U.S. Office of Personnel Management accuses Health Net of obstructing federal IT audit: 6 things to know

The Office of the Inspector General at the U.S. Office of Personnel Management alleged in a Feb. 12 report Health Net of California obstructed a federal IT audit, thereby violating its contract with the OPM.

Here are six things to know about the allegations against Health Net of California.

1. The OIG performs IT audits of all insurance carriers participating in the Federal Employees Health Benefits Program, which includes Health Net of California, according to the report. The goal of the IT audits is to ensure insurance carriers that provide coverage to federal employees, retirees and their families have controls in place to protect the confidentiality and integrity of patients' protected health information and personally identifiable information.

2. The OIG issued an IT audit notification letter to Health Net of California Sept. 12, 2017, as part of the agency's "normal procedure," the report reads. The OIG engaged in pre-audit planning discussions with the insurance carrier through January 2018, and scheduled two site visits for the IT audit: one in late January and one in mid-February.

3. The OIG completed audit interviews during the first site visit in January. However, it "subsequently became apparent that Health Net did not intend to cooperate with our planned testing," according to the report. The agency issued 13 data requests to the insurer, due by Feb. 1. By Feb. 6, "not a single document" had been provided to the OIG, the report states.

4. The OIG issued a formal memorandum to Health Net of California Feb. 6, requesting they state whether they intended to comply with the IT audit. The agency reportedly received an email from the insurance carrier Feb. 7, stating it would not allow the OIG to conduct vulnerability and configuration management testing, nor would it provide the agency with certain data.

5. The OIG alleged Health Net of California's refusal to participate in the audit violated its contract with the OPM. The agency recommended the OPM director require Health Net of California to cooperate, permit the requested IT testing and provide the requested records.

"Health Net's refusal to provide complete access and termination lists is unprecedented in our IT audits," the OIG wrote. "We request only the individual's name (or a unique identifier such as employee ID) and the employment termination date. This information is not considered PHI or PII, so there is limited risk to these individuals in the unlikely event that the lists were somehow inadvertently released."

6. In a statement to Becker's Hospital Review Feb. 23, Health Net of California said it has "fully cooperated" with the OIG's IT audit.

"We believe the Flash Alert and its accompanying memorandum issued by OPM contain unfounded allegations that Health Net is obstructing the audit," the statement reads. "We also believe the alert contains grossly inaccurate statements about the security of Health Net's technical environment."

In the statement, Health Net of California said it was advised by legal counsel that complying with certain audit requests would "risk violation of contractual obligations that we have in place to protect our data."

"We have discussed our concerns with the OPM and OIG over how their audit approach could compromise the security of our data and our members' privacy," the statement continues. "Based on our experiences with other audits, including audits by other federal agencies, we remain convinced that we can satisfy all of the objectives of the OPM and OIG requests without compromising the security of our systems."

To access the OIG's report, click here.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

 

Articles We Think You'll Like