Editor’s note: This article was updated at 4:10 p.m.
State Auditor Doug Hoffer wrote in a 38-page report that supplements his teamโs April audit that the Department of Vermont Health Access, which oversees the health exchange and Medicaid programs, has been entering into โauthorization to proceedโ letters with contractors, a practice that is outside of Vermontโs procurement policy.
Between July and October, the report says, the commissioner of the Vermont Department of Health Access signed two such agreements with OptumInsight Inc. and Exeter Group Inc. in anticipation of signing new contracts. A third company worked with sensitive tax information while under no written agreement.
Exeter closed up shop the last week of October and left Vermont to perpetually maintain code โ free of charge โ that makes up the Vermont Health Connect front-end portal. The company could make up to $305,131 under its authorization to proceed agreement, according to the audit, even though its previous written contract was set to expire in November 2014.
In three separate documents, according to the audit, Vermont agreed to pay up to $485,840 to Optum to remediate the change of circumstance backlog through Oct. 2.
The company then worked from Oct. 2 to Oct. 30 on the backlog without an โauthorization to proceedโ agreement or an updated contract.
โAs of Nov. 6, 2015, DVHA had not signed contract amendments pertaining to these agreements,โ the audit said. In a meeting that day, the departmentโs lawyer told Hofferโs staff the agreements โare not contracts and are not binding on the state,โ and โcontractors know they can only be paid for their services if a contract amendment is signed.โ
A third company, Archetype, received approval to work with Internal Revenue Service forms and Medicaid reconciliation in mid-October, according to the audit. On Oct. 26, the company entered into a written โauthorization to proceedโ agreement with the Department of Vermont Health Access. Again, there was no new contract signed as of Nov. 6.
โBulletin 3.5 does not authorize or even mention these types of arrangements, and there is no evidence that DVHA sought approval from the Secretary of Administration to use such documents to procure services,โ the audit said. โThe use of these (arrangements) has the effect of circumventing the approval requirements in Bulletin 3.5.โ
The Agency of Human Services provided an official response to Hofferโs team: โAlthough DVHA had a different understanding at the time, the Department is now aware it should seek Secretary of Administration approval for (authorization to proceed agreements) โฆ and will seek such approvals going forward.โ
Lawrence Miller, the chief of health care reform for the Shumlin administration, said in an interview Thursday that โalternative contracting processesโ are used โmainly because the contracting process is too long.โ Miller said the administration knew the department was entering into the agreements, and the secretary of administration did not sign a waiver.
Functionality assessment
In an interview Thursday, Hoffer described the audit as a “mixed bag.” Itโs important to note the improvements in Vermont Health Connect, he said, such as the partially automated change of circumstance functionality.
The auditor’s team identified 121 security weaknesses with the website, including three high-risk and 63 moderate-risk weaknesses, but declined to release more information about the issues for fear of making the website more vulnerable to attack.
Exeter, a contractor for the state, implemented a software system called OneGate for the website that the Department of Vermont Health Access must now maintain. Miller said the state has hired a new chief information security officer and will always have more work to do in security.
โThey [the department] earned some kudos, but they also find themselves behind the 8-ball again,โ Hoffer said. โExeter is important. Theyโre not just any contractor. Theyโre the company that created the software. As is always the case, the latest version has to be tested, and it hasnโt been tested yet, and inevitably, there will be defects.โ
Vermont is the only state that continues to use it. The audit describes the software as โfundamentalโ and used for six things: Medicaid eligibility screening, evaluating subsidies, processing applications, selecting plans, maintaining customer accounts and managing cases.
The audit says that the software has โknown defects,โ and โit is unknown whether the latest version of this product to be used in the next major software change contains additional defects.โ
Miller said the stateโs Quality Assurance team is still working on the code. There were 150 defects with the software on Oct. 22, and 47 were Exeterโs responsibility.
Many other functions of the exchange have not come to fruition, or are only implemented in part, according to the audit.
โข Vermont Health Connectโs billing process doesnโt comply with Medicaid rules. In February, the state hadnโt terminated 1,147 delinquent Dr. Dynasaur accounts for non-payment.
โข Eight change-of-circumstance functions can only be performed by state workers. They include adding a new baby to a plan, reporting a pregnancy, removing a subscriber, and reinstating coverage.
โข Reconciliations between the exchange, insurance companies, and the premium payment processor, Benaissance, have not been automated.
โข Medicaid renewals are not fully automated. (The administration says it will renew income-based Medicaid recipients starting in January.)
Vermont Health Connect currently serves about 33,000 individuals who buy commercial insurance. Over time, the state wants 143,000 people on an income-based Medicaid program to join the exchange. They have up to 60,000 people left to transfer.
Clarification: Chief of Health Care Miller said Thursday his comments about concerns about the length of the contracting process applied only to “emergency situations.”
