Audit of the Norfolk County Sheriff’s Office – A Review of Healthcare and Inmate Deaths Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of certain activities of the Norfolk County Sheriff’s Office (NSO) for the period July 1, 2019 through June 30, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer; the conclusion we reached regarding each objective; and, if applicable, where each objective is discussed in the audit findings.

To accomplish our audit objectives, we gained an understanding of the aspects of NSO’s internal control environment relevant to our objectives by reviewing NSO’s internal control plan and applicable policies and procedures, as well as by interviewing NSO’s management. Specifically, we took the following actions:

• We evaluated the design and implementation of internal controls related to the creation and approval of meeting minutes documenting the quarterly meetings held by NSO and its in-house healthcare employees.
• We evaluated the operating effectiveness of internal controls related to the initial medical screening process. Specifically, we reviewed the electronic forms of the initial medical screening, which contained the approvals of the qualified healthcare professionals.

To obtain sufficient, appropriate evidence to address our audit objectives, we performed the following procedures.

We inspected a list of the inmate deaths that occurred during the audit period, which NSO management provided to us and which came from the Offender Management System (OMS). This list included one inmate who died in NSO’s custody during the audit period and whose cause of death was reported as complications related to COVID-19.

To determine whether NSO created and complied with a documented policy or procedure regarding the death of an inmate, as required by 103 CMR 932.17, we took the following actions.

• We interviewed NSO management regarding the deaths of inmates in its custody during the audit period and obtained NSO’s Policy CSD 622 (Death Procedures).
• We inspected NSO’s Policy CSD 622 to determine whether it included the following requirements listed in 103 CMR 932.17(2):

(a)  internal notification to include medical and administrative staff;

(b)  procedures when discovering body;

(c)  disposition of the body;

(d)  notification of next of kin;

(e)  [Criminal Offender Record Information] notification [sent to victim(s) of an inmate] as soon as practicable [when such notification is necessary];

(f)   investigation of causes;

(g)  reporting and documentation procedures;

(h)  procedure for review of incident by appropriate designated staff with a final report submitted to all appropriate parties.

• We examined the documentation related to this in-custody death to determine whether in-house healthcare and administrative employees, as well as the inmate’s next of kin, were notified about the inmate’s death.
• We obtained and examined the inmate’s death certificate from the Office of the Chief Medical Examiner to determine whether NSO notified the Office of the Chief Medical Examiner about the inmate’s death.
• We contacted the Norfolk District Attorney’s Office to determine whether NSO sent victim(s) of the inmate a Criminal Offender Record Information notification.
• We examined the clinical mortality review document related to this inmate’s death to determine whether appropriate staff members reviewed the circumstances surrounding the inmate’s death and whether a final report was submitted to all appropriate parties.

We noted no exceptions in our testing; therefore, we concluded that, during the audit period, NSO created and complied with a documented policy or procedure regarding the death of an inmate, as required by 103 CMR 932.17.

To determine whether NSO held quarterly meetings with its in-house healthcare employees and reviewed quarterly reports regarding healthcare services for inmates, as required by 103 CMR 932.01(3), we took the following actions. We examined the minutes of all eight (100%) of the quarterly meetings that took place during the audit period between NSO and its health authority. We reviewed the dates the meetings were held, the attendees, the topics addressed, and any follow-up correspondence related to these meetings. We also examined all two (100%) of the annual statistical summaries that the health authority submitted to NSO during the audit period.

We noted no exceptions in our testing; therefore, we concluded that, during the audit period, NSO held quarterly meetings with its in-house healthcare employees and reviewed quarterly reports regarding healthcare services for inmates, as required by 103 CMR 932.01(3).

To determine whether NSO provided its inmates with initial medical screenings upon admission, as required by 103 CMR 932.06(1) and Section 601.13(1–2)¹² of NSO’s Policy CSD 601, we took the following actions. We selected a random, statistical sample of 60 inmates out of the population of 4,350 inmates who were admitted to the Norfolk Sheriff’s Office Jail and House of Correction (NJHC) during the audit period, using a 95% confidence level,¹³ a 0% expected error rate,¹⁴ and a 5% tolerable error rate.¹⁵ We then performed the following procedures:

• We inspected the Medical Entrance Screening Form in CorEMR to determine whether each field in the form was completed. In addition, we examined this form to determine whether the inmate acknowledged that the initial medical screening was performed by signing and dating the Medical Entrance Screening Form.
• We examined the Medical Entrance Screening Form to determine whether it included the following information regarding initial medical screenings: completion date, completion time, and an electronic signature by a qualified healthcare professional.

We determined that, during the audit period, 1 inmate out of our sample of 60 did not receive the initial medical screening upon admission. For more information, see Finding 1.

To determine whether NSO ensured that a qualified healthcare professional conducted a face-to-face meeting within 24 hours of receipt of a sick call request form, as required by Section 601.15(1)(b) of NSO’s Policy CSD 601, and whether NSO documented the medical care it provided to its inmates after receipt of a sick call request form, as required by 103 CMR 932.18(2)(h) and (k), we took the following actions.

We received a list of all 6,176 healthcare records from the audit period, as recorded in the CorEMR system. We observed one of NSO’s data specialists extract sick call request data from the population of 6,176 healthcare records using a Structured Query Language (SQL) query,¹⁶ specifically searching for healthcare records with the keyword “s.s_text”¹⁷ in the “Description” data field in the CorEMR system. According to this SQL query, inmates submitted 630 sick call request forms during the audit period. NSO clarified that the results of this SQL query did not encompass all sick call request forms submitted during the audit period, particularly those that a qualified healthcare professional input without the keyword “s.s_text” in the “Description” data field and any made by inmates verbally to a qualified healthcare professional or officer. We then selected a random, nonstatistical sample of 50 sick call request forms out of the population of 630 sick call request forms that were submitted by inmates during the audit period.

From the remaining 5,546 healthcare records that did not contain the keyword “s.s_text” in the “Description” data field, we selected a random, nonstatistical sample of 60 healthcare records to determine whether these healthcare records were related to sick calls but not labeled as such in the CorEMR system. Specifically, we searched these 60 healthcare records in our sample for any sick call request forms that were scanned into the inmate’s medical file but were not labeled as a sick call request. We identified 14 healthcare records that included a scanned sick call request form but were not labeled with the keyword “s.s_text” in the “Description” data field. We added these 14 healthcare records to our sample of 50 and performed the following procedures.

• We examined each sick call request form and noted whether the inmate completed the form and the date it was signed by a qualified healthcare professional.
• We inspected the medical tasks screen and medical notes in each inmate’s file in the CorEMR system to determine whether a qualified healthcare professional recorded each inmate’s sick call request form (both by manually inputting the data and by scanning the original sick call request form into the CorEMR system) and whether a qualified healthcare professional held a face-to-face meeting with the inmate.
• We calculated the number of days between the date that a qualified healthcare professional received a sick call request form and the date a qualified healthcare professional held a face-to-face meeting with the inmate to determine whether this face-to-face meeting occurred within 24 hours of receipt of the sick call request form.

We noted no exceptions in our testing; therefore, we concluded that, during the audit period, NSO (1) ensured that a qualified healthcare professional conducted a face-to-face meeting within 24 hours of receipt of a sick call request form and (2) documented the medical care it provided to its inmates after receipt of a sick call request form. However, for more information regarding NSO’s use of the CorEMR system for tracking sick call requests, see Other Matters.

We used both statistical and nonstatistical sampling methods for testing, and we did not project the results of our testing to the corresponding population(s).

OMS

We assessed the reliability of the inmate data obtained from OMS by interviewing the NSO information technology employees who oversaw the system. We tested the general information technology controls (i.e., access, configuration management, segregation of duty, contingency planning, and security management controls). We selected a random sample of 20 inmates from the list of the 4,350 inmates who were admitted to NJHC during the audit period (which was extracted from OMS) and compared the inmates’ information from this list (i.e., their full name, date of birth, and date of admission to NJHC) to the information in the original source documents (i.e., the mittimus or a warrant from the state police) for agreement.

We selected a random sample of 20 hard copies of the mittimuses and compared the inmates’ information from the mittimuses (i.e., full name, date of birth, and date of admission to NJHC) to the information in the list of inmates from OMS for agreement. In addition, we tested the data for duplicate records. We reconciled the list of in-custody deaths from OMS with the list provided to us by the Office of the Chief Medical Examiner.

Based on the results of the data reliability assessment procedures described above, we determined that the OMS data obtained for the audit period was sufficiently reliable for the purposes of our audit.

CorEMR System

We assessed the reliability of the list of all 6,176 healthcare records obtained from the CorEMR system by interviewing NSO officials who were knowledgeable about the system. We tested general information technology controls (i.e., access, configuration management, segregation of duty, contingency planning, and security management controls).

We verified the healthcare record numbers in the CorEMR system by comparing these to the list of all 6,176 healthcare records that NSO sent us. We then tested the list of all 6,176 healthcare records from the CorEMR system for any worksheet errors (i.e., hidden objects such as rows, headers, and other content). Additionally, we compared the inmate information (i.e., the inmates’ booking numbers, dates of birth, and dates of admission to NJHC) in the list of the 6,176 healthcare records to the inmate information on the list of inmates booked during the audit period from OMS.

To assess the completeness and accuracy of the list of the 630 sick call request forms identified by the SQL query (which came from searching for the keyword “s.s_text” in the “Description” data field) in the CorEMR system, we selected a random sample of 20 sick call request form records from the list of 630 sick call request forms that inmates submitted during the audit period. We observed an NSO employee query the CorEMR system as they extracted sick call request data. We reviewed this data on the NSO employee’s computer screen, comparing inmate information (i.e., their full name, their date of birth, and the date of their sick call request form submission) to the information on the hard copies of the sick call request forms. Additionally, we selected a random sample of 20 hard copies of sick call request forms from the list of 630 identified by the SQL query and traced the information from the forms (i.e., inmate’s full name and date of the sick call request) to the sick call request form scanned into the inmate’s file in the CorEMR system.

Based on the results of the data reliability assessment procedures described above, we determined that the CorEMR data obtained for the audit period was sufficiently reliable for the purposes of our audit.