Health Net Refuses Security Audit, Says OPM OIG

Health Net California, a provider of government employees’ benefits, has been flagged as unwilling to undergo security audits, according to a Flash Audit Alert released by the U.S. Office of Personnel Management (OPM) Office of the Inspector General (OIG), Office of Audits.

Over the past 10 years, OPM has been assigned to perform security audits on Federal Employee Health Benefit Program (FEHBP) insurance companies. In these audits, OPM examines areas that are vulnerable and could allow illegal and unauthorized access to the PHI of FEHBP members. As OPM’s partner, Health Net is contractually expected to undergo these audits.

When OPM performs audits, it is concerned with the information systems used to access or store the data of FEHBP members. However, OPM notes that many insurance carriers do not separate the records of FEHBP members from the records of business and other Federal clients. Audits of technical facilities must therefore cover all parts of the system that have a physical or logical nexus with FEHBP records. As a result, systems that contain data other than that of FEHBP members are also evaluated for vulnerabilities.

OPM’s Flash Audit Alert disclosed that the office is unable to ascertain whether Health Net is fulfilling its responsibility as a guardian of FEHBP members’ PHI, because Health Net has not submitted to the necessary audit. OPM said that, besides refusing to undergo vulnerability and configuration management screening, Health Net also failed to supply required documents that would allow OPM to verify whether Health Net was able to stop system access by former contractors and employees.

Health Net says that it has cooperated with OPM and permitted the agency to perform the audit. The insurance carrier also says it conferred with its lawyer and was cautioned that if it cooperated completely with OPM’s demands and submitted to particular parts of the audit procedure, it would risk breaking legal agreements with other third parties. Health Net again says that it will fulfill the requests of OPM and OIG without compromising the security, privacy and confidentiality of members’ and employees’ information. Health Net likewise states that the accusations made by OPM are unproven.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches.