual is a minor or incapacitated, someone acting responsibly for the individual) without requiring further information (including documentation) from the individual. (b) Status as a citizen, national or a non-citizen. (1) Except for newborns identified in ? 435.406(a)(1)(iii)(E) of this chapter, who are exempt from any requirement to verify citizenship, the agency must ? (i) Verify citizenship or immigration status in accordance with ? 435.956(a) of this chapter, except that the reference to ? 435.945(k) is read as a reference to paragraph (i) of this section; and (ii) Provide a reasonable opportunity period to verify such status in accordance with ? 435.956(a)(5) and (b) of this chapter and provide benefits during such reasonable opportunity period to individuals determined to be otherwise eligible for CHIP. (2) [Reserved] (c) State residents. If the State does not accept self-attestation of residency, the State must verify residency in accordance with ? 435.956(c) of this chapter. (d) Income. If the State does not accept self-attestation of income, the State must verify the income of an individual by using the data sources and following standards and procedures for verification of financial eligibility consistent with ? 435.945(a), ? 435.948 and ? 435.952 of this chapter. (e) Verification of other factors of eligibility. For eligibility requirements not described in paragraphs (c) or (d) of this section, a State may adopt reasonable verification procedures, consistent with the requirements in ? 435.952 of this chapter, except that the State must accept self-attestation of pregnancy unless the State has information that is not reasonably compatible with such attestation. (f) Requesting information. The terms of ? 435.952 of this chapter apply equally to the State in administering a separate CHIP. (g) Electronic service. Except to the extent permitted under paragraph (i) of this section, to the extent that information sought under this section is available through the electronic service described in ? 435.949 of this chapter, the State must obtain the information through that service. (h) Interaction with program integrity requirements. Nothing in this section should be construed as limiting the State?s program integrity measures or affecting the State's obligation to ensure that only eligible individuals receive benefits or its obligation to provide for methods of administration that are in the best interest of applicants and enrollees and are necessary for the proper and efficient operation of the plan. (i) Flexibility in information collection and verification. Subject to approval by the Secretary, the State may modify the methods to be used for collection of information and verification of information as set forth in this section, provided that such alternative source will reduce the administrative costs and burdens on individuals and States while maximizing accuracy, minimizing delay, meeting applicable requirements relating to the confidentiality, disclosure, maintenance, or use of information, and promoting coordination with other insurance affordability programs. (j) Verification plan. The State must develop, and update as modified, and submit to the Secretary, upon request, a verification plan describing the verification policies and procedures adopted by the State to implement the provisions set forth in this section in a format and manner prescribed by the Secretary. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Plan Amendment Approval Letter from CMS dated July 15, 2020 states in part: This letter is to inform you that your title XXI Children?s Health Insurance Program (CHIP) state plan amendment (SPA), WA-20-0001, submitted on May 4, 2020, has been approved. This SPA has an effective date of March 1, 2020. This amendment, as it applies to the COVID-19 public health emergency (PHE), makes the following changes beginning March 18, 2020, unless otherwise noted, through the duration of the Federally-declared PHE: ? Delay acting on changes in circumstances for CHIP beneficiaries other than the required changes in circumstances described in 42 CFR 457.342(a) cross-referencing 42 CFR 435.926(d); COVID-19 Frequently Asked Questions (FAQs) for State Medicaid and Children?s Health Insurance Program (CHIP) Agencies (Last Updated January 6, 2021) Section J. Children?s Health Insurance Program (CHIP) states in part: 4. Can states continue coverage for the duration of the Public Health Emergency for individuals in a separate CHIP who are aging out of eligibility or ending their postpartum period? No. The requirement in section 6008(b)(3) of the FFCRA to maintain coverage in Medicaid in order to receive the temporary increase in the Medicaid federal medical assistance percentage does not apply to separate CHIPs. Therefore, states may not continue to provide separate CHIP coverage to young adults aging out or women ending their postpartum period. If the state determines that the individual is eligible for Medicaid, they may be transitioned to the appropriate Medicaid eligibility group. States may not transition individuals to Medicaid without first determining them eligible in accordance with 42 C.F.R ? 457.350(b). States are required to transfer the accounts of individuals losing CHIP eligibility who are determined to be ineligible for Medicaid to the Exchange, in accordance with 42 C.F.R ? 457.350(b)(3) and (i).
2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-053 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure clients were eligible for the Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 1905WA5021; 2105WA5021; 2205WA5021; Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Eligibility Known Questioned Cost Amount: $3,036,657 Background The Health Care Authority administers the Children?s Health Insurance Program (CHIP). CHIP is a jointly funded state and federal partnership providing insurance coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. Federal CHIP financing is capped, and each state operates under an allotment. During fiscal year 2022, the Authority spent more than $229 million in state and federal funds to administer CHIP. To determine initial eligibility for CHIP, families must complete an application in the Washington Health Benefit Exchange, known as Washington Healthplanfinder, or through a streamlined paper application. Once families complete their applications, electronic verification sources confirm their income, immigration status and Social Security numbers (SSNs). The Authority automatically reviews applicants? eligibility first for Medicaid and then for CHIP if they are ineligible for Medicaid. Children in low-income families who are ineligible for Medicaid are enrolled in CHIP under the state CHIP plan. Washington has also elected to cover the prenatal period of some low-income pregnant people under the state CHIP plan. CHIP clients must be either U.S. citizens or lawfully present qualified noncitizens, and their eligibility is based on self-attested income in their applications; therefore, clients with verified citizenship and SSNs would be determined eligible if their reported income was between 210 percent and 312 percent of the federal poverty level. Once the Authority determines clients? initial eligibility, their start date is recorded as the first of the month in which their application was submitted, thus allowing for payments prior to approval to be processed after the fact. Children found eligible for medical assistance remain continuously eligible for a full 12 months, regardless of any changes in their household income or third-party liability. Households must report financial and nonfinancial changes, but these will not render them ineligible during the continuous eligibility period. However, if recipients? household income decreases, the Authority can move children to a more favorable program, such as Medicaid, to eliminate the premium payment requirements. Termination during the continuous eligibility period is acceptable only for the following reasons: ? Changes in residency (permanent move out of state) ? Death ? Fraud (unless it is going to prosecution) ? Failure to pay the premium for more than three months ? The child turns 19 years old (remains eligible through the end of their birth month) ? After the end of the month in which the postpartum period ends for pregnant people ? When a client requests to be removed from the program In response to the COVID-19 pandemic, the Centers for Medicare and Medicaid Services (CMS) approved waivers and disaster relief state plan amendments (SPA), effective March 1, 2020, through the end of the public health emergency declaration, allowing flexibilities to ensure the continuity of coverage through the public health emergency. The waivers and SPA allowed the Authority to implement flexibilities, including the following: ? Allow self-attestations for all eligibility requirements, excluding citizenship and immigration status, on a case-by-case basis ? Extend the redetermination timeline for current CHIP enrollees in the state to maintain continuity of coverage as permissible From the start of the pandemic, CMS kept an ongoing Frequently Asked Questions (FAQs) document to aid state Medicaid and CHIP agencies in their response to COVID-19, including guidance on eligibility, benefits and financing regarding the pandemic. This document was finalized on January 6, 2021. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit we reported the Authority did not have adequate internal controls to ensure clients were eligible for CHIP. The prior finding number was 2021-046. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure clients were eligible for CHIP. We used a statistically valid sampling method to randomly select and examine 59 out of a total population of 93,793 clients who had a federally verified SSN. We also used a statistically valid sampling method to randomly select and examine 59 out of a total population of 10,933 clients who did not have a federally verified SSN. For the sample of clients who had a verified SSN, we identified: ? One instance where the client aged out of services and was not referred to Washington Healthplanfinder to be redetermined eligible for Medicaid during the COVID-19 pandemic, as required. ? One instance where the Authority continued CHIP coverage for a client after the allowable postpartum period. For the sample of clients who did not have a federally verified SSN, we identified: ? Seventeen instances where the Authority continued CHIP coverage for clients after the allowable postpartum period. We also used computer-assisted audit techniques to analyze the entire client population. We found 3,416 clients who were over the age of 19 that were still receiving CHIP services during fiscal year 2022. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition The Authority chose not to remove clients from CHIP even when they aged out of coverage or their postpartum period ended. Effect of Condition and Questioned Costs By not having adequate internal controls, the Authority is at risk of not detecting or preventing ineligible payments of federal CHIP funds on behalf of recipients. We determined the following questioned costs: Audit Area Known Questions Costs (state and federal) Known questioned costs ? Federal portion only Likely improper payments (state and federal) Likely improper payments ? federal portion only Verified SSNs $ 2,117 $ 1,468 $ 3,365,166 $ 2,333,411 Non-Verified SSNs $14,760 $ 10,236 $ 2,735,142 $ 1,896,870 Over 19 years old $ 4,353,425 $ 3,024,953 $ 0 $ 0 Totals $ 4,370,302 $ 3,036,657 $ 6,100,308 $ 4,230,281 Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflect this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendation We recommend the Authority: ? Implement internal controls to ensure all clients meet CHIP eligibility requirements ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Authority?s Response The Authority does not concur with any of the results cited by the auditor related to CHIP program eligibility. The agency has worked with the Governor?s Office and the Office of Financial Management to continue equity of state funded coverage for all individuals during the public health emergency, including CHIPRA pregnancy coverage. The postpartum period in CHIPRA coverage is state-funded. The State Auditor?s Office did not allow the Authority enough time to obtain the journal vouchers from our accounting partners that show the use of state funds for these expenditures. Regarding the clients receiving CHIP benefits who were aged 19 and over, the agency has pursued, and been notified of approval for, an 1115 disaster waiver from the Centers for Medicare & Medicaid Services. The waiver approves funding for CHIP clients aged 19 and over during the public health emergency and is retroactive to March 18, 2020. Once the approval letter is received by the Authority, the associated federal expenditures identified by the auditor will be valid. The agency was provided very little time and flexibility to respond to the audit results during a time when the agency and its federal counterparts are inundated and backlogged with unwinding the public health emergency. Auditor?s Remarks We provided the Authority with preliminary exceptions on February 27, 2023 and on March 15th, the Authority provided additional information that cleared some of the exceptions. The draft finding was provided to the Authority on April 17, 2023. It was not until April 18th, after audit work was concluded, that the Authority asserted the postpartum exceptions we identified were transferred from federal funding to state funding with journal vouchers. Despite not conveying this information to us timely, we requested copies of the journal vouchers to attempt to confirm the Authority?s assertion. On April 25, 2023, the Authority informed us that staff were not able to pull the journal vouchers and we therefore could not determine whether any of the federally funded payments were subsequently transferred to state funding. For the clients aged 19 and over, there was no formal approval from CMS in place during the audit period or currently. Therefore, we conducted our audit in accordance with codified eligibility rules. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Title 42 CFR, Public Health Part 435 Subpart J, Eligibility in the States and District of Columbia, establishes the following applicable requirements: Section 435.926 Continuous eligibility for children, states in part: (b) Eligibility. The agency may provide continuous eligibility for the period specified in paragraph (c) of this section for an individual who is: (1) Under age 19 or under a younger age specified by the agency in its State plan; and (2) Eligible and enrolled for mandatory or optional coverage under the State plan in accordance with subpart B or C of this part. (c) Continuous eligibility period. (1) The agency must specify in the State plan the length of the continuous eligibility period, not to exceed 12 months. (2) A continuous eligibility period begins on the effective date of the individual?s eligibility under ? 435.915 or most recent redetermination or renewal of eligibility under ? 435.916 and ends after the period specified by the agency under paragraph (c)(1) of this section. (d) Applicability. A child?s eligibility may not be terminated during a continuous eligibility period, regardless of any changes in circumstances, unless: (1) The child attains the maximum age specified in accordance with paragraph (b)(1) of this section; (2) The child or child?s representative requests a voluntary termination of eligibility; (3) The child ceases to be a resident of the State; (4) The agency determines that eligibility was erroneously granted at the most recent determination, redetermination or renewal of eligibility because of agency error or fraud, abuse, or perjury attributed to the child or the child?s representative; or (5) The child dies. Title 42 CFR, Public Health, Part 457 establishes the following applicable requirements: Section 457.342 Continuous eligibility for children, states in part: (a) A State may provide continuous eligibility for children under a separate CHIP in accordance with the terms of ? 435.926 of this chapter, and subject to a child remaining ineligible for Medicaid, as required by section 2110(b)(1) of the Act and ? 457.310 (related to the definition and standards for being a targeted low-income child) and the requirements of section 2102(b)(3) of the Act and ? 457.350 (related to eligibility screening and enrollment). Section 457.380 Eligibility verification. (a) General requirements. Except where law requires other procedures (such as for citizenship and immigration status information), the State may accept attestation of information needed to determine the eligibility of an individual for CHIP (either self-attestation by the individual or attestation by an adult who is in the applicant?s household, as defined in ? 435.603(f) of this subchapter, or family, as defined in section 36B(d)(1) of the Internal Revenue Code, an authorized representative, or if the individual is a minor or incapacitated, someone acting responsibly for the individual) without requiring further information (including documentation) from the individual. (b) Status as a citizen, national or a non-citizen. (1) Except for newborns identified in ? 435.406(a)(1)(iii)(E) of this chapter, who are exempt from any requirement to verify citizenship, the agency must ? (i) Verify citizenship or immigration status in accordance with ? 435.956(a) of this chapter, except that the reference to ? 435.945(k) is read as a reference to paragraph (i) of this section; and (ii) Provide a reasonable opportunity period to verify such status in accordance with ? 435.956(a)(5) and (b) of this chapter and provide benefits during such reasonable opportunity period to individuals determined to be otherwise eligible for CHIP. (2) [Reserved] (c) State residents. If the State does not accept self-attestation of residency, the State must verify residency in accordance with ? 435.956(c) of this chapter. (d) Income. If the State does not accept self-attestation of income, the State must verify the income of an individual by using the data sources and following standards and procedures for verification of financial eligibility consistent with ? 435.945(a), ? 435.948 and ? 435.952 of this chapter. (e) Verification of other factors of eligibility. For eligibility requirements not described in paragraphs (c) or (d) of this section, a State may adopt reasonable verification procedures, consistent with the requirements in ? 435.952 of this chapter, except that the State must accept self-attestation of pregnancy unless the State has information that is not reasonably compatible with such attestation. (f) Requesting information. The terms of ? 435.952 of this chapter apply equally to the State in administering a separate CHIP. (g) Electronic service. Except to the extent permitted under paragraph (i) of this section, to the extent that information sought under this section is available through the electronic service described in ? 435.949 of this chapter, the State must obtain the information through that service. (h) Interaction with program integrity requirements. Nothing in this section should be construed as limiting the State?s program integrity measures or affecting the State's obligation to ensure that only eligible individuals receive benefits or its obligation to provide for methods of administration that are in the best interest of applicants and enrollees and are necessary for the proper and efficient operation of the plan. (i) Flexibility in information collection and verification. Subject to approval by the Secretary, the State may modify the methods to be used for collection of information and verification of information as set forth in this section, provided that such alternative source will reduce the administrative costs and burdens on individuals and States while maximizing accuracy, minimizing delay, meeting applicable requirements relating to the confidentiality, disclosure, maintenance, or use of information, and promoting coordination with other insurance affordability programs. (j) Verification plan. The State must develop, and update as modified, and submit to the Secretary, upon request, a verification plan describing the verification policies and procedures adopted by the State to implement the provisions set forth in this section in a format and manner prescribed by the Secretary. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Plan Amendment Approval Letter from CMS dated July 15, 2020 states in part: This letter is to inform you that your title XXI Children?s Health Insurance Program (CHIP) state plan amendment (SPA), WA-20-0001, submitted on May 4, 2020, has been approved. This SPA has an effective date of March 1, 2020. This amendment, as it applies to the COVID-19 public health emergency (PHE), makes the following changes beginning March 18, 2020, unless otherwise noted, through the duration of the Federally-declared PHE: ? Delay acting on changes in circumstances for CHIP beneficiaries other than the required changes in circumstances described in 42 CFR 457.342(a) cross-referencing 42 CFR 435.926(d); COVID-19 Frequently Asked Questions (FAQs) for State Medicaid and Children?s Health Insurance Program (CHIP) Agencies (Last Updated January 6, 2021) Section J. Children?s Health Insurance Program (CHIP) states in part: 4. Can states continue coverage for the duration of the Public Health Emergency for individuals in a separate CHIP who are aging out of eligibility or ending their postpartum period? No. The requirement in section 6008(b)(3) of the FFCRA to maintain coverage in Medicaid in order to receive the temporary increase in the Medicaid federal medical assistance percentage does not apply to separate CHIPs. Therefore, states may not continue to provide separate CHIP coverage to young adults aging out or women ending their postpartum period. If the state determines that the individual is eligible for Medicaid, they may be transitioned to the appropriate Medicaid eligibility group. States may not transition individuals to Medicaid without first determining them eligible in accordance with 42 C.F.R ? 457.350(b). States are required to transfer the accounts of individuals losing CHIP eligibility who are determined to be ineligible for Medicaid to the Exchange, in accordance with 42 C.F.R ? 457.350(b)(3) and (i).
2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-053 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure clients were eligible for the Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 1905WA5021; 2105WA5021; 2205WA5021; Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Eligibility Known Questioned Cost Amount: $3,036,657 Background The Health Care Authority administers the Children?s Health Insurance Program (CHIP). CHIP is a jointly funded state and federal partnership providing insurance coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. Federal CHIP financing is capped, and each state operates under an allotment. During fiscal year 2022, the Authority spent more than $229 million in state and federal funds to administer CHIP. To determine initial eligibility for CHIP, families must complete an application in the Washington Health Benefit Exchange, known as Washington Healthplanfinder, or through a streamlined paper application. Once families complete their applications, electronic verification sources confirm their income, immigration status and Social Security numbers (SSNs). The Authority automatically reviews applicants? eligibility first for Medicaid and then for CHIP if they are ineligible for Medicaid. Children in low-income families who are ineligible for Medicaid are enrolled in CHIP under the state CHIP plan. Washington has also elected to cover the prenatal period of some low-income pregnant people under the state CHIP plan. CHIP clients must be either U.S. citizens or lawfully present qualified noncitizens, and their eligibility is based on self-attested income in their applications; therefore, clients with verified citizenship and SSNs would be determined eligible if their reported income was between 210 percent and 312 percent of the federal poverty level. Once the Authority determines clients? initial eligibility, their start date is recorded as the first of the month in which their application was submitted, thus allowing for payments prior to approval to be processed after the fact. Children found eligible for medical assistance remain continuously eligible for a full 12 months, regardless of any changes in their household income or third-party liability. Households must report financial and nonfinancial changes, but these will not render them ineligible during the continuous eligibility period. However, if recipients? household income decreases, the Authority can move children to a more favorable program, such as Medicaid, to eliminate the premium payment requirements. Termination during the continuous eligibility period is acceptable only for the following reasons: ? Changes in residency (permanent move out of state) ? Death ? Fraud (unless it is going to prosecution) ? Failure to pay the premium for more than three months ? The child turns 19 years old (remains eligible through the end of their birth month) ? After the end of the month in which the postpartum period ends for pregnant people ? When a client requests to be removed from the program In response to the COVID-19 pandemic, the Centers for Medicare and Medicaid Services (CMS) approved waivers and disaster relief state plan amendments (SPA), effective March 1, 2020, through the end of the public health emergency declaration, allowing flexibilities to ensure the continuity of coverage through the public health emergency. The waivers and SPA allowed the Authority to implement flexibilities, including the following: ? Allow self-attestations for all eligibility requirements, excluding citizenship and immigration status, on a case-by-case basis ? Extend the redetermination timeline for current CHIP enrollees in the state to maintain continuity of coverage as permissible From the start of the pandemic, CMS kept an ongoing Frequently Asked Questions (FAQs) document to aid state Medicaid and CHIP agencies in their response to COVID-19, including guidance on eligibility, benefits and financing regarding the pandemic. This document was finalized on January 6, 2021. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit we reported the Authority did not have adequate internal controls to ensure clients were eligible for CHIP. The prior finding number was 2021-046. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure clients were eligible for CHIP. We used a statistically valid sampling method to randomly select and examine 59 out of a total population of 93,793 clients who had a federally verified SSN. We also used a statistically valid sampling method to randomly select and examine 59 out of a total population of 10,933 clients who did not have a federally verified SSN. For the sample of clients who had a verified SSN, we identified: ? One instance where the client aged out of services and was not referred to Washington Healthplanfinder to be redetermined eligible for Medicaid during the COVID-19 pandemic, as required. ? One instance where the Authority continued CHIP coverage for a client after the allowable postpartum period. For the sample of clients who did not have a federally verified SSN, we identified: ? Seventeen instances where the Authority continued CHIP coverage for clients after the allowable postpartum period. We also used computer-assisted audit techniques to analyze the entire client population. We found 3,416 clients who were over the age of 19 that were still receiving CHIP services during fiscal year 2022. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition The Authority chose not to remove clients from CHIP even when they aged out of coverage or their postpartum period ended. Effect of Condition and Questioned Costs By not having adequate internal controls, the Authority is at risk of not detecting or preventing ineligible payments of federal CHIP funds on behalf of recipients. We determined the following questioned costs: Audit Area Known Questions Costs (state and federal) Known questioned costs ? Federal portion only Likely improper payments (state and federal) Likely improper payments ? federal portion only Verified SSNs $ 2,117 $ 1,468 $ 3,365,166 $ 2,333,411 Non-Verified SSNs $14,760 $ 10,236 $ 2,735,142 $ 1,896,870 Over 19 years old $ 4,353,425 $ 3,024,953 $ 0 $ 0 Totals $ 4,370,302 $ 3,036,657 $ 6,100,308 $ 4,230,281 Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflect this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendation We recommend the Authority: ? Implement internal controls to ensure all clients meet CHIP eligibility requirements ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Authority?s Response The Authority does not concur with any of the results cited by the auditor related to CHIP program eligibility. The agency has worked with the Governor?s Office and the Office of Financial Management to continue equity of state funded coverage for all individuals during the public health emergency, including CHIPRA pregnancy coverage. The postpartum period in CHIPRA coverage is state-funded. The State Auditor?s Office did not allow the Authority enough time to obtain the journal vouchers from our accounting partners that show the use of state funds for these expenditures. Regarding the clients receiving CHIP benefits who were aged 19 and over, the agency has pursued, and been notified of approval for, an 1115 disaster waiver from the Centers for Medicare & Medicaid Services. The waiver approves funding for CHIP clients aged 19 and over during the public health emergency and is retroactive to March 18, 2020. Once the approval letter is received by the Authority, the associated federal expenditures identified by the auditor will be valid. The agency was provided very little time and flexibility to respond to the audit results during a time when the agency and its federal counterparts are inundated and backlogged with unwinding the public health emergency. Auditor?s Remarks We provided the Authority with preliminary exceptions on February 27, 2023 and on March 15th, the Authority provided additional information that cleared some of the exceptions. The draft finding was provided to the Authority on April 17, 2023. It was not until April 18th, after audit work was concluded, that the Authority asserted the postpartum exceptions we identified were transferred from federal funding to state funding with journal vouchers. Despite not conveying this information to us timely, we requested copies of the journal vouchers to attempt to confirm the Authority?s assertion. On April 25, 2023, the Authority informed us that staff were not able to pull the journal vouchers and we therefore could not determine whether any of the federally funded payments were subsequently transferred to state funding. For the clients aged 19 and over, there was no formal approval from CMS in place during the audit period or currently. Therefore, we conducted our audit in accordance with codified eligibility rules. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Title 42 CFR, Public Health Part 435 Subpart J, Eligibility in the States and District of Columbia, establishes the following applicable requirements: Section 435.926 Continuous eligibility for children, states in part: (b) Eligibility. The agency may provide continuous eligibility for the period specified in paragraph (c) of this section for an individual who is: (1) Under age 19 or under a younger age specified by the agency in its State plan; and (2) Eligible and enrolled for mandatory or optional coverage under the State plan in accordance with subpart B or C of this part. (c) Continuous eligibility period. (1) The agency must specify in the State plan the length of the continuous eligibility period, not to exceed 12 months. (2) A continuous eligibility period begins on the effective date of the individual?s eligibility under ? 435.915 or most recent redetermination or renewal of eligibility under ? 435.916 and ends after the period specified by the agency under paragraph (c)(1) of this section. (d) Applicability. A child?s eligibility may not be terminated during a continuous eligibility period, regardless of any changes in circumstances, unless: (1) The child attains the maximum age specified in accordance with paragraph (b)(1) of this section; (2) The child or child?s representative requests a voluntary termination of eligibility; (3) The child ceases to be a resident of the State; (4) The agency determines that eligibility was erroneously granted at the most recent determination, redetermination or renewal of eligibility because of agency error or fraud, abuse, or perjury attributed to the child or the child?s representative; or (5) The child dies. Title 42 CFR, Public Health, Part 457 establishes the following applicable requirements: Section 457.342 Continuous eligibility for children, states in part: (a) A State may provide continuous eligibility for children under a separate CHIP in accordance with the terms of ? 435.926 of this chapter, and subject to a child remaining ineligible for Medicaid, as required by section 2110(b)(1) of the Act and ? 457.310 (related to the definition and standards for being a targeted low-income child) and the requirements of section 2102(b)(3) of the Act and ? 457.350 (related to eligibility screening and enrollment). Section 457.380 Eligibility verification. (a) General requirements. Except where law requires other procedures (such as for citizenship and immigration status information), the State may accept attestation of information needed to determine the eligibility of an individual for CHIP (either self-attestation by the individual or attestation by an adult who is in the applicant?s household, as defined in ? 435.603(f) of this subchapter, or family, as defined in section 36B(d)(1) of the Internal Revenue Code, an authorized representative, or if the individual is a minor or incapacitated, someone acting responsibly for the individual) without requiring further information (including documentation) from the individual. (b) Status as a citizen, national or a non-citizen. (1) Except for newborns identified in ? 435.406(a)(1)(iii)(E) of this chapter, who are exempt from any requirement to verify citizenship, the agency must ? (i) Verify citizenship or immigration status in accordance with ? 435.956(a) of this chapter, except that the reference to ? 435.945(k) is read as a reference to paragraph (i) of this section; and (ii) Provide a reasonable opportunity period to verify such status in accordance with ? 435.956(a)(5) and (b) of this chapter and provide benefits during such reasonable opportunity period to individuals determined to be otherwise eligible for CHIP. (2) [Reserved] (c) State residents. If the State does not accept self-attestation of residency, the State must verify residency in accordance with ? 435.956(c) of this chapter. (d) Income. If the State does not accept self-attestation of income, the State must verify the income of an individual by using the data sources and following standards and procedures for verification of financial eligibility consistent with ? 435.945(a), ? 435.948 and ? 435.952 of this chapter. (e) Verification of other factors of eligibility. For eligibility requirements not described in paragraphs (c) or (d) of this section, a State may adopt reasonable verification procedures, consistent with the requirements in ? 435.952 of this chapter, except that the State must accept self-attestation of pregnancy unless the State has information that is not reasonably compatible with such attestation. (f) Requesting information. The terms of ? 435.952 of this chapter apply equally to the State in administering a separate CHIP. (g) Electronic service. Except to the extent permitted under paragraph (i) of this section, to the extent that information sought under this section is available through the electronic service described in ? 435.949 of this chapter, the State must obtain the information through that service. (h) Interaction with program integrity requirements. Nothing in this section should be construed as limiting the State?s program integrity measures or affecting the State's obligation to ensure that only eligible individuals receive benefits or its obligation to provide for methods of administration that are in the best interest of applicants and enrollees and are necessary for the proper and efficient operation of the plan. (i) Flexibility in information collection and verification. Subject to approval by the Secretary, the State may modify the methods to be used for collection of information and verification of information as set forth in this section, provided that such alternative source will reduce the administrative costs and burdens on individuals and States while maximizing accuracy, minimizing delay, meeting applicable requirements relating to the confidentiality, disclosure, maintenance, or use of information, and promoting coordination with other insurance affordability programs. (j) Verification plan. The State must develop, and update as modified, and submit to the Secretary, upon request, a verification plan describing the verification policies and procedures adopted by the State to implement the provisions set forth in this section in a format and manner prescribed by the Secretary. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Plan Amendment Approval Letter from CMS dated July 15, 2020 states in part: This letter is to inform you that your title XXI Children?s Health Insurance Program (CHIP) state plan amendment (SPA), WA-20-0001, submitted on May 4, 2020, has been approved. This SPA has an effective date of March 1, 2020. This amendment, as it applies to the COVID-19 public health emergency (PHE), makes the following changes beginning March 18, 2020, unless otherwise noted, through the duration of the Federally-declared PHE: ? Delay acting on changes in circumstances for CHIP beneficiaries other than the required changes in circumstances described in 42 CFR 457.342(a) cross-referencing 42 CFR 435.926(d); COVID-19 Frequently Asked Questions (FAQs) for State Medicaid and Children?s Health Insurance Program (CHIP) Agencies (Last Updated January 6, 2021) Section J. Children?s Health Insurance Program (CHIP) states in part: 4. Can states continue coverage for the duration of the Public Health Emergency for individuals in a separate CHIP who are aging out of eligibility or ending their postpartum period? No. The requirement in section 6008(b)(3) of the FFCRA to maintain coverage in Medicaid in order to receive the temporary increase in the Medicaid federal medical assistance percentage does not apply to separate CHIPs. Therefore, states may not continue to provide separate CHIP coverage to young adults aging out or women ending their postpartum period. If the state determines that the individual is eligible for Medicaid, they may be transitioned to the appropriate Medicaid eligibility group. States may not transition individuals to Medicaid without first determining them eligible in accordance with 42 C.F.R ? 457.350(b). States are required to transfer the accounts of individuals losing CHIP eligibility who are determined to be ineligible for Medicaid to the Exchange, in accordance with 42 C.F.R ? 457.350(b)(3) and (i).
2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-053 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure clients were eligible for the Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 1905WA5021; 2105WA5021; 2205WA5021; Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Eligibility Known Questioned Cost Amount: $3,036,657 Background The Health Care Authority administers the Children?s Health Insurance Program (CHIP). CHIP is a jointly funded state and federal partnership providing insurance coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. Federal CHIP financing is capped, and each state operates under an allotment. During fiscal year 2022, the Authority spent more than $229 million in state and federal funds to administer CHIP. To determine initial eligibility for CHIP, families must complete an application in the Washington Health Benefit Exchange, known as Washington Healthplanfinder, or through a streamlined paper application. Once families complete their applications, electronic verification sources confirm their income, immigration status and Social Security numbers (SSNs). The Authority automatically reviews applicants? eligibility first for Medicaid and then for CHIP if they are ineligible for Medicaid. Children in low-income families who are ineligible for Medicaid are enrolled in CHIP under the state CHIP plan. Washington has also elected to cover the prenatal period of some low-income pregnant people under the state CHIP plan. CHIP clients must be either U.S. citizens or lawfully present qualified noncitizens, and their eligibility is based on self-attested income in their applications; therefore, clients with verified citizenship and SSNs would be determined eligible if their reported income was between 210 percent and 312 percent of the federal poverty level. Once the Authority determines clients? initial eligibility, their start date is recorded as the first of the month in which their application was submitted, thus allowing for payments prior to approval to be processed after the fact. Children found eligible for medical assistance remain continuously eligible for a full 12 months, regardless of any changes in their household income or third-party liability. Households must report financial and nonfinancial changes, but these will not render them ineligible during the continuous eligibility period. However, if recipients? household income decreases, the Authority can move children to a more favorable program, such as Medicaid, to eliminate the premium payment requirements. Termination during the continuous eligibility period is acceptable only for the following reasons: ? Changes in residency (permanent move out of state) ? Death ? Fraud (unless it is going to prosecution) ? Failure to pay the premium for more than three months ? The child turns 19 years old (remains eligible through the end of their birth month) ? After the end of the month in which the postpartum period ends for pregnant people ? When a client requests to be removed from the program In response to the COVID-19 pandemic, the Centers for Medicare and Medicaid Services (CMS) approved waivers and disaster relief state plan amendments (SPA), effective March 1, 2020, through the end of the public health emergency declaration, allowing flexibilities to ensure the continuity of coverage through the public health emergency. The waivers and SPA allowed the Authority to implement flexibilities, including the following: ? Allow self-attestations for all eligibility requirements, excluding citizenship and immigration status, on a case-by-case basis ? Extend the redetermination timeline for current CHIP enrollees in the state to maintain continuity of coverage as permissible From the start of the pandemic, CMS kept an ongoing Frequently Asked Questions (FAQs) document to aid state Medicaid and CHIP agencies in their response to COVID-19, including guidance on eligibility, benefits and financing regarding the pandemic. This document was finalized on January 6, 2021. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior audit we reported the Authority did not have adequate internal controls to ensure clients were eligible for CHIP. The prior finding number was 2021-046. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure clients were eligible for CHIP. We used a statistically valid sampling method to randomly select and examine 59 out of a total population of 93,793 clients who had a federally verified SSN. We also used a statistically valid sampling method to randomly select and examine 59 out of a total population of 10,933 clients who did not have a federally verified SSN. For the sample of clients who had a verified SSN, we identified: ? One instance where the client aged out of services and was not referred to Washington Healthplanfinder to be redetermined eligible for Medicaid during the COVID-19 pandemic, as required. ? One instance where the Authority continued CHIP coverage for a client after the allowable postpartum period. For the sample of clients who did not have a federally verified SSN, we identified: ? Seventeen instances where the Authority continued CHIP coverage for clients after the allowable postpartum period. We also used computer-assisted audit techniques to analyze the entire client population. We found 3,416 clients who were over the age of 19 that were still receiving CHIP services during fiscal year 2022. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition The Authority chose not to remove clients from CHIP even when they aged out of coverage or their postpartum period ended. Effect of Condition and Questioned Costs By not having adequate internal controls, the Authority is at risk of not detecting or preventing ineligible payments of federal CHIP funds on behalf of recipients. We determined the following questioned costs: Audit Area Known Questions Costs (state and federal) Known questioned costs ? Federal portion only Likely improper payments (state and federal) Likely improper payments ? federal portion only Verified SSNs $ 2,117 $ 1,468 $ 3,365,166 $ 2,333,411 Non-Verified SSNs $14,760 $ 10,236 $ 2,735,142 $ 1,896,870 Over 19 years old $ 4,353,425 $ 3,024,953 $ 0 $ 0 Totals $ 4,370,302 $ 3,036,657 $ 6,100,308 $ 4,230,281 Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflect this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendation We recommend the Authority: ? Implement internal controls to ensure all clients meet CHIP eligibility requirements ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Authority?s Response The Authority does not concur with any of the results cited by the auditor related to CHIP program eligibility. The agency has worked with the Governor?s Office and the Office of Financial Management to continue equity of state funded coverage for all individuals during the public health emergency, including CHIPRA pregnancy coverage. The postpartum period in CHIPRA coverage is state-funded. The State Auditor?s Office did not allow the Authority enough time to obtain the journal vouchers from our accounting partners that show the use of state funds for these expenditures. Regarding the clients receiving CHIP benefits who were aged 19 and over, the agency has pursued, and been notified of approval for, an 1115 disaster waiver from the Centers for Medicare & Medicaid Services. The waiver approves funding for CHIP clients aged 19 and over during the public health emergency and is retroactive to March 18, 2020. Once the approval letter is received by the Authority, the associated federal expenditures identified by the auditor will be valid. The agency was provided very little time and flexibility to respond to the audit results during a time when the agency and its federal counterparts are inundated and backlogged with unwinding the public health emergency. Auditor?s Remarks We provided the Authority with preliminary exceptions on February 27, 2023 and on March 15th, the Authority provided additional information that cleared some of the exceptions. The draft finding was provided to the Authority on April 17, 2023. It was not until April 18th, after audit work was concluded, that the Authority asserted the postpartum exceptions we identified were transferred from federal funding to state funding with journal vouchers. Despite not conveying this information to us timely, we requested copies of the journal vouchers to attempt to confirm the Authority?s assertion. On April 25, 2023, the Authority informed us that staff were not able to pull the journal vouchers and we therefore could not determine whether any of the federally funded payments were subsequently transferred to state funding. For the clients aged 19 and over, there was no formal approval from CMS in place during the audit period or currently. Therefore, we conducted our audit in accordance with codified eligibility rules. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Title 42 CFR, Public Health Part 435 Subpart J, Eligibility in the States and District of Columbia, establishes the following applicable requirements: Section 435.926 Continuous eligibility for children, states in part: (b) Eligibility. The agency may provide continuous eligibility for the period specified in paragraph (c) of this section for an individual who is: (1) Under age 19 or under a younger age specified by the agency in its State plan; and (2) Eligible and enrolled for mandatory or optional coverage under the State plan in accordance with subpart B or C of this part. (c) Continuous eligibility period. (1) The agency must specify in the State plan the length of the continuous eligibility period, not to exceed 12 months. (2) A continuous eligibility period begins on the effective date of the individual?s eligibility under ? 435.915 or most recent redetermination or renewal of eligibility under ? 435.916 and ends after the period specified by the agency under paragraph (c)(1) of this section. (d) Applicability. A child?s eligibility may not be terminated during a continuous eligibility period, regardless of any changes in circumstances, unless: (1) The child attains the maximum age specified in accordance with paragraph (b)(1) of this section; (2) The child or child?s representative requests a voluntary termination of eligibility; (3) The child ceases to be a resident of the State; (4) The agency determines that eligibility was erroneously granted at the most recent determination, redetermination or renewal of eligibility because of agency error or fraud, abuse, or perjury attributed to the child or the child?s representative; or (5) The child dies. Title 42 CFR, Public Health, Part 457 establishes the following applicable requirements: Section 457.342 Continuous eligibility for children, states in part: (a) A State may provide continuous eligibility for children under a separate CHIP in accordance with the terms of ? 435.926 of this chapter, and subject to a child remaining ineligible for Medicaid, as required by section 2110(b)(1) of the Act and ? 457.310 (related to the definition and standards for being a targeted low-income child) and the requirements of section 2102(b)(3) of the Act and ? 457.350 (related to eligibility screening and enrollment). Section 457.380 Eligibility verification. (a) General requirements. Except where law requires other procedures (such as for citizenship and immigration status information), the State may accept attestation of information needed to determine the eligibility of an individual for CHIP (either self-attestation by the individual or attestation by an adult who is in the applicant?s household, as defined in ? 435.603(f) of this subchapter, or family, as defined in section 36B(d)(1) of the Internal Revenue Code, an authorized representative, or if the individual is a minor or incapacitated, someone acting responsibly for the individual) without requiring further information (including documentation) from the individual. (b) Status as a citizen, national or a non-citizen. (1) Except for newborns identified in ? 435.406(a)(1)(iii)(E) of this chapter, who are exempt from any requirement to verify citizenship, the agency must ? (i) Verify citizenship or immigration status in accordance with ? 435.956(a) of this chapter, except that the reference to ? 435.945(k) is read as a reference to paragraph (i) of this section; and (ii) Provide a reasonable opportunity period to verify such status in accordance with ? 435.956(a)(5) and (b) of this chapter and provide benefits during such reasonable opportunity period to individuals determined to be otherwise eligible for CHIP. (2) [Reserved] (c) State residents. If the State does not accept self-attestation of residency, the State must verify residency in accordance with ? 435.956(c) of this chapter. (d) Income. If the State does not accept self-attestation of income, the State must verify the income of an individual by using the data sources and following standards and procedures for verification of financial eligibility consistent with ? 435.945(a), ? 435.948 and ? 435.952 of this chapter. (e) Verification of other factors of eligibility. For eligibility requirements not described in paragraphs (c) or (d) of this section, a State may adopt reasonable verification procedures, consistent with the requirements in ? 435.952 of this chapter, except that the State must accept self-attestation of pregnancy unless the State has information that is not reasonably compatible with such attestation. (f) Requesting information. The terms of ? 435.952 of this chapter apply equally to the State in administering a separate CHIP. (g) Electronic service. Except to the extent permitted under paragraph (i) of this section, to the extent that information sought under this section is available through the electronic service described in ? 435.949 of this chapter, the State must obtain the information through that service. (h) Interaction with program integrity requirements. Nothing in this section should be construed as limiting the State?s program integrity measures or affecting the State's obligation to ensure that only eligible individuals receive benefits or its obligation to provide for methods of administration that are in the best interest of applicants and enrollees and are necessary for the proper and efficient operation of the plan. (i) Flexibility in information collection and verification. Subject to approval by the Secretary, the State may modify the methods to be used for collection of information and verification of information as set forth in this section, provided that such alternative source will reduce the administrative costs and burdens on individuals and States while maximizing accuracy, minimizing delay, meeting applicable requirements relating to the confidentiality, disclosure, maintenance, or use of information, and promoting coordination with other insurance affordability programs. (j) Verification plan. The State must develop, and update as modified, and submit to the Secretary, upon request, a verification plan describing the verification policies and procedures adopted by the State to implement the provisions set forth in this section in a format and manner prescribed by the Secretary. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Plan Amendment Approval Letter from CMS dated July 15, 2020 states in part: This letter is to inform you that your title XXI Children?s Health Insurance Program (CHIP) state plan amendment (SPA), WA-20-0001, submitted on May 4, 2020, has been approved. This SPA has an effective date of March 1, 2020. This amendment, as it applies to the COVID-19 public health emergency (PHE), makes the following changes beginning March 18, 2020, unless otherwise noted, through the duration of the Federally-declared PHE: ? Delay acting on changes in circumstances for CHIP beneficiaries other than the required changes in circumstances described in 42 CFR 457.342(a) cross-referencing 42 CFR 435.926(d); COVID-19 Frequently Asked Questions (FAQs) for State Medicaid and Children?s Health Insurance Program (CHIP) Agencies (Last Updated January 6, 2021) Section J. Children?s Health Insurance Program (CHIP) states in part: 4. Can states continue coverage for the duration of the Public Health Emergency for individuals in a separate CHIP who are aging out of eligibility or ending their postpartum period? No. The requirement in section 6008(b)(3) of the FFCRA to maintain coverage in Medicaid in order to receive the temporary increase in the Medicaid federal medical assistance percentage does not apply to separate CHIPs. Therefore, states may not continue to provide separate CHIP coverage to young adults aging out or women ending their postpartum period. If the state determines that the individual is eligible for Medicaid, they may be transitioned to the appropriate Medicaid eligibility group. States may not transition individuals to Medicaid without first determining them eligible in accordance with 42 C.F.R ? 457.350(b). States are required to transfer the accounts of individuals losing CHIP eligibility who are determined to be ineligible for Medicaid to the Exchange, in accordance with 42 C.F.R ? 457.350(b)(3) and (i).
2022-055 The Health Care Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and Children?s Health Insurance Program. Assistance Listing Number and Title: 93.767 Children?s Health Insurance Program 93.767 COVID-19 Children?s Health Insurance Program 93.775 State Medicaid Fraud Control Units 93.777 State Survey and Certification of Health Care Providers and Suppliers 93.777 COVID-19 State Survey and Certification of Health Care Providers and Suppliers 93.778 Medical Assistance Program 93.778 COVID-19 Medical Assistance Program Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 2005WA5021; 2105WAINCT; 2105WAIMPL; 2105WA5MAP; 2105WA5ADM; 1905WA5021; 2105WA5021; 2205WA5021; 2205WA5MAP; 2205WA5ADM Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Special Tests and Provisions ? Provider Eligibility (Screening and Enrollment) Known Questioned Cost Amount: $612,277 Background The Health Care Authority administers both Medicaid and the Children?s Health Insurance Program (CHIP). Medicaid is a jointly funded state and federal partnership providing coverage for about 2.3 million eligible low-income Washington residents who otherwise might go without medical care. Medicaid is Washington?s largest public assistance program and usually accounts for about one third of the state?s federal expenditures. CHIP provides health coverage for almost 90,000 children and pregnant people in families with incomes too high to qualify for Medicaid. During fiscal year 2022, the Medicaid program spent more than $17.6 billion in federal and state funds, and CHIP spent more than $229 million in federal and state funds. The Authority ensures medical providers for both programs are eligible to provide services for clients. Providers must continue to meet eligibility requirements to receive payments under the programs. Washington had more than 127,000 participating providers in fiscal year 2022. During that time, the Authority paid more than $6.6 billion to providers for direct client services under the programs. The Authority is responsible for performing screening measures appropriate for the provider type at application and initial enrollment. Federal regulations require state Medicaid agencies to revalidate the enrollment of all Medicaid and CHIP providers at least every five years. To meet this requirement, the Authority has implemented an automated revalidation notification process that is supposed to send a letter to providers in time for them to be revalidated before the end of the five-year period. Federal law also requires state Medicaid agencies to check federal databases at least monthly to confirm the identity and exclusion status of providers, as well as any person with ownership, controlling interest, or acting as an agent or managing employee of the provider. The provider enrollment and revalidation processes are similar. The first step in both processes is to determine the provider?s screening risk level. A provider can be designated as one of three risk levels: limited, moderate or high. Each risk level requires progressively greater scrutiny of the provider before it can be enrolled or revalidated. For providers enrolled with both Medicare and Medicaid, state Medicaid agencies must assign them to the same or higher risk category applicable under Medicare. Additionally, certain provider behaviors require them to be moved to a higher screening level. The following are the required screening procedures for all risk types: ? Verify that the provider meets applicable federal regulations or state requirements for the provider type before making an enrollment determination ? Conduct license verifications, including for licenses in states other than where the provider is enrolling ? Conduct database checks to ensure providers continue to meet the enrollment criteria for their provider type. Such database checks include the National Plan and Provider Enumeration System, List of Excluded Individuals/Entities, Excluded Parties List System, and Death Master File index. If state Medicaid agencies assess providers at a moderate or high risk, they are required to conduct onsite visits for those that did not have one as part of their Medicare enrollment. Federal regulations require a high-risk provider, or a person with a 5 percent or more direct or indirect ownership in the provider, to receive a fingerprint-based criminal background check. The deadline to fully implement a fingerprint-based criminal background check was July 1, 2018. The Authority is also responsible for ensuring that providers obtain the proper signed attestations and disclosures. For servicing only providers, a direct link must be made to a billing provider that has an active Core Provider Agreement (CPA) on file. A CPA contains the required attestation and disclosures of the billing provider to allow for the payment of medical claims. To ensure the Authority has completed all applicable screening and enrollment or revalidation steps before enrolling or revalidating providers, staff members use checklists for each enrollment and revalidation. The staff member signs and dates the checklist to indicate the provider is eligible to render services and receive payments. In response to the COVID-19 pandemic, the Authority obtained flexibilities under blanket waivers approved by the Centers for Medicare and Medicaid Services (CMS), which were effective March 1, 2020, through the end of the emergency declaration period. These included the waiving of provider application fees and fingerprint-based criminal background checks. The CMS waivers also allowed for expedited processing of any new or pending provider applications, as well as the postponement of all revalidation actions until November 1, 2020. Also in response to the COVID-19 pandemic, the Authority?s Chief Medical Officer approved a blanket waiver for the backdating of all providers effective dates, as allowed by CMS and Washington Administrative Code. This waiver allows providers to submit claims for services provided before their enrollment and revalidation applications are approved. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In prior audits, we reported the Authority did not have adequate internal controls over and did not comply with requirements to ensure it revalidated providers every five years and met screening requirements. The prior finding numbers were 2021-047, 2020-046, 2019-048, 2018-042, 2017-033, and 2016-035. Description of Condition The Authority did not have adequate internal controls over and did not comply with federal provider eligibility requirements for the Medicaid and CHIP programs. During the audit period, the Authority processed 10,959 new provider enrollments and was required to perform ongoing eligibility determinations for 114,427 active providers. We used a statistical sampling method to randomly select and examine 59 newly enrolled providers and 59 active providers to determine if the Authority properly screened them based on their enrollment status and correctly determined their eligibility status. Of the 118 providers examined, we found seven instances for six providers (5 percent) when the Authority did not take the appropriate actions to ensure providers met eligibility requirements. Specifically, we found: ? Staff enrolled three providers without a valid CPA on file. Because the providers were not covered by a CPA, they were improperly enrolled. ? Staff did not conduct a proper license check for three providers. A proper license check for these providers would have led staff to identify that their license was either expired or did not cover the enrollment period, and, therefore, were ineligible. ? Staff did not properly screen one provider based on a moderate risk level. The improper screening checklist was used and the risk level was not properly addressed. To determine if the Authority had revalidated providers every five years or had taken actions to deactivate providers, we used computer-assisted audit techniques to analyze the entire population of 2,049 providers that should have been revalidated or deactivated during the fiscal year. We found the Authority?s internal controls were insufficient and resulted in none of the 2,049 providers (100 percent) being revalidated before the due date. We determined 648 providers were subsequently revalidated, and the Authority backdated them. We also determined 1,242 providers were deactivated, but the Authority did not process the deactivation until at least 30 days after the eligibility end date. There were an additional 159 providers that should have been deactivated, but the Authority did not take actions to deactivate or revalidate them. Federal law requires the Authority to check federal databases at least monthly to confirm the identity and exclusion status of providers. However, the automated system that performs these checks and notifies the Authority of possible problems with providers was not operating correctly, and it frequently provided incorrect information. Management decided to ignore this information and stopped performing the monthly database checks. The Authority did review the results of the check once during the fiscal year, in July of 2021. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition Although the Authority has established internal controls over screening and enrolling providers, they were ineffective for preventing or detecting noncompliance. Management also did not ensure staff consistently followed the procedures in place. Additionally, the automated revalidation notification was inadequate for ensuring the Authority complied with the five-year revalidation requirement. To comply with this requirement, the Authority should notify providers about their revalidations and ensure they are started and completed before the due date. Our audit found that the Authority?s automated system is designed to notify providers of their revalidations one day after the due date. Due to this inadequate system design, all provider revalidations were completed after their due dates. Although management directed staff to stop performing the monthly database checks because of issues with the automated system, they did not reinstate the procedures used before the system was implemented so staff could continue verifying providers? identity and exclusion status. Effect of Condition and Questioned Costs By not conducting required licensing, screening, and enrollment processes in a timely manner, the Authority is at risk of not detecting or preventing ineligible providers from providing services to clients and receiving federal Medicaid and CHIP funds. Payments to providers who are ineligible are unallowable, and the Authority could be required to repay the grantor for these payments. We identified the following payments made to ineligible providers: Audit Area Known questioned costs (state and federal) Known questioned costs (federal portion only) Likely improper payments (state and federal) Likely improper payments (federal portion only) New Providers $7,092 $3,985 $1,317,224 $740,280 Deactivated Providers $302,372 $292,051 $399,999 $351,698 Not Revalidated or Deactivated $509,702 $316,241 Total $819,166 $612,277 $1,717,223 $1,091,978 In addition to the questioned costs in the table above, we also identified $26,148,599 in costs at risk for those providers whose revalidations were backdated. If the providers had not been revalidated, these costs would also be considered questioned costs. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflects this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs,? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Strengthen internal controls to ensure providers are adequately screened, licensed, enrolled, and eligible to provide and bill for services ? Implement internal controls designed to bring it into material compliance with the provider revalidation process Authority?s Response The Authority partially concurs with the finding. The Authority agrees that ProviderOne sends revalidation notifications one day after the due date rather than before the due date to allow time for the revalidation process. A system revision is in process, and we expect this issue to be resolved by the beginning of 2024. The Authority does not concur with the remainder of the auditor?s findings. The auditor provided the final exceptions and this finding at the close of the audit. The document with the final exceptions did not contain enough information for the Authority to adequately review the results of the auditor?s testing or the methodology used to calculate questioned costs. The time allotted to the Authority to review the testing results, seek clarification, and provide an agency response was not sufficient to analyze the results and provide an informed response. Due to the lack of complete information and time provided, the Authority is unable to agree or disagree with the results of the audit. Finally, on March 19, 2020, the Centers for Medicare & Medicaid Services (CMS) approved Washington?s request for an 1135 COVID-19 Emergency Declaration Blanket Waiver for Health Care Providers, effective through the end of the federal Public Health Emergency. This waiver temporarily suspended provider enrollment and revalidation requirements. Should the Authority agree with any or all of the results from the audit, it would not concur that questioned costs be returned because provider enrollment and revalidations requirements were temporarily suspended by CMS. Auditor?s Remarks We provided the Authority with preliminary exceptions on December 20, 2022 for ?Not Revalidated or Deactivated Providers? and on December 30, 2022 for ?New Providers?, ?Active Providers?, and ?Deactivated Providers?. The Authority provided additional information on January 31, 2023 that cleared some of the exceptions. We provided final exceptions on March 3, 2023 which included the unique transaction identifier for each exception. The Authority requested that we perform additional testing for the ?Deactivated Providers? on March 15th. The draft finding was provided to the Authority on April 14, 2023 and the Authority provided their response on May 3rd. Despite several years of the known system weaknesses, the Authority has not updated the system or implemented compensating processes to ensure providers are eligible to provide Medicaid and Chip services. Regarding the 1135 COVID-19 Emergency Declaration Blanket Waiver, the Authority informed us that beginning October 1, 2020, Authority management had reinstated the majority of provider eligibility requirements that had been waived. We reaffirm our finding with questioned costs and will follow up on the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200, Uniform Guidance, section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 42 CFR Part 433, State Fiscal Administration, Subpart F ? Refunding of Federal Share of Medicaid Overpayments to Providers, describes the requirements for identifying, reporting, collecting, and remitting Medicaid overpayments. Title 42 CFR section 438 subpart H ? Additional Program Integrity Safeguards, states in part: Section 438.602 State responsibilities. (a) Monitoring contractor compliance. Consistent with ? 438.66, the State must monitor the MCO?s, PIHP?s, PAHP?s, PCCM?s or PCCM entity?s compliance, as applicable, with ?? 438.604, 438.606, 438.608, 438.610, 438.230, and 438.808. (b) Screening and enrollment and revalidation of providers. (1) The State must screen and enroll, and periodically revalidate, all network providers of MCOs, PIHPs, and PAHPs, in accordance with the requirements of part 455, subparts B and E of this chapter. This requirement extends to PCCMs and PCCM entities to the extent the primary care case manager is not otherwise enrolled with the State to provide services to FFS beneficiaries. This provision does not require the network provider to render services to FFS beneficiaries. (2) MCOs, PIHPs, and PAHPs may execute network provider agreements pending the outcome of the process in paragraph (b)(1) of this section of up to 120 days, but must terminate a network provider immediately upon notification from the State that the network provider cannot be enrolled, or the expiration of one 120 day period without enrollment of the provider, and notify affected enrollees. (c) Ownership and control information. The State must review the ownership and control disclosures submitted by the MCO, PIHP, PAHP, PCCM or PCCM entity, and any subcontractors as required in ? 438.608(c). (d) Federal database checks. Consistent with the requirements at ? 455.436 of this chapter, the State must confirm the identity and determine the exclusion status of the MCO, PIHP, PAHP, PCCM or PCCM entity, any subcontractor, as well as any person with an ownership or control interest, or who is an agent or managing employee of the MCO, PIHP, PAHP, PCCM or PCCM entity through routine checks of Federal databases. This includes the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the System for Award Management (SAM), and any other databases as the State or Secretary may prescribe. These databases must be consulted upon contracting and no less frequently than monthly thereafter. If the State finds a party that is excluded, it must promptly notify the MCO, PIHP, PAHP, PCCM, or PCCM entity and take action consistent with ? 438.610(c). Title 42 CFR section 455 Subpart B ? Disclosure of Information by Providers and Fiscal Agents, states in part: Section 455.104 Disclosure by Medicaid providers and fiscal agents: Information on ownership and control. (a) Who must provide disclosures. The Medicaid agency must obtain disclosures from disclosing entities, fiscal agents, and managed care entities. (b) What disclosures must be provided. The Medicaid agency must require that disclosing entities, fiscal agents, and managed care entities provide the following disclosures: (1) (i) The name and address of any person (individual or corporation) with an ownership or control interest in the disclosing entity, fiscal agent, or managed care entity. The address for corporate entities must include as applicable primary business address, every business location, and P.O. Box address. (ii) Date of birth and Social Security Number (in the case of an individual). (iii) Other tax identification number (in the case of a corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) or in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest. (2) Whether the person (individual or corporation) with an ownership or control interest in the disclosing entity (or fiscal agent or managed care entity) is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling; or whether the person (individual or corporation) with an ownership or control interest in any subcontractor in which the disclosing entity (or fiscal agent or managed care entity) has a 5 percent or more interest is related to another person with ownership or control interest in the disclosing entity as a spouse, parent, child, or sibling. (3) The name of any other disclosing entity (or fiscal agent or managed care entity) in which an owner of the disclosing entity (or fiscal agent or managed care entity) has an ownership or control interest. (4) The name, address, date of birth, and Social Security Number of any managing employee of the disclosing entity (or fiscal agent or managed care entity). (c) When the disclosures must be provided ? (1) Disclosures from providers or disclosing entities. Disclosure from any provider or disclosing entity is due at any of the following times: (i) Upon the provider or disclosing entity submitting the provider application. (ii) Upon the provider or disclosing entity executing the provider agreement. (iii) Upon request of the Medicaid agency during the re-validation of enrollment process under ? 455.414. (iv) Within 35 days after any change in ownership of the disclosing entity. (2) Disclosures from fiscal agents. Disclosures from fiscal agents are due at any of the following times: (i) Upon the fiscal agent submitting the proposal in accordance with the State?s procurement process. (ii) Upon the fiscal agent executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the fiscal agent. (3) Disclosures from managed care entities. Disclosures from managed care entities (MCOs, PIHPs, PAHPs, and HIOs), except PCCMs are due at any of the following times: (i) Upon the managed care entity submitting the proposal in accordance with the State?s procurement process. (ii) Upon the managed care entity executing the contract with the State. (iii) Upon renewal or extension of the contract. (iv) Within 35 days after any change in ownership of the managed care entity. (4) Disclosures from PCCMs. PCCMs will comply with disclosure requirements under paragraph (c)(1) of this section. (d) To whom must the disclosures be provided. All disclosures must be provided to the Medicaid agency. (e) Consequences for failure to provide required disclosures. Federal financial participation (FFP) is not available in payments made to a disclosing entity that fails to disclose ownership or control information as required by this section. Title 42 CFR section 455 Subpart E ? Provider Screening and Enrollment, states in part: Section 455.410 Enrollment and screening of providers (a) The State Medicaid agency must require all enrolled providers to be screened under to this subpart. (b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers. (c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following: (1) Medicare contractors. (2) Medicaid agencies or Children?s Health Insurance Programs of other States. Section 455.412 Verification of provider licenses The State Medicaid agency must ? (a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State. (b) Confirm that the provider?s license has not expired and that there are no current limitations on the provider?s license. Section 455.414 Revalidation of enrollment The State Medicaid agency must revalidate the enrollment of all providers regardless of provider type at least every 5 years. Section 455.436 Federal database checks The State Medicaid agency must do all of the following: (a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases. (b) Check the Social Security Administration?s Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe. (c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly. Section 455.450 Screening levels for Medicaid providers. A State Medicaid agency must screen all initial applications, including applications for a new practice location, and any applications received in response to a re-enrollment or revalidation of enrollment request based on a categorical risk level of ?limited,? ?moderate,? or ?high.? If a provider could fit within more than one risk level described in this section, the highest level of screening is applicable. (a) Screening for providers designated as limited categorical risk. When the State Medicaid agency designates a provider as a limited categorical risk, the State Medicaid agency must do all of the following: (1) Verify that a provider meets any applicable Federal regulations, or State requirements for the provider type prior to making an enrollment determination. (2) Conduct license verifications, including State licensure verifications in States other than where the provider is enrolling, in accordance with ? 455.412. (3) Conduct database checks on a pre- and post-enrollment basis to ensure that providers continue to meet the enrollment criteria for their provider type, in accordance with ? 455.436. (b) Screening for providers designated as moderate categorical risk. When the State Medicaid agency designates a provider as a ?moderate? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? screening requirements described in paragraph (a) of this section. (2) Conduct on-site visits in accordance with ? 455.432. (c) Screening for providers designated as high categorical risk. When the State Medicaid agency designates a provider as a ?high? categorical risk, a State Medicaid agency must do both of the following: (1) Perform the ?limited? and ?moderate? screening requirements described in paragraphs (a) and (b) of this section. (2) (i) Conduct a criminal background check; and (ii) Require the submission of a set of fingerprints in accordance with ? 455.434. (d) Denial or termination of enrollment. A provider, or any person with 5 percent or greater direct or indirect ownership in the provider, who is required by the State Medicaid agency or CMS to submit a set of fingerprints and fails to do so may have its - (1) Application denied under ? 455.434; or (2) Enrollment terminated under ? 455.416. (e) Adjustment of risk level. The State agency must adjust the categorical risk level from ?limited? or ?moderate? to ?high? when any of the following occurs: (1) The State Medicaid agency imposes a payment suspension on a provider based on credible allegation of fraud, waste or abuse, the provider has an existing Medicaid overpayment, or the provider has been excluded by the OIG or another State?s Medicaid program within the previous 10 years. (2) The State Medicaid agency or CMS in the previous 6 months lifted a temporary moratorium for the particular provider type and a provider that was prevented from enrolling based on the moratorium applies for enrollment as a provider at any time within 6 months from the date the moratorium was lifted. Medicaid Provider Enrollment Compendium (MPEC) B. Enrolled Provider?s Payment Eligibility for Retroactive Dates of Service The practice of ?backdating? enrollment involves approving an enrollment with a retroactive billing date. This practice allows a provider, once enrolled, to submit claims for services dated prior to the date upon which the SMA approved the enrollment. As discussed earlier, provider screening enables states to identify ineligible parties before they are able to enroll and start billing. Components of provider screening include database and licensure checks, and may also include site visits and FCBCs. To the extent a SMA approves the enrollment of a new provider and permits the provider to bill for services dated prior to applicable screening(s), this practice creates risk. For example, if a newly enrolling provider is subject to a site visit, and the SMA completes a site visit for the provider but nonetheless permits the provider to bill for services dated prior to the date on which the site visit occurred, there is risk the prov
2022-063 The Health Care Authority did not have adequate controls over and did not comply with requirements to ensure payments to providers for the Block Grants for Community Mental Health Services were allowable and met period of performance requirements. Assistance Listing Number and Title: 93.958 Block Grants for Community Mental Health Services 93.958 COVID-19 Block Grants for Community Mental Health Services Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B09SM082638-01; 6B09SM082638-01M001; 6N09SM082638-01M004; 6B09SM082638-01M002; 6B09SM082638-01M003; 6N09SM083829-01M001; 1B09SM083829-01; 1B09SM086035-01; 6B09SM086035-01M001; 6B09SM086035-01M002; 6B09SM086035-01M003; 1B09SM085384-01; 1B09SM085912-01; 1B09SM083998-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: $8,668,982 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grant for Community Mental Health Service (MHBG). The Authority subawards federal funds to counties, tribes, and nonprofit organizations to provide mental health treatment and crisis service to adults diagnosed with serious mental illness and children diagnosed with serious emotional disturbances. In fiscal year 2022, the Authority spent about $31.7 million in federal program funds, $20.5 million of which it paid to subrecipients. The Authority can use grant funds only for costs that are allowable and incurred during the period of performance, as specified in the grant?s terms and conditions. At the beginning of each federal fiscal year and whenever the Authority receives a new federal grant, it establishes new cost objectives and allocation codes to ensure expenditures are charged to the proper grants. When the Authority receives reimbursement requests, program managers are responsible for reviewing supporting documentation to determine if the services billed meet the period of performance requirements under the grant. Fiscal managers are also responsible for ensuring that payments are coded to the correct period. The Authority follows the accrual basis of accounting and uses the Agency Financial Reporting System (AFRS), which is the state?s central accounting system, to record federal expenditures. At the end of the fiscal year, the Authority?s federal financial reporting (FFR) unit estimates the amount of outstanding obligations to providers. These amounts are recorded in AFRS as an accrued expenditure for MHBG and subsequently reported to OFM for the compilation of the Schedule of Expenditures of Federal Awards. FFR has written procedures for calculating its estimated accruals. The calculation begins by using a spreadsheet that tracks contractual obligations to MHBG subrecipients and vendors to determine the total state obligation amount through the end of the subaward or contract, which usually extend past the end of the current state fiscal year. This total is then reduced by the amount of actual payments made to the subrecipients and vendors, and is also reduced an additional 2 percent to account for anticipated underspending. The remaining total is then recorded as an estimated accrual for the fiscal year. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the MHBG program were allowable and met period of performance requirements. During the audit period, the FFR unit recorded two state fiscal year-end estimated accruals totaling $8,668,982. The Authority did not retain the obligation workbook used at the time of calculating these estimated accruals. Without this documentation, we were unable to assess the accuracy of the obligated amount. However, the Authority confirmed that the obligation amount used in the calculation included expenditures that were incurred after the state fiscal year. Any expenditures incurred after the state fiscal year has ended are not allowed to be included in an accrual. Furthermore, provider payments liquidated after the state fiscal year are not assigned to the estimated accrual in the accounting system. Therefore, we could not determine if the estimated accrual amount was reasonable and accurately reflected expenditures that occurred within the state fiscal year. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition While the Authority has written procedures for the year-end estimated accruals, management did not ensure that only obligations within the state fiscal year were included. Furthermore, the Authority does not have a process in place to review estimated year-end accruals to verify the reasonableness of the accrual calculation. Effect of Condition and Questioned Costs Without retaining adequate support for the estimated year-end accruals and having a process to verify the reasonableness of the estimated calculation, the Authority cannot reasonably ensure that its MHBG expenditures are for allowable activities and within the period of performance. We identified $8,668,982 in known questioned costs related to the estimated year-end accruals. Without establishing adequate internal controls, the Authority cannot reasonably ensure it is using federal funds for allowable purposes and that spending occurs within the allowed period of performance. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve its internal controls to ensure estimated accruals are reasonable and supported ? Improve its internal controls to ensure payments are within the award?s period of performance ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Authority?s Response HCA concurs in part. HCA acknowledges that the version of the document used to determine year-end accruals was not retained as a supporting document. We also acknowledge that some portion of the accrued amount could have included obligations beyond state fiscal year 2022. HCA does not agree that we cannot reasonably ensure that MHBG expenditures are for allowable activities and within the period of performance. Expenditures reported on MHBG are prepared based on cash and liquidations and all costs are reviewed to ensure they meet the period of performance. While the year-end accruals may included some amounts beyond the state fiscal year, the amounts accrued were based on four quarters of activity. This would not result in errors in federal reporting or federal cash draws. To question the year-end accruals in their entirety is an overstatement of any potential error that was made. The year-end accruals were solely recorded as estimates, and were not used to make any program payments or draw funds from the grantor. HCA only makes program payments to subrecipients and contractors after receiving invoices which are reviewed by staff, including review that the expenditures are within the grant period of performance. HCA does not agree with repayment of the $8,668,982 questioned costs associated with year-end accruals. HCA notes that the $8,668,982 questioned costs, do not meet the definition of Improper Payments as defined in Uniform Guidance 2 CFR 200.1. Based on preliminary discussions with the grantor, HCA should expect that repayment of questioned costs related to the accruals will not be requested as no funds were drawn. This information was shared with the auditor. Auditor?s Remarks In its response, the Authority acknowledged it did not retain supporting documentation to verify the year-end estimated accrual expenditures were incurred during the state fiscal year. Furthermore, the Authority acknowledged that the year-end estimated accruals likely included expenditures incurred after the state fiscal year. The Authority reports cash and accrued expenditures on the Schedule of Expenditures of Federal Awards and, as such, the accruals are required to be audited. In our judgment, the Authority does not have sufficient processes in place to verify the reasonableness of the year-end estimated accrual calculations. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit period. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments, which states impart: (2) Where the costs, at the time of the audit are not supported by adequate documentation. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 502, Basis for determining Federal awards expended, states in part: (a) Determining Federal awards expended. The determination of when a Federal award is expended must be based on when the activity related to the Federal award occurs. Generally, the activity pertains to events that require the non-Federal entity to comply with Federal statutes, regulations, and the terms and conditions of Federal awards, such as: expenditure/expense transactions associated with awards including grants, cost-reimbursement contracts under FAR, compacts with Indian Tribes, cooperative agreements, and direct appropriations; the disbursement of funds to subrecipients, the use of loan proceeds under loan and loan guarantee programs; the receipt of property; the receipt of surplus property; the receipt or use of program income? the distribution or use of food commodities; the disbursement of amounts entitling the non-Federal entity to an interest subsidy; and the period when insurance is in force. Title 2 CFR Part 200, Uniform Guidance, section 510, Financial statements, states in part: (b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee?s financial statements which must include the total Federal awards expended as determined in accordance with 200.52. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Behavioral Health Grant Unit Procedures, state in part: WHAT IS ACCRUAL: Fiscal year end and end of biennium contract subsequent payments. PURPOSE: To prepare contact accruals for the end of the fiscal year or biennium and the subsequent payment of those invoices by the Behavioral Health Grant Unit. BACKGROUND: Accruals and liquidations are looked at a high-level by program, fund, and fund sources (GF-S/GF-F), to see if the agency has over liquidated our authority. Some accruals are based on actual billings/claims, but a good chunk is based on estimates, because of the lag in billings, as well as the amount of contracts per grant; mainly block and SOR. BLOCK GRANT AND SOR PROCESS 1. Create a SFYXX Accrual workbook using a JV workbook template. 2. Pull grant direct expenditure data to date including GL 0159 (liquidations), cash expenditures (6510), and accruals (6505), using your grant Webi criteria. a. We pull in accruals (GL6505), because we want to see accruals that have already been booked by AP, so we don?t double book them. b. Expenditures paid in the new SFY will automatically need to be accrued since they weren?t paid in by the end of the SFY. c. Filter out/do not accrue on any interagency transactions including state universities. Those are processed outside of our unit. 3. Take total SFY of year processing obligation from grant spreadsheet. ? NOTE: For auditing purposes, if one was to reproduce the obligation amount it could change if you refer to the original document later than the date that we established the original obligation amount. Please always refer to the accrual spreadsheet for the obligation amount pulled at the time for the purpose of accruals. 4. Reduce the obligation amount by 2% so that we don?t over accrue (The percentage was recommended?due to not spending everything that is obligated.). 5. First pivot to run is to identify total expenditures and accruals for SFY being processed. Use the expenditure amount for the second pivot table. 6. Second pivot to run is to figure out the split out the expenditure between ER and NB, because they are the most common. Calculate the left to accrue amount by taking the obligations with 2% reduction subtracting the expenditures as well as the previous accrual amount. To see what you need to accrue. 7. Third and Fourth pivot tables find the most common PI for each of the subobjects. 8. Fifth pivot table identifies most common org index. 9. Calculate percentages to spread the accrual across ER and /or NB in allocations, per grant. 10. Complete the rest of the workbook following our JV process with obtaining the JV log number, filling out the JV log, adding the explanation and backup data for the upload and release tab. On the JV tab complete the TC to be 736 and include GL 5111. If we need to complete a reversal the TC would be 736R. 11. Upload and email the JV to Supervisor and Lead. 12. Supervisor and Lead review, approve, and release the JV.
2022-063 The Health Care Authority did not have adequate controls over and did not comply with requirements to ensure payments to providers for the Block Grants for Community Mental Health Services were allowable and met period of performance requirements. Assistance Listing Number and Title: 93.958 Block Grants for Community Mental Health Services 93.958 COVID-19 Block Grants for Community Mental Health Services Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B09SM082638-01; 6B09SM082638-01M001; 6N09SM082638-01M004; 6B09SM082638-01M002; 6B09SM082638-01M003; 6N09SM083829-01M001; 1B09SM083829-01; 1B09SM086035-01; 6B09SM086035-01M001; 6B09SM086035-01M002; 6B09SM086035-01M003; 1B09SM085384-01; 1B09SM085912-01; 1B09SM083998-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: $8,668,982 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grant for Community Mental Health Service (MHBG). The Authority subawards federal funds to counties, tribes, and nonprofit organizations to provide mental health treatment and crisis service to adults diagnosed with serious mental illness and children diagnosed with serious emotional disturbances. In fiscal year 2022, the Authority spent about $31.7 million in federal program funds, $20.5 million of which it paid to subrecipients. The Authority can use grant funds only for costs that are allowable and incurred during the period of performance, as specified in the grant?s terms and conditions. At the beginning of each federal fiscal year and whenever the Authority receives a new federal grant, it establishes new cost objectives and allocation codes to ensure expenditures are charged to the proper grants. When the Authority receives reimbursement requests, program managers are responsible for reviewing supporting documentation to determine if the services billed meet the period of performance requirements under the grant. Fiscal managers are also responsible for ensuring that payments are coded to the correct period. The Authority follows the accrual basis of accounting and uses the Agency Financial Reporting System (AFRS), which is the state?s central accounting system, to record federal expenditures. At the end of the fiscal year, the Authority?s federal financial reporting (FFR) unit estimates the amount of outstanding obligations to providers. These amounts are recorded in AFRS as an accrued expenditure for MHBG and subsequently reported to OFM for the compilation of the Schedule of Expenditures of Federal Awards. FFR has written procedures for calculating its estimated accruals. The calculation begins by using a spreadsheet that tracks contractual obligations to MHBG subrecipients and vendors to determine the total state obligation amount through the end of the subaward or contract, which usually extend past the end of the current state fiscal year. This total is then reduced by the amount of actual payments made to the subrecipients and vendors, and is also reduced an additional 2 percent to account for anticipated underspending. The remaining total is then recorded as an estimated accrual for the fiscal year. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the MHBG program were allowable and met period of performance requirements. During the audit period, the FFR unit recorded two state fiscal year-end estimated accruals totaling $8,668,982. The Authority did not retain the obligation workbook used at the time of calculating these estimated accruals. Without this documentation, we were unable to assess the accuracy of the obligated amount. However, the Authority confirmed that the obligation amount used in the calculation included expenditures that were incurred after the state fiscal year. Any expenditures incurred after the state fiscal year has ended are not allowed to be included in an accrual. Furthermore, provider payments liquidated after the state fiscal year are not assigned to the estimated accrual in the accounting system. Therefore, we could not determine if the estimated accrual amount was reasonable and accurately reflected expenditures that occurred within the state fiscal year. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition While the Authority has written procedures for the year-end estimated accruals, management did not ensure that only obligations within the state fiscal year were included. Furthermore, the Authority does not have a process in place to review estimated year-end accruals to verify the reasonableness of the accrual calculation. Effect of Condition and Questioned Costs Without retaining adequate support for the estimated year-end accruals and having a process to verify the reasonableness of the estimated calculation, the Authority cannot reasonably ensure that its MHBG expenditures are for allowable activities and within the period of performance. We identified $8,668,982 in known questioned costs related to the estimated year-end accruals. Without establishing adequate internal controls, the Authority cannot reasonably ensure it is using federal funds for allowable purposes and that spending occurs within the allowed period of performance. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve its internal controls to ensure estimated accruals are reasonable and supported ? Improve its internal controls to ensure payments are within the award?s period of performance ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Authority?s Response HCA concurs in part. HCA acknowledges that the version of the document used to determine year-end accruals was not retained as a supporting document. We also acknowledge that some portion of the accrued amount could have included obligations beyond state fiscal year 2022. HCA does not agree that we cannot reasonably ensure that MHBG expenditures are for allowable activities and within the period of performance. Expenditures reported on MHBG are prepared based on cash and liquidations and all costs are reviewed to ensure they meet the period of performance. While the year-end accruals may included some amounts beyond the state fiscal year, the amounts accrued were based on four quarters of activity. This would not result in errors in federal reporting or federal cash draws. To question the year-end accruals in their entirety is an overstatement of any potential error that was made. The year-end accruals were solely recorded as estimates, and were not used to make any program payments or draw funds from the grantor. HCA only makes program payments to subrecipients and contractors after receiving invoices which are reviewed by staff, including review that the expenditures are within the grant period of performance. HCA does not agree with repayment of the $8,668,982 questioned costs associated with year-end accruals. HCA notes that the $8,668,982 questioned costs, do not meet the definition of Improper Payments as defined in Uniform Guidance 2 CFR 200.1. Based on preliminary discussions with the grantor, HCA should expect that repayment of questioned costs related to the accruals will not be requested as no funds were drawn. This information was shared with the auditor. Auditor?s Remarks In its response, the Authority acknowledged it did not retain supporting documentation to verify the year-end estimated accrual expenditures were incurred during the state fiscal year. Furthermore, the Authority acknowledged that the year-end estimated accruals likely included expenditures incurred after the state fiscal year. The Authority reports cash and accrued expenditures on the Schedule of Expenditures of Federal Awards and, as such, the accruals are required to be audited. In our judgment, the Authority does not have sufficient processes in place to verify the reasonableness of the year-end estimated accrual calculations. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit period. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments, which states impart: (2) Where the costs, at the time of the audit are not supported by adequate documentation. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 502, Basis for determining Federal awards expended, states in part: (a) Determining Federal awards expended. The determination of when a Federal award is expended must be based on when the activity related to the Federal award occurs. Generally, the activity pertains to events that require the non-Federal entity to comply with Federal statutes, regulations, and the terms and conditions of Federal awards, such as: expenditure/expense transactions associated with awards including grants, cost-reimbursement contracts under FAR, compacts with Indian Tribes, cooperative agreements, and direct appropriations; the disbursement of funds to subrecipients, the use of loan proceeds under loan and loan guarantee programs; the receipt of property; the receipt of surplus property; the receipt or use of program income? the distribution or use of food commodities; the disbursement of amounts entitling the non-Federal entity to an interest subsidy; and the period when insurance is in force. Title 2 CFR Part 200, Uniform Guidance, section 510, Financial statements, states in part: (b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee?s financial statements which must include the total Federal awards expended as determined in accordance with 200.52. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Behavioral Health Grant Unit Procedures, state in part: WHAT IS ACCRUAL: Fiscal year end and end of biennium contract subsequent payments. PURPOSE: To prepare contact accruals for the end of the fiscal year or biennium and the subsequent payment of those invoices by the Behavioral Health Grant Unit. BACKGROUND: Accruals and liquidations are looked at a high-level by program, fund, and fund sources (GF-S/GF-F), to see if the agency has over liquidated our authority. Some accruals are based on actual billings/claims, but a good chunk is based on estimates, because of the lag in billings, as well as the amount of contracts per grant; mainly block and SOR. BLOCK GRANT AND SOR PROCESS 1. Create a SFYXX Accrual workbook using a JV workbook template. 2. Pull grant direct expenditure data to date including GL 0159 (liquidations), cash expenditures (6510), and accruals (6505), using your grant Webi criteria. a. We pull in accruals (GL6505), because we want to see accruals that have already been booked by AP, so we don?t double book them. b. Expenditures paid in the new SFY will automatically need to be accrued since they weren?t paid in by the end of the SFY. c. Filter out/do not accrue on any interagency transactions including state universities. Those are processed outside of our unit. 3. Take total SFY of year processing obligation from grant spreadsheet. ? NOTE: For auditing purposes, if one was to reproduce the obligation amount it could change if you refer to the original document later than the date that we established the original obligation amount. Please always refer to the accrual spreadsheet for the obligation amount pulled at the time for the purpose of accruals. 4. Reduce the obligation amount by 2% so that we don?t over accrue (The percentage was recommended?due to not spending everything that is obligated.). 5. First pivot to run is to identify total expenditures and accruals for SFY being processed. Use the expenditure amount for the second pivot table. 6. Second pivot to run is to figure out the split out the expenditure between ER and NB, because they are the most common. Calculate the left to accrue amount by taking the obligations with 2% reduction subtracting the expenditures as well as the previous accrual amount. To see what you need to accrue. 7. Third and Fourth pivot tables find the most common PI for each of the subobjects. 8. Fifth pivot table identifies most common org index. 9. Calculate percentages to spread the accrual across ER and /or NB in allocations, per grant. 10. Complete the rest of the workbook following our JV process with obtaining the JV log number, filling out the JV log, adding the explanation and backup data for the upload and release tab. On the JV tab complete the TC to be 736 and include GL 5111. If we need to complete a reversal the TC would be 736R. 11. Upload and email the JV to Supervisor and Lead. 12. Supervisor and Lead review, approve, and release the JV.
2022-063 The Health Care Authority did not have adequate controls over and did not comply with requirements to ensure payments to providers for the Block Grants for Community Mental Health Services were allowable and met period of performance requirements. Assistance Listing Number and Title: 93.958 Block Grants for Community Mental Health Services 93.958 COVID-19 Block Grants for Community Mental Health Services Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B09SM082638-01; 6B09SM082638-01M001; 6N09SM082638-01M004; 6B09SM082638-01M002; 6B09SM082638-01M003; 6N09SM083829-01M001; 1B09SM083829-01; 1B09SM086035-01; 6B09SM086035-01M001; 6B09SM086035-01M002; 6B09SM086035-01M003; 1B09SM085384-01; 1B09SM085912-01; 1B09SM083998-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: $8,668,982 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grant for Community Mental Health Service (MHBG). The Authority subawards federal funds to counties, tribes, and nonprofit organizations to provide mental health treatment and crisis service to adults diagnosed with serious mental illness and children diagnosed with serious emotional disturbances. In fiscal year 2022, the Authority spent about $31.7 million in federal program funds, $20.5 million of which it paid to subrecipients. The Authority can use grant funds only for costs that are allowable and incurred during the period of performance, as specified in the grant?s terms and conditions. At the beginning of each federal fiscal year and whenever the Authority receives a new federal grant, it establishes new cost objectives and allocation codes to ensure expenditures are charged to the proper grants. When the Authority receives reimbursement requests, program managers are responsible for reviewing supporting documentation to determine if the services billed meet the period of performance requirements under the grant. Fiscal managers are also responsible for ensuring that payments are coded to the correct period. The Authority follows the accrual basis of accounting and uses the Agency Financial Reporting System (AFRS), which is the state?s central accounting system, to record federal expenditures. At the end of the fiscal year, the Authority?s federal financial reporting (FFR) unit estimates the amount of outstanding obligations to providers. These amounts are recorded in AFRS as an accrued expenditure for MHBG and subsequently reported to OFM for the compilation of the Schedule of Expenditures of Federal Awards. FFR has written procedures for calculating its estimated accruals. The calculation begins by using a spreadsheet that tracks contractual obligations to MHBG subrecipients and vendors to determine the total state obligation amount through the end of the subaward or contract, which usually extend past the end of the current state fiscal year. This total is then reduced by the amount of actual payments made to the subrecipients and vendors, and is also reduced an additional 2 percent to account for anticipated underspending. The remaining total is then recorded as an estimated accrual for the fiscal year. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the MHBG program were allowable and met period of performance requirements. During the audit period, the FFR unit recorded two state fiscal year-end estimated accruals totaling $8,668,982. The Authority did not retain the obligation workbook used at the time of calculating these estimated accruals. Without this documentation, we were unable to assess the accuracy of the obligated amount. However, the Authority confirmed that the obligation amount used in the calculation included expenditures that were incurred after the state fiscal year. Any expenditures incurred after the state fiscal year has ended are not allowed to be included in an accrual. Furthermore, provider payments liquidated after the state fiscal year are not assigned to the estimated accrual in the accounting system. Therefore, we could not determine if the estimated accrual amount was reasonable and accurately reflected expenditures that occurred within the state fiscal year. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition While the Authority has written procedures for the year-end estimated accruals, management did not ensure that only obligations within the state fiscal year were included. Furthermore, the Authority does not have a process in place to review estimated year-end accruals to verify the reasonableness of the accrual calculation. Effect of Condition and Questioned Costs Without retaining adequate support for the estimated year-end accruals and having a process to verify the reasonableness of the estimated calculation, the Authority cannot reasonably ensure that its MHBG expenditures are for allowable activities and within the period of performance. We identified $8,668,982 in known questioned costs related to the estimated year-end accruals. Without establishing adequate internal controls, the Authority cannot reasonably ensure it is using federal funds for allowable purposes and that spending occurs within the allowed period of performance. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve its internal controls to ensure estimated accruals are reasonable and supported ? Improve its internal controls to ensure payments are within the award?s period of performance ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Authority?s Response HCA concurs in part. HCA acknowledges that the version of the document used to determine year-end accruals was not retained as a supporting document. We also acknowledge that some portion of the accrued amount could have included obligations beyond state fiscal year 2022. HCA does not agree that we cannot reasonably ensure that MHBG expenditures are for allowable activities and within the period of performance. Expenditures reported on MHBG are prepared based on cash and liquidations and all costs are reviewed to ensure they meet the period of performance. While the year-end accruals may included some amounts beyond the state fiscal year, the amounts accrued were based on four quarters of activity. This would not result in errors in federal reporting or federal cash draws. To question the year-end accruals in their entirety is an overstatement of any potential error that was made. The year-end accruals were solely recorded as estimates, and were not used to make any program payments or draw funds from the grantor. HCA only makes program payments to subrecipients and contractors after receiving invoices which are reviewed by staff, including review that the expenditures are within the grant period of performance. HCA does not agree with repayment of the $8,668,982 questioned costs associated with year-end accruals. HCA notes that the $8,668,982 questioned costs, do not meet the definition of Improper Payments as defined in Uniform Guidance 2 CFR 200.1. Based on preliminary discussions with the grantor, HCA should expect that repayment of questioned costs related to the accruals will not be requested as no funds were drawn. This information was shared with the auditor. Auditor?s Remarks In its response, the Authority acknowledged it did not retain supporting documentation to verify the year-end estimated accrual expenditures were incurred during the state fiscal year. Furthermore, the Authority acknowledged that the year-end estimated accruals likely included expenditures incurred after the state fiscal year. The Authority reports cash and accrued expenditures on the Schedule of Expenditures of Federal Awards and, as such, the accruals are required to be audited. In our judgment, the Authority does not have sufficient processes in place to verify the reasonableness of the year-end estimated accrual calculations. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit period. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments, which states impart: (2) Where the costs, at the time of the audit are not supported by adequate documentation. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 502, Basis for determining Federal awards expended, states in part: (a) Determining Federal awards expended. The determination of when a Federal award is expended must be based on when the activity related to the Federal award occurs. Generally, the activity pertains to events that require the non-Federal entity to comply with Federal statutes, regulations, and the terms and conditions of Federal awards, such as: expenditure/expense transactions associated with awards including grants, cost-reimbursement contracts under FAR, compacts with Indian Tribes, cooperative agreements, and direct appropriations; the disbursement of funds to subrecipients, the use of loan proceeds under loan and loan guarantee programs; the receipt of property; the receipt of surplus property; the receipt or use of program income? the distribution or use of food commodities; the disbursement of amounts entitling the non-Federal entity to an interest subsidy; and the period when insurance is in force. Title 2 CFR Part 200, Uniform Guidance, section 510, Financial statements, states in part: (b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee?s financial statements which must include the total Federal awards expended as determined in accordance with 200.52. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Behavioral Health Grant Unit Procedures, state in part: WHAT IS ACCRUAL: Fiscal year end and end of biennium contract subsequent payments. PURPOSE: To prepare contact accruals for the end of the fiscal year or biennium and the subsequent payment of those invoices by the Behavioral Health Grant Unit. BACKGROUND: Accruals and liquidations are looked at a high-level by program, fund, and fund sources (GF-S/GF-F), to see if the agency has over liquidated our authority. Some accruals are based on actual billings/claims, but a good chunk is based on estimates, because of the lag in billings, as well as the amount of contracts per grant; mainly block and SOR. BLOCK GRANT AND SOR PROCESS 1. Create a SFYXX Accrual workbook using a JV workbook template. 2. Pull grant direct expenditure data to date including GL 0159 (liquidations), cash expenditures (6510), and accruals (6505), using your grant Webi criteria. a. We pull in accruals (GL6505), because we want to see accruals that have already been booked by AP, so we don?t double book them. b. Expenditures paid in the new SFY will automatically need to be accrued since they weren?t paid in by the end of the SFY. c. Filter out/do not accrue on any interagency transactions including state universities. Those are processed outside of our unit. 3. Take total SFY of year processing obligation from grant spreadsheet. ? NOTE: For auditing purposes, if one was to reproduce the obligation amount it could change if you refer to the original document later than the date that we established the original obligation amount. Please always refer to the accrual spreadsheet for the obligation amount pulled at the time for the purpose of accruals. 4. Reduce the obligation amount by 2% so that we don?t over accrue (The percentage was recommended?due to not spending everything that is obligated.). 5. First pivot to run is to identify total expenditures and accruals for SFY being processed. Use the expenditure amount for the second pivot table. 6. Second pivot to run is to figure out the split out the expenditure between ER and NB, because they are the most common. Calculate the left to accrue amount by taking the obligations with 2% reduction subtracting the expenditures as well as the previous accrual amount. To see what you need to accrue. 7. Third and Fourth pivot tables find the most common PI for each of the subobjects. 8. Fifth pivot table identifies most common org index. 9. Calculate percentages to spread the accrual across ER and /or NB in allocations, per grant. 10. Complete the rest of the workbook following our JV process with obtaining the JV log number, filling out the JV log, adding the explanation and backup data for the upload and release tab. On the JV tab complete the TC to be 736 and include GL 5111. If we need to complete a reversal the TC would be 736R. 11. Upload and email the JV to Supervisor and Lead. 12. Supervisor and Lead review, approve, and release the JV.
2022-063 The Health Care Authority did not have adequate controls over and did not comply with requirements to ensure payments to providers for the Block Grants for Community Mental Health Services were allowable and met period of performance requirements. Assistance Listing Number and Title: 93.958 Block Grants for Community Mental Health Services 93.958 COVID-19 Block Grants for Community Mental Health Services Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B09SM082638-01; 6B09SM082638-01M001; 6N09SM082638-01M004; 6B09SM082638-01M002; 6B09SM082638-01M003; 6N09SM083829-01M001; 1B09SM083829-01; 1B09SM086035-01; 6B09SM086035-01M001; 6B09SM086035-01M002; 6B09SM086035-01M003; 1B09SM085384-01; 1B09SM085912-01; 1B09SM083998-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs / Cost Principles Period of Performance Known Questioned Cost Amount: $8,668,982 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grant for Community Mental Health Service (MHBG). The Authority subawards federal funds to counties, tribes, and nonprofit organizations to provide mental health treatment and crisis service to adults diagnosed with serious mental illness and children diagnosed with serious emotional disturbances. In fiscal year 2022, the Authority spent about $31.7 million in federal program funds, $20.5 million of which it paid to subrecipients. The Authority can use grant funds only for costs that are allowable and incurred during the period of performance, as specified in the grant?s terms and conditions. At the beginning of each federal fiscal year and whenever the Authority receives a new federal grant, it establishes new cost objectives and allocation codes to ensure expenditures are charged to the proper grants. When the Authority receives reimbursement requests, program managers are responsible for reviewing supporting documentation to determine if the services billed meet the period of performance requirements under the grant. Fiscal managers are also responsible for ensuring that payments are coded to the correct period. The Authority follows the accrual basis of accounting and uses the Agency Financial Reporting System (AFRS), which is the state?s central accounting system, to record federal expenditures. At the end of the fiscal year, the Authority?s federal financial reporting (FFR) unit estimates the amount of outstanding obligations to providers. These amounts are recorded in AFRS as an accrued expenditure for MHBG and subsequently reported to OFM for the compilation of the Schedule of Expenditures of Federal Awards. FFR has written procedures for calculating its estimated accruals. The calculation begins by using a spreadsheet that tracks contractual obligations to MHBG subrecipients and vendors to determine the total state obligation amount through the end of the subaward or contract, which usually extend past the end of the current state fiscal year. This total is then reduced by the amount of actual payments made to the subrecipients and vendors, and is also reduced an additional 2 percent to account for anticipated underspending. The remaining total is then recorded as an estimated accrual for the fiscal year. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the MHBG program were allowable and met period of performance requirements. During the audit period, the FFR unit recorded two state fiscal year-end estimated accruals totaling $8,668,982. The Authority did not retain the obligation workbook used at the time of calculating these estimated accruals. Without this documentation, we were unable to assess the accuracy of the obligated amount. However, the Authority confirmed that the obligation amount used in the calculation included expenditures that were incurred after the state fiscal year. Any expenditures incurred after the state fiscal year has ended are not allowed to be included in an accrual. Furthermore, provider payments liquidated after the state fiscal year are not assigned to the estimated accrual in the accounting system. Therefore, we could not determine if the estimated accrual amount was reasonable and accurately reflected expenditures that occurred within the state fiscal year. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. This issue was not reported as a finding in the prior audit. Cause of Condition While the Authority has written procedures for the year-end estimated accruals, management did not ensure that only obligations within the state fiscal year were included. Furthermore, the Authority does not have a process in place to review estimated year-end accruals to verify the reasonableness of the accrual calculation. Effect of Condition and Questioned Costs Without retaining adequate support for the estimated year-end accruals and having a process to verify the reasonableness of the estimated calculation, the Authority cannot reasonably ensure that its MHBG expenditures are for allowable activities and within the period of performance. We identified $8,668,982 in known questioned costs related to the estimated year-end accruals. Without establishing adequate internal controls, the Authority cannot reasonably ensure it is using federal funds for allowable purposes and that spending occurs within the allowed period of performance. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve its internal controls to ensure estimated accruals are reasonable and supported ? Improve its internal controls to ensure payments are within the award?s period of performance ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Authority?s Response HCA concurs in part. HCA acknowledges that the version of the document used to determine year-end accruals was not retained as a supporting document. We also acknowledge that some portion of the accrued amount could have included obligations beyond state fiscal year 2022. HCA does not agree that we cannot reasonably ensure that MHBG expenditures are for allowable activities and within the period of performance. Expenditures reported on MHBG are prepared based on cash and liquidations and all costs are reviewed to ensure they meet the period of performance. While the year-end accruals may included some amounts beyond the state fiscal year, the amounts accrued were based on four quarters of activity. This would not result in errors in federal reporting or federal cash draws. To question the year-end accruals in their entirety is an overstatement of any potential error that was made. The year-end accruals were solely recorded as estimates, and were not used to make any program payments or draw funds from the grantor. HCA only makes program payments to subrecipients and contractors after receiving invoices which are reviewed by staff, including review that the expenditures are within the grant period of performance. HCA does not agree with repayment of the $8,668,982 questioned costs associated with year-end accruals. HCA notes that the $8,668,982 questioned costs, do not meet the definition of Improper Payments as defined in Uniform Guidance 2 CFR 200.1. Based on preliminary discussions with the grantor, HCA should expect that repayment of questioned costs related to the accruals will not be requested as no funds were drawn. This information was shared with the auditor. Auditor?s Remarks In its response, the Authority acknowledged it did not retain supporting documentation to verify the year-end estimated accrual expenditures were incurred during the state fiscal year. Furthermore, the Authority acknowledged that the year-end estimated accruals likely included expenditures incurred after the state fiscal year. The Authority reports cash and accrued expenditures on the Schedule of Expenditures of Federal Awards and, as such, the accruals are required to be audited. In our judgment, the Authority does not have sufficient processes in place to verify the reasonableness of the year-end estimated accrual calculations. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit period. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments, which states impart: (2) Where the costs, at the time of the audit are not supported by adequate documentation. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 502, Basis for determining Federal awards expended, states in part: (a) Determining Federal awards expended. The determination of when a Federal award is expended must be based on when the activity related to the Federal award occurs. Generally, the activity pertains to events that require the non-Federal entity to comply with Federal statutes, regulations, and the terms and conditions of Federal awards, such as: expenditure/expense transactions associated with awards including grants, cost-reimbursement contracts under FAR, compacts with Indian Tribes, cooperative agreements, and direct appropriations; the disbursement of funds to subrecipients, the use of loan proceeds under loan and loan guarantee programs; the receipt of property; the receipt of surplus property; the receipt or use of program income? the distribution or use of food commodities; the disbursement of amounts entitling the non-Federal entity to an interest subsidy; and the period when insurance is in force. Title 2 CFR Part 200, Uniform Guidance, section 510, Financial statements, states in part: (b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee?s financial statements which must include the total Federal awards expended as determined in accordance with 200.52. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Behavioral Health Grant Unit Procedures, state in part: WHAT IS ACCRUAL: Fiscal year end and end of biennium contract subsequent payments. PURPOSE: To prepare contact accruals for the end of the fiscal year or biennium and the subsequent payment of those invoices by the Behavioral Health Grant Unit. BACKGROUND: Accruals and liquidations are looked at a high-level by program, fund, and fund sources (GF-S/GF-F), to see if the agency has over liquidated our authority. Some accruals are based on actual billings/claims, but a good chunk is based on estimates, because of the lag in billings, as well as the amount of contracts per grant; mainly block and SOR. BLOCK GRANT AND SOR PROCESS 1. Create a SFYXX Accrual workbook using a JV workbook template. 2. Pull grant direct expenditure data to date including GL 0159 (liquidations), cash expenditures (6510), and accruals (6505), using your grant Webi criteria. a. We pull in accruals (GL6505), because we want to see accruals that have already been booked by AP, so we don?t double book them. b. Expenditures paid in the new SFY will automatically need to be accrued since they weren?t paid in by the end of the SFY. c. Filter out/do not accrue on any interagency transactions including state universities. Those are processed outside of our unit. 3. Take total SFY of year processing obligation from grant spreadsheet. ? NOTE: For auditing purposes, if one was to reproduce the obligation amount it could change if you refer to the original document later than the date that we established the original obligation amount. Please always refer to the accrual spreadsheet for the obligation amount pulled at the time for the purpose of accruals. 4. Reduce the obligation amount by 2% so that we don?t over accrue (The percentage was recommended?due to not spending everything that is obligated.). 5. First pivot to run is to identify total expenditures and accruals for SFY being processed. Use the expenditure amount for the second pivot table. 6. Second pivot to run is to figure out the split out the expenditure between ER and NB, because they are the most common. Calculate the left to accrue amount by taking the obligations with 2% reduction subtracting the expenditures as well as the previous accrual amount. To see what you need to accrue. 7. Third and Fourth pivot tables find the most common PI for each of the subobjects. 8. Fifth pivot table identifies most common org index. 9. Calculate percentages to spread the accrual across ER and /or NB in allocations, per grant. 10. Complete the rest of the workbook following our JV process with obtaining the JV log number, filling out the JV log, adding the explanation and backup data for the upload and release tab. On the JV tab complete the TC to be 736 and include GL 5111. If we need to complete a reversal the TC would be 736R. 11. Upload and email the JV to Supervisor and Lead. 12. Supervisor and Lead review, approve, and release the JV.
2022-067 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the Block Grants for Prevention and Treatment of Substance Abuse program were allowable and met period of performance requirements. Assistance Listing Number and Title: 93.959 Block Grants for Prevention and Treatment of Substance Abuse 93.959 COVID-19 Block Grants for Prevention and Substance Abuse Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B08TI083138-01; 6B08TI083138-01M003; 6B08TI083138-01M004; 6B08TI083486-01M001; 6B08TI083486-01M002; 6B08TI083486-01M004; 1B08TI83519-01; 1B08TI084681-01; 1B08TI083977-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs/Cost Principles Period of Performance Known Questioned Cost Amount: $19,959,714 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grants for Prevention and Treatment of Substance Abuse (SABG). The Authority subawards federal funds to counties, tribes, and nonprofit organizations to develop prevention programs and provide treatment and support services. In fiscal year 2022, the Authority spent about $67.3 million in federal program funds, $52 million of which it paid to subrecipients. The Authority can use grant funds only for costs that are allowable and incurred during the period of performance, as specified in the grant?s terms and conditions. At the beginning of each federal fiscal year, and whenever the Authority receives a new federal grant, it establishes new cost objectives and allocation codes to ensure expenditures are charged to the proper grants. When the Authority receives reimbursement requests, program managers are responsible for reviewing supporting documentation to determine if the services billed meet the period of performance requirements under the grant. Fiscal managers are also responsible for ensuring that payments are coded to the correct period. The Authority follows the accrual basis of accounting and uses the Agency Financial Reporting System (AFRS), which is the state?s central accounting system, to record federal expenditures. At the end of the fiscal year, the Authority?s federal financial reporting (FFR) unit estimates the amount of outstanding obligations to providers. These amounts are recorded in AFRS as an accrued expenditure for SABG and subsequently reported to OFM for the compilation of the Schedule of Expenditures of Federal Awards. FFR has written procedures for calculating its estimated accruals. The calculation begins by using a spreadsheet that tracks contractual obligations to SABG subrecipients and vendors to determine the total state obligation amount through the end of the subaward or contract, which usually extend past the end of the current state fiscal year. This total is then reduced by the number of actual payments made to the subrecipients and vendors, and is also reduced an additional 2 percent to account for anticipated underspending. The remaining total is then recorded as an estimated accrual for the fiscal year. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior two audits, we reported the Authority did not have adequate internal controls to ensure payments made under the SABG program met the period of performance requirements. The prior finding numbers were 2020-059 and 2021-057. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the SABG program were allowable and met period of performance requirements. Year-end Estimated Accruals During the audit period, the FFR unit recorded two state fiscal year-end estimated accruals totaling $19,870,537. The Authority did not retain the obligation workbook used at the time of calculating these estimated accruals. Without this documentation, we were unable to assess the accuracy of the obligated amount. However, the Authority confirmed that the obligation amount used in the calculation included expenditures that were incurred after the state fiscal year. Any expenditures incurred after the state fiscal year has ended are not allowed to be included in an accrual. Furthermore, provider payments liquidated after the state fiscal year are not assigned to the estimated accrual in the accounting system. Therefore, we could not determine if the estimated accrual amount was reasonable and accurately reflected expenditures that occurred within the state fiscal year. Transaction Testing We judgmentally selected and examined two expenditures that were recorded in the accounting system with service months prior to the allowed period of performance for the SABG federal fiscal year 2022 award. We found one of the expenditures (50 percent) was an accrual made at the end of the year with no subsequent liquidation payment. We also judgmentally selected and examined five out of a total population of 24 expenditures made during the SABG federal fiscal year 2020 award liquidation period. We found three expenditures (60 percent) were for indirect charges automatically applied to the award through the Authority?s cost allocation system for activities that occurred after the allowed period of performance. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition While the Authority had written procedures for the year-end estimated accrual, management did not ensure that only obligations incurred within the state fiscal year were included. Furthermore, the Authority did not have a process in place to review estimated year-end accruals to verify the reasonableness of the accrual calculation. Additionally, management did not ensure that the cost allocation system only allowed indirect payments occurring within an award?s period of performance to be charged to the grant, and did not monitor sufficiently to detect the improper charges. Effect of Condition and Questioned Costs Without retaining adequate support for the estimated year-end accruals and having a process to verify the reasonableness of the estimated calculation, the Authority cannot reasonably ensure its SABG expenditures are for allowable activities and within the period of performance. We identified $19,870,537 in known questioned costs related to the estimated year-end accruals. For the federal fiscal year 2022 award that opened during the audit period, we identified questioned costs totaling $85,492 for services performed outside the period of performance. For the federal fiscal year 2020 award that closed during the audit period, we identified questioned costs totaling $3,685 for indirect expenditures that were unallowable. In total, we identified $19,959,714 in known federal questioned costs. Without establishing adequate internal controls, the Authority cannot reasonably ensure it is using federal funds for allowable purposes and that spending occurs within the allowed period of performance. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve its internal controls to ensure estimated accruals are reasonable and supported ? Improve its internal controls to ensure the cost allocation system only charges eligible costs to the grant ? Improve its internal controls to ensure payments are within the award?s period of performance ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Authority?s Response HCA concurs in part. HCA acknowledges that the version of the document used to determine year-end accruals was not retained as a supporting document. We also acknowledge that some portion of the accrued amount could have included obligations beyond state fiscal year 2022. HCA does not agree that we cannot reasonably ensure that SABG expenditures are for allowable activities and within the period of performance. Expenditures reported on SABG are prepared based on cash and liquidations and all costs are reviewed to ensure they meet the period of performance. While the year-end accruals may included some amounts beyond the state fiscal year, the amounts accrued were based on four quarters of activity. This would not result in errors in federal reporting or federal cash draws. To question the year-end accruals in their entirety is an overstatement of any potential error that was made. The year-end accruals were solely recorded as estimates, and were not used to make any program payments or draw funds from the grantor. HCA only makes program payments to subrecipients and contractors after receiving invoices which are reviewed by staff, including review that the expenditures are within the grant period of performance. HCA does not agree with repayment of the $19,870,537 questioned costs associated with year-end accruals. HCA also does not concur with repayment of the $85,492 questioned costs associated with an accrual transaction. An accrual was entered in the accounting system based on expected billing. No invoice for the transaction was received for FY 22 grant activity, and as noted in the finding no payment was made. HCA does not draw funds from the grantor until a payment is made, and as a result no funds were drawn for this accrual. HCA concurs with the $3,685 for indirect expenditures that were unallowable for the grant award. An accounting cost center was not correctly updated at the end of the grant period, and as a result some termination leave indirect expenditures were charged to the grant after the period of performance ended. HCA will review processes to ensure cost centers are appropriately closed to prevent unallowable expenditures from being charged to grant awards and discuss repayment with the grantor. HCA notes that of the total $19,959,714 questioned costs, only $3,685 meet the definition of Improper Payments as defined in Uniform Guidance 2 CFR 200.1. Based on preliminary discussions with the grantor, HCA should expect that repayment of questioned costs related to the accruals will not be requested as no funds were drawn. This information was shared with the auditor. Auditor?s Remarks In its response, the Authority acknowledged it did not retain supporting documentation to verify the year-end estimated accrual expenditures were incurred during the state fiscal year. Furthermore, the Authority acknowledged that the year-end estimated accruals likely included expenditures incurred after the state fiscal year. The Authority reports cash and accrued expenditures on the Schedule of Expenditures of Federal Awards and, as such, the accruals are required to be audited. In our judgment, the Authority does not have sufficient processes in place to verify the reasonableness of the year-end estimated accrual calculations. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit period. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments, which states in part: (2) Where the costs, at the time of the audit, are not supported by adequate documentation. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 502, Basis for determining Federal awards expended, states in part: (a) Determining Federal awards expended. The determination of when a Federal award is expended must be based on when the activity related to the Federal award occurs. Generally, the activity pertains to events that require the non-Federal entity to comply with Federal statutes, regulations, and the terms and conditions of Federal awards, such as: expenditure/expense transactions associated with awards including grants, cost-reimbursement contracts under FAR, compacts with Indian Tribes, cooperative agreements, and direct appropriations; the disbursement of funds to subrecipients, the use of loan proceeds under loan and loan guarantee programs; the receipt of property; the receipt of surplus property; the receipt or use of program income; the distribution or use of food commodities; the disbursement of amounts entitling the non-Federal entity to an interest subsidy; and the period when insurance is in force. Title 2 CFR Part 200, Uniform Guidance, section 510, Financial statements, states in part: (b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee?s financial statements which must include the total Federal awards expended as determined in accordance with 200.502. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Behavioral Health Grant Unit Procedures, state in part: WHAT IS ACCRUAL: Fiscal year end and end of biennium contract subsequent payments. PURPOSE: To prepare contract accruals for the end of a fiscal year or biennium and the subsequent payment of those invoices by the Behavioral Health Grant Unit. BACKGROUND: Accruals and liquidations are looked at a high-level by program, fund, and fund source (GF-S/GF-F), to see if the agency has over liquidated our authority. Some accruals are based on actual billings/claims, but a good chunk is based on estimates, because of the lag in billings, as well as the amount of contracts per grant; mainly block and SOR. BLOCK GRANT AND SOR PROCESS 1. Create a SFYXX Accrual workbook using a JV workbook template. 2. Pull grant direct expenditure data to date including GL 0159 (liquidations), cash expenditures (6510) and accruals (6505), using your grant Webi criteria. a. We pull in accruals (GL 6505), because we want to see accruals that have already been booked by AP, so we don?t double book them. b. Expenditures paid in the new SFY will automatically need to be accrued since they weren?t paid by the end of the SFY. c. Filter out/do not accrue on any interagency transactions including state universities. Those are processed outside of our unit. 3. Take total SFY of year processing obligations from grant spreadsheet. ? NOTE: For auditing purposes, if one was to reproduce the obligation amount it could change if you refer to the original document later than the date that we established the original obligation amount. Please always refer to the accrual spreadsheet for the obligation amount pulled at the time for the purpose of accruals. 4. Reduce obligation amount by 2% so that we don?t over accrue (The percentage was recommended?due to not spending everything that is obligated.). 5. First pivot to run is to identify total expenditures and accruals for SFY being processed. Use the expenditure amount for the second pivot table. 6. Second pivot to run is to figure out the split out the expenditure between ER and NB, because they are the most common. Calculate the left to accrue amount by taking the obligations with 2% reduction subtracting the expenditures as well as the previous accrual amount. To see what you need to accrue. 7. Third and Fourth pivot tables find the most common PI for each of the subobjects. 8. Fifth pivot table identifies most common org index. 9. Sixth pivot table (SABG)identifies the ER and NB expenditures by allocation, so that they can be accrued by percentage of the total expenditures. 10. Calculate percentages to spread the accrual across ER and/or NB in allocations, per grant. 11. Complete the rest of the workbook following our JV process with obtaining the JV log number, filling out the JV log, adding the explanation and backup data for the upload and release tab. On the JV tab complete the TC to be 736 and include GL 5111. If we need to complete a reversal the TC would be 736R. 12. Upload and email the JV to Supervisor and Lead. 13. Supervisor and Lead review, approve, and release the JV.
2022-068 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure it met the earmarking requirement for the Block Grants for Prevention and Treatment of Substance Abuse. Assistance Listing Number and Title: 93.959 Block Grants for Prevention and Treatment of Substance Abuse 93.959 COVID-19 Block Grants for Prevention and Treatment of Substance Abuse Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B08TI083138-01; 6B08TI083138-01M003; 6B08TI083138-01M004; 6B08TI083486-01M001; 6B08TI083486-01M002; 6B08TI083486-01M004; 1B08TI83519-01; 1B08TI084681-01; 1B08TI083977-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Earmarking Known Questioned Cost Amount: $661 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grants for Prevention and Treatment of Substance Abuse. The Authority provides federal funds to counties, tribes, nonprofit organizations and other state agencies to develop prevention programs and provide treatment and support services. In fiscal year 2022, the Authority spent approximately $67.3 million in federal program funds. Federal regulations require the Authority to spend no more than 5 percent of the federal program funds on administrative costs of the grant. Federal regulations also require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. To monitor the administrative earmarking requirement, the Authority has staff run monthly reports from its accounting system to determine if it is on track to meet the requirement at the time the grant closes. Upon closing a grant, the Authority also runs a final report to ensure it met the requirement. In prior audits, we reported the Authority did not have adequate internal controls and did not comply with earmarking requirements for the program. The prior finding number was 2021-056. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure it met the earmarking requirement for the Block Grants for Prevention and Treatment of Substance Abuse. During the audit period, the monthly tracking workbooks used to track the earmark requirement contained an erroneous calculation for determining the percentage of administrative costs. A $13,212 supplement to the technical assistance award was incorrectly added to the base grant award amount instead of the technical assistance amount in the tracking workbook. We found the Authority closed the federal fiscal year 2020 grant while having exceeded the 5 percent administrative maximum. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition Throughout the year, staff ran the required monthly reports using the expenditures to date to track the percentage of administrative costs to meet compliance. However, management did not review these workbooks to ensure they correctly calculated and monitored this requirement. Effect of Condition and Questioned Costs The Authority was awarded $37,786,705 for the federal fiscal year 2020 grant. Therefore, it was allowed to spend $1,889,335 on administrative expenditures. However, it spent $1,889,996, which exceeded the administrative cost maximum by $661. As a result, we are questioning the $661 in unallowable administrative costs. By not establishing adequate internal controls, the Authority cannot ensure it meets the administrative earmarking requirement. By not complying with federal requirements, the Authority risks having to repay federal funds or having future federal funds withheld. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve internal controls to ensure it does not exceed the maximum allowable amount for administrative costs at the end of the award period. ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Authority?s Response HCA concurs with the incorrect calculation of the administrative expenditure limit in the tracking workbooks and will implement formal review procedures for the tracking workbooks. However, HCA does not concur with the identified questioned costs. HCA processed subsequent adjustments reducing the final administrative expenditures charged to the grant award to $1,840,664, less than the allowed amount of $1,889,335. The auditor did not consider the adjustments during the audit. Auditor?s Remarks At the time the Authority submitted its final SF-425 report, the administrative costs that were identified as charged to the grant exceeded the allowed maximum by $661. In addition, the expenditures in question were still charged to the grant in the accounting system at the time the final report was submitted to the grantor and were not reversed until four months later. As stated above, we recommend the Authority consult with the federal grantor to discuss whether the questioned cost reported in the finding need to be repaid. We reaffirm our finding and will review the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 403, defines factors affecting Allowability of costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 45 CFR Part 96, Block Grants, section 135, Restrictions on expenditure of grant, states in part: (b) The State shall limit expenditures on the following: (1) The State involved will not expend more than 5 percent of the grant to pay the costs of administering the grant
2022-067 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the Block Grants for Prevention and Treatment of Substance Abuse program were allowable and met period of performance requirements. Assistance Listing Number and Title: 93.959 Block Grants for Prevention and Treatment of Substance Abuse 93.959 COVID-19 Block Grants for Prevention and Substance Abuse Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B08TI083138-01; 6B08TI083138-01M003; 6B08TI083138-01M004; 6B08TI083486-01M001; 6B08TI083486-01M002; 6B08TI083486-01M004; 1B08TI83519-01; 1B08TI084681-01; 1B08TI083977-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs/Cost Principles Period of Performance Known Questioned Cost Amount: $19,959,714 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grants for Prevention and Treatment of Substance Abuse (SABG). The Authority subawards federal funds to counties, tribes, and nonprofit organizations to develop prevention programs and provide treatment and support services. In fiscal year 2022, the Authority spent about $67.3 million in federal program funds, $52 million of which it paid to subrecipients. The Authority can use grant funds only for costs that are allowable and incurred during the period of performance, as specified in the grant?s terms and conditions. At the beginning of each federal fiscal year, and whenever the Authority receives a new federal grant, it establishes new cost objectives and allocation codes to ensure expenditures are charged to the proper grants. When the Authority receives reimbursement requests, program managers are responsible for reviewing supporting documentation to determine if the services billed meet the period of performance requirements under the grant. Fiscal managers are also responsible for ensuring that payments are coded to the correct period. The Authority follows the accrual basis of accounting and uses the Agency Financial Reporting System (AFRS), which is the state?s central accounting system, to record federal expenditures. At the end of the fiscal year, the Authority?s federal financial reporting (FFR) unit estimates the amount of outstanding obligations to providers. These amounts are recorded in AFRS as an accrued expenditure for SABG and subsequently reported to OFM for the compilation of the Schedule of Expenditures of Federal Awards. FFR has written procedures for calculating its estimated accruals. The calculation begins by using a spreadsheet that tracks contractual obligations to SABG subrecipients and vendors to determine the total state obligation amount through the end of the subaward or contract, which usually extend past the end of the current state fiscal year. This total is then reduced by the number of actual payments made to the subrecipients and vendors, and is also reduced an additional 2 percent to account for anticipated underspending. The remaining total is then recorded as an estimated accrual for the fiscal year. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior two audits, we reported the Authority did not have adequate internal controls to ensure payments made under the SABG program met the period of performance requirements. The prior finding numbers were 2020-059 and 2021-057. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the SABG program were allowable and met period of performance requirements. Year-end Estimated Accruals During the audit period, the FFR unit recorded two state fiscal year-end estimated accruals totaling $19,870,537. The Authority did not retain the obligation workbook used at the time of calculating these estimated accruals. Without this documentation, we were unable to assess the accuracy of the obligated amount. However, the Authority confirmed that the obligation amount used in the calculation included expenditures that were incurred after the state fiscal year. Any expenditures incurred after the state fiscal year has ended are not allowed to be included in an accrual. Furthermore, provider payments liquidated after the state fiscal year are not assigned to the estimated accrual in the accounting system. Therefore, we could not determine if the estimated accrual amount was reasonable and accurately reflected expenditures that occurred within the state fiscal year. Transaction Testing We judgmentally selected and examined two expenditures that were recorded in the accounting system with service months prior to the allowed period of performance for the SABG federal fiscal year 2022 award. We found one of the expenditures (50 percent) was an accrual made at the end of the year with no subsequent liquidation payment. We also judgmentally selected and examined five out of a total population of 24 expenditures made during the SABG federal fiscal year 2020 award liquidation period. We found three expenditures (60 percent) were for indirect charges automatically applied to the award through the Authority?s cost allocation system for activities that occurred after the allowed period of performance. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition While the Authority had written procedures for the year-end estimated accrual, management did not ensure that only obligations incurred within the state fiscal year were included. Furthermore, the Authority did not have a process in place to review estimated year-end accruals to verify the reasonableness of the accrual calculation. Additionally, management did not ensure that the cost allocation system only allowed indirect payments occurring within an award?s period of performance to be charged to the grant, and did not monitor sufficiently to detect the improper charges. Effect of Condition and Questioned Costs Without retaining adequate support for the estimated year-end accruals and having a process to verify the reasonableness of the estimated calculation, the Authority cannot reasonably ensure its SABG expenditures are for allowable activities and within the period of performance. We identified $19,870,537 in known questioned costs related to the estimated year-end accruals. For the federal fiscal year 2022 award that opened during the audit period, we identified questioned costs totaling $85,492 for services performed outside the period of performance. For the federal fiscal year 2020 award that closed during the audit period, we identified questioned costs totaling $3,685 for indirect expenditures that were unallowable. In total, we identified $19,959,714 in known federal questioned costs. Without establishing adequate internal controls, the Authority cannot reasonably ensure it is using federal funds for allowable purposes and that spending occurs within the allowed period of performance. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve its internal controls to ensure estimated accruals are reasonable and supported ? Improve its internal controls to ensure the cost allocation system only charges eligible costs to the grant ? Improve its internal controls to ensure payments are within the award?s period of performance ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Authority?s Response HCA concurs in part. HCA acknowledges that the version of the document used to determine year-end accruals was not retained as a supporting document. We also acknowledge that some portion of the accrued amount could have included obligations beyond state fiscal year 2022. HCA does not agree that we cannot reasonably ensure that SABG expenditures are for allowable activities and within the period of performance. Expenditures reported on SABG are prepared based on cash and liquidations and all costs are reviewed to ensure they meet the period of performance. While the year-end accruals may included some amounts beyond the state fiscal year, the amounts accrued were based on four quarters of activity. This would not result in errors in federal reporting or federal cash draws. To question the year-end accruals in their entirety is an overstatement of any potential error that was made. The year-end accruals were solely recorded as estimates, and were not used to make any program payments or draw funds from the grantor. HCA only makes program payments to subrecipients and contractors after receiving invoices which are reviewed by staff, including review that the expenditures are within the grant period of performance. HCA does not agree with repayment of the $19,870,537 questioned costs associated with year-end accruals. HCA also does not concur with repayment of the $85,492 questioned costs associated with an accrual transaction. An accrual was entered in the accounting system based on expected billing. No invoice for the transaction was received for FY 22 grant activity, and as noted in the finding no payment was made. HCA does not draw funds from the grantor until a payment is made, and as a result no funds were drawn for this accrual. HCA concurs with the $3,685 for indirect expenditures that were unallowable for the grant award. An accounting cost center was not correctly updated at the end of the grant period, and as a result some termination leave indirect expenditures were charged to the grant after the period of performance ended. HCA will review processes to ensure cost centers are appropriately closed to prevent unallowable expenditures from being charged to grant awards and discuss repayment with the grantor. HCA notes that of the total $19,959,714 questioned costs, only $3,685 meet the definition of Improper Payments as defined in Uniform Guidance 2 CFR 200.1. Based on preliminary discussions with the grantor, HCA should expect that repayment of questioned costs related to the accruals will not be requested as no funds were drawn. This information was shared with the auditor. Auditor?s Remarks In its response, the Authority acknowledged it did not retain supporting documentation to verify the year-end estimated accrual expenditures were incurred during the state fiscal year. Furthermore, the Authority acknowledged that the year-end estimated accruals likely included expenditures incurred after the state fiscal year. The Authority reports cash and accrued expenditures on the Schedule of Expenditures of Federal Awards and, as such, the accruals are required to be audited. In our judgment, the Authority does not have sufficient processes in place to verify the reasonableness of the year-end estimated accrual calculations. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit period. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments, which states in part: (2) Where the costs, at the time of the audit, are not supported by adequate documentation. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 502, Basis for determining Federal awards expended, states in part: (a) Determining Federal awards expended. The determination of when a Federal award is expended must be based on when the activity related to the Federal award occurs. Generally, the activity pertains to events that require the non-Federal entity to comply with Federal statutes, regulations, and the terms and conditions of Federal awards, such as: expenditure/expense transactions associated with awards including grants, cost-reimbursement contracts under FAR, compacts with Indian Tribes, cooperative agreements, and direct appropriations; the disbursement of funds to subrecipients, the use of loan proceeds under loan and loan guarantee programs; the receipt of property; the receipt of surplus property; the receipt or use of program income; the distribution or use of food commodities; the disbursement of amounts entitling the non-Federal entity to an interest subsidy; and the period when insurance is in force. Title 2 CFR Part 200, Uniform Guidance, section 510, Financial statements, states in part: (b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee?s financial statements which must include the total Federal awards expended as determined in accordance with 200.502. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Behavioral Health Grant Unit Procedures, state in part: WHAT IS ACCRUAL: Fiscal year end and end of biennium contract subsequent payments. PURPOSE: To prepare contract accruals for the end of a fiscal year or biennium and the subsequent payment of those invoices by the Behavioral Health Grant Unit. BACKGROUND: Accruals and liquidations are looked at a high-level by program, fund, and fund source (GF-S/GF-F), to see if the agency has over liquidated our authority. Some accruals are based on actual billings/claims, but a good chunk is based on estimates, because of the lag in billings, as well as the amount of contracts per grant; mainly block and SOR. BLOCK GRANT AND SOR PROCESS 1. Create a SFYXX Accrual workbook using a JV workbook template. 2. Pull grant direct expenditure data to date including GL 0159 (liquidations), cash expenditures (6510) and accruals (6505), using your grant Webi criteria. a. We pull in accruals (GL 6505), because we want to see accruals that have already been booked by AP, so we don?t double book them. b. Expenditures paid in the new SFY will automatically need to be accrued since they weren?t paid by the end of the SFY. c. Filter out/do not accrue on any interagency transactions including state universities. Those are processed outside of our unit. 3. Take total SFY of year processing obligations from grant spreadsheet. ? NOTE: For auditing purposes, if one was to reproduce the obligation amount it could change if you refer to the original document later than the date that we established the original obligation amount. Please always refer to the accrual spreadsheet for the obligation amount pulled at the time for the purpose of accruals. 4. Reduce obligation amount by 2% so that we don?t over accrue (The percentage was recommended?due to not spending everything that is obligated.). 5. First pivot to run is to identify total expenditures and accruals for SFY being processed. Use the expenditure amount for the second pivot table. 6. Second pivot to run is to figure out the split out the expenditure between ER and NB, because they are the most common. Calculate the left to accrue amount by taking the obligations with 2% reduction subtracting the expenditures as well as the previous accrual amount. To see what you need to accrue. 7. Third and Fourth pivot tables find the most common PI for each of the subobjects. 8. Fifth pivot table identifies most common org index. 9. Sixth pivot table (SABG)identifies the ER and NB expenditures by allocation, so that they can be accrued by percentage of the total expenditures. 10. Calculate percentages to spread the accrual across ER and/or NB in allocations, per grant. 11. Complete the rest of the workbook following our JV process with obtaining the JV log number, filling out the JV log, adding the explanation and backup data for the upload and release tab. On the JV tab complete the TC to be 736 and include GL 5111. If we need to complete a reversal the TC would be 736R. 12. Upload and email the JV to Supervisor and Lead. 13. Supervisor and Lead review, approve, and release the JV.
2022-068 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure it met the earmarking requirement for the Block Grants for Prevention and Treatment of Substance Abuse. Assistance Listing Number and Title: 93.959 Block Grants for Prevention and Treatment of Substance Abuse 93.959 COVID-19 Block Grants for Prevention and Treatment of Substance Abuse Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B08TI083138-01; 6B08TI083138-01M003; 6B08TI083138-01M004; 6B08TI083486-01M001; 6B08TI083486-01M002; 6B08TI083486-01M004; 1B08TI83519-01; 1B08TI084681-01; 1B08TI083977-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Earmarking Known Questioned Cost Amount: $661 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grants for Prevention and Treatment of Substance Abuse. The Authority provides federal funds to counties, tribes, nonprofit organizations and other state agencies to develop prevention programs and provide treatment and support services. In fiscal year 2022, the Authority spent approximately $67.3 million in federal program funds. Federal regulations require the Authority to spend no more than 5 percent of the federal program funds on administrative costs of the grant. Federal regulations also require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. To monitor the administrative earmarking requirement, the Authority has staff run monthly reports from its accounting system to determine if it is on track to meet the requirement at the time the grant closes. Upon closing a grant, the Authority also runs a final report to ensure it met the requirement. In prior audits, we reported the Authority did not have adequate internal controls and did not comply with earmarking requirements for the program. The prior finding number was 2021-056. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure it met the earmarking requirement for the Block Grants for Prevention and Treatment of Substance Abuse. During the audit period, the monthly tracking workbooks used to track the earmark requirement contained an erroneous calculation for determining the percentage of administrative costs. A $13,212 supplement to the technical assistance award was incorrectly added to the base grant award amount instead of the technical assistance amount in the tracking workbook. We found the Authority closed the federal fiscal year 2020 grant while having exceeded the 5 percent administrative maximum. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition Throughout the year, staff ran the required monthly reports using the expenditures to date to track the percentage of administrative costs to meet compliance. However, management did not review these workbooks to ensure they correctly calculated and monitored this requirement. Effect of Condition and Questioned Costs The Authority was awarded $37,786,705 for the federal fiscal year 2020 grant. Therefore, it was allowed to spend $1,889,335 on administrative expenditures. However, it spent $1,889,996, which exceeded the administrative cost maximum by $661. As a result, we are questioning the $661 in unallowable administrative costs. By not establishing adequate internal controls, the Authority cannot ensure it meets the administrative earmarking requirement. By not complying with federal requirements, the Authority risks having to repay federal funds or having future federal funds withheld. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve internal controls to ensure it does not exceed the maximum allowable amount for administrative costs at the end of the award period. ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Authority?s Response HCA concurs with the incorrect calculation of the administrative expenditure limit in the tracking workbooks and will implement formal review procedures for the tracking workbooks. However, HCA does not concur with the identified questioned costs. HCA processed subsequent adjustments reducing the final administrative expenditures charged to the grant award to $1,840,664, less than the allowed amount of $1,889,335. The auditor did not consider the adjustments during the audit. Auditor?s Remarks At the time the Authority submitted its final SF-425 report, the administrative costs that were identified as charged to the grant exceeded the allowed maximum by $661. In addition, the expenditures in question were still charged to the grant in the accounting system at the time the final report was submitted to the grantor and were not reversed until four months later. As stated above, we recommend the Authority consult with the federal grantor to discuss whether the questioned cost reported in the finding need to be repaid. We reaffirm our finding and will review the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 403, defines factors affecting Allowability of costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 45 CFR Part 96, Block Grants, section 135, Restrictions on expenditure of grant, states in part: (b) The State shall limit expenditures on the following: (1) The State involved will not expend more than 5 percent of the grant to pay the costs of administering the grant
2022-067 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the Block Grants for Prevention and Treatment of Substance Abuse program were allowable and met period of performance requirements. Assistance Listing Number and Title: 93.959 Block Grants for Prevention and Treatment of Substance Abuse 93.959 COVID-19 Block Grants for Prevention and Substance Abuse Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B08TI083138-01; 6B08TI083138-01M003; 6B08TI083138-01M004; 6B08TI083486-01M001; 6B08TI083486-01M002; 6B08TI083486-01M004; 1B08TI83519-01; 1B08TI084681-01; 1B08TI083977-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs/Cost Principles Period of Performance Known Questioned Cost Amount: $19,959,714 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grants for Prevention and Treatment of Substance Abuse (SABG). The Authority subawards federal funds to counties, tribes, and nonprofit organizations to develop prevention programs and provide treatment and support services. In fiscal year 2022, the Authority spent about $67.3 million in federal program funds, $52 million of which it paid to subrecipients. The Authority can use grant funds only for costs that are allowable and incurred during the period of performance, as specified in the grant?s terms and conditions. At the beginning of each federal fiscal year, and whenever the Authority receives a new federal grant, it establishes new cost objectives and allocation codes to ensure expenditures are charged to the proper grants. When the Authority receives reimbursement requests, program managers are responsible for reviewing supporting documentation to determine if the services billed meet the period of performance requirements under the grant. Fiscal managers are also responsible for ensuring that payments are coded to the correct period. The Authority follows the accrual basis of accounting and uses the Agency Financial Reporting System (AFRS), which is the state?s central accounting system, to record federal expenditures. At the end of the fiscal year, the Authority?s federal financial reporting (FFR) unit estimates the amount of outstanding obligations to providers. These amounts are recorded in AFRS as an accrued expenditure for SABG and subsequently reported to OFM for the compilation of the Schedule of Expenditures of Federal Awards. FFR has written procedures for calculating its estimated accruals. The calculation begins by using a spreadsheet that tracks contractual obligations to SABG subrecipients and vendors to determine the total state obligation amount through the end of the subaward or contract, which usually extend past the end of the current state fiscal year. This total is then reduced by the number of actual payments made to the subrecipients and vendors, and is also reduced an additional 2 percent to account for anticipated underspending. The remaining total is then recorded as an estimated accrual for the fiscal year. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior two audits, we reported the Authority did not have adequate internal controls to ensure payments made under the SABG program met the period of performance requirements. The prior finding numbers were 2020-059 and 2021-057. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the SABG program were allowable and met period of performance requirements. Year-end Estimated Accruals During the audit period, the FFR unit recorded two state fiscal year-end estimated accruals totaling $19,870,537. The Authority did not retain the obligation workbook used at the time of calculating these estimated accruals. Without this documentation, we were unable to assess the accuracy of the obligated amount. However, the Authority confirmed that the obligation amount used in the calculation included expenditures that were incurred after the state fiscal year. Any expenditures incurred after the state fiscal year has ended are not allowed to be included in an accrual. Furthermore, provider payments liquidated after the state fiscal year are not assigned to the estimated accrual in the accounting system. Therefore, we could not determine if the estimated accrual amount was reasonable and accurately reflected expenditures that occurred within the state fiscal year. Transaction Testing We judgmentally selected and examined two expenditures that were recorded in the accounting system with service months prior to the allowed period of performance for the SABG federal fiscal year 2022 award. We found one of the expenditures (50 percent) was an accrual made at the end of the year with no subsequent liquidation payment. We also judgmentally selected and examined five out of a total population of 24 expenditures made during the SABG federal fiscal year 2020 award liquidation period. We found three expenditures (60 percent) were for indirect charges automatically applied to the award through the Authority?s cost allocation system for activities that occurred after the allowed period of performance. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition While the Authority had written procedures for the year-end estimated accrual, management did not ensure that only obligations incurred within the state fiscal year were included. Furthermore, the Authority did not have a process in place to review estimated year-end accruals to verify the reasonableness of the accrual calculation. Additionally, management did not ensure that the cost allocation system only allowed indirect payments occurring within an award?s period of performance to be charged to the grant, and did not monitor sufficiently to detect the improper charges. Effect of Condition and Questioned Costs Without retaining adequate support for the estimated year-end accruals and having a process to verify the reasonableness of the estimated calculation, the Authority cannot reasonably ensure its SABG expenditures are for allowable activities and within the period of performance. We identified $19,870,537 in known questioned costs related to the estimated year-end accruals. For the federal fiscal year 2022 award that opened during the audit period, we identified questioned costs totaling $85,492 for services performed outside the period of performance. For the federal fiscal year 2020 award that closed during the audit period, we identified questioned costs totaling $3,685 for indirect expenditures that were unallowable. In total, we identified $19,959,714 in known federal questioned costs. Without establishing adequate internal controls, the Authority cannot reasonably ensure it is using federal funds for allowable purposes and that spending occurs within the allowed period of performance. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve its internal controls to ensure estimated accruals are reasonable and supported ? Improve its internal controls to ensure the cost allocation system only charges eligible costs to the grant ? Improve its internal controls to ensure payments are within the award?s period of performance ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Authority?s Response HCA concurs in part. HCA acknowledges that the version of the document used to determine year-end accruals was not retained as a supporting document. We also acknowledge that some portion of the accrued amount could have included obligations beyond state fiscal year 2022. HCA does not agree that we cannot reasonably ensure that SABG expenditures are for allowable activities and within the period of performance. Expenditures reported on SABG are prepared based on cash and liquidations and all costs are reviewed to ensure they meet the period of performance. While the year-end accruals may included some amounts beyond the state fiscal year, the amounts accrued were based on four quarters of activity. This would not result in errors in federal reporting or federal cash draws. To question the year-end accruals in their entirety is an overstatement of any potential error that was made. The year-end accruals were solely recorded as estimates, and were not used to make any program payments or draw funds from the grantor. HCA only makes program payments to subrecipients and contractors after receiving invoices which are reviewed by staff, including review that the expenditures are within the grant period of performance. HCA does not agree with repayment of the $19,870,537 questioned costs associated with year-end accruals. HCA also does not concur with repayment of the $85,492 questioned costs associated with an accrual transaction. An accrual was entered in the accounting system based on expected billing. No invoice for the transaction was received for FY 22 grant activity, and as noted in the finding no payment was made. HCA does not draw funds from the grantor until a payment is made, and as a result no funds were drawn for this accrual. HCA concurs with the $3,685 for indirect expenditures that were unallowable for the grant award. An accounting cost center was not correctly updated at the end of the grant period, and as a result some termination leave indirect expenditures were charged to the grant after the period of performance ended. HCA will review processes to ensure cost centers are appropriately closed to prevent unallowable expenditures from being charged to grant awards and discuss repayment with the grantor. HCA notes that of the total $19,959,714 questioned costs, only $3,685 meet the definition of Improper Payments as defined in Uniform Guidance 2 CFR 200.1. Based on preliminary discussions with the grantor, HCA should expect that repayment of questioned costs related to the accruals will not be requested as no funds were drawn. This information was shared with the auditor. Auditor?s Remarks In its response, the Authority acknowledged it did not retain supporting documentation to verify the year-end estimated accrual expenditures were incurred during the state fiscal year. Furthermore, the Authority acknowledged that the year-end estimated accruals likely included expenditures incurred after the state fiscal year. The Authority reports cash and accrued expenditures on the Schedule of Expenditures of Federal Awards and, as such, the accruals are required to be audited. In our judgment, the Authority does not have sufficient processes in place to verify the reasonableness of the year-end estimated accrual calculations. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit period. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments, which states in part: (2) Where the costs, at the time of the audit, are not supported by adequate documentation. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 502, Basis for determining Federal awards expended, states in part: (a) Determining Federal awards expended. The determination of when a Federal award is expended must be based on when the activity related to the Federal award occurs. Generally, the activity pertains to events that require the non-Federal entity to comply with Federal statutes, regulations, and the terms and conditions of Federal awards, such as: expenditure/expense transactions associated with awards including grants, cost-reimbursement contracts under FAR, compacts with Indian Tribes, cooperative agreements, and direct appropriations; the disbursement of funds to subrecipients, the use of loan proceeds under loan and loan guarantee programs; the receipt of property; the receipt of surplus property; the receipt or use of program income; the distribution or use of food commodities; the disbursement of amounts entitling the non-Federal entity to an interest subsidy; and the period when insurance is in force. Title 2 CFR Part 200, Uniform Guidance, section 510, Financial statements, states in part: (b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee?s financial statements which must include the total Federal awards expended as determined in accordance with 200.502. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Behavioral Health Grant Unit Procedures, state in part: WHAT IS ACCRUAL: Fiscal year end and end of biennium contract subsequent payments. PURPOSE: To prepare contract accruals for the end of a fiscal year or biennium and the subsequent payment of those invoices by the Behavioral Health Grant Unit. BACKGROUND: Accruals and liquidations are looked at a high-level by program, fund, and fund source (GF-S/GF-F), to see if the agency has over liquidated our authority. Some accruals are based on actual billings/claims, but a good chunk is based on estimates, because of the lag in billings, as well as the amount of contracts per grant; mainly block and SOR. BLOCK GRANT AND SOR PROCESS 1. Create a SFYXX Accrual workbook using a JV workbook template. 2. Pull grant direct expenditure data to date including GL 0159 (liquidations), cash expenditures (6510) and accruals (6505), using your grant Webi criteria. a. We pull in accruals (GL 6505), because we want to see accruals that have already been booked by AP, so we don?t double book them. b. Expenditures paid in the new SFY will automatically need to be accrued since they weren?t paid by the end of the SFY. c. Filter out/do not accrue on any interagency transactions including state universities. Those are processed outside of our unit. 3. Take total SFY of year processing obligations from grant spreadsheet. ? NOTE: For auditing purposes, if one was to reproduce the obligation amount it could change if you refer to the original document later than the date that we established the original obligation amount. Please always refer to the accrual spreadsheet for the obligation amount pulled at the time for the purpose of accruals. 4. Reduce obligation amount by 2% so that we don?t over accrue (The percentage was recommended?due to not spending everything that is obligated.). 5. First pivot to run is to identify total expenditures and accruals for SFY being processed. Use the expenditure amount for the second pivot table. 6. Second pivot to run is to figure out the split out the expenditure between ER and NB, because they are the most common. Calculate the left to accrue amount by taking the obligations with 2% reduction subtracting the expenditures as well as the previous accrual amount. To see what you need to accrue. 7. Third and Fourth pivot tables find the most common PI for each of the subobjects. 8. Fifth pivot table identifies most common org index. 9. Sixth pivot table (SABG)identifies the ER and NB expenditures by allocation, so that they can be accrued by percentage of the total expenditures. 10. Calculate percentages to spread the accrual across ER and/or NB in allocations, per grant. 11. Complete the rest of the workbook following our JV process with obtaining the JV log number, filling out the JV log, adding the explanation and backup data for the upload and release tab. On the JV tab complete the TC to be 736 and include GL 5111. If we need to complete a reversal the TC would be 736R. 12. Upload and email the JV to Supervisor and Lead. 13. Supervisor and Lead review, approve, and release the JV.
2022-068 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure it met the earmarking requirement for the Block Grants for Prevention and Treatment of Substance Abuse. Assistance Listing Number and Title: 93.959 Block Grants for Prevention and Treatment of Substance Abuse 93.959 COVID-19 Block Grants for Prevention and Treatment of Substance Abuse Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B08TI083138-01; 6B08TI083138-01M003; 6B08TI083138-01M004; 6B08TI083486-01M001; 6B08TI083486-01M002; 6B08TI083486-01M004; 1B08TI83519-01; 1B08TI084681-01; 1B08TI083977-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Earmarking Known Questioned Cost Amount: $661 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grants for Prevention and Treatment of Substance Abuse. The Authority provides federal funds to counties, tribes, nonprofit organizations and other state agencies to develop prevention programs and provide treatment and support services. In fiscal year 2022, the Authority spent approximately $67.3 million in federal program funds. Federal regulations require the Authority to spend no more than 5 percent of the federal program funds on administrative costs of the grant. Federal regulations also require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. To monitor the administrative earmarking requirement, the Authority has staff run monthly reports from its accounting system to determine if it is on track to meet the requirement at the time the grant closes. Upon closing a grant, the Authority also runs a final report to ensure it met the requirement. In prior audits, we reported the Authority did not have adequate internal controls and did not comply with earmarking requirements for the program. The prior finding number was 2021-056. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure it met the earmarking requirement for the Block Grants for Prevention and Treatment of Substance Abuse. During the audit period, the monthly tracking workbooks used to track the earmark requirement contained an erroneous calculation for determining the percentage of administrative costs. A $13,212 supplement to the technical assistance award was incorrectly added to the base grant award amount instead of the technical assistance amount in the tracking workbook. We found the Authority closed the federal fiscal year 2020 grant while having exceeded the 5 percent administrative maximum. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition Throughout the year, staff ran the required monthly reports using the expenditures to date to track the percentage of administrative costs to meet compliance. However, management did not review these workbooks to ensure they correctly calculated and monitored this requirement. Effect of Condition and Questioned Costs The Authority was awarded $37,786,705 for the federal fiscal year 2020 grant. Therefore, it was allowed to spend $1,889,335 on administrative expenditures. However, it spent $1,889,996, which exceeded the administrative cost maximum by $661. As a result, we are questioning the $661 in unallowable administrative costs. By not establishing adequate internal controls, the Authority cannot ensure it meets the administrative earmarking requirement. By not complying with federal requirements, the Authority risks having to repay federal funds or having future federal funds withheld. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve internal controls to ensure it does not exceed the maximum allowable amount for administrative costs at the end of the award period. ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Authority?s Response HCA concurs with the incorrect calculation of the administrative expenditure limit in the tracking workbooks and will implement formal review procedures for the tracking workbooks. However, HCA does not concur with the identified questioned costs. HCA processed subsequent adjustments reducing the final administrative expenditures charged to the grant award to $1,840,664, less than the allowed amount of $1,889,335. The auditor did not consider the adjustments during the audit. Auditor?s Remarks At the time the Authority submitted its final SF-425 report, the administrative costs that were identified as charged to the grant exceeded the allowed maximum by $661. In addition, the expenditures in question were still charged to the grant in the accounting system at the time the final report was submitted to the grantor and were not reversed until four months later. As stated above, we recommend the Authority consult with the federal grantor to discuss whether the questioned cost reported in the finding need to be repaid. We reaffirm our finding and will review the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 403, defines factors affecting Allowability of costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 45 CFR Part 96, Block Grants, section 135, Restrictions on expenditure of grant, states in part: (b) The State shall limit expenditures on the following: (1) The State involved will not expend more than 5 percent of the grant to pay the costs of administering the grant
2022-067 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the Block Grants for Prevention and Treatment of Substance Abuse program were allowable and met period of performance requirements. Assistance Listing Number and Title: 93.959 Block Grants for Prevention and Treatment of Substance Abuse 93.959 COVID-19 Block Grants for Prevention and Substance Abuse Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B08TI083138-01; 6B08TI083138-01M003; 6B08TI083138-01M004; 6B08TI083486-01M001; 6B08TI083486-01M002; 6B08TI083486-01M004; 1B08TI83519-01; 1B08TI084681-01; 1B08TI083977-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs/Cost Principles Period of Performance Known Questioned Cost Amount: $19,959,714 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grants for Prevention and Treatment of Substance Abuse (SABG). The Authority subawards federal funds to counties, tribes, and nonprofit organizations to develop prevention programs and provide treatment and support services. In fiscal year 2022, the Authority spent about $67.3 million in federal program funds, $52 million of which it paid to subrecipients. The Authority can use grant funds only for costs that are allowable and incurred during the period of performance, as specified in the grant?s terms and conditions. At the beginning of each federal fiscal year, and whenever the Authority receives a new federal grant, it establishes new cost objectives and allocation codes to ensure expenditures are charged to the proper grants. When the Authority receives reimbursement requests, program managers are responsible for reviewing supporting documentation to determine if the services billed meet the period of performance requirements under the grant. Fiscal managers are also responsible for ensuring that payments are coded to the correct period. The Authority follows the accrual basis of accounting and uses the Agency Financial Reporting System (AFRS), which is the state?s central accounting system, to record federal expenditures. At the end of the fiscal year, the Authority?s federal financial reporting (FFR) unit estimates the amount of outstanding obligations to providers. These amounts are recorded in AFRS as an accrued expenditure for SABG and subsequently reported to OFM for the compilation of the Schedule of Expenditures of Federal Awards. FFR has written procedures for calculating its estimated accruals. The calculation begins by using a spreadsheet that tracks contractual obligations to SABG subrecipients and vendors to determine the total state obligation amount through the end of the subaward or contract, which usually extend past the end of the current state fiscal year. This total is then reduced by the number of actual payments made to the subrecipients and vendors, and is also reduced an additional 2 percent to account for anticipated underspending. The remaining total is then recorded as an estimated accrual for the fiscal year. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. In the prior two audits, we reported the Authority did not have adequate internal controls to ensure payments made under the SABG program met the period of performance requirements. The prior finding numbers were 2020-059 and 2021-057. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure payments to providers for the SABG program were allowable and met period of performance requirements. Year-end Estimated Accruals During the audit period, the FFR unit recorded two state fiscal year-end estimated accruals totaling $19,870,537. The Authority did not retain the obligation workbook used at the time of calculating these estimated accruals. Without this documentation, we were unable to assess the accuracy of the obligated amount. However, the Authority confirmed that the obligation amount used in the calculation included expenditures that were incurred after the state fiscal year. Any expenditures incurred after the state fiscal year has ended are not allowed to be included in an accrual. Furthermore, provider payments liquidated after the state fiscal year are not assigned to the estimated accrual in the accounting system. Therefore, we could not determine if the estimated accrual amount was reasonable and accurately reflected expenditures that occurred within the state fiscal year. Transaction Testing We judgmentally selected and examined two expenditures that were recorded in the accounting system with service months prior to the allowed period of performance for the SABG federal fiscal year 2022 award. We found one of the expenditures (50 percent) was an accrual made at the end of the year with no subsequent liquidation payment. We also judgmentally selected and examined five out of a total population of 24 expenditures made during the SABG federal fiscal year 2020 award liquidation period. We found three expenditures (60 percent) were for indirect charges automatically applied to the award through the Authority?s cost allocation system for activities that occurred after the allowed period of performance. We consider these internal control deficiencies to be a material weakness, which led to material noncompliance. Cause of Condition While the Authority had written procedures for the year-end estimated accrual, management did not ensure that only obligations incurred within the state fiscal year were included. Furthermore, the Authority did not have a process in place to review estimated year-end accruals to verify the reasonableness of the accrual calculation. Additionally, management did not ensure that the cost allocation system only allowed indirect payments occurring within an award?s period of performance to be charged to the grant, and did not monitor sufficiently to detect the improper charges. Effect of Condition and Questioned Costs Without retaining adequate support for the estimated year-end accruals and having a process to verify the reasonableness of the estimated calculation, the Authority cannot reasonably ensure its SABG expenditures are for allowable activities and within the period of performance. We identified $19,870,537 in known questioned costs related to the estimated year-end accruals. For the federal fiscal year 2022 award that opened during the audit period, we identified questioned costs totaling $85,492 for services performed outside the period of performance. For the federal fiscal year 2020 award that closed during the audit period, we identified questioned costs totaling $3,685 for indirect expenditures that were unallowable. In total, we identified $19,959,714 in known federal questioned costs. Without establishing adequate internal controls, the Authority cannot reasonably ensure it is using federal funds for allowable purposes and that spending occurs within the allowed period of performance. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve its internal controls to ensure estimated accruals are reasonable and supported ? Improve its internal controls to ensure the cost allocation system only charges eligible costs to the grant ? Improve its internal controls to ensure payments are within the award?s period of performance ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid Authority?s Response HCA concurs in part. HCA acknowledges that the version of the document used to determine year-end accruals was not retained as a supporting document. We also acknowledge that some portion of the accrued amount could have included obligations beyond state fiscal year 2022. HCA does not agree that we cannot reasonably ensure that SABG expenditures are for allowable activities and within the period of performance. Expenditures reported on SABG are prepared based on cash and liquidations and all costs are reviewed to ensure they meet the period of performance. While the year-end accruals may included some amounts beyond the state fiscal year, the amounts accrued were based on four quarters of activity. This would not result in errors in federal reporting or federal cash draws. To question the year-end accruals in their entirety is an overstatement of any potential error that was made. The year-end accruals were solely recorded as estimates, and were not used to make any program payments or draw funds from the grantor. HCA only makes program payments to subrecipients and contractors after receiving invoices which are reviewed by staff, including review that the expenditures are within the grant period of performance. HCA does not agree with repayment of the $19,870,537 questioned costs associated with year-end accruals. HCA also does not concur with repayment of the $85,492 questioned costs associated with an accrual transaction. An accrual was entered in the accounting system based on expected billing. No invoice for the transaction was received for FY 22 grant activity, and as noted in the finding no payment was made. HCA does not draw funds from the grantor until a payment is made, and as a result no funds were drawn for this accrual. HCA concurs with the $3,685 for indirect expenditures that were unallowable for the grant award. An accounting cost center was not correctly updated at the end of the grant period, and as a result some termination leave indirect expenditures were charged to the grant after the period of performance ended. HCA will review processes to ensure cost centers are appropriately closed to prevent unallowable expenditures from being charged to grant awards and discuss repayment with the grantor. HCA notes that of the total $19,959,714 questioned costs, only $3,685 meet the definition of Improper Payments as defined in Uniform Guidance 2 CFR 200.1. Based on preliminary discussions with the grantor, HCA should expect that repayment of questioned costs related to the accruals will not be requested as no funds were drawn. This information was shared with the auditor. Auditor?s Remarks In its response, the Authority acknowledged it did not retain supporting documentation to verify the year-end estimated accrual expenditures were incurred during the state fiscal year. Furthermore, the Authority acknowledged that the year-end estimated accruals likely included expenditures incurred after the state fiscal year. The Authority reports cash and accrued expenditures on the Schedule of Expenditures of Federal Awards and, as such, the accruals are required to be audited. In our judgment, the Authority does not have sufficient processes in place to verify the reasonableness of the year-end estimated accrual calculations. We reaffirm our finding and will follow up on the status of the Authority?s corrective action during our next audit period. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments, which states in part: (2) Where the costs, at the time of the audit, are not supported by adequate documentation. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 502, Basis for determining Federal awards expended, states in part: (a) Determining Federal awards expended. The determination of when a Federal award is expended must be based on when the activity related to the Federal award occurs. Generally, the activity pertains to events that require the non-Federal entity to comply with Federal statutes, regulations, and the terms and conditions of Federal awards, such as: expenditure/expense transactions associated with awards including grants, cost-reimbursement contracts under FAR, compacts with Indian Tribes, cooperative agreements, and direct appropriations; the disbursement of funds to subrecipients, the use of loan proceeds under loan and loan guarantee programs; the receipt of property; the receipt of surplus property; the receipt or use of program income; the distribution or use of food commodities; the disbursement of amounts entitling the non-Federal entity to an interest subsidy; and the period when insurance is in force. Title 2 CFR Part 200, Uniform Guidance, section 510, Financial statements, states in part: (b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee?s financial statements which must include the total Federal awards expended as determined in accordance with 200.502. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Behavioral Health Grant Unit Procedures, state in part: WHAT IS ACCRUAL: Fiscal year end and end of biennium contract subsequent payments. PURPOSE: To prepare contract accruals for the end of a fiscal year or biennium and the subsequent payment of those invoices by the Behavioral Health Grant Unit. BACKGROUND: Accruals and liquidations are looked at a high-level by program, fund, and fund source (GF-S/GF-F), to see if the agency has over liquidated our authority. Some accruals are based on actual billings/claims, but a good chunk is based on estimates, because of the lag in billings, as well as the amount of contracts per grant; mainly block and SOR. BLOCK GRANT AND SOR PROCESS 1. Create a SFYXX Accrual workbook using a JV workbook template. 2. Pull grant direct expenditure data to date including GL 0159 (liquidations), cash expenditures (6510) and accruals (6505), using your grant Webi criteria. a. We pull in accruals (GL 6505), because we want to see accruals that have already been booked by AP, so we don?t double book them. b. Expenditures paid in the new SFY will automatically need to be accrued since they weren?t paid by the end of the SFY. c. Filter out/do not accrue on any interagency transactions including state universities. Those are processed outside of our unit. 3. Take total SFY of year processing obligations from grant spreadsheet. ? NOTE: For auditing purposes, if one was to reproduce the obligation amount it could change if you refer to the original document later than the date that we established the original obligation amount. Please always refer to the accrual spreadsheet for the obligation amount pulled at the time for the purpose of accruals. 4. Reduce obligation amount by 2% so that we don?t over accrue (The percentage was recommended?due to not spending everything that is obligated.). 5. First pivot to run is to identify total expenditures and accruals for SFY being processed. Use the expenditure amount for the second pivot table. 6. Second pivot to run is to figure out the split out the expenditure between ER and NB, because they are the most common. Calculate the left to accrue amount by taking the obligations with 2% reduction subtracting the expenditures as well as the previous accrual amount. To see what you need to accrue. 7. Third and Fourth pivot tables find the most common PI for each of the subobjects. 8. Fifth pivot table identifies most common org index. 9. Sixth pivot table (SABG)identifies the ER and NB expenditures by allocation, so that they can be accrued by percentage of the total expenditures. 10. Calculate percentages to spread the accrual across ER and/or NB in allocations, per grant. 11. Complete the rest of the workbook following our JV process with obtaining the JV log number, filling out the JV log, adding the explanation and backup data for the upload and release tab. On the JV tab complete the TC to be 736 and include GL 5111. If we need to complete a reversal the TC would be 736R. 12. Upload and email the JV to Supervisor and Lead. 13. Supervisor and Lead review, approve, and release the JV.
2022-068 The Health Care Authority did not have adequate internal controls over and did not comply with requirements to ensure it met the earmarking requirement for the Block Grants for Prevention and Treatment of Substance Abuse. Assistance Listing Number and Title: 93.959 Block Grants for Prevention and Treatment of Substance Abuse 93.959 COVID-19 Block Grants for Prevention and Treatment of Substance Abuse Federal Grantor Name: U.S. Department of Health and Human Services Federal Award/Contract Number: 1B08TI083138-01; 6B08TI083138-01M003; 6B08TI083138-01M004; 6B08TI083486-01M001; 6B08TI083486-01M002; 6B08TI083486-01M004; 1B08TI83519-01; 1B08TI084681-01; 1B08TI083977-01 Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Earmarking Known Questioned Cost Amount: $661 Background The Health Care Authority, Division of Behavioral Health and Recovery, administers the Block Grants for Prevention and Treatment of Substance Abuse. The Authority provides federal funds to counties, tribes, nonprofit organizations and other state agencies to develop prevention programs and provide treatment and support services. In fiscal year 2022, the Authority spent approximately $67.3 million in federal program funds. Federal regulations require the Authority to spend no more than 5 percent of the federal program funds on administrative costs of the grant. Federal regulations also require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. To monitor the administrative earmarking requirement, the Authority has staff run monthly reports from its accounting system to determine if it is on track to meet the requirement at the time the grant closes. Upon closing a grant, the Authority also runs a final report to ensure it met the requirement. In prior audits, we reported the Authority did not have adequate internal controls and did not comply with earmarking requirements for the program. The prior finding number was 2021-056. Description of Condition The Authority did not have adequate internal controls over and did not comply with requirements to ensure it met the earmarking requirement for the Block Grants for Prevention and Treatment of Substance Abuse. During the audit period, the monthly tracking workbooks used to track the earmark requirement contained an erroneous calculation for determining the percentage of administrative costs. A $13,212 supplement to the technical assistance award was incorrectly added to the base grant award amount instead of the technical assistance amount in the tracking workbook. We found the Authority closed the federal fiscal year 2020 grant while having exceeded the 5 percent administrative maximum. We consider this internal control deficiency to be a material weakness, which led to material noncompliance. Cause of Condition Throughout the year, staff ran the required monthly reports using the expenditures to date to track the percentage of administrative costs to meet compliance. However, management did not review these workbooks to ensure they correctly calculated and monitored this requirement. Effect of Condition and Questioned Costs The Authority was awarded $37,786,705 for the federal fiscal year 2020 grant. Therefore, it was allowed to spend $1,889,335 on administrative expenditures. However, it spent $1,889,996, which exceeded the administrative cost maximum by $661. As a result, we are questioning the $661 in unallowable administrative costs. By not establishing adequate internal controls, the Authority cannot ensure it meets the administrative earmarking requirement. By not complying with federal requirements, the Authority risks having to repay federal funds or having future federal funds withheld. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendations We recommend the Authority: ? Improve internal controls to ensure it does not exceed the maximum allowable amount for administrative costs at the end of the award period. ? Consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Authority?s Response HCA concurs with the incorrect calculation of the administrative expenditure limit in the tracking workbooks and will implement formal review procedures for the tracking workbooks. However, HCA does not concur with the identified questioned costs. HCA processed subsequent adjustments reducing the final administrative expenditures charged to the grant award to $1,840,664, less than the allowed amount of $1,889,335. The auditor did not consider the adjustments during the audit. Auditor?s Remarks At the time the Authority submitted its final SF-425 report, the administrative costs that were identified as charged to the grant exceeded the allowed maximum by $661. In addition, the expenditures in question were still charged to the grant in the accounting system at the time the final report was submitted to the grantor and were not reversed until four months later. As stated above, we recommend the Authority consult with the federal grantor to discuss whether the questioned cost reported in the finding need to be repaid. We reaffirm our finding and will review the status of the Authority?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. Title 2 CFR Part 200.1, Uniform Guidance establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs. Title 2 CFR Part 200, Uniform Guidance, section 403, defines factors affecting Allowability of costs. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 45 CFR Part 96, Block Grants, section 135, Restrictions on expenditure of grant, states in part: (b) The State shall limit expenditures on the following: (1) The State involved will not expend more than 5 percent of the grant to pay the costs of administering the grant
2022-013 The Department of Corrections improperly charged $37,392 to the Coronavirus Relief Fund. Assistance Listing Number and Title: 21.019 COVID-19 Coronavirus Relief Fund Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: None Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs/Cost Principles Known Questioned Cost Amount: $37,392 Background In March 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which authorized the spending of $2.2 trillion in federal funds to respond to the COVID-19 pandemic. The CARES Act established the Coronavirus Relief Fund (CRF), which authorized $150 billion in federal financial assistance for state, territorial, tribal, and certain eligible local governments. Through the CARES Act, Washington was awarded about $2.95 billion of CRF money to help fund the state?s response to the COVID-19 pandemic. Of this amount, the Office of financial Management allocated approximately $2.2 billion to state agencies for various programs. In fiscal year 2022, state agencies spent approximately $345 million in CRF funds. The CARES Act requires recipients to only use CRF payments to cover: ? Necessary expenditures incurred due to the public health emergency (COVID-19) ? Costs that were not accounted for in the government?s most recently approved budget as of March 27, 2020 ? Costs that were incurred during the period that begins March 1, 2020, and ends December 31, 2021 In fiscal year 2022, the Department of Corrections spent $240 million in CRF funds. The Department used the funds to cover payroll costs for employees who were substantially dedicated to responding to the COVID-19 public health emergency. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department improperly charged $37,392 to the CRF. We found the Department had adequate internal controls to ensure it materially complied with activities allowed or unallowed and allowable costs/cost principles requirements. We used a statistical sampling method and randomly selected and examined 59 monthly payments out of a total population of 29,459. In addition to the 59 payments, we judgmentally picked two individually significant items. We examined the supporting documentation for each monthly payment and found one instance where an employee?s payroll overpayment totaling $37,392 was identified and referred to collections by the Department, but was inadvertently charged to the CRF. Federal regulations require the auditor to issue a finding when the known or estimated questioned costs identified in a single audit exceed $25,000. We are issuing this finding because, as stated in the Effect of Condition and Questioned Costs section of this finding, the actual questioned costs exceed that threshold. This issue was not reported as a finding in the prior audit. Cause of Condition The Department followed procedures for approving payroll costs. However, multiple reviews did not prevent the overpayment made to an employee from being charged to the CRF. Effect of Condition and Questioned Costs The Department improperly charged the CRF for payroll costs totaling $37,392. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendation We recommend the Department consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Department?s Response The Department of Corrections (DOC) would like to thank the State Auditor?s Office (SAO) for the audit of the Coronavirus Relief Fund (CRF) grant. The Department agrees that questioned costs were charged to the grant due to an employee?s overpayment. While the SAO has complimented our internal controls and processes for being able to track each line item in the CRF, we also know that internal controls can always be improved. The Department has additional allowable costs that were not charged to the grant which should compensate for the questioned costs identified and intends to discuss this change with the funder. The Department appreciated the patience of the SAO in obtaining supporting documentation and having clarifying conversations during the audit. Auditor?s Remarks We thank the Department for its cooperation and assistance throughout the audit. We will review the status of the Department?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs.
2022-014 The Department of Social and Health Services improperly charged $390 to the Coronavirus Relief Fund. Assistance Listing Number and Title: 21.019 COVID-19 Coronavirus Relief Fund Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: None Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs/Cost Principles Known Questioned Cost Amount: $390 Background In March 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which authorized the spending of $2.2 trillion in federal funds to respond to the COVID-19 pandemic. The CARES Act established the Coronavirus Relief Fund (CRF), which authorized $150 billion in federal financial assistance for state, territorial, tribal, and certain eligible local governments. Through the CARES Act, Washington was awarded about $2.95 billion of CRF money to help fund the state?s response to the COVID-19 pandemic. Of this amount, the Office of Financial Management allocated about $2.2 billion to state agencies for various programs. In fiscal year 2022, state agencies spent about $345 million in CRF funds. The CARES Act requires recipients to only use CRF payments to cover: ? Necessary expenditures incurred due to the public health emergency (COVID-19) ? Costs that were not accounted for in the government?s most recently approved budget as of March 27, 2020 ? Costs that were incurred during the period that begins March 1, 2020, and ends December 31, 2021 In fiscal year 2022, the Department of Social and Health Services spent $40 million in CRF funds. The Department used the funds to cover payroll costs for employees who were substantially dedicated to responding to the COVID-19 public health emergency. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department improperly charged $390 to the CRF. We found the Department had adequate internal controls to ensure it materially complied with activities allowed or unallowed and allowable costs/cost principles requirements. We used a statistical sampling method to randomly select and examine 83 monthly payments out of a total population of 9,415. We reviewed the supporting documentation for each monthly payment and found: ? One overpayment for four hours overtime and overtime shift totaling $208. ? One payment where there was no supporting documentation for an employee?s shift differential pay of $7.50. ? One overpayment for call-back pay totaling $174.23. Federal regulations require the auditor to issue a finding when the known or estimated questioned costs identified in a single audit exceed $25,000. We are issuing this finding because, as stated in the Effect of Condition and Questioned Costs section of this finding, the estimated questioned costs exceed that threshold. This issue was not reported as a finding in the prior audit. Cause of Condition The Department followed procedures for approving payroll costs. However, multiple reviews did not prevent the unsupported shift differential pay and the two overpayments from being charged to the CRF. Effect of Condition and Questioned Costs The Department improperly charged the CRF for payroll costs totaling $390. Based on the unallowable payments, we estimate the likely questioned costs for this grant to be $45,266. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflect this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendation We recommend the Department consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Department?s Response The Department concurs with the audit finding. If the grantor contacts the Department regarding the questioned costs, the Department will discuss the way we used the funds and will take additional action if appropriate. Auditor?s Remarks We thank the Department for its cooperation and assistance throughout the audit. We will review the status of the Department?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs.
2022-013 The Department of Corrections improperly charged $37,392 to the Coronavirus Relief Fund. Assistance Listing Number and Title: 21.019 COVID-19 Coronavirus Relief Fund Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: None Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs/Cost Principles Known Questioned Cost Amount: $37,392 Background In March 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which authorized the spending of $2.2 trillion in federal funds to respond to the COVID-19 pandemic. The CARES Act established the Coronavirus Relief Fund (CRF), which authorized $150 billion in federal financial assistance for state, territorial, tribal, and certain eligible local governments. Through the CARES Act, Washington was awarded about $2.95 billion of CRF money to help fund the state?s response to the COVID-19 pandemic. Of this amount, the Office of financial Management allocated approximately $2.2 billion to state agencies for various programs. In fiscal year 2022, state agencies spent approximately $345 million in CRF funds. The CARES Act requires recipients to only use CRF payments to cover: ? Necessary expenditures incurred due to the public health emergency (COVID-19) ? Costs that were not accounted for in the government?s most recently approved budget as of March 27, 2020 ? Costs that were incurred during the period that begins March 1, 2020, and ends December 31, 2021 In fiscal year 2022, the Department of Corrections spent $240 million in CRF funds. The Department used the funds to cover payroll costs for employees who were substantially dedicated to responding to the COVID-19 public health emergency. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department improperly charged $37,392 to the CRF. We found the Department had adequate internal controls to ensure it materially complied with activities allowed or unallowed and allowable costs/cost principles requirements. We used a statistical sampling method and randomly selected and examined 59 monthly payments out of a total population of 29,459. In addition to the 59 payments, we judgmentally picked two individually significant items. We examined the supporting documentation for each monthly payment and found one instance where an employee?s payroll overpayment totaling $37,392 was identified and referred to collections by the Department, but was inadvertently charged to the CRF. Federal regulations require the auditor to issue a finding when the known or estimated questioned costs identified in a single audit exceed $25,000. We are issuing this finding because, as stated in the Effect of Condition and Questioned Costs section of this finding, the actual questioned costs exceed that threshold. This issue was not reported as a finding in the prior audit. Cause of Condition The Department followed procedures for approving payroll costs. However, multiple reviews did not prevent the overpayment made to an employee from being charged to the CRF. Effect of Condition and Questioned Costs The Department improperly charged the CRF for payroll costs totaling $37,392. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendation We recommend the Department consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Department?s Response The Department of Corrections (DOC) would like to thank the State Auditor?s Office (SAO) for the audit of the Coronavirus Relief Fund (CRF) grant. The Department agrees that questioned costs were charged to the grant due to an employee?s overpayment. While the SAO has complimented our internal controls and processes for being able to track each line item in the CRF, we also know that internal controls can always be improved. The Department has additional allowable costs that were not charged to the grant which should compensate for the questioned costs identified and intends to discuss this change with the funder. The Department appreciated the patience of the SAO in obtaining supporting documentation and having clarifying conversations during the audit. Auditor?s Remarks We thank the Department for its cooperation and assistance throughout the audit. We will review the status of the Department?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs.
2022-014 The Department of Social and Health Services improperly charged $390 to the Coronavirus Relief Fund. Assistance Listing Number and Title: 21.019 COVID-19 Coronavirus Relief Fund Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: None Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs/Cost Principles Known Questioned Cost Amount: $390 Background In March 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which authorized the spending of $2.2 trillion in federal funds to respond to the COVID-19 pandemic. The CARES Act established the Coronavirus Relief Fund (CRF), which authorized $150 billion in federal financial assistance for state, territorial, tribal, and certain eligible local governments. Through the CARES Act, Washington was awarded about $2.95 billion of CRF money to help fund the state?s response to the COVID-19 pandemic. Of this amount, the Office of Financial Management allocated about $2.2 billion to state agencies for various programs. In fiscal year 2022, state agencies spent about $345 million in CRF funds. The CARES Act requires recipients to only use CRF payments to cover: ? Necessary expenditures incurred due to the public health emergency (COVID-19) ? Costs that were not accounted for in the government?s most recently approved budget as of March 27, 2020 ? Costs that were incurred during the period that begins March 1, 2020, and ends December 31, 2021 In fiscal year 2022, the Department of Social and Health Services spent $40 million in CRF funds. The Department used the funds to cover payroll costs for employees who were substantially dedicated to responding to the COVID-19 public health emergency. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department improperly charged $390 to the CRF. We found the Department had adequate internal controls to ensure it materially complied with activities allowed or unallowed and allowable costs/cost principles requirements. We used a statistical sampling method to randomly select and examine 83 monthly payments out of a total population of 9,415. We reviewed the supporting documentation for each monthly payment and found: ? One overpayment for four hours overtime and overtime shift totaling $208. ? One payment where there was no supporting documentation for an employee?s shift differential pay of $7.50. ? One overpayment for call-back pay totaling $174.23. Federal regulations require the auditor to issue a finding when the known or estimated questioned costs identified in a single audit exceed $25,000. We are issuing this finding because, as stated in the Effect of Condition and Questioned Costs section of this finding, the estimated questioned costs exceed that threshold. This issue was not reported as a finding in the prior audit. Cause of Condition The Department followed procedures for approving payroll costs. However, multiple reviews did not prevent the unsupported shift differential pay and the two overpayments from being charged to the CRF. Effect of Condition and Questioned Costs The Department improperly charged the CRF for payroll costs totaling $390. Based on the unallowable payments, we estimate the likely questioned costs for this grant to be $45,266. Our sampling methodology meets statistical sampling criteria under generally accepted auditing standards in AU-C 530.05. It is important to note that the sampling technique we used is intended to support our audit conclusions by determining if expenditures complied with program requirements in all material respects. Accordingly, we used an acceptance sampling formula designed to provide a high level of assurance, with a 95 percent confidence of whether exceptions exceeded our materiality threshold. Our audit report and finding reflect this conclusion. However, the likely improper payment projections are a point estimate and only represent our ?best estimate of total questioned costs? as required by 2 CFR ? 200.516(3). We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendation We recommend the Department consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Department?s Response The Department concurs with the audit finding. If the grantor contacts the Department regarding the questioned costs, the Department will discuss the way we used the funds and will take additional action if appropriate. Auditor?s Remarks We thank the Department for its cooperation and assistance throughout the audit. We will review the status of the Department?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs.
2022-013 The Department of Corrections improperly charged $37,392 to the Coronavirus Relief Fund. Assistance Listing Number and Title: 21.019 COVID-19 Coronavirus Relief Fund Federal Grantor Name: U.S. Department of the Treasury Federal Award/Contract Number: None Pass-through Entity Name: None Pass-through Award/Contract Number: None Applicable Compliance Component: Activities Allowed or Unallowed Allowable Costs/Cost Principles Known Questioned Cost Amount: $37,392 Background In March 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which authorized the spending of $2.2 trillion in federal funds to respond to the COVID-19 pandemic. The CARES Act established the Coronavirus Relief Fund (CRF), which authorized $150 billion in federal financial assistance for state, territorial, tribal, and certain eligible local governments. Through the CARES Act, Washington was awarded about $2.95 billion of CRF money to help fund the state?s response to the COVID-19 pandemic. Of this amount, the Office of financial Management allocated approximately $2.2 billion to state agencies for various programs. In fiscal year 2022, state agencies spent approximately $345 million in CRF funds. The CARES Act requires recipients to only use CRF payments to cover: ? Necessary expenditures incurred due to the public health emergency (COVID-19) ? Costs that were not accounted for in the government?s most recently approved budget as of March 27, 2020 ? Costs that were incurred during the period that begins March 1, 2020, and ends December 31, 2021 In fiscal year 2022, the Department of Corrections spent $240 million in CRF funds. The Department used the funds to cover payroll costs for employees who were substantially dedicated to responding to the COVID-19 public health emergency. Federal regulations require recipients to establish and follow internal controls to ensure compliance with program requirements. These controls include understanding grant requirements and monitoring the effectiveness of established controls. Description of Condition The Department improperly charged $37,392 to the CRF. We found the Department had adequate internal controls to ensure it materially complied with activities allowed or unallowed and allowable costs/cost principles requirements. We used a statistical sampling method and randomly selected and examined 59 monthly payments out of a total population of 29,459. In addition to the 59 payments, we judgmentally picked two individually significant items. We examined the supporting documentation for each monthly payment and found one instance where an employee?s payroll overpayment totaling $37,392 was identified and referred to collections by the Department, but was inadvertently charged to the CRF. Federal regulations require the auditor to issue a finding when the known or estimated questioned costs identified in a single audit exceed $25,000. We are issuing this finding because, as stated in the Effect of Condition and Questioned Costs section of this finding, the actual questioned costs exceed that threshold. This issue was not reported as a finding in the prior audit. Cause of Condition The Department followed procedures for approving payroll costs. However, multiple reviews did not prevent the overpayment made to an employee from being charged to the CRF. Effect of Condition and Questioned Costs The Department improperly charged the CRF for payroll costs totaling $37,392. We question costs when we find an agency has not complied with grant regulations or when it does not have adequate documentation to support its expenditures. Recommendation We recommend the Department consult with the grantor to discuss whether the questioned costs identified in the audit should be repaid. Department?s Response The Department of Corrections (DOC) would like to thank the State Auditor?s Office (SAO) for the audit of the Coronavirus Relief Fund (CRF) grant. The Department agrees that questioned costs were charged to the grant due to an employee?s overpayment. While the SAO has complimented our internal controls and processes for being able to track each line item in the CRF, we also know that internal controls can always be improved. The Department has additional allowable costs that were not charged to the grant which should compensate for the questioned costs identified and intends to discuss this change with the funder. The Department appreciated the patience of the SAO in obtaining supporting documentation and having clarifying conversations during the audit. Auditor?s Remarks We thank the Department for its cooperation and assistance throughout the audit. We will review the status of the Department?s corrective action during our next audit. Applicable Laws and Regulations Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance), section 516, Audit findings, establishes reporting requirements for audit findings. Title 2 CFR Part 200, Uniform Guidance, section 303, Internal controls, describes the requirements for auditees to maintain internal controls over federal programs and comply with federal program requirements. The American Institute of Certified Public Accountants defines significant deficiencies and material weaknesses in its Codification of Statements on Auditing Standards, section 935, Compliance Audits, paragraph 11. Title 2 CFR Part 200.1, Uniform Guidance, establishes definitions for improper payments. Part 200.410 establishes requirements for the collection of unallowable costs.