Connecticut’s state-based health insurance exchange, Access Health CT, was recently audited. The audit gained considerable media attention after it found that the exchange failed to report 44 breaches of personally identifiable information (PII) to the Auditors of Public Accounts and the State Comptroller as statutorily required. But the audit had several other findings that state-based ACA exchanges should review to ensure they’re operating smoothly.
With that audit in mind, here are 4 lessons state-based ACA exchanges can learn from Connecticut’s recent audit:
Adhere to strict vendor sourcing and monitoring protocols and promptly and appropriately communicate any security breaches.
Auditors chastised Connecticut’s state exchange for its internal controls and communication process after a series of security breaches exposed PII. The audit found that 44 breaches of client data occurred between July 2017 and March 2021; one phishing attack alone affected 1,100 customers. The audit also found that a single state contractor was responsible for 34 of those 44 breaches, and that the exchange had failed to ensure its contractors complied with privacy and security standards. As a result of the breaches, the exchange had to pay for two years of security monitoring for the affected clients.
The state also failed to communicate the breaches as required by law. Specifically, the rules required the exchange to notify both the Auditors of Public Accounts and the State Comptroller.
Takeaways:
- Document a Breach Communication Plan — Connecticut’s audit found that, although the exchange did communicate the breaches, it failed to meet all statutory requirements; the exchange indicated it was unaware of one specific requirement. So ensure you have a detailed, documented breach communication plan that meets or exceeds every statutory notification requirement that applies to you. Travelers offers a good, basic starting point for crisis communications planning for a data breach.
- Create a Risk Management Framework to Ensure Contractor Compliance — Auditors faulted Connecticut for failing to verify its contractors’ security processes. To rectify the issue, the exchange has begun using a risk management framework that helps it assess, mitigate and monitor risks within the exchange. A number of frameworks are available to help, including the NIST Cybersecurity Framework, which was designed to improve the cybersecurity of the country’s critical infrastructure. You can learn more here: https://www.nist.gov/cyberframework.
Minimize the use of sole-source contracts.
The audit also found that Connecticut’s procurement procedures were overly broad and gave the CEO wide leeway in awarding single-source contracts. A review of ten contracts found four single-source contracts totaling over $1 million. Because the purchasing rules lack any objective process and essentially leave the decision on whether to use a sole-source contract to the CEO, the auditors concluded that the exchange was likely paying more for services than it needed to. The audit recommended that the exchange refine its procurement procedures to include specific criteria for awarding single-source contracts. Why? Because doing so would likely save the state money while opening opportunities to more vendors.
Follow purchasing process rules.
Single-source contracts weren’t the only procurement issue auditors discovered. Auditors also found the exchange:
- Receiving services before purchase orders were approved
- Waiting as long as two years to receive a vendor’s completed Form W-9
- Not following the exchange’s own rules for credit card usage
- Lacking purchase orders for specific credit card transactions
- Lacking a Form W-9 on file for more than 10 credit card transactions
By not following its designated purchasing rules, the exchange increases the likelihood of improper purchases. Likewise, by not requiring purchase orders or not following credit card rules, it increases the likelihood that funds will be unavailable at the time of purchase.
Create annual and quarterly reports, if required.
Finally, the audit found that the exchange failed to submit required quarterly reports on spending, revenue, and personnel to the appropriate state department. The exchange was also required to send lists of its contractors to the State Elections Enforcement Commission but failed to do so.
Due to internal staff changes, the exchange had failed to submit a number of operational reports as required. Even where they are not required, quarterly or annual reports can improve the visibility of your state-based ACA exchange among policymakers, the news media, and the general public. For samples of how other states use annual reports, see the blog post we wrote last year, Improving Your State Health Insurance Exchange — Insights from 2020 State Exchange Annual Reports.
Certifi helps state health insurance exchanges improve enrollment and build a better member experience with state insurance exchange premium billing and payment solutions.