Commonwealth Health Insurance Connector Authority - Finding 1

The Commonwealth Health Connector Insurance Authority (Connector) could not provide a log of alleged fraud complaints that were received through telephone, email, mail, or in-person means during the audit period.

Without documentation of fraud complaints received, the Connector cannot monitor the number of complaints, as well as actions taken to address specific complaints.

According to Section 10.01 of the Office of the Comptroller of the Commonwealth’s Internal Control Guide: [Office of the Comptroller of the Commonwealth] Statewide Risk Management document, agencies are required to develop “policies, procedures, techniques, and mechanisms that enforce management’s directives to achieve the entity’s objectives.”

In addition, according to Section 12.01 of the Office of the Comptroller of the Commonwealth’s Internal Control Guide: [Office of the Comptroller of the Commonwealth] Statewide Risk Management document, managers and other personnel members in key roles should document internal control, all transactions, and other significant events in a manner that allows the documentation to be readily available for examination. The documentation may appear in management directives, administrative policies, or operating manuals, in either a paper or an electronic form.

Also, the following information is found in the “Quick Guide: Schedule Number 06–18” from the Massachusetts Statewide Records Retention Schedule, as revised in July 2022:

B04–04: Licensure Complaints, Investigations, and Hearing Records

See sub-schedules for specific retention periods.

Documents complaints received and/or investigated relating to unregulated activities. Complaint types include regulatory non-compliance, fraud and program abuse, administrative process, and citizen requests for services. Includes intake documentation, complaint forms, interview notes, hearing transcriptions, investigation reports, appeals, [and] hearing proceedings.

According to an email to us from the Connector’s compliance manager, “There were no complaints that rose to the level of a privacy and security incident. Also, we only track complaints that rise to the level of Privacy and Security incidents in the [privacy and security] Incident log.” We could not verify the accuracy of this statement, because there was no log of complaints for us to review to determine the severity of complaints, the accuracy of their categorization, or how well the authority evaluated and adjudicated them.

1. The Connector should develop and implement written policies and procedures surrounding the receipt and resolution of complaints.
2. All fraud complaints received should be logged into the Connector’s privacy and security incidents log, along with documentation to support the actions taken to resolve them.

In response to [the Office of the State Auditor’s] draft audit report on the Health Connector covering the period July 1, 2021, through June 30, 2023, the Health Connector acknowledges that the Auditor is recommending that the Health Connector “develop and implement written policies and procedures surrounding the receipt and resolution of complaints,” and that “fraud complaints received should be logged into the Connector’s privacy and security incidents log.”

The term “complaint” is non-specific and vague, but the Health Connector understands it to refer to the various areas of compliance oversight with which it is tasked, namely complaints of Fraud, Waste, and Abuse; violations of its Privacy Policy; violations of its Nondiscrimination Policy; and violations of its Language Access Policy.

The Health Connector does not agree that all of these kinds of complaints should be tracked in its privacy and security incidents log, since that log is reserved only for documenting privacy or security incidents.

Further, the Health Connector notes that it makes available to members of the public several channels to report violations of the above-mentioned policies, including complaint forms, email addresses, and phone lines dedicated to each type. The Health Connector takes seriously its obligations investigate any complaint that alleges a violation of these policies, and notes that to date it has received none.

That said, the Health Connector understands that the Auditor recommends logging all communications received through these dedicated complaint channels, including those that are misdirected, inappropriate, spam, or otherwise fail to allege a violation of a Health Connector policy. The Health Connector therefore will create policies and procedures to document each communication received through a dedicated complaint channel and log them in an appropriate location, consistent with the Auditor’s recommendations.

The key issue that led to our audit finding was that the Connector did not log all complaints received, nor did it document the resolution of complaints. Without a documented log of complaints, the auditee is not in compliance with the Office of the Comptroller of the Commonwealth’s guidance or the Massachusetts Statewide Records Retention Schedule, listed above in the "Authoriative Guidance" section. This prevents Connector management from receiving relevant information to assist in the management and improvement of the operations of the authority and prevents auditors from receiving documentation to support audits that review the performance of the Connector. Based on its overall response, the Connector is taking measures to address our concerns regarding this matter.