Health Net Declined to Comply with Security Audit: OPM

March 11, 2018


The U.S. Office of Personnel Management (OPM) Office of the Inspector General Office of Audits (OIG) has issued a Flash Audit Alert stating that Health Net of California has declined to comply with the latest security audit.

Health Net provides benefits to federal employees and, under its agreement with OPM, is required to comply with audits. OPM has been performing security checks on FEHBP insurance carriers for the last 10 years, which includes checking for flaws that could be abused to gain access to the PHI of FEHBP subscribers.

When OPM performs audits, it focuses on the information systems that are used to access or hold the data of Federal Employee Health Benefit Program (FEHBP) subscribers. However, OPM points out that numerous insurance providers don’t separate the data of FEHBP subscribers from the data of commercial and other Federal customers. Audits of technical infrastructure must be completed on all parts of the system that have a logical or physical link with FEHBP data. Because of this, systems storing data other than that of FEHBP members will also be evaluated for vulnerabilities.

In its Flash Audit Alert, OPM said Health Net declined to allow OPM to carry out vulnerability and configuration management testing, and that documentation was not provided that would let OPM check whether Health Net was able to switch off information system access for freelancers who no longer required data access and for dismissed staff.

Because Health Net declined to cooperate, OPM could not determine whether Health Net has been acting as a responsible guardian of the confidential PHI of FEHBP subscribers.

Health Net asserts that it has been cooperating with OPM and allowed the agency to finish the audit, although the insurance carrier consulted its external counsel and was advised that if it cooperated completely with OPM’s requests and agreed to specific parts of the audit procedure, it would risk violating agreements with other third parties. Health Net has responsibilities to those third parties to make sure their data is safe.

Health Net believes that it has been, and will be, able to meet the requirements of OPM and OIG without undermining the security of its system and the confidentiality and privacy of members’ and workers’ information. Health Net also charges that the claims made in the OPM statement are without basis.

They stated: “We know the worries linked with work of this type, and we take great caution to minimize danger. Our processes were developed as part of a cooperative working group consisting of health insurance industry Chief Information Officers and Chief Information Safety Officers.

“There is nothing exclusive concerning Health Net, its technical setting, or the nature of our recommended testing that would spare Health Net from our omission and this checking.”

At this point in time, it’s not clear what action, if any, OPM will take against Health Net if the business does not comply fully with its audit requests.