Finding Text
Finding 2023-003 - Special Tests and Provisions: Sliding Fee Discounts
Name of Federal Agency: U.S. Department of Health and Human Services
Federal Program Name and Assistance Listing Number: Health Centers Program Cluster (93.224 &
93.527)
Federal Award Identification Number and Year: H8000372 03/01/2022 – 2/28/2023 & 03/01/2023 –
02/29/2024
Criteria
In accordance with 42 CFR sections 51c.303(f) and (g), health centers must prepare and apply a sliding
fee discount schedule ("SFDS") so that the amounts paid for health center services by eligible patients
are adjusted (discounted) based on the patient's ability to pay.
Statement of Condition
While performing the audit, we noted that the Center was unable to provide supporting documentation
to verify that the visit occurred and that the proper amounts were billed and adjusted. We were also
unable to obtain documentation to support the patient's income level and family size. As a result, we
were unable to determine proper application of the SFDS.
Cause
The Center suffered a cyber incident in October 2023 that compromised their electronic medical
records system. As a result, all patient information, including progress notes and proof of income level
and family size, were unable to be recovered.
Effect
The Center may not have properly calculated the sliding fee or discount given to the patients and the
discount given, if any, may not have been based on the patient's ability to pay.
Questioned Costs
None
Context
While performing the audit we noted the Center was unable to provide sufficient and appropriate audit
evidence to support proper application of the SFDS for any patients who visited the Center prior to the
electronic medical record system becoming compromised in October 2023.
Identification as a Repeat Finding
This finding is not a repeat finding.
Recommendation
We recommend the Center enhance their data recovery procedures to ensure that information
necessary for compliance, in the event it becomes compromised, can be recovered.
View of Responsible Officials
While Management is in agreement with this finding, we would like to state that during our 2023 HRSA site visit, our sliding fee discount program was found to be in compliance. Due to the cyber-attack, FHC was not able to access its practice management system for 2023. To reduce future breaches, FHC implemented the following changes: The virtual machine hosts were re-initialized, and the latest version of VMWare were installed. Advanced endpoint protection was also installed on all computers and servers; Multi-factor authentication (MFA) for email use was established; the remote workers access was changed to TruGrid, a platform that provides secure remote desktop protocol (RDP) connections. Backup redundancy was established, following the 3-2-1 method of three backups, two different locations, one copy always offline. Servers are constantly replicated in the Cloud, differential backups are run every two hours, and one copy is always kept offline. FHC is confident that these changes will greatly reduce the likelihood of another cyberattack. Frederiksted Health Care has arranged a cybersecurity partnership with High Tide Solutions, a technology firm. High Tide Solutions now provides a suite of services including server management, penetration testing, data backup management, network management, Ransomware protection, cybersecurity training and cloud platform support. As a result of the implementation of the above-mentioned changes, FHC is now confident that we will have the appropriate safeguards in place to protect pertinent data in the event of another cyberattack.