The agency that manages the state's mental health system paid claims to dead people and didn't adequately verify that other patients qualified for state assistance, according to a legislative audit released Wednesday.
The audit said the Mental Hygiene Administration would take back $5,500 it had paid to two patients who were listed as dead during the time of their claims, and would refer the cases to the state Medicaid fraud office.
The audit also found that health records with patients' personal information could have been exposed to security risks and attacks because of lax Web security measures.
The security problems are linked to ValueOptions, the state contractor that pays claims, monitors providers and authorizes medical services based on necessity, among other functions.
The audit looked at activity during a three-year period ending June 30, 2010.
Health Secretary Joshua M. Sharfstein said in a letter to the Office of Legislative Audits that the agency would agree to implement recommendations made in the audit to fix the problems.
Auditors compared death records from the Social Security Administration with paid claims data and found that 106 people were listed as deceased but received claims for mental health services. The agency paid $207,000 in such claims from September 1, 2009, to October 31, 2010, the audit found.
The auditors further investigated five of those cases to see whether actual fraud or improper payment had occurred, and found in two instances that claims were in fact paid to people who had died.
The agency will investigate the rest of the cases, as recommended by auditors, and has agreed to better compare Social Security records with claims in the future. State health officials said problems may have come in instances where there were billing errors. Patients may have died between the date of service and the time the final bill was submitted.
"We have been looking into this, and it is actually a rare occurrence — one referred for criminal investigation and not tolerated," said Brian Hepburn, director of the Mental Hygiene Administration.
Patients who had mental health services paid for under the state's uninsured compensation program might not have been eligible, the audit also found.
Auditors looked at 16 patients who had claims paid from Sept. 1, 2009, to Oct. 31, 2010, and found documentation discrepancies in 12 of those cases. For instance, the Social Security number or proof of residency was not provided in some cases.
Hepburn said health providers are supposed to check to make sure patients qualify for uninsured status and that the auditors were concerned that they weren't collecting enough documentation. As a result of the audit, ValueOptions now also verifies patients' status, Hepburn said.
The audit also recommended that the mental health agency takes steps to ensure the security of ValueOptions' portal and Web software. It said ValueOptions' account and password controls were not adequate, opening up the potential for security breaches.
ValueOptions CEO Mary Mastrandrea said in a statement that the company worked alongside the Mental Hygiene Administration and the Maryland Office of Legislative Audits to address matters that arose.
Mastrandrea also addressed the company's technology-related security. She said ValueOptions undergoes two annual audits from internationally recognized auditing agencies, employs a certified security specialist and uses a secure computer system which has limited access and rights.
"Our technology is secure," Mastrandrea said. "The audit by the Maryland Office of Legislative Audits identified a few areas for improvement but overall, the findings determined that our system is secure."
"We take confidentiality very seriously, and we have designed our system to provide for the utmost security," she added.
The audit also said that the mental health agency needed to better track collections, which mainly come from grantees or vendors because of cost settlements.