Recommendations Tracker

HHS should commit to creating and implementing a Cybersecurity Maturity Migration Strategy to advance the cybersecurity program from its current maturity state to an effective state across HHS. This strategy should include the following. Perform a risk assessment and identify the optimal maturity level that achieves cost-effective security based on your missions and risks faced, risk appetite, and risk tolerance level. Identify gaps between the current state at each OPDIV and the criteria required to reach the optimal level across HHS' enterprise-wide cybersecurity program and develop security controls to implement effective security. Ensure the requirements for all metrics is Consistently Implemented or higher are achieved. Articulate roles and shared responsibilities needed to meet the requirements for effective maturity, including whether requirements are to be implemented through centralized, federated, or hybrid controls.

The Information Security and Privacy Policy (IS2P) is HHS' primary policy document governing cybersecurity which is pending a rewrite to address the upcoming requirements in NIST 800-53 revision 5. When this update occurs to the IS2P, HHS should specify required cybersecurity control maturity levels in addition to identifying the selection of NIST controls; describe HHS' Cybersecurity Shared Responsibility Model, including the key roles under centralized, federated and hybrid strategies for control implementation; include responsibilities of the OCIO, the OPDIVs, and third-party stakeholders (including contractors); and communicate that a Managed and Measurable or the optimal maturity level, based on HHS's risk assessment, be required to be deemed “Effective".

We recommend that the HHS OCIO work with the OPDIVs to ensure that the OPDIVs cybersecurity management create and implement a patch management strategy to ensure that patches are installed timely as required by HHS and Federal requirements.

We recommend that the HHS OCIO work with the OPDIVs to identify roles of stakeholders to ensure proper identification of responsibilities in a shared responsibility environment.

We recommend that the HHS OCIO work with the OPDIVs to implement the enterprise-wide configuration management plan, working with system owners to align system configuration management plans with the enterprise plan.

We recommend that the HHS OCIO work with the OPDIVs to ensure that all ODPIVs create and implement a process to require privileged users to sign a privileged user rules of behavior agreement for all systems prior to provisioning privileged access to those systems.

We recommend that the HHS OCIO work with the OPDIVs to ensure that all ODPIVs ensure implementation of strong authentication mechanisms for privileged and non-privileged users to all OPDIV systems using multifactor PIV credentials, NIST 800-63 Identity Assurance Level 3/Authenticator Assurance Level 3/Federated Assurance Level 3 credential or other strong authentication for non-privileged and privileged users.

We recommend that the HHS OCIO work with the OPDIVs to ensure that all PIAs are reviewed, approved and signed by the appropriate HHS personnel at a minimum within three (3) years of the last PIA approval date.

We recommend that the HHS OCIO work with the ODPIVs ensure that role-based training is obtained for all users with significant security responsibilities before granting access to the system and annually thereafter.

We recommend that the HHS OCIO work with the OPDIVs to ensure that they plan and execute resource staffing such that ATOs are kept up to date without a lapse of authorization.

We recommend that the HHS OCIO work with the OPDIVs to ensure that they plan and execute resource staffing such that SCAs are kept up to date as needed to support the ATO process.

We recommend that the HHS OCIO work with the OPDIV to implement threat profiling techniques within the defined framework that helps management understand where the OPDIV's high-value assets are located, who could be interested in taking control of them, and what attack vectors and under which scenarios they would likely be used to exploit vulnerabilities to succeed in their pursuits.

We recommend that the HHS OCIO work with the OPDIVs to monitor and validate each OPDIV's implementation progress, which should include periodically sampling HHS systems to ensure the effectiveness of contingency plans, including adequate testing based on system categorization.

We recommend that the South Carolina Department of Health and Human Services refund $1,524,536 to the Federal Government.

We recommend that the South Carolina Department of Health and Human Services enhance the monitoring of provider compliance by conducting periodic reviews of telemedicine payments for compliance with documentation requirements.

We recommend that the Mississippi Department of Human Services refund to the Federal Government the estimated $22,284,900 Federal CCDF share of the Child Care Payment Program claims paid during FYs 2016 and 2017.

We recommend that the Mississippi Department of Human Services develop policies and procedures to ensure that attendance documentation is maintained and provided to the State agency when a provider closes.

NIH should conduct targeted, risk-based oversight of peer reviewers using analysis of information about threats to research integrity.

NIH should require all peer reviewers to attend periodic trainings about peer review integrity.

CMS should recover from States the Federal share of inappropriate fee-for-service Medicaid payments associated with terminated providers.

CMS should follow up with States to remove terminated providers that OIG identified as inappropriately enrolled in Medicaid.

CMS should safeguard Medicaid from inappropriate payments associated with terminated providers.

CMS should take steps to disallow Federal reimbursements to States for expenditures associated with unenrolled MCO network providers, including seeking necessary legislative authority.

CMS should work with States to ensure that they have the controls required to prevent unenrolled ordering, referring, or prescribing providers from participating in Medicaid FFS.

We recommend that Forbes Hospital refund to the Medicare contractor $3,343,748 ($590,646 in net overpayments identified in our sample) in estimated overpayments for incorrectly billed claims that are within the reopening period.

Strengthen controls to ensure full compliance with Medicare requirements by ensuring that all IRF beneficiaries meet Medicare criteria for acute inpatient rehabilitation; ensuring that all inpatient beneficiaries meet Medicare criteria for inpatient hospital services; ensuring that the procedure and diagnosis codes used are supported by the medical records; and ensuring that the codes used for distinct procedural services are supported by the medical records.

We recommend that the Iowa Department of Human Services, Iowa Medicaid Enterprise, improve its controls, to include fully implementing its own requirements, regarding the reporting and monitoring of major incidents involving Medicaid members with developmental disabilities. Specifically, we recommend that the Iowa Department of Human Services, Iowa Medicaid Enterprise work with community-based providers on how to identify and report all major incidents; work with community-based providers to ensure that they appropriately document resolution of major incidents, including completion of the "Resolution" section of the Critical Incident Report form, to prevent or diminish the probability of future occurrences; perform trend analysis that identifies patterns and trends to assess the health and safety of members and determine whether changes need to be made for service implementation or whether staff training is needed to prevent recurrences of major incidents and to reduce the number or s

We recommend that the New York State Department of Health ensure that MCOs work with their contracted adult day care services providers to correct the 476 instances of noncompliance with health and safety requirements identified in this report.

We recommend that the New York State Department of Health obtain and review the results of MCO site visits at adult day care facilities as part of its beneficiary health and safety monitoring activities.

We recommend that BMA refund to the Federal Government the portion of the estimated $96,185 in improper payments for claims incorrectly billed to the Medicare program that are within the reopening period.

We recommend that BMA exercise reasonable diligence to identify and return any additional similar overpayments outside of our audit period, in accordance with the 60-day rule, and identify any returned overpayments as having been made in accordance with this recommendation.

We recommend that BMA modify its internal controls to ensure that ESRD measurements are properly supported.

We recommend that the U.S. Department of Health and Human Services, Assistant Secretary for Financial Resources work with PMS personnel to improve HHS OpDiv grant management offices' access to timely data.

We recommend that the U.S. Department of Health and Human Services, Assistant Secretary for Financial Resources continue the grant remediation process to close remaining pooled accounts in the PMS.

We recommend that the U.S. Department of Health and Human Services, Assistant Secretary for Financial Resources consider revising the HHS regulation at 45 CFR § 75.381 and the GPAM to align closeout time limits for OpDivs with those specified in 2 CFR § 200.343.

We recommend that the Colorado Department of Health Care Policy and Financing redetermine, as appropriate, the current Medicaid eligibility of the sampled beneficiaries who may not have met Federal and State eligibility requirements.

We recommend that the Colorado Department of Health Care Policy and Financing ensure that information is maintained in case files to support that eligibility determinations were performed in accordance with Federal and State requirements.

We recommend that the Florida Agency for Health Care Administration refund to the Federal Government $3,909,840 (Federal share) in unallowable payments.

We recommend that the Florida Agency for Health Care Administration modify its current methodology to identify beneficiaries with multiple Medicaid identification numbers.

Implement a comprehensive case management system that allows for efficient access to case documents and information.

We recommend that CMS verify that all State plans comply with Federal requirements prohibiting payments for PPCs by reviewing all existing State plans to ensure that States' policies related to PPCs are defined.

We recommend that CMS issue clarifying guidance to States to help ensure that they identify PPCs on inpatient claims from all inpatient hospitals.

We recommend that CMS issue clarifying guidance to States to help ensure that they acquire from all inpatient hospital providers the information necessary to determine whether Medicare crossover claims contain PPCs and fully understand how to determine whether a crossover claim containing a PPC requires a payment adjustment.

We recommend that CMS issue clarifying guidance to States to help ensure that they use all of the diagnosis codes that inpatient hospitals report to them to identify PPCs.

We recommend that CMS work with States to ensure that their systems and processes for identifying PPCs use all diagnosis codes reported by inpatient hospitals.

SAMHSA should work closely with States and territories during the no-cost extension period to address barriers to timely spending and to ensure that administrative cost caps are not exceeded.

We recommend that the Missouri Department of Health and Senior Services follow up with the 20 nursing homes to ensure that corrective actions have been taken regarding the life safety and emergency preparedness deficiencies identified in this report.

We recommend that the Missouri Department of Health and Senior Services conduct more frequent surveys at nursing homes that have a history of multiple high-risk deficiencies and follow up to ensure that corrective actions have been taken.

We recommend that the Florida Agency for Health Care Administration follow up with the 20 nursing homes to ensure corrective actions have been taken regarding the life safety and emergency preparedness deficiencies identified in this report.

We recommend that the Florida Agency for Health Care Administration conduct more frequent surveys at nursing homes with a history of multiple high-risk deficiencies and follow up to ensure that corrective actions have been taken.

We recommend that the Florida Agency for Health Care Administration continue to follow up with nursing homes to ensure that they implement their supplemental emergency plans.

We recommend that the Florida Agency for Health Care Administration expand State agency guidance to include all Federal emergency preparedness requirements in addition to the State emergency plan requirements.

We recommend that SAMHSA identify steps it can take and take action to ensure that it meets its goal for the number of OTPs it inspects each year.

We recommend that SAMHSA ensure that its compliance officers follow the Compliance Audit Guidance by reviewing alternative patients' charts when parts of a chart are unavailable to determine an OTP's compliance with the Federal opioid treatment standards.

We recommend that SAMHSA comply with Federal regulations and the HHS policy for documenting and retaining its evaluations of accreditation elements.

CMS should allow revocation of Medicare enrollment for inappropriate billing of Part D.

CMS should apply the Preclusion List payment prohibitions to pharmacies and other providers that dispense Part D drugs.