Editor’s note: This article was updated at 4:10 p.m.
State Auditor Doug Hoffer wrote in a 38-page report that supplements his team’s April audit that the Department of Vermont Health Access, which oversees the health exchange and Medicaid programs, has been entering into “authorization to proceed” letters with contractors, a practice that is outside of Vermont’s procurement policy.
Between July and October, the report says, the commissioner of the Vermont Department of Health Access signed two such agreements with OptumInsight Inc. and Exeter Group Inc. in anticipation of signing new contracts. A third company worked with sensitive tax information while under no written agreement.
Exeter closed up shop the last week of October and left Vermont to perpetually maintain code — free of charge — that makes up the Vermont Health Connect front-end portal. The company could make up to $305,131 under its authorization to proceed agreement, according to the audit, even though its previous written contract was set to expire in November 2014.
In three separate documents, according to the audit, Vermont agreed to pay up to $485,840 to Optum to remediate the change of circumstance backlog through Oct. 2.
The company then worked from Oct. 2 to Oct. 30 on the backlog without an “authorization to proceed” agreement or an updated contract.
“As of Nov. 6, 2015, DVHA had not signed contract amendments pertaining to these agreements,” the audit said. In a meeting that day, the department’s lawyer told Hoffer’s staff the agreements “are not contracts and are not binding on the state,” and “contractors know they can only be paid for their services if a contract amendment is signed.”
A third company, Archetype, received approval to work with Internal Revenue Service forms and Medicaid reconciliation in mid-October, according to the audit. On Oct. 26, the company entered into a written “authorization to proceed” agreement with the Department of Vermont Health Access. Again, there was no new contract signed as of Nov. 6.
VTDigger is underwritten by:
“Bulletin 3.5 does not authorize or even mention these types of arrangements, and there is no evidence that DVHA sought approval from the Secretary of Administration to use such documents to procure services,” the audit said. “The use of these (arrangements) has the effect of circumventing the approval requirements in Bulletin 3.5.”
The Agency of Human Services provided an official response to Hoffer’s team: “Although DVHA had a different understanding at the time, the Department is now aware it should seek Secretary of Administration approval for (authorization to proceed agreements) … and will seek such approvals going forward.”
Lawrence Miller, the chief of health care reform for the Shumlin administration, said in an interview Thursday that “alternative contracting processes” are used “mainly because the contracting process is too long.” Miller said the administration knew the department was entering into the agreements, and the secretary of administration did not sign a waiver.
In an interview Thursday, Hoffer described the audit as a “mixed bag.” It’s important to note the improvements in Vermont Health Connect, he said, such as the partially automated change of circumstance functionality.
The auditor’s team identified 121 security weaknesses with the website, including three high-risk and 63 moderate-risk weaknesses, but declined to release more information about the issues for fear of making the website more vulnerable to attack.
Exeter, a contractor for the state, implemented a software system called OneGate for the website that the Department of Vermont Health Access must now maintain. Miller said the state has hired a new chief information security officer and will always have more work to do in security.
“They [the department] earned some kudos, but they also find themselves behind the 8-ball again,” Hoffer said. “Exeter is important. They’re not just any contractor. They’re the company that created the software. As is always the case, the latest version has to be tested, and it hasn’t been tested yet, and inevitably, there will be defects.”
Vermont is the only state that continues to use it. The audit describes the software as “fundamental” and used for six things: Medicaid eligibility screening, evaluating subsidies, processing applications, selecting plans, maintaining customer accounts and managing cases.
The audit says that the software has “known defects,” and “it is unknown whether the latest version of this product to be used in the next major software change contains additional defects.”
Miller said the state’s Quality Assurance team is still working on the code. There were 150 defects with the software on Oct. 22, and 47 were Exeter’s responsibility.
Many other functions of the exchange have not come to fruition, or are only implemented in part, according to the audit.
• Vermont Health Connect’s billing process doesn’t comply with Medicaid rules. In February, the state hadn’t terminated 1,147 delinquent Dr. Dynasaur accounts for non-payment.
• Eight change-of-circumstance functions can only be performed by state workers. They include adding a new baby to a plan, reporting a pregnancy, removing a subscriber, and reinstating coverage.
• Reconciliations between the exchange, insurance companies, and the premium payment processor, Benaissance, have not been automated.
VTDigger is underwritten by:
• Medicaid renewals are not fully automated. (The administration says it will renew income-based Medicaid recipients starting in January.)
Vermont Health Connect currently serves about 33,000 individuals who buy commercial insurance. Over time, the state wants 143,000 people on an income-based Medicaid program to join the exchange. They have up to 60,000 people left to transfer.
Clarification: Chief of Health Care Miller said Thursday his comments about concerns about the length of the contracting process applied only to “emergency situations.”
Don't miss a thing. Sign up here to get VTDigger's weekly email on Vermont hospitals, health care trends, insurance and state health care policy.