The URL can be used to link to this page

1. Audit of Health Insurance Operations ABSTRACT The City has outsourced the administration of health insurance claims. Further monitoring of the Third-Party Administrator would provide further assurance that claims are adjudicated efficiently. In addition, the City has generally established adequate controls over benefits plan management NG� and participant enrollment. �NSVRP NE Internal Audit Department City Auditor Madison Rorschach, CIA, CGAP Audit Staff AUDIT OF HEALTH Neeraj Sama, MBA INSURANCE OPERATIONS IIT crry DENTON The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process Table of Contents Auditat a Glance .................................................................................................................................3 Introduction.........................................................................................................................................4 ManagementResponsibility.....................................................................................................................4 Audit Objectives, Scope, and Methodology..............................................................................................4 Findings&Analysis..............................................................................................................................6 Medical Benefits Plans are Appropriately Monitoried for Compliance & Utilization...............................7 Plan Enrollment is Adequately Managed; Dependent Monitoring Could Lower Costs............................8 Claim Administration Controls Appear Adequate but Should be Regularly Reviewed ..........................10 Claims Funding Process Should be Clarified ...........................................................................................14 Periodic Verification of the TPA's Performance Would Increase Assurance..........................................15 Appendix A: Management Response Summary.................................................................................. 18 The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process Audit at a Glance Why we did this Audit: What we Found: As a self-funded health insurance The City has outsourced the administration of health provider,the City has a fiduciary duty insurance claims to a Third-Party Administrator; to its residents and employees to however, it is responsible for managing the benefits ensure health care services are being plans offered to employees as well as participant provided economically. Annually, the enrollment. Findings for each of these processes are City pays over $25 million in health summarized below: insurance claims for City employees and their dependents. This audit was Benefits Plan Management. The City has developed included on the City's fiscal year two health insurance plans with the assistance of an 2019-20 Audit Plan as approved by Employee Benefits Consultant who negotiates with the City Council. health care providers and facilitates plan compliance with applicable regulations. The Consultant also provides regular reports on plan and network What we Recommend: utilization, which adequately allows the City to monitor health insurance operations funding levels. Recommendation 1 Periodically identify and remove Participant Enrollment. The City has developed ineligible dependents who are not adequate controls to ensure changes in health removed by employees in a timely insurance plan enrollment are communicated to the manner. Third-Party Administrator. In addition, the City is adequately verifying that employees' dependents are Recommendations 2, 3, &4 eligible for coverage when enrolled; however,there is Regularly review the Third-Party no process to periodically verify that dependents are Administrator's claims processing still eligible for coverage. controls and report results to City Management. Claims Administration. The City's Third-Party Administrator appears to have developed adequate Recommendation 5 controls over claims administration; however,the City Annually verify that all individuals should regularly review available independent audit with access to the City's health and performance reports to ensure this continues. In insurance portal are authorized. addition, conducting an independent review of adjudicated claims could help identify claim Recommendations 6 processing & plan implementation errors and verify Clarify the claims reimbursement that performance guarantees are met. reconciliation process. Finally, the City has an effective process for funding Recommendation 7 health insurance claims. Still, updating this process Implement procedures to verify that documentation to include Finance's responsibility the Third-Party Administrator is would facilitate consistency and provide clarity on meeting performance guarantees. funding authorization levels4(I01 ry m DENTON Audit report translations may be requested by emailing InternalAudit@CityofDenton.com. The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process Introduction The Internal Audit Department is responsible for providing: (a) an independent appraisal' of City operations to ensure policies and procedures are in place and complied with, inclusive of purchasing and contracting; (b) information that is accurate and reliable; (c) assurance that assets are properly recorded and safeguarded; (d) assurance that risks are identified and minimized; and (e) assurance that resources are used economically and efficiently and that the City's objectives are being achieved. The Internal Audit Department has completed a performance audit of health insurance operations. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.We believe that the evidence obtained provides a reasonable basis for ourfindings and conclusions based on our audit objectives. Management Responsibility City management is responsible for ensuring that resources are managed properly and used in compliance with applicable regulations; programs are achieving their objectives; and services are being provided efficiently, effectively, and economically. Audit Objectives, Scope, and Methodology The Internal Audit Department has completed an audit of health insurance operations including benefits plan management, participant enrollment, and claims administration. This report is intended to provide assurance that City management has established adequate processes and procedures to ensure health insurance operations are effective, efficient, and economical. Audit fieldwork was conducted during September and October of 2020.The scope of review varied depending on the procedure being performed. The following list summarizes major procedures performed during this time: • Reviewed documentation to develop criteria including industry standards, best practices, policies, and procedures; • Developed process narratives to identify current control activities in the participant enrollment and claim funding processes that was certified by Risk Management and Finance staff; • Interviewed Risk Management and Finance staff as well as representatives from the City's Employee Benefits Consultant firm; • Inspected a statistical sample of 78 dependentS2 eligibility documentation to ensure they were verified according to the City's requirements and reviewed the 2019 Dependent Eligibility Audit results; v CLO r 1 The City of Denton Internal Auditor's Office is considered structurally independent as defined by generally accepted government auditing standard 3.56. 2 This sample size provides with 95%confidence that the true sample mean is within±15%of the sample estimate. The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process • Reviewed contracts entered with the Third-Party Administrator and Employee Benefits Consultant; • Assessed the Third-Party Administrator's 2019 Service Organization Control Report and the 2017, 2018, and 2019 Performance Guarantee Reports; and • Examined supporting documentation for payments made to the Third-Party Administrator for administrative fees and claims reimbursement. v nA The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process Findings & Analysis Health insurance operations have three functional parts that must work together to ensure health care services are provided effectively.The City of Denton is a self-funded health insurance provider, meaning that it is ultimately responsible for all three parts including the sole responsibility for paying all health insurance claims.'These parts and associated processes are shown in Figure 1. Figure 1: Health Insurance Operations Benefits _ •Plan & Network Development - *Utilization Monitoring Enrollment •Coverage Change Management *Participant Eligibility *Processing •Payment funding In general, the Risk Management Division of the Human Resources Department is responsible for directing the City's health insurance operations.The City has contracted with two outside vendors to provide the following services: ➢ The Employee Benefits Consultant assists in developing the benefits plan and provider network as well as monitoring plan utilization; and ➢ The Third-Party Administrator processes health insurance claims including receipt and adjudication.' The City of Denton accounts for its health insurance plan contributions and claim payments in a separate Health Insurance Fund.6 Figure 2 illustrates the associated revenues and expenses. Figure 2: Health Insurance Contributions & Payments Summary $30,000,000 $25,000,000 $20,000,000 $15,000,000 $10,000,000 $5,000,000 $0 FY15-16 FY16-17 FY17-18 FY18-19 FY19-20 iiiiiiiiiiiiiiim Employee Contributions iiiiiiiiiiiiiiim City Contributions Health Insurance Payments a) W M a 3 A Self-Funded Health Insurance Plan is different than a Traditional Health Insurance Plan,in which the City would pay a Health Insurance provider administration fees and premiums to manage all aspects of the health insurance operations. 4 The Health Insurance Third-Party Administrator is not responsible for processing workers'compensation claims. s Health insurance claim adjudication encompasses determining how a benefits plan applies to a claim. 6 The Health Insurance Fund also accounts for dental,vision,and disability coverage contributions and payments as well as the costs to operate a City health clinic. The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process This audit generally evaluated all parts of the City's health insurance operations including benefits plan management, participant enrollment, ' and claims administration. The City also operates a health clinic for its employees; however, clinic operations were not evaluated as part of this audit. Medical Benefits Plans are Appropriately Monitoried for Compliance & Utilization As a self-funded health insurance provider,the City is responsible for developing and managing its own health insurance plan including: ➢ Deciding what benefits employees will receive; ➢ Establishing a health care provider network; ➢ Monitoring plan utilization and projecting funding needs; and ➢ Ensuring compliance with applicable regulations. What We Found • The City has contracted with McGriff, Seibels & Williams, Inc. (McGriff) to assist its Risk Management staff in these efforts as an Employee Benefits Consultant. o McGriff generally appears to be complying with its contract conditions and is adequately assisting with the administration of the City's benefits plans. • McGriff assists the City in creating and administering its health insurance plans and contracting with health care providers and Third-Party Administrators as needed. • McGriff periodically provides claims analysis reports to the City which cover the City's benefits plans'expenses, plan and network utilization,claim trends,and other information enabling City staff to effectively manage and report on health insurance claims. • Monthly, the City holds Employee Insurance Committee meetings to review claim payments and plan and network utilization. McGriff representatives attend the meetings to provide advice on current issues, if needed. • The City manages compliance with health insurance benefits related rules and regulations with McGriff's assistance. o McGriff tracks the City's compliance with ERISA, COBRA, HIPAA, the Affordable Care Act, and other applicable rules and regulations and provides regular compliance deadline updates, City-specific compliance checklists, and legal disclosure guides to the City staff for proper compliance. Why It Matters As a self-funded health insurance provider, the City has a fiduciary duty to its employees and residents to ensure it is appropriately monitoring plan utilization and compliance. The City has established effective monitoring procedures to ensure its health insurance plan is adequately utilized. In addition, information and guides provided by McGriff provide further assurance that 7 Enrolled City employees and their dependents are considered participants. The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process the City is complying with all applicable regulations— including its fiduciary duty. These processes help the City lower costs and avoid potential non-compliance penalties. Recommendation: None Plan Enrollment is Adequately Managed; Dependent Monitoring Could Lower Costs The City is required to pay its Third-Party Administrator an administration fee for each participant enrolled in its health insurance plans. Similar to other organizations, the City offers health insurance coverage to its employees and their dependents; the City considers the following individuals dependents: • An employee's legal spouse • An employee's natural child, stepchild, or adopted child • An employee's common law spouse • A child under the employee's legal guardianship The City offers its employees and their dependents Gold and Silver health insurance plans, which have differing levels of coverage. Employees may choose either plan or may elect to not enroll in a City health insurance plan.At the end of fiscal year 2019-20 the City had a total of 1,326 employees enrolled with an additional 2,207 dependents as illustrated in Figure 3. Figure 3: City Health Insurance Plans Enrollment (FY19-20 Year End) 900 800 700 v) 600 500 ■Employees 72 400 ■Spouses 300 Children 200 100 0 Gold Plan Silver Plan What We Found • Weekly, the City's benefits system automatically communicates plan enrollment changes to the Third-Party Administrator. o Enrollment is verified monthly as part of the Third-Party Administrator's administration fee invoicing. Based on a review of three sample invoices paid during the past three fiscal years, all bills were accurately paid based on the contracted price per enrollee and the number of enrollees per health insurance plan as of the billing date. • The City requires new and existing employees to submit dependent eligibility documentation when new dependents are added to their health insurance plan. In order to verify eligibility, an 00 employee must complete a Dependent Verification Form and submit certain legal documents a, The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process that support the relationship between the employee and dependent. These documents typically include the following: o Marriage certificate; o Birth certificate; and o Court document that establishes the relationship between the employee, or their spouse, and the child. • Prior to fiscal year 2019-20,there was no process to verify new dependents' eligibility. During 2019, the City hired an outside consultant to conduct a dependent eligibility audit. This audit found that about 98 percent of the City's dependents were eligible for coverage as shown in Table 1. Table 1: Dependent Audit Results (Oct. 2019) Audit Status Dependents Percentage Passed 2,299 97.9% No Response 26 1.1% Incomplete 18 0.8% Ineligible 5 0.2% Total: 2,348 100.0% o Of the 49 employees who did not pass the 2019 Dependent Eligibility Audit, 17 were still covered by the City's health insurance at the end of fiscal year 2019-20. Based on discussions with Risk Management staff, two of these dependents had not been adequately verified since completion of the audit. These two dependents have since been adequately verified and remain covered by the City's health insurance plans. • Based on a statistical sample of employees whose coverage began after Oct. 2019 and before Oct. 2020, about 96 percent of dependents' eligibility was verified as per the City's requirements.These sample results are shown in Table 2. Table 2: Dependent Verification Sample Results (FY19-20 Year End) Verification Method No.of Dependents Percentage Dependent Audit 42 53.85% Submitted Documentation 33 42.31% Process Exception$ 2 2.56% Not Verified 1 1.28% Total: 78 100.00% o Only one dependent reviewed as part of the sample was not verified prior to enrollment. This dependent was enrolled in coverage after the 2019 Dependent Eligibility Audit began, but before the new dependent eligibility verification process was implemented. Based on a review of current dependent coverage dates,there may be about 20 additional dependents who were not verified when their coverage was a, initiated. ro n0 Cl- These dependents were not enrolled per the City's stated eligibility verification process;however,both appeared to be eligible upon review. The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process • The City's benefits system automatically removes dependent children who age out of coverage from the City's health insurance. o Of a judgement sample of 47 dependents who aged out of the City's health insurance plan between Oct. 2019 and Oct. 2020, all were appropriately removed. o Other than this automatic removal process, there is no process to periodically verify that dependents are still eligible for coverage, which increases the risk that dependents such as spouses and stepchildren may remain covered inappropriately. • For the plan year 2021 open enrollment process, employees are required to attest that their enrolled dependents are eligible per the City's requirements.This practice should help remind employees of their responsibility to remove ineligible dependents. Why It Matters The number of participants enrolled in a health insurance plan is the most critical cost driver. For that reason, it is critical to ensure that the Third-Party Administrator receives accurate enrollment information and that any changes are promptly communicated. The City has established adequate processes to communicate and confirm enrollment changes with the Third-Party Administrator. Similarly, ensuring that only eligible dependents are enrolled demonstrates that the City meets its fiduciary duty and ultimately reduces costs to City employees and Denton residents. While performing this verification before enrollment decreases this risk, periodically verifying that dependents remain eligible would provide further assurance that these savings are realized. Recommendation: 1. Develop and formalize a process for periodically identifying and removing ineligible dependents who are not removed by employees in a timely manner. It may be appropriate to focus these monitoring efforts on spouses and stepchildren who are at a higher risk of becoming ineligible than other dependents. Risk Management Comments: The Risk Management department concurs. Because the City relies on the employee to notify when a change in familial status occurs annually within six months of the close of open enrollment, a report will be run to identify dependents who are on the Plan. A sample of the dependents will be identified, and dependents' eligibility will be verified through a review of eligibility documents previously provided and by contacting the employee to verify that the dependent is still eligible to be on the Plan. Claim Administration Controls Appear Adequate but Should be Regularly Reviewed The City has entered into a contract with United Healthcare to act as a Third-Party Administrator for its health insurance plans. As Third-Party Administrator, United Healthcare is responsible for the claims administration process, which is outlined in Figure 4: O v The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process Figure 4: Claim Administration Process Receive • ValidateAdjudicate Claims By Payment to Health Claims Calculating Care Provider Reimbursement Amount Annually, this process is evaluated by an independent public accounting firm in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 18. The results of this evaluation are communicated in a Service Organization Control (SOC) Report, which describes the reviewed process, reports on any material control weaknesses,and recommends controls that user entities should employ in their own organizations. What We Found • The City does not conduct any independent review of adjudicated claims to verify that the Third-Party Provider is implementing the City's health insurance plans as intended. Based on discussions with Risk Management staff,this is due to concerns that such review would violate the Health Insurance Portability and Accountability Act (HIPAA). • United Healthcare is required to provide the most recent SOC report to the City upon request by contract; however, the City does not have a process to regularly obtain and review this report. • The 2019 SOC Report found that United Healthcare's claims administration process controls were suitably designed to provide reasonable assurance if complementary user controls were operating effectively. o Based on a review of the controls described within the 2019 SOC Report, there do not appear to be any control weaknesses that should concern the City. • The 2019 SOC Report recommends several complementary controls that a user entity —such as the City—should implement.These controls are outlined in Table 3.The City should ensure these controls are implemented to most effectively use United Healthcare's services. o In general, the City appears to have adequately implemented City processes that align with the recommended controls; however, improvement is needed in two processes9 to adequately address associated risks. v 9 The claim payment funding authorization process is addressed in the next section. The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process Table 3: Complementary City Process Assessment Recommended Control Assessment Result10 The user's customer benefit plan is complete,authorized, Adequate and furnished to United Healthcare promptly. Enrollment files are complete, accurate,and timely when Adequate submitted. Only authorized users have access to the United Improvement Needed Healthcare information available on the eServices Portal. Available claim payment funds are authorized. Improvement Needed Claim charges are funded completely and timely. Adequate User reconciles monthly invoices using the number of Adequate enrollees and contracted rates. Relevant financial performance reports are obtained and Adequate used appropriately. User completes any needed actuarial analysis. Not Reviewed" • Specifically,the City does not have a process to periodically review user access to the eServices Portal. While access is generally managed by Risk Management staff, periodically requesting a user report from United Healthcare would provide further assurance that only authorized users have access to sensitive health insurance information. o In response to the audit, Risk Management reviewed user access to the eServices Portal and removed three individuals' access. Why It Matters Due to HIPAA regulations, the City is unable to perform its own review of adjudicated claims. Still, conducting an outside review could help identify any health insurance plan implementation errors and provide further assurance that claim administration controls are effective—potentially saving money in future years. Similarly, regular review of controls implemented by the Third-Party Administrator for its claim administration activities is essential for quickly identifying any material control weaknesses or exceptions that could increase the risk of errors or irregularities when adjudicating claims. Additionally,the Third-Party Administrator's controls,as assessed in the SOC Report,are developed based on the assumption that the recommended complementary controls are functioning in the user entity. Establishing a procedure to regularly review and report on the claims administration controls—including the City's complementary controls—would increase assurance that claims are processed efficiently and further demonstrate the City's commitment to fulfilling its fiduciary duty. Finally, periodically reviewing user access to the City's eServices Internet Portal provides increased assurance that unauthorized users do not have access to sensitive health insurance claim information. N a� a 10 Assessment results are generally detailed in other sections of this report. 11 According to Risk Management staff,the City's Employee Benefits Consultant conducts actuarial analysis as needed;however,this analysis was not examined as part of this audit. The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process Recommendations: 2. Periodically conduct a review of adjudicated health insurance claims to verify plan implementation and identify claim processing errors. Best practices suggest that the period between Third-Party Administrator audits be based on previous audit results and changes to the benefits plan design. In addition, performance guarantees could be verified as part of this process. Risk Management Comments: The Risk Management department concurs with this recommendation. In response to this recommendation, the Risk and Compliance Manager has requested price quotes for an external claims audit. When quotes are received, a determination will be made regarding funds availability in this year's budget. 3. Develop a process to report to City Management any control weaknesses identified in the Third-Party Administrator's Service Organization Control Report. If weaknesses are identified, City Management should develop a plan to appropriately address these weaknesses. Risk Management Comments: The Risk Management department concurs with this recommendation. The department obtained the current report during the audit process and requested that moving forward, McGriff provide the report on an annual basis as part of our Plan mid-year review.At the mid-year review, the report will be reviewed, and we will work with McGriff and the TPA to address any areas of concern.Should any areas of concern be identified, the Risk and Compliance Manager will notify City leadership about the concerns and the processes put in place to address the concerns on an ongoing basis. 4. Annually verify that the City has adequate complementary user organization controls based on the Third-Party Administrator's Service Organization Control Report. Risk Management Comments: The Risk Management department concurs with this recommendation. Based on the SOC report received and reviewed at our Plan mid-year review as described above, the department will review and work with McGriff and the TPA to put in place any additional complementary controls needed to address any concerns. 5. Periodically request the Third-Party Administrator provide a list of individuals who have access to the City's eServices Internet Portal and verify that only authorized individuals are included. Risk Management Comments: The Risk Management department concurs with this recommendation. The Benefits Supervisor will request a user report from the TPA at the end of each Plan Year and when an employee begins work with the Benefits Team (on a temporary or permanent basis) to ensure only authorized individuals are permitted access to the employer services portal. Additionally, when any team member departs the Benefits Team, the Benefits Supervisor will ensure the team member's access is removed on or before their last day with the team. m v to The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process Claims Funding Process Should be Clarified As a self-funded insurer, the City is solely responsible for paying all health insurance costs for its participants.Overthe past three fiscal years,the City has paid approximately$65.3 million in health insurance claims,or about$85,000 in claims a day. Figure 5 generally outlines the claim submission and payment process. Figure 5: Health Insurance Claim Payment Process Provider Selects Health •Pays claim per Care Provider *Submits City's Health *Reimburses and receives insurance claim Insurance Plans Third-Party service for provided Admin. for Participant servicesThird-Party Claim Administrator What We Found • The City has setup an escrow account from which the Third-Party Administrator is able to reimburse themselves for each day's health insurance claims. Notification of these withdrawals are sent to Risk Management staff each business day. o The City's bank automatically refunds this account each day to ensure that a balance of$206,000 is maintained. o Any withdrawals greater than $700,000 must be approved by the Treasury Manager prior to transfer. • Each week, Risk Management staff prepare an Outgoing ACH Confirmation Form, which includes a copy of each withdrawal notification and that week's Paid Claims Report. Based on a judgement sample, an average of about $421,000 was authorized each week over the past twelve months via this process. o Based on a review of documentation, health insurance claim funding has been authorized inconsistently over the past twelve months. In particular, a sample of twelve reconciliations were always approved by the Risk & Compliance Manager; however, only five reconciliations were approved by the Finance Director and one additional reconciliation was approved by an Asst. Finance Director. o Risk Management has created a Standard Operating Procedure to guide staff in preparing the ACH Confirmation Form; however, this document does not include Tzt information about Finance's role in the process. Similarly,there does not appear to be written guidance on who should authorize health insurance claim funding; however, the City generally requires the following authorizations for outside funding transfers: 0- The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process Table 4:Transfer Authorization Thresholds Employee Role Min.Amount Supervisor $0 Dept. Director $5,000 Asst. Finance Director $50,000 Finance Director $100,000 • Accounting staff records the daily withdrawals weekly in the City's Health Insurance Fund based on this reconciliation process. Why It Matters Documented policies and procedures help an organization retain institutional knowledge, navigate emergency situations, and facilitate consistency. This is particularly important when a process involves multiple departments and has a relatively high volume of transactions. The City has developed a claim funding reconciliation process that ensures the following: ➢ Adequate funds for claim payments are available when needed; and ➢ Claim payments are recorded in the City's ledger promptly. Steps involved in this process have been documented to some extent; however, it does not include information about Finance's role in the process, which has made it difficult for Risk Management and Finance staff to understand each others' responsibilities. Likewise, it is unclear at what level of the organization health insurance claims funding should be authorized. Updating this documentation would facilitate clear understanding and potentially increase efficiency. Recommendation: 6. Clarify the weekly health insurance claim funding reconciliation process in consultation with the Finance Department. This documentation should clearly identify roles and responsibilities in the process as well as clarify funding authority levels. Risk Management Comments: The Risk Management department concurs with this recommendation. The Benefits Team has the claims funding reconciliation process documented up to the point where the process transitions to the Finance department. The Benefits Supervisor and Benefits and HRIS Specialist will work with Finance to document the full process in one complete document. Periodic Verification of the TPA's Performance Would Increase Assurance United Healthcare is obligated to maintain certain performance standards as agreed upon in its contract. Best practices on monitoring a Third-Party Administrator's performance recommend requiring and monitoring performance guarantees. What We Found Ll) • The City's contract with United Healthcare—the Third-Party Administrator—generally contains provisions that align with best practices including: stated performance guarantees, a right to M 0- The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process audit clause, record retention requirements, access to data,and access to Service Organization Control Reports and other information to administer the plan. • The City does not have a procedure to obtain and review United Healthcare's annual Performance Guarantee reports. o While the City's Employee Benefits Consultant does annually review the Performance Guarantee reports, there was no documentation indicating that the Consultant provides these Reports or a summary of the results to the City. • United Healthcare appears to be 100 percent compliant with claims administration performance guarantees, as shown in Table 5. In addition, performance guarantees for customer service and satisfaction were fully achieved for the 2018 and 2019 plan years. o It should be noted that Performance Guarantee Results are self reported by United Healthcare and are not verified by the City or the Employee Benefits Consultant. Without an independent verification process, there is risk that performance guarantees are reported inaccurately. Table 5: United Healthcare's Performance Guarantee Results (2018 & 2019) Performance Standard Guaranteed Actual Percentage Percentage 2018 2019 Claims Processed within 10 Business Days 94% 98.80% 98.80% Dollar Accuracy 99% 99.89% 99.92% Procedural Accuracy 97% 99.84% 99.77% • The Performance Guarantee Report also reconciles the administration fees and stop loss premiuMS12 earned by the Third-Party Administrator to those paid by the City. During this reconciliation process, United Healthcare also calculates performance guarantee noncompliance penalties, prescription discount and rebate credits, and stop loss insurance adjustments. o During the past three plan years United Healthcare reported that they owed the City $35,276 and $72,705 for prescription discount rate guarantees for 2017 and 2019 respectively. These amounts were appropriately credited to the City as part of the administrative fee payment process. Why It Matters The City has appropriately established performance standards that its Third-Party Administrator must meet along with corresponding penalties for noncompliance. Despite United Healthcare producing annual performance reports, Risk Management staff does not appear to be reviewing these reports to verify compliance. Regular monitoring of the Third-Party Administrator's performance guarantees would assure the City that it duly achieves performance standards for claims administration as agreed and would allow for timely follow up of performance guarantee penalty payments. In addition, an Q 12 The City separately has contracted with United Healthcare to provide Stop Loss insurance for the City's self-funded health insurance plan. Stop Loss insurance protects against catastrophic or unpredictable losses. The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process independent review, as described in Recommendation 2, would also provide an opportunity to verify that Performance Guarantees are being met as reported. Recommendation: 7. Implement monitoring procedures for performance guarantees. The City staff should also ensure that United Healthcare duly pays the penalties for non-performance, if any, relating to claims processing and other agreed performance guarantees. Risk Management Comments: The Risk Management department concurs with this recommendation. The Risk Management department will request that McGriff provide the Performance Guarantee report annually as part of our Plan year-end review. Upon review of the report, we will work with McGriff and the TPA to address any concerns. rl v The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process Appendix A: Management Response Summary The following summarizes the recommendations issued throughout this report. The auditors found that staff and the Department were receptive and willing to make improvements to controls where needed. Management has provided their response to each recommendation. Develop and formalize a process for periodically identifying Expected 1 and removing ineligible dependents who are not removed by Concur Completion: employees in a timely manner. Q4 2021 Comments:The Risk Management department concurs. Because the City relies on the Responsibility: employee to notify when a change in familial status occurs annually within six months Benefits & of the close of open enrollment, a report will be run to identify dependents who are HRIS on the Plan. A sample of the dependents will be identified, and dependents' eligibility Spec/Benefits will be verified through a review of eligibility documents previously provided and by Supervisor contacting the employee to verify that the dependent is still eligible to be on the Plan. Periodically conduct a review of adjudicated health insurance Expected 2 claims to verify plan implementation and identify claim Concur Completion: processing errors. Q3 2021 Comments:The Risk Management department concurs with this recommendation. In Responsibility: response to this recommendation,the Risk and Compliance Manager has requested Risk& price quotes for an external claims audit. When quotes are received, a determination Compliance will be made regarding funds availability in this year's budget. Mgr Develop a process to report to City Management any control Expected 3 weaknesses identified in the Third-Party Administrator's Concur Completion: Service Organization Control Report. Q4 2021 Comments:The Risk Management department concurs with this recommendation. Responsibility: The department obtained the current report during the audit process and requested Benefits that moving forward, McGriff provide the report on an annual basis as part of our Plan Supervisor/Risk mid-year review.At the mid-year review, the report will be reviewed, and we will work & Compliance with McGriff and the TPA to address any areas of concern. Should any areas of concern Mgr be identified, the Risk and Compliance Manager will notify City leadership about the concerns and the processes put in place to address the concerns on an ongoing basis. Annually verify that the City has adequate complementary Expected 4 user organization controls based on the Third-Party Concur Completion: Administrator's Service Organization Control Report. Q4 2021 Comments:The Risk Management department concurs with this recommendation. Responsibility: Based on the SOC report received and reviewed at our Plan mid-year review as Benefits described above,the department will review and work with McGriff and the TPA to Supervisor/Risk put in place any additional complementary controls needed to address any concerns. & Compliance Mgr Periodically request the Third-Party Administrator provide a Expected list of individuals who have access to the City's eServices Completion: 5 Internet Portal and verify that only authorized individuals are Concur January 2021 included. Comments:The Risk Management department concurs with this recommendation. Responsibility: pQ The Benefits Supervisor will request a user report from the TPA at the end of each Plan Benefits =1 v Year and when an employee begins work with the Benefits Team (on a temporary or Supervisor The City of Denton Internal Audit Report November 2020 Audit of Health Insurance Operations Process permanent basis)to ensure only authorized individuals are permitted access to the employer services portal. Additionally, when any team member departs the Benefits Team,the Benefits Supervisor will ensure the team member's access is removed on or before their last day with the team. Clarify the weekly health insurance claim funding Expected 6 reconciliation process in consultation with the Finance Concur Completion: Department. Q2 2021 Comments:The Risk Management department concurs with this recommendation. Responsibility: The Benefits Team has the claims funding reconciliation process documented up to the Benefits& point where the process transitions to the Finance department.The Benefits HRIS Specialist, Supervisor and Benefits and HRIS Specialist will work with Finance to document the full Benefits Sup, process in one complete document. and Finance Implement monitoring procedures for performance Expected 7 Concur Completion: guarantees. Q2 2021 Comments:The Risk Management department concurs with this recommendation. Responsibility: The Risk Management department will request that McGriff provide the Performance Benefits Guarantee report annually as part of our Plan year-end review. Upon review of the Sup/Risk& report,we will work with McGriff and the TPA to address any concerns. Compliance Mgr Ol rl v nA