Audit of the Office of Medicaid (MassHealth)—Review of Telehealth Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of certain activities of MassHealth for the period January 1, 2020 through June 30, 2021.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is our audit objective, indicating the question we intended our audit to answer, the conclusion we reached regarding the objective, and where the objective is discussed in this report.

To achieve our objective, we gained an understanding of the internal control environment related to the objective by conducting inquiries with MassHealth officials. In addition, we performed the following procedures to obtain sufficient, appropriate audit evidence to address the objective.

We received a data extract from MassHealth for all telehealth claims submitted for behavioral health services for our audit period. We selected a random statistical sample of 47 telehealth behavioral health service claims (totaling $3,466) from the population of 1,306,414 (totaling $96,464,816) paid during the audit period. We used a 90% confidence level, a 5% desired precision rate, and a 0% expected error rate. We reviewed the medical record documentation for each of these claims to determine whether MassHealth providers properly maintained documentation in each member’s medical records, as required by MassHealth’s All Provider Bulletins 281, 289, 291, 298, 303, and 314. Specifically, we tested the following requirements from the “Requirements for Telehealth Encounters” section of Appendix A of All Provider Bulletin 314.

1. Providers must properly identify the patient using, at a minimum, the patient’s name, date of birth, and MassHealth ID.
2. Providers must disclose and validate the provider’s identity and credentials, such as the provider’s license, title, and, if applicable, specialty and board certifications.
3. For an initial appointment with a new patient, the provider must review the patient’s relevant medical history and any available medical records with the patient before initiating the delivery of the service.
4. For existing provider-patient relationships, the provider must review the patient’s medical history and any available medical records with the patient during the service.
5. Prior to each patient appointment, the provider must ensure that the provider is able to deliver the service to the same standard of care and in compliance with licensure regulations and requirements, programmatic regulations, and performance specifications related to the service (e.g., accessibility and communication access) using telehealth as is applicable to the delivery of the services in person. If the provider cannot meet this standard of care or other requirements, the provider must direct the patient to seek in-person care. The provider must make this determination prior to the delivery of each service.
6. To the extent feasible, providers must ensure the same rights to confidentiality and security as provided in face-to-face services. Providers must inform members of any relevant privacy considerations.
7. Providers must follow consent and patient information protocol consistent with those followed during in person visits.
8. Providers must inform patients of the location of the provider rendering services via telehealth (i.e., distant site) and obtain the location of the patient (i.e., originating site).
9. The provider must inform the patient of how the patient can see a clinician in-person in the event of an emergency or as otherwise needed.

All Provider Bulletins 281, 289, 291, and 303 contain the same or similar requirements.

We obtained telehealth claim data for behavioral health services from the Medicaid Management Information System (MMIS) through MassHealth officials. To determine the reliability of the data, we relied on the work performed by OSA in a separate project, completed in 2020, that tested certain information system controls in MMIS. As part of that work, OSA reviewed existing information, tested selected system controls, and interviewed knowledgeable MassHealth officials about the data. As part of our current audit, we performed validity and integrity tests on all telehealth claim data for behavioral health services, including (1) testing for blank fields, (2) scanning for duplicate records, (3) testing for values outside a designated range, (4) testing for dates outside the audit period, and (5) testing for data validity errors (specifically, character fields that contained invalid printable characters and date and time fields that contained invalid dates or times). Additionally, we selected 20 claims from our telehealth claim data and traced them to the hardcopy patient records. Based on these procedures, we determined that the data obtained were sufficiently reliable for the purpose of this audit.