
Audit of the Office of Medicaid (MassHealth)—Review of Continuity of Operations Plan

The audit found MassHealth did not annually update its COOP or conduct staff training or exercises related to the plan and did not annually update or test its disaster recovery plan. The audit examined the period of January 1, 2020 through June 30, 2021.

Organization: Office of the State Auditor
Date published: July 15, 2022

Executive Summary

The Office of the State Auditor (OSA) receives an annual appropriation for the operation of a Medicaid Audit Unit to help prevent and identify fraud, waste, and abuse in the Commonwealth’s Medicaid program. This program, known as MassHealth, is administered under Chapter 118E of the Massachusetts General Laws by the Executive Office of Health and Human Services (EOHHS), through the Division of Medical Assistance. Medicaid is a joint federal-state program created by Congress in 1965 as Title XIX of the Social Security Act. At the federal level, the Centers for Medicare & Medicaid Services, within the United States Department of Health and Human Services, administer the Medicare program and work with state governments to administer state Medicaid programs.

OSA has conducted a performance audit of MassHealth’s continuity of operations plan (COOP) and disaster recovery plan (DRP) for its Medicaid Management Information System (MMIS) for the period January 1, 2020 through June 30, 2021. The purpose of this audit was to determine whether MassHealth complied with Executive Order 490 and Sections 6.1 and 6.2 of the Executive Office of Technology Services and Security’s Business Continuity and Disaster Recovery Standard IS.005.

The audit was conducted as part of OSA’s ongoing independent statutory oversight of the state’s Medicaid program. As with any government program, public confidence is essential to this program’s success and continued support.

Below is a summary of our findings and recommendations, with links to each page listed.

Finding 1
 

MassHealth did not annually update its COOP or conduct staff training or exercises related to the plan.

Recommendations
 

  1. MassHealth should establish monitoring controls to ensure that it properly adheres to the policies and procedures it has established for updating and testing its COOP.
  2. MassHealth should work with EOHHS to annually update its COOP and conduct staff training and exercises.

Finding 2
 

MassHealth did not annually update or test its DRP.

Recommendations
 

  1. MassHealth should establish written policies and procedures for assigning, managing, and monitoring its DRP.
  2. MassHealth should identify an offsite disaster recovery location to use for MMIS. Once the site has been selected, MassHealth should test the updated DRP and incorporate the results into it.

 
