This page, Audit of the Office of Medicaid (MassHealth)—Review of Continuity of Operations Plan Overview of Audited Entity, is offered by the Office of the State Auditor.

Audit of the Office of Medicaid (MassHealth)—Review of Continuity of Operations Plan Overview of Audited Entity

This section describes the makeup and responsibilities of the Office of Medicaid (MassHealth)—Review of Continuity of Operations Plan

Overview

Under Chapter 118E of the Massachusetts General Laws, the Executive Office of Health and Human Services (EOHHS), through the Division of Medical Assistance, administers the state’s Medicaid program, known as MassHealth. MassHealth provides access to healthcare for approximately 1.8 million low- and moderate-income children, families, seniors, and people with disabilities annually. In fiscal year 2021, MassHealth paid healthcare providers more than $18.1 billion, of which approximately 45% was funded by the Commonwealth. Medicaid expenditures represented approximately 40% of the Commonwealth’s total fiscal year 2021 budget.

EOHHS is responsible for working with MassHealth to establish its continuity of operations planning, business continuity planning, and disaster recovery planning controls over MassHealth’s Medicaid Management Information System (MMIS). Since 1978, state agencies have been required by executive orders to perform and document their planning efforts for the continuity of operations during emergencies. Most recently, Executive Order 490, issued in September 2007, states,

To achieve a maximum state of readiness, these plans should be incorporated into the daily operations of every secretariat and agency in the executive department, and should be reviewed on a regular basis and, with respect to agencies supplying services critical in times of emergency, exercised regularly. . . . In addition, each critical secretariat and agency shall submit an annual report to the Executive Office of Public Safety and Security.

MMIS

MMIS is the claim processing and data warehouse system MassHealth uses. MMIS contains various types of information, such as healthcare information about services provided to MassHealth members and billing submission data, and is used for processing data, verifying eligibility, and running reports that identify medical treatment.

Continuity of Operations Plan and Disaster Recovery Plan

According to the Massachusetts Emergency Management Agency’s “State Agency COOP Program Template,”

The . . . Continuity of Operations Plan (COOP) provides a framework to ensure continued operation of mission essential functions for up to 30 days when an internal or external emergency impacts [an] Agency’s facilities, systems, personnel, and/or operations.

The continuity of operations plan should address important elements that are fundamental to business continuity planning, such as a list of essential business functions, a designation of MassHealth’s mission-critical systems, MassHealth’s emergency notification procedures, personnel contact information, and a detailed list of responsibilities for continuity of operations.

An effective disaster recovery plan should provide specific instructions for various courses of action to address different types of disaster scenarios.

Executive Office of Technology Services and Security

The Executive Office of Technology Services and Security’s (EOTSS’s) predecessor agency was MassIT, which had a supervisory role over information technology (IT) at Commonwealth executive branch agencies. On August 1, 2017, the Governor formed EOTSS with the goal of consolidating more IT functions in executive branch agencies into a central agency. This was called the One Network initiative.

EOTSS and EOHHS’s IT Department manage MMIS. Although EOTSS has had an increasing role with agencies’ IT Departments, EOHHS is still responsible for establishing controls to ensure proper safeguarding of the information it collects and retains in MMIS.

Date published: July 15, 2022
